APP 11 — Security of Personal Information
The Australian Privacy Principle that requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.
Australian Privacy Principle 11 (APP 11) sits in Schedule 1 of the Privacy Act 1988 (Cth) and applies to all APP entities — Australian Government agencies and most private-sector organisations with annual turnover above $3 million. APP 11.1 requires entities to take reasonable steps to protect personal information; APP 11.2 requires destruction or de-identification of personal information once it is no longer needed for an authorised purpose.
What counts as “reasonable steps” is risk-based and is interpreted with reference to the Office of the Australian Information Commissioner’s Guide to Securing Personal Information.
- 01: A documented information security program that addresses personal information specifically.
- 02: Technical, organisational, and physical controls proportionate to the sensitivity of the information.
- 03: Routine destruction or de-identification of personal information no longer needed for an authorised purpose.
- 04: Incident response procedures, including assessment against Notifiable Data Breach (NDB) obligations.
APP 11 is the principle the OAIC reaches for when assessing whether a data breach was preventable. The “reasonable steps” language is deliberately flexible, which lets the regulator hold smaller organisations to lower bars than enterprise-scale entities. Most NDB cases trace back to either an APP 11.1 finding (security inadequate) or an APP 11.2 finding (data retained beyond need).