APP 11
Security of Personal Information.
Australian Privacy Principle 11 under the Privacy Act 1988 (Cth) is the security obligation for personal information held by an APP entity. The Notifiable Data Breaches scheme in Part IIIC of the Act sits alongside it, imposing an assessment deadline and a notification duty for eligible data breaches.
An entity that suspects an eligible data breach must complete its assessment within 30 days; once it has reasonable grounds to believe an eligible data breach has occurred, it must notify the OAIC and affected individuals as soon as practicable. The 30 days is an assessment window, not a notification deadline. The OAIC publishes periodic statistics on the notifications it receives, so your incident becomes a public statistic. Maximum penalties for serious or repeated interferences with privacy were raised substantially by the December 2022 amendments, and the December 2024 amendments added tiered civil penalties and a statutory tort for serious invasions of privacy, so the exposure continues to grow.
What APP 11, and the obligations that sit alongside it, require.
How BackPro handles each obligation.
Reasonable security steps
Take such steps as are reasonable in the circumstances to protect personal information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure.
Destruction or de-identification
If an APP entity no longer needs personal information for any purpose for which it may be used or disclosed under the APPs, and the information is not contained in a Commonwealth record or required by law to be retained, the entity must take reasonable steps to destroy or de-identify it (APP 11.2).
Notifiable data breach scheme
Notify affected individuals and the OAIC of an eligible data breach: unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm and has not been prevented by remedial action. Assess a suspected breach within 30 days; once there are reasonable grounds to believe it is eligible, notify as soon as practicable with the prescribed content (entity identity and contact details, a description of the breach, the kinds of information concerned, and recommended steps for individuals). This is a Part IIIC obligation that operates alongside APP 11.
Privacy impact assessments
Conduct privacy impact assessments for projects that involve significant handling of personal information. Mandatory for Australian Government agencies for high privacy risk projects under the Privacy (Australian Government Agencies – Governance) APP Code 2017; for other APP entities the OAIC recommends them as part of the governance that evidences the "reasonable steps" APP 11.1 requires, and the 2022 penalty increases make that evidence worth having.
Access requests
Give individuals access to the personal information held about them on request (APP 12). Agencies must respond within 30 days; organisations must respond within a reasonable period, which OAIC guidance treats as 30 days in most cases.
Correction of personal information
Take reasonable steps to correct personal information (APP 13) when an individual requests correction or when the entity is satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading.
What BackPro produces for APP 11.
The artifacts your auditor expects. Hashed, signed, timestamped, exportable. Generated continuously while you work, not assembled in the week before the audit.
Reasonable security steps: personal information discovered, classified, and linked to the systems and controls protecting each category.
Destruction or de-identification: per-category retention rules with automated destruction workflows and certificates.
Notifiable data breach scheme: seriousness-of-harm assessment, individual notification letters, OAIC submission record.
Privacy impact assessments: per-project PIA with risk register, mitigation plan, and version history.
Access requests: logged access requests, scoped disclosure packs with redactions, response timing audit.
Correction of personal information: before/after change evidence with downstream propagation log.
See APP 11 mapped to your own controls.
Forty-five minutes with our team. We take your existing control register, map it against APP 11 obligations, and show you which gaps BackPro closes automatically. The mapping is yours to keep whether you proceed with us or not.