All articles
Compliance8 min read

Australian Privacy Principles: A Practical Guide for Brokers

CRMandGo Team · 11 April 2026

The Australian Privacy Principles (APPs) are the cornerstone of privacy regulation for any business handling personal information, and mortgage brokers handle some of the most sensitive personal information that exists. While the 13 APPs can seem abstract, each one has specific, practical implications for how you run your brokerage and configure your CRM.

The APPs that matter most for brokers

APP 3 (Collection) governs what personal information you can collect and how. For brokers, this means collecting only the financial data needed for the loan assessment, not hoarding information 'just in case.' APP 6 (Use or Disclosure) restricts using client data for purposes other than what it was collected for. You can't repurpose mortgage client data for marketing insurance products without separate consent.

Data storage and security obligations

APP 8 (Cross-border Disclosure) requires that personal information sent overseas maintains APP protections. If your CRM stores data in US data centres, you're responsible for ensuring those protections hold, which is practically difficult. APP 11 (Security) requires reasonable steps to protect personal information from misuse, interference, and loss. For a brokerage, this means encryption, access controls, and audit logging, not just a password on the office computer.

Client rights and access

APP 12 (Access) gives clients the right to access their personal information held by your brokerage. APP 13 (Correction) gives them the right to correct inaccurate data. Your CRM should support both: generating a client data report on request and allowing corrections with audit trail tracking of what changed.

Practical compliance steps

  • Publish a clear privacy policy that explains your data practices (APP 1)
  • Collect only the personal information necessary for the loan assessment (APP 3)
  • Store all data in Australian data centres to simplify APP 8 compliance
  • Implement encryption and access controls to meet APP 11 security obligations
  • Have a process for responding to access (APP 12) and correction (APP 13) requests

Frequently asked questions

Do the APPs apply to sole-trader brokers?
Yes, if your annual turnover exceeds $3 million, or you're a credit provider or credit reporting body (which includes mortgage brokers operating under an ACL). Most active mortgage brokers are covered by the APPs regardless of business size.
What happens if I breach the APPs?
The OAIC can investigate complaints and issue determinations requiring you to take specific actions (apologise, compensate, change practices). Serious or repeated breaches can result in civil penalties. Under the upcoming reforms, penalties increase significantly, making compliance a financial imperative, not just a legal one.
How do the APPs interact with NCCP record-keeping?
NCCP requires 7-year record retention; the APPs require deletion when data is no longer needed. These obligations overlap: retain credit records for 7 years (NCCP), but delete marketing data and unnecessary personal information when the client relationship ends (APPs). Your CRM should support selective deletion with documented legal basis.

Ready to see it in action?

CRMandGo is built for Australian brokers. Start your free trial, no credit card, no lock-in.

Start free trial