NotMeID · Research

APP 12 and APP 13: the Australian privacy rights almost no one uses

A plain-English guide to access and deletion under the Privacy Act — what organisations must do, what to do when they ignore you, and why automation matters.

What the Privacy Act 1988 gives you

The Privacy Act’s Australian Privacy Principles (APPs) are not voluntary ‘best practice’. For APP entities, they are legal obligations — and the OAIC can investigate systemic failures.

APP 12 gives individuals a right to access personal information held about them. APP 13 gives individuals pathways to correct information and to seek deletion where information is inaccurate, out of date, incomplete, irrelevant, or misleading — or where it should no longer be held.

These rights are the backbone of consumer sovereignty in Australian privacy law — and they are underused because they are operationally painful to exercise at scale.

APP 12 in practice

You can request access to your personal information from an organisation that holds it. The entity must respond within 30 days. It cannot impose a fee simply for asking — though limited charges may apply in narrow circumstances for provision in certain formats.

If access is refused, the refusal should be explained with reference to lawful exceptions. If the explanation is missing or implausible, that is a red flag — and a potential OAIC matter.

The practical difficulty is not the law; it is inventory. Most people do not know which APP entities hold what — which is why discovery tooling precedes effective access requests.

APP 13 in practice

Deletion is not a magic eraser — organisations may dispute whether information is truly ‘irrelevant’ or ‘no longer needed’ — but they cannot ignore you. They must engage, and they must respond.

Where information is wrong, APP 13 correction pathways force engagement. Where information is stale, deletion arguments often succeed fastest when tied to clear retention overreach or post-relationship necessity tests.

If you are dealing with brokers who profit from stale files, expect pushback — which is why templated legal language, tracked timelines, and escalation matter more than politeness.

The OAIC and civil penalties

The Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act. For serious or repeated interferences with privacy, civil penalties for organisations can reach very large sums, including a headline figure of up to $50 million for corporations under reforms that took effect in late 2024, alongside other penalty calculations tied to turnover and to the benefit obtained.

Recent years have seen the OAIC move from soft compliance toward public enforcement, including civil penalty proceedings against major breach victims whose security and handling practices are alleged to have fallen short of what the law requires.

For individuals, the OAIC is the credible escalation lever when a company ghosts a valid request — not because you want a fight, but because rights without enforcement are decorative.

Why these rights go unexercised

Most Australians have never heard of APP 12 or APP 13. Those who have still face the work: identifying holders, drafting sufficient requests, tracking 30-day clocks, following up, and converting non-response into a coherent OAIC complaint.

That is hours per entity — multiplied across hundreds of brokers, platforms, and ID providers. The economics only work if the process is automated while preserving your legal standing.

NotMeID is designed as rights infrastructure: discover, confirm, request from your own email, escalate when statutory timelines slip — the full chain, not a dashboard of wishful thinking.