Data Protection Policy (Australia)
Internal Data Protection Policy — Privacy Act 1988 (Cth) Compliant
DATA PROTECTION POLICY
[Organisation Name] ([ABN])
Effective Date: [Effective Date] | Next Review: [Review Date]
Privacy Officer: [Privacy Officer] | [Privacy Email]
1. PURPOSE AND SCOPE
1.1 [Organisation Name] (the “Organisation”) is committed to protecting the privacy of personal information in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs).
1.2 This Policy applies to all directors, officers, employees, contractors, and agents of the Organisation who handle personal information in the course of their work.
1.3 This Policy sets out the Organisation’s approach to collecting, using, storing, disclosing, and managing personal information.
2. PERSONAL INFORMATION COLLECTED
2.1 The Organisation collects the following types of personal information: [Information Types].
2.2 Personal information is collected for the following purposes: [Collection Purpose].
2.3 The Organisation collects personal information only by lawful and fair means, and where reasonably practicable, directly from the individual concerned (APP 3).
3. USE AND DISCLOSURE
3.1 The Organisation uses and discloses personal information only for the primary purpose for which it was collected, or for related secondary purposes where an individual would reasonably expect such use or disclosure (APP 6).
3.2 The Organisation does not use personal information for direct marketing purposes without the individual’s consent, unless an exemption under APP 7 applies.
3.3 The Organisation does not sell personal information to third parties.
4. STORAGE AND SECURITY
4.1 The Organisation takes reasonable steps to protect personal information from misuse, interference, and loss, and from unauthorised access, modification, or disclosure, in accordance with APP 11.
4.2 Security measures include physical access controls, password protection, encryption of sensitive data, role-based access controls, and regular security audits.
4.3 Personal information is retained for [Retention Period], after which it is securely destroyed or de-identified.
5. INDIVIDUALS’ RIGHTS
5.1 Individuals have the right to access personal information the Organisation holds about them (APP 12). Requests should be directed to [Privacy Email].
5.2 Individuals may request correction of personal information that is inaccurate, out-of-date, incomplete, or misleading (APP 13).
5.3 Privacy complaints should be directed to [Privacy Officer] at [Privacy Email]. If not resolved to the individual’s satisfaction within 30 days, the individual may complain to the Office of the Australian Information Commissioner (OAIC).
6. STAFF OBLIGATIONS
6.1 All staff must complete privacy training on commencement and annually thereafter.
6.2 Staff must not access, use, or disclose personal information except as necessary for their role.
6.3 Breach of this Policy may result in disciplinary action including termination of employment, consistent with the Fair Work Act 2009 (Cth).
7. POLICY REVIEW
7.1 This Policy will be reviewed by [Privacy Officer] at least annually or following any significant change in law or organisational practice. The next scheduled review is [Review Date].
7.2 This Policy is governed by the laws of [Governing State], Australia.
Approved by
________________
Signature
Date: ________________
What Is a Data Protection Policy (Australia)?
A Data Protection Policy in Australia sets the organisation's rules and expectations on data protection and the responsibilities of staff and users, supporting compliance with the Corporations Act 2001 (Cth).
The Privacy Act 1988 (Cth) applies to Australian Government agencies, private sector organisations with annual turnover above AUD 3 million, health service providers regardless of turnover, credit reporting bodies, organisations that trade in personal information, and certain other prescribed entities. Small businesses below the AUD 3 million threshold may nonetheless be covered if they handle health information, operate a residential tenancy database, or have opted in to coverage under s 6EA of the Act. The Privacy Act Review Report (February 2023) recommended expanding coverage to small businesses, which could significantly broaden the number of organisations required to implement formal data protection governance.
The 13 Australian Privacy Principles cover the full lifecycle of personal information handling: APP 1 (open and transparent management), APP 2 (anonymity and pseudonymity), APP 3 (collection of solicited information), APP 4 (unsolicited information), APP 5 (notification of collection), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 9 (government related identifiers), APP 10 (quality), APP 11 (security), APP 12 (access), and APP 13 (correction). A Data Protection Policy translates each of these principles into practical internal procedures staff must follow.
The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth) requires APP entities to notify the OAIC and affected individuals when an eligible data breach occurs — meaning a breach likely to result in serious harm. The OAIC's Notifiable Data Breaches Report records hundreds of eligible breaches each year, with human error (including sending information to the wrong recipient) and malicious or criminal attacks (including ransomware and phishing) as the leading causes. A well-implemented Data Protection Policy that trains staff on privacy obligations and data handling procedures is one of the most effective tools for reducing the risk of reportable breaches.
APRA-regulated entities — authorised deposit-taking institutions, general and life insurers, and registrable superannuation entities regulated by the Australian Prudential Regulation Authority — must also comply with Prudential Standard CPS 234 Information Security (effective 1 July 2019), which requires documented information security policies, defined information asset ownership, and third-party security management. State and territory public sector organisations are subject to separate privacy legislation: the Privacy and Personal Information Protection Act 1998 (NSW) administered by the NSW Privacy Commissioner, the Privacy and Data Protection Act 2014 (Vic) administered by the Office of the Victorian Information Commissioner (OVIC), and the Information Privacy Act 2009 (Qld) administered by the Office of the Information Commissioner (OIC Queensland). These state Acts impose obligations similar to the APPs and require equivalent internal governance documentation. Forms-legal.com provides this template as a starting point for APP-compliant internal data governance.
When Do You Need a Data Protection Policy (Australia)?
An Australian Data Protection Policy is needed by every APP entity subject to the Privacy Act 1988 (Cth), and is strongly recommended for smaller organisations as a matter of good governance and commercial practice even where not strictly required by law.
Statutory requirement: APP 1.3 requires every APP entity to have a clearly expressed and up-to-date privacy policy. A Data Protection Policy that addresses both internal governance and external disclosure obligations satisfies the APP 1.3 requirement while also providing the internal operational guidance that a purely public-facing privacy notice does not.
NDB scheme readiness: Under Part IIIC of the Privacy Act 1988 (Cth), APP entities must assess suspected data breaches within 30 days and notify the OAIC and affected individuals where the breach is eligible. A Data Protection Policy that documents the organisation's breach response procedure — including who is responsible for assessment, what records must be kept, and how the OAIC is notified through the NDB Scheme portal — ensures the organisation can respond within the statutory timeframe.
Health information handling: Health service providers — including hospitals, general practices, allied health clinics, and aged care facilities — handle sensitive health information under the Privacy Act 1988 (Cth) and the My Health Records Act 2012 (Cth). The OAIC's health privacy guidelines require health service providers to have documented information handling procedures. The My Health Records Act 2012 (Cth) s 75 empowers the System Operator (Australian Digital Health Agency) to collect civil penalties from organisations that mishandle My Health Record information.
ISO 27001 and government procurement: The Australian Signals Directorate (ASD) and the Department of Finance's Commonwealth Procurement Rules require government contractors to maintain documented information security and privacy management systems. ISO/IEC 27001:2022 certification — increasingly required by enterprise and government clients — specifically requires documented policies addressing information classification, access control, and incident response that align with the APPs.
APRA-regulated entities: The Australian Prudential Regulation Authority's Prudential Standard CPS 234 Information Security requires APRA-regulated banks, insurers, and superannuation funds to maintain information security capability proportionate to the threats they face. A Data Protection Policy that addresses classification of personal and sensitive information, access controls, third-party management, and breach response is a foundational element of CPS 234 compliance.
What to Include in Your Data Protection Policy (Australia)
An Australian Data Protection Policy must address the following elements to translate the 13 Australian Privacy Principles into workable internal procedures.
Scope and legal basis: Which entities and information types are covered — including personal information as defined in s 6(1) of the Privacy Act 1988 (Cth) (information or an opinion about an identified or reasonably identifiable individual) and sensitive information (the heightened-protection subset under s 6(1) including health, biometric, genetic, racial, religious, and criminal record information). The policy should state which privacy legislation applies (Privacy Act 1988 (Cth), and any applicable state health privacy legislation such as the Health Records and Information Privacy Act 2002 (NSW) or the Health Records Act 2001 (Vic)).
Collection and notification (APPs 3–5): The types of personal information collected, the purposes of collection, the method of collection (directly from the individual or from third parties), and the notification provided to individuals at the time of collection under APP 5.
Use and disclosure (APP 6): The permitted purposes for which personal information may be used or disclosed, including direct marketing rules under APP 7 (opt-out rights, the ADMA Code, and the Spam Act 2003 (Cth)), and the prohibition on use or disclosure for secondary purposes without consent.
Cross-border disclosure (APP 8): The procedure for disclosing personal information to overseas recipients, including the steps taken to ensure APP-equivalent protections are in place and the circumstances in which individual consent under APP 8.2(b) may be relied upon.
Security (APP 11): The technical and organisational security measures in place to protect personal information from misuse, interference, loss, and unauthorised access, consistent with the OAIC's Guide to Securing Personal Information. Reference to the ASD's Essential Eight cybersecurity strategies is recommended for organisations with elevated risk profiles.
Data retention and destruction (APP 11.2): Retention periods for each category of personal information, having regard to any statutory retention requirements (e.g., seven years for tax records under s 262A of the Income Tax Assessment Act 1936 (Cth)), and the process for securely destroying or de-identifying information that is no longer required.
Individual rights (APPs 12–13): The procedure for handling access requests — including the 30-day response timeframe, the circumstances in which access may be refused, and the right to complain to the OAIC — and the procedure for handling correction requests.
NDB scheme breach response: The step-by-step procedure for identifying, assessing, and notifying eligible data breaches under Part IIIC of the Privacy Act 1988 (Cth), including the 30-day assessment window under s 26WH and the OAIC notification process.
Staff training and accountability: The training program for staff handling personal information, the designated privacy officer responsible for policy compliance, and the disciplinary consequences of policy breach. For APRA-regulated entities, CPS 234 Information Security requires a defined information security capability that includes documented roles and responsibilities.
State and territory obligations: Where the organisation is a state government agency or health service provider subject to state privacy legislation — the Privacy and Personal Information Protection Act 1998 (NSW), the Privacy and Data Protection Act 2014 (Vic), the Information Privacy Act 2009 (Qld), the Personal Information Protection Act 2004 (Tas), or equivalent — the policy must address compliance with those Acts in addition to the Commonwealth Privacy Act 1988 (Cth). The NSW Privacy Commissioner, the Office of the Victorian Information Commissioner (OVIC), and the OIC Queensland each publish guidance on internal privacy policies that should be cross-referenced.
AI and automated decision-making: Organisations using artificial intelligence or automated tools to process personal information should address the privacy risks of algorithmic profiling, automated decision-making, and training AI models on personal data. The OAIC's guidance on privacy and AI (2023) recommends conducting a Privacy Impact Assessment (PIA) under APP 1.4 before deploying AI systems that use personal information.
Privacy Impact Assessments: A commitment to conducting Privacy Impact Assessments for high-risk new projects, systems, or data flows, consistent with the OAIC's Guide to undertaking privacy impact assessments. PIAs are an established standard of practice under APP 1 and may become mandatory under proposed reforms to the Privacy Act 1988 (Cth). Forms-legal.com provides this template as a starting point for Australian data protection governance documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Protection Policy (Australia) (Australia) [Legal document template]. Forms Legal. https://forms-legal.com/australia/business/policies/data-protection-policy-australia
"Data Protection Policy (Australia) (Australia)." Forms Legal, 2026, https://forms-legal.com/australia/business/policies/data-protection-policy-australia.
@misc{formslegal-data-protection-policy-australia,
author = {{Forms Legal}},
title = {Data Protection Policy (Australia) (Australia)},
year = {2026},
howpublished = {\url{https://forms-legal.com/australia/business/policies/data-protection-policy-australia}},
note = {Free legal document template. Based on Corporations Act 2001 (Cth)}
}
Frequently Asked Questions
The Privacy Act 1988 (Cth) applies to: Australian Government agencies; private sector organisations with annual turnover above $3 million; health service providers (regardless of turnover); credit reporting bodies; employers that use employee records for non-employment purposes; and certain other prescribed entities. Small businesses with turnover below $3 million may still be covered if they handle health information or trade in personal information. Under Australian law, including the Corporations Act 2001 (Cth), parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under the Corporations Act 2001 (Cth), the Australian Securities and Investments Commission (ASIC) regulates companies and financial services. Section 127 of the Corporations Act 2001 governs company execution of documents. Forms-legal.com provides this template as a starting point for Australia-compliant documentation.
The 13 APPs govern: (1) open and transparent management of personal information; (2) anonymity and pseudonymity; (3) collection of solicited personal information; (4) dealing with unsolicited personal information; (5) notification of collection; (6) use or disclosure of personal information; (7) direct marketing; (8) cross-border disclosure; (9) adoption, use, or disclosure of government related identifiers; (10) quality; (11) security; (12) access; and (13) correction of personal information.
The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth) requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an eligible data breach occurs — that is, a breach likely to result in serious harm to affected individuals. Notification must be made as soon as practicable and no later than 30 days after a breach is assessed.
A Data Protection Policy (Australia) does not legally require a lawyer in Australia, and individuals and businesses may draft and execute the document independently. The Corporations Act 2001 (Cth) does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified Australian lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Federal Court of Australia has jurisdiction over disputes arising from this type of document, and the Australian Securities and Investments Commission (ASIC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
A Data Protection Policy (Australia) does not legally require a lawyer in Australia, though legal advice is recommended for complex transactions. Under Australian law, individuals may draft and execute this type of document independently. The Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010) provides consumer protections. However, the Australian Securities and Investments Commission (ASIC), Fair Work Commission (FWC), or state regulatory bodies may have specific requirements. For property transactions, state land registries and the Real Property Act require qualified conveyancers or solicitors. The Privacy Act 1988 (Cth) and Australian Privacy Principles impose obligations on parties handling personal data, and legal review confirms compliance. Where disputes arise, the Federal Court of Australia, state Supreme Courts, or relevant tribunals (NCAT, VCAT, QCAT) have jurisdiction. Forms-legal.com provides this template as a starting point — always review with a qualified Australian solicitor for significant transactions.
Related Documents
You may also find these documents useful:
Data Consent Form (Australia)
Obtain valid consent for the collection and use of personal information in Australia. Compliant with the Privacy Act 1988 (Cth), Australian Privacy Principles, and the Notifiable Data Breaches scheme. Covers data use, storage, third-party sharing, and withdrawal of consent.
Subject Access Request (Australia)
Request access to your personal information held by an organisation in Australia. Compliant with the Privacy Act 1988 (Cth) and Australian Privacy Principle 12, which gives individuals the right to access their personal information.
Data Processing Agreement (Australia)
As Australian businesses increasingly outsource data-intensive functions to third-party service providers — cloud platforms, payroll processors, CRM vendors, IT support companies, and analytics firms — the need for a formal Data Processing Agreement (DPA) has become critical. An Australian Data Processing Agreement is a contract that governs how a service provider (the Processor) handles personal information on behalf of an APP entity (the organisation responsible for that information), ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Australia does not have a regulation precisely equivalent to the European Union's GDPR Article 28, which mandates a written data processing agreement between controllers and processors. However, the Privacy Act 1988 (Cth) imposes obligations on APP entities that effectively require them to ensure service providers handling personal information on their behalf are contractually bound to appropriate privacy standards. Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. APP 2.1 provides that an individual must have the option of not identifying themselves or of using a pseudonym where lawful and practicable. The OAIC's Guide to Securing Personal Information identifies contractual arrangements with third parties as a key technical and organisational measure that APP entities should implement. The Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and now in Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an Eligible Data Breach occurs — that is, a breach likely to result in serious harm to one or more individuals. 
Where personal information is held by a service provider on behalf of an APP entity, the service provider may discover the breach first. A DPA should establish clear contractual obligations on the service provider to notify the APP entity promptly (the DPA should specify a timeframe shorter than the OAIC notification deadline) so the APP entity can assess whether the breach is notifiable and take required action. Cross-border disclosure of personal information is governed by Australian Privacy Principle 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the overseas recipient will handle the information in a manner consistent with the APPs. This is a particularly important consideration for Australian businesses using US-based cloud services (such as AWS, Azure, Google Cloud, or Salesforce), as the United States does not have a national privacy law equivalent to the APPs. A DPA should address whether the Processor may transfer or disclose personal information to overseas sub-processors and what safeguards must be in place. Under APP 8.2(b), an alternative is for the individual to consent to the overseas disclosure, but this is not always practicable. The Privacy Act 1988 (Cth) distinguishes between 'personal information' (broadly defined in s 6(1) as information or an opinion about an identified individual or an individual who is reasonably identifiable) and 'sensitive information' (a subset defined in s 6(1) to include health information, biometric information, genetic information, information about racial or ethnic origin, criminal records, religious beliefs, and other specified categories). Sensitive information attracts heightened protection under the APPs, particularly APP 3 (which requires consent for collection in most circumstances) and APP 6 (which restricts secondary use and disclosure). 
Where a Processor will handle sensitive information, the DPA should expressly acknowledge this and require enhanced security measures. The Australian Government released a revised Privacy Act Review Report in 2023, recommending significant reforms to the Privacy Act 1988 (Cth), including the introduction of a statutory tort of serious invasion of privacy, enhanced individual rights, and stronger enforcement powers for the OAIC. Businesses should monitor developments in Australian privacy law, as some of the recommended reforms may require updates to existing DPAs when legislation is enacted. Best practice for an Australian DPA — informed by the OAIC's guidance and aligned with international standards — includes: documented handling instructions from the APP entity to the Processor; restrictions on using personal information for the Processor's own purposes; security obligations aligned with APP 11 and the OAIC's Guide to Securing Personal Information; sub-processor controls; cross-border disclosure restrictions consistent with APP 8; breach notification obligations that dovetail with the NDB scheme; access and correction assistance for APPs 12 and 13; data destruction or de-identification obligations under APP 11.2 on termination; and audit rights for the APP entity. This Australian Data Processing Agreement template addresses all of these requirements. It uses Australian legal terminology (APP Entity rather than Controller, personal information rather than personal data, OAIC rather than ICO), references to the Privacy Act 1988 (Cth) and APPs, the NDB scheme under Part IIIC, and Australian business conventions including ABN identification and AUD pricing.