Data Retention Policy (Australia)
Organisation: [Organisation Name] (ABN [Organisation ABN])
Address: [Organisation Address], [Organisation Suburb], [Organisation State] [Organisation Postcode]
Effective Date: [Effective Date]
Next Review Date: [Review Date]
Policy Owner: [Privacy Officer]
1. PURPOSE
1.1 This Data Retention Policy (the “Policy”) sets out how [Organisation Name] (ABN [Organisation ABN]) (“the Organisation”) collects, holds, retains, and destroys or de-identifies personal information and business records.
1.2 This Policy is designed to ensure the Organisation complies with its obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), in particular APP 11 (Security of personal information) and APP 3 (Collection of solicited personal information), as well as its record-keeping obligations under applicable legislation including the Corporations Act 2001 (Cth), the Fair Work Act 2009 (Cth), the Taxation Administration Act 1953 (Cth), and, where the Organisation is a regulated service provider, the Telecommunications (Interception and Access) Act 1979 (Cth).
1.3 The Organisation recognises that retaining personal information beyond what is necessary for the purposes for which it was collected creates unnecessary risk of data breach, non-compliance, and reputational harm.
2. SCOPE
2.1 This Policy applies to all employees, contractors, volunteers, board members, and other persons who handle personal information or business records on behalf of the Organisation, whether in digital or physical form.
2.2 The categories of personal information and business records covered by this Policy include:
[Data Categories]
2.3 The primary systems and locations in which this data is held include:
[Data Storage Locations]
3. LEGAL FRAMEWORK
3.1 Privacy Act 1988 (Cth) and APPs: APP 11.1 requires the Organisation to take such steps as are reasonable in the circumstances to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. APP 11.2 requires the Organisation to take reasonable steps to destroy or de-identify personal information that: (a) is no longer needed for any purpose for which it may be used or disclosed under the APPs; and (b) is not required to be retained by or under an Australian law or a court or tribunal order. Retaining personal information beyond that point is itself a failure to comply with APP 11.2, independently of whether a breach occurs.
3.2 Notifiable Data Breaches (NDB) Scheme: Part IIIC of the Privacy Act 1988 (Cth) requires entities covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach. An eligible data breach is one that is likely to result in serious harm to any individuals whose information was involved. Limiting retention of personal information reduces the Organisation’s exposure to notifiable data breach obligations.
3.3 Telecommunications (Interception and Access) Act 1979 (Cth): Part 5-1A of the TIA Act (ss 187A to 187C) requires carriers, carriage service providers, and internet service providers to retain the telecommunications data (metadata) specified in s 187AA for a minimum of two years (s 187C). This obligation applies independently of this Policy and only to the extent the Organisation is a service provider regulated under that Part; it does not impose a metadata retention requirement on organisations that merely use telecommunications services.
3.4 Corporations Act 2001 (Cth): Section 286 requires companies to retain financial records for at least seven years from the date the transactions they record are completed, so that those records correctly record and explain the company’s transactions and financial position.
3.5 Fair Work Act 2009 (Cth): Section 535 requires employers to make and keep employee records (including payroll records, leave records, and overtime records) for seven years.
3.6 Taxation Administration Act 1953 (Cth): Entities must retain records relevant to their tax obligations for a minimum of five years from the date the records are prepared or obtained, or the transactions are completed, whichever is later, as required by the Australian Taxation Office. Records relevant to a disputed assessment or an unresolved objection must be kept until the dispute is finalised.
4. RETENTION SCHEDULE
4.1 The Organisation will retain different categories of records for the following minimum periods, after which the records must be reviewed for destruction or de-identification unless a retention exception applies:
4.2 Employee Records (including payroll, leave, performance, and personnel files): [Employee Records Period] years from termination of employment. The Fair Work Act 2009 (Cth) s 535 and the Fair Work Regulations 2009 require employee records to be kept for seven years from when they are made; counting the period from termination is the conservative reading and ensures the last records made are held for the full statutory period.
4.3 Financial Records (including accounts, invoices, tax records, and bank statements): [Financial Records Period] years from the date of the transaction. This reflects the requirements of the Corporations Act 2001 (Cth) s 286 (seven years) and the Taxation Administration Act 1953 (Cth) (five years); where both apply to the same record, the longer period governs.
4.4 Customer Records (including names, contact details, transaction history, and correspondence): [Customer Records Period] years from the date of the last transaction or the end of the commercial relationship. Records should be reviewed before this period expires to assess whether continued retention serves a legitimate purpose.
4.5 Communications Records (including emails, internal messaging, and telephone records): [Communications Records Period] years. The two-year metadata retention obligation under the Telecommunications (Interception and Access) Act 1979 (Cth) applies only to regulated service providers and does not require the Organisation to retain its own email or messaging content. Communications that evidence a contract, a financial transaction, or an employment matter fall within the relevant category above and take that category's period.
4.6 Contract Records (including agreements, correspondence, and related documents): [Contract Records Period] years from the expiry, termination, or completion of the contract. This reflects the applicable limitation periods under state and territory Limitation of Actions Acts (generally 6 years for simple contracts).
4.7 Records whose retention period has expired must be brought before the Privacy Officer for review. The Privacy Officer will determine whether: (a) a retention exception applies; (b) the records should be de-identified; or (c) the records should be destroyed in accordance with clause 5.
5. DESTRUCTION AND DE-IDENTIFICATION
5.1 When personal information is no longer required in accordance with the retention schedule in clause 4 and no exception in clause 6 applies, the Organisation must take reasonable steps to destroy or permanently de-identify that information.
5.2 The approved methods of destruction and de-identification are:
[Destruction Method]
5.3 The Privacy Officer will conduct a review of records for destruction or de-identification [Destruction Frequency]. Following each review, the Privacy Officer will maintain a destruction log recording: the categories of records destroyed or de-identified; the date of destruction; the method used; and the name of the person who authorised and carried out the destruction.
5.4 De-identification means the process by which personal information is altered in such a way that the individual's identity can no longer reasonably be ascertained, either from the information itself or in combination with other information the holder could reasonably obtain. Information that is only pseudonymised, masked, or keyed to a lookup table that the Organisation or a third party retains can be re-linked and therefore remains personal information subject to the APPs. The Organisation will apply de-identification only where the information retains analytical or business value and the de-identification is robust and irreversible.
5.5 Third-party service providers that hold personal information on behalf of the Organisation (including cloud storage providers, data processors, and managed service providers) must be required by contract to destroy or return personal information in accordance with this Policy on the termination of their engagement or on request.
6. RETENTION EXCEPTIONS
6.1 Personal information or business records must not be destroyed if:
(a) their retention is required by an Australian law or a court or tribunal order (including subpoenas, notices to produce, and preservation orders);
(b) the records are relevant to a pending or reasonably anticipated legal claim, regulatory investigation, complaint, or audit, and destruction might constitute contempt of court or obstruction of justice;
(c) the records are subject to an access request under the Privacy Act 1988 (Cth) or a Freedom of Information Act and the request has not been finally determined; or
(d) the Privacy Officer has determined that continued retention serves a legitimate and proportionate organisational purpose and the retention is consistent with the APPs.
6.2 Where an exception applies, the Privacy Officer must document the reason for continued retention and must schedule a further review at a date not more than twelve months from the date the exception is noted.
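The review cycle in clauses 4 to 6 (compute the end of the minimum period from the category's trigger event, hold records that fall under an exception, and log each destruction with the fields in clause 5.3) can be automated so the Privacy Officer reviews a generated list rather than combing systems by hand. The following is an added illustration and not part of the template: the category names, periods and trigger events are assumptions standing in for the [... Period] fields, the sample records are constructed, and the hash chain on the destruction log is an extra tamper-evidence measure the template does not require.

```python
"""Retention review pass and destruction log (illustrative, not part of the template).

Assumptions: SCHEDULE periods stand in for the template's [... Period] fields;
records and people named below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import json

# Assumed schedule: category -> (years after the trigger event, trigger event name).
SCHEDULE = {
    "employee": (7, "termination"),
    "financial": (7, "transaction"),
    "customer": (7, "last_transaction"),
    "contract": (6, "contract_end"),
}

@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date            # date of the category's trigger event
    legal_hold: bool = False      # clause 6.1(a)-(c) exception set by the Privacy Officer
    hold_reason: str = ""

def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def review_due(rec: Record) -> date:
    years, _ = SCHEDULE[rec.category]
    return add_years(rec.trigger_date, years)

def decide(rec: Record, today: date) -> str:
    """RETAIN while inside the minimum period, HOLD if an exception applies, else REVIEW."""
    if today < review_due(rec):
        return "RETAIN"
    if rec.legal_hold:
        return "HOLD"
    return "REVIEW"

def run_review(records, today: date) -> dict:
    """Outcome per record id; REVIEW items go to the Privacy Officer, nothing is destroyed here."""
    return {rec.record_id: decide(rec, today) for rec in records}

def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

@dataclass
class DestructionLog:
    """Clause 5.3 log: category, date, method, who authorised, who performed.
    Each entry carries the previous entry's hash so later edits are detectable."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def record(self, rec: Record, method: str, authorised_by: str, performed_by: str, when: date) -> dict:
        entry = {
            "record_id": rec.record_id,
            "category": rec.category,
            "date": when.isoformat(),
            "method": method,
            "authorised_by": authorised_by,
            "performed_by": performed_by,
            "prev_hash": self.last_hash,
        }
        entry["hash"] = _digest(entry)
        self.last_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry hashes correctly and links to its predecessor."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

# Constructed sample inventory (not real records).
SAMPLE_RECORDS = [
    Record("EMP-001", "employee", date(2016, 3, 1)),
    Record("FIN-042", "financial", date(2023, 1, 15)),
    Record("CUS-777", "customer", date(2015, 5, 20), legal_hold=True, hold_reason="subpoena"),
    Record("CON-010", "contract", date(2018, 6, 30)),
]

if __name__ == "__main__":
    today = date(2024, 6, 30)
    print(run_review(SAMPLE_RECORDS, today))
    log = DestructionLog()
    log.record(SAMPLE_RECORDS[0], "cross-cut shredding", "Privacy Officer", "Records Clerk", today)
    print(log.verify())
```

In this pass the employee file and the contract are due for review, the 2023 invoice is retained, and the customer record stays on hold despite being past its period. The log entry is written only after the Privacy Officer's decision, not by the review itself, matching clause 4.7.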
7. DATA BREACH RESPONSE
7.1 If the Organisation becomes aware of a suspected or actual data breach involving personal information retained under this Policy, it must follow the Organisation’s Data Breach Response Plan and assess whether the breach constitutes an “eligible data breach” for the purposes of Part IIIC of the Privacy Act 1988 (Cth).
7.2 Where the Organisation suspects that an eligible data breach may have occurred, it must carry out a reasonable and expeditious assessment and complete it within 30 days of becoming aware of the grounds for suspicion (s 26WH). Once the Organisation has reasonable grounds to believe an eligible data breach has occurred, it must prepare a statement for the Office of the Australian Information Commissioner (OAIC) and notify affected individuals as soon as practicable (ss 26WK and 26WL); the 30-day period limits the assessment and is not a window in which notification may be deferred.
7.3 Privacy enquiries, complaints, or reports of suspected data breaches should be directed to the Privacy Officer at: [Breach Contact Email].
8. ACCESS, TRAINING, AND ACCOUNTABILITY
8.1 Access to personal information held by the Organisation will be limited to staff and contractors who require that access to perform their role. Access controls will be reviewed [Destruction Frequency] by the Privacy Officer.
8.2 All staff and contractors who handle personal information must receive training on this Policy and the APPs as part of their induction and on an annual refresher basis.
8.3 The Privacy Officer is responsible for: administering this Policy; maintaining the retention schedule and destruction log; overseeing data breach response; responding to individual access and correction requests under APP 12 and APP 13; and reporting to the board or senior management on privacy and data retention compliance.
8.4 This Policy will be reviewed on or before [Review Date] and will be updated as required to reflect changes to law, business operations, or best practice guidance from the OAIC.
9. GOVERNING LAW
This Policy is governed by the laws of [Governing State], Australia, and the applicable Commonwealth legislation referenced above. Any dispute arising in connection with this Policy will be subject to the jurisdiction of the courts of [Governing State] and the Federal Court of Australia.
POLICY APPROVAL
Organisation: [Organisation Name]
ABN: [Organisation ABN]
Privacy Officer / Policy Owner: [Privacy Officer]
Effective Date: [Effective Date]
Next Review Date: [Review Date]
Authorised by:
Signature: ____________________________
Name: ________________________________
Title: ________________________________
Date: ________________________________
Authorised Signatory
________________
Signature
Date: ________________
What Is a Data Retention Policy (Australia)?
A Data Retention Policy in Australia sets the organisation's rules on how long personal information and business records are kept, who is responsible for reviewing and destroying them, and how destruction is recorded, supporting compliance with APP 11 of the Privacy Act 1988 (Cth) and the statutory record-keeping requirements of legislation such as the Corporations Act 2001 (Cth).
The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) apply to Australian Government agencies, private sector organisations with an annual turnover of more than $3 million, all health service providers, credit reporting bodies, and certain other entities. APP 11.1 requires these organisations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. APP 11.2 goes further, requiring organisations to take reasonable steps to destroy or permanently de-identify personal information that is no longer needed for any purpose for which it may lawfully be used or disclosed, and that is not required to be retained by law.
The Notifiable Data Breaches (NDB) scheme, established under Part IIIC of the Privacy Act, requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach (one likely to result in serious harm) as soon as practicable once they have reasonable grounds to believe it has occurred, and to complete the assessment of a suspected breach within 30 days. A sound data retention policy directly reduces the organisation's risk under the NDB scheme: information that has been destroyed cannot be breached, so the population of affected individuals, and with it the likelihood of serious harm, is smaller.
Australian law also imposes specific statutory minimum retention periods for many categories of records. The Corporations Act 2001 (Cth) requires companies to retain financial records for at least seven years. The Fair Work Act 2009 (Cth) requires employers to retain employee and payroll records for seven years. The Taxation Administration Act 1953 (Cth) requires tax records to be kept for five years. The Telecommunications (Interception and Access) Act 1979 (Cth) requires carriers and internet service providers to retain certain telecommunications metadata for two years. A data retention policy must reconcile these mandatory minimum retention periods with the APP 11.2 obligation to destroy personal information when no longer needed: the statutory minimum is a floor, not a licence to retain indefinitely.
The reform program that followed the 2022 Privacy Act Review is being implemented in stages. The first tranche, the Privacy and Other Legislation Amendment Act 2024 (Cth), introduced a statutory tort for serious invasions of privacy, a children's online privacy code, transparency requirements for automated decision-making, and expanded OAIC enforcement powers. Other recommendations, including removal of the small business exemption, a direct right of action, and mandatory privacy impact assessments for high-risk activities, remain subject to further legislation. Organisations that establish strong data retention policies now will be better positioned to comply with those reforms when they take effect.
The legal framework governing the Data Retention Policy (Australia) in Australia draws on several key statutes and regulatory bodies. Under the Corporations Act 2001 (Cth), the Australian Securities and Investments Commission (ASIC) regulates companies and financial services. Section 127 of the Corporations Act 2001 governs company execution of documents. The Australian Competition and Consumer Commission (ACCC) enforces the Competition and Consumer Act 2010 (Cth). The Australian Taxation Office (ATO) administers the Goods and Services Tax under the A New Tax System (Goods and Services Tax) Act 1999. The Federal Court of Australia and Supreme Courts of each state have jurisdiction over corporate disputes. Parties executing a Data Retention Policy (Australia) in Australia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Corporations Act 2001 (Cth) sets the foundational requirements.
When Do You Need a Data Retention Policy (Australia)?
Every organisation that holds personal information about customers, employees, or other individuals in Australia should have a written Data Retention Policy. The policy is particularly critical in the following circumstances.
Any organisation covered by the Privacy Act 1988 (Cth) — including businesses with a turnover exceeding $3 million, all health service providers, and any organisation contracted to the Australian Government — is legally required by APP 11 to take reasonable steps to destroy or de-identify personal information when it is no longer needed. A documented retention policy is strong evidence that the organisation has taken such steps. Without a policy, an organisation may retain personal information indefinitely, which increases both the risk of a data breach and regulatory exposure to the OAIC.
Businesses that handle sensitive personal information — such as health records, financial information, government identifiers, or information about children — face heightened obligations because a breach involving sensitive information is more likely to cause serious harm and therefore more likely to trigger notification obligations under the NDB scheme. A rigorous data retention policy that limits retention to what is strictly necessary directly reduces the scope of exposure.
Employers should adopt a data retention policy to manage employee records in accordance with the Fair Work Act 2009 (Cth), the Privacy Act 1988 (Cth), and state long service leave legislation. Employee records — which typically include payslips, leave records, performance reviews, and disciplinary records — must be retained for seven years under the Fair Work Act, but should generally be destroyed promptly after that period to comply with APP 11.2 and to limit the organisation's liability in the event of a breach.
Companies that engage third-party cloud providers, software-as-a-service (SaaS) platforms, or other data processors must confirm those processors handle and destroy personal information in accordance with the organisation's data retention policy. Under APP 8, an organisation that discloses personal information to an overseas recipient remains accountable for that recipient's compliance with the APPs. Including data retention and destruction requirements in contracts with third-party processors is essential.
Contracted service providers under Commonwealth contracts must comply with the Privacy Act regardless of their turnover, because the small business exemption does not extend to them. State and territory governments apply their own privacy and public records legislation to their suppliers. Government procurement at all levels increasingly requires suppliers to demonstrate privacy and data governance frameworks, including documented retention policies, as a condition of contract.
What to Include in Your Data Retention Policy (Australia)
A thorough Australian Data Retention Policy should include the following key elements to achieve effective legal compliance and operational clarity.
Purpose and Scope — Clearly identify the organisation's name, ABN, and the categories of personal information and business records covered by the policy. The policy should apply to all employees, contractors, and third parties who handle personal information on behalf of the organisation, whether in digital or physical form.
Legal Framework — Reference the specific legislative obligations that underpin the policy, including the Privacy Act 1988 (Cth), the APPs, the Notifiable Data Breaches scheme (Part IIIC), the Corporations Act 2001 (Cth), the Fair Work Act 2009 (Cth), the Taxation Administration Act 1953 (Cth), and, for regulated service providers, the Telecommunications (Interception and Access) Act 1979 (Cth). This demonstrates that the retention periods specified in the policy are grounded in law, not arbitrary choices.
Retention Schedule — Specify minimum retention periods for each category of records, aligned with the applicable mandatory minimum periods, and state the trigger event from which each period runs (termination, transaction date, contract end). The schedule should address employee records (7 years under the Fair Work Act), financial records (7 years under the Corporations Act), tax records (5 years), telecommunications metadata (2 years, only where the organisation is a service provider regulated under the TIA Act), contracts (generally 6 years from expiry for simple contracts and 12 years for deeds, longer in some states), and customer and marketing data (as long as commercially necessary and proportionate, then destroy).
Retention Exceptions — Document the circumstances in which personal information must not be destroyed notwithstanding the retention schedule. These include records subject to a legal hold (pending or anticipated litigation, regulatory investigation, or subpoena), records subject to an outstanding access request under the Privacy Act, and records whose retention is required by law or court order.
Approved Destruction and De-identification Methods — Specify the methods that may be used to destroy or de-identify records, with reference to the OAIC's APP guidelines and the ACSC's media sanitisation advice in the Information Security Manual. For digital records, specify secure overwriting or degaussing for magnetic media, and cryptographic erasure or physical destruction for flash storage (SSDs, USB drives), since degaussing has no effect on flash memory and overwriting it is unreliable. For paper records, specify cross-cut shredding or incineration by a certified destruction service. The policy should require a destruction log to be maintained.
Notifiable Data Breaches Response — Reference the organisation's data breach response plan and the obligations under Part IIIC of the Privacy Act: assess a suspected breach within 30 days, and notify the OAIC and affected individuals as soon as practicable once an eligible data breach is reasonably believed to have occurred. Provide the privacy officer's contact details for reporting suspected breaches.
Accountability and Review — Designate a Privacy Officer responsible for administering the policy, maintaining the retention schedule, overseeing destruction activities, and reporting to senior management. Specify a review date (at minimum annually) and commit to updating the policy to reflect changes in law, technology, or business operations.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Retention Policy (Australia) (Australia) [Legal document template]. Forms Legal. https://forms-legal.com/australia/business/policies/data-retention-policy-australia
"Data Retention Policy (Australia) (Australia)." Forms Legal, 2026, https://forms-legal.com/australia/business/policies/data-retention-policy-australia.
@misc{formslegal-data-retention-policy-australia,
author = {{Forms Legal}},
title = {Data Retention Policy (Australia) (Australia)},
year = {2026},
howpublished = {\url{https://forms-legal.com/australia/business/policies/data-retention-policy-australia}},
note = {Free legal document template. Based on Corporations Act 2001 (Cth)}
}
Frequently Asked Questions
The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) apply to 'APP entities', which are broadly defined as: (1) Australian Government agencies; (2) private sector organisations and not-for-profit organisations with an annual turnover of more than $3 million; (3) health service providers, regardless of turnover; (4) credit reporting bodies; (5) organisations that trade in personal information; and (6) organisations that have opted in. Small businesses with turnover of $3 million or less are generally exempt, but this threshold may be removed by upcoming reforms to the Privacy Act. Importantly, all organisations — regardless of size — must comply with the Privacy Act if they are contracted to provide services to the Australian Government. The Office of the Australian Information Commissioner (OAIC) has the power to investigate complaints, conduct assessments, and seek civil penalties of up to $50 million for serious or repeated interferences with privacy.
Australian Privacy Principle 11 (Security of personal information) imposes two key obligations on APP entities. APP 11.1 requires entities to take such steps as are reasonable in the circumstances to protect personal information they hold from misuse, interference, loss, and unauthorised access, modification, or disclosure — essentially a data security obligation. APP 11.2 requires an entity to take reasonable steps to destroy or permanently de-identify personal information if: (a) the entity no longer needs the information for any purpose for which it may be used or disclosed under the APPs; and (b) the information is not required to be retained by or under an Australian law or a court or tribunal order. 'Destroy' means to irreversibly eliminate the information. 'De-identify' means to remove or alter information so that the individual is no longer reasonably identifiable, including by combination with other available data. Failure to comply with APP 11.2 by retaining personal information longer than necessary is an interference with privacy that can result in regulatory action by the OAIC.
Australian law prescribes mandatory minimum retention periods for many categories of business records. Under the Corporations Act 2001 (Cth) s 286, companies must retain financial records for at least seven years from the date the transactions are completed. The Fair Work Act 2009 (Cth) s 535 requires employers to retain employee records — including payroll records, leave records, and any other record required by the Fair Work Regulations 2009 — for seven years. Under the Taxation Administration Act 1953 (Cth), entities must retain records relevant to their tax obligations for five years from the date the records are prepared, obtained, or the relevant transactions are completed. Pursuant to Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth) (ss 187A to 187C), carriers and internet service providers must retain the telecommunications data (metadata) specified in s 187AA for two years. For contracts, the applicable limitation periods under state and territory Limitation of Actions Acts (generally six years for simple contracts and twelve years for deeds, longer in some states) determine the prudent minimum retention period.
Under Part IIIC of the Privacy Act 1988 (Cth), APP entities must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable after forming reasonable grounds to believe an 'eligible data breach' has occurred. An eligible data breach is defined as one that: (a) involves unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the entity; (b) is likely to result in serious harm to any individual whose information is involved; and (c) has not been prevented from causing serious harm by remedial action taken by the entity. Serious harm is determined by reference to factors including the nature and sensitivity of the information, the number of individuals affected, whether the information is protected by security measures such as encryption, and whether it could be used for fraud or identity theft. If the entity only suspects a breach has occurred, it has 30 days to carry out an assessment of whether the incident constitutes an eligible data breach; this is a limit on the assessment, not a grace period for notification. The notification to affected individuals must include the name of the entity, a description of the breach, the kinds of information involved, and steps individuals should take to protect themselves.
The OAIC's guidance on APP 11.2 makes clear that 'reasonable steps' to destroy personal information require a method that is irreversible and that reaches all copies of the information, including backups and data held by third-party processors; where information held in a backup cannot be selectively deleted, the guidance expects it to be put beyond use until the backup itself is destroyed. For digital records, reasonable methods include secure overwriting and degaussing of magnetic media, and cryptographic erasure or physical destruction for flash storage (SSDs, USB and NVMe drives), since degaussing does not sanitise flash memory and overwriting it is unreliable because of wear levelling. Physical destruction should use a reputable certified destruction service that provides a certificate of destruction. For paper records, cross-cut or micro-cut shredding (to security level P-4 or above under DIN 66399 / ISO/IEC 21964) or incineration is appropriate. De-identification requires that any information remaining after the process cannot reasonably identify the individual, either directly or in combination with other data. The OAIC and the Australian Cyber Security Centre (ACSC) both publish guidance on acceptable destruction methods. Maintaining a destruction log — recording what was destroyed, when, by what method, and by whom — is strongly recommended as evidence of compliance.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Privacy Policy (Australia)
Create a compliant Australian Privacy Policy for your business or website. Our template is drafted in accordance with the Privacy Act 1988 (Cth) and covers all 13 Australian Privacy Principles (APPs), including APP 1 (open management), APP 5 (notification), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 11 (security), APP 12 (access), and APP 13 (correction). Includes the Notifiable Data Breaches scheme, OAIC complaint process, and the $3 million turnover threshold explanation.
Data Processing Agreement (Australia)
As Australian businesses increasingly outsource data-intensive functions to third-party service providers — cloud platforms, payroll processors, CRM vendors, IT support companies, and analytics firms — the need for a formal Data Processing Agreement (DPA) has become critical. An Australian Data Processing Agreement is a contract that governs how a service provider (the Processor) handles personal information on behalf of an APP entity (the organisation responsible for that information), ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Australia does not have a regulation precisely equivalent to the European Union's GDPR Article 28, which mandates a written data processing agreement between controllers and processors. However, the Privacy Act 1988 (Cth) imposes obligations on APP entities that effectively require them to ensure service providers handling personal information on their behalf are contractually bound to appropriate privacy standards. Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. APP 2.1 provides that an individual must have the option of not identifying themselves or of using a pseudonym where lawful and practicable. The OAIC's Guide to Securing Personal Information identifies contractual arrangements with third parties as a key technical and organisational measure that APP entities should implement. The Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and now in Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an Eligible Data Breach occurs — that is, a breach likely to result in serious harm to one or more individuals. 
Where personal information is held by a service provider on behalf of an APP entity, the service provider may discover the breach first. A DPA should establish clear contractual obligations on the service provider to notify the APP entity promptly (the DPA should specify a timeframe shorter than the OAIC notification deadline) so the APP entity can assess whether the breach is notifiable and take required action. Cross-border disclosure of personal information is governed by Australian Privacy Principle 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the overseas recipient will handle the information in a manner consistent with the APPs. This is a particularly important consideration for Australian businesses using US-based cloud services (such as AWS, Azure, Google Cloud, or Salesforce), as the United States does not have a national privacy law equivalent to the APPs. A DPA should address whether the Processor may transfer or disclose personal information to overseas sub-processors and what safeguards must be in place. Under APP 8.2(b), an alternative is for the individual to consent to the overseas disclosure, but this is not always practicable. The Privacy Act 1988 (Cth) distinguishes between 'personal information' (broadly defined in s 6(1) as information or an opinion about an identified individual or an individual who is reasonably identifiable) and 'sensitive information' (a subset defined in s 6(1) to include health information, biometric information, genetic information, information about racial or ethnic origin, criminal records, religious beliefs, and other specified categories). Sensitive information attracts heightened protection under the APPs, particularly APP 3 (which requires consent for collection in most circumstances) and APP 6 (which restricts secondary use and disclosure). 
Where a Processor will handle sensitive information, the DPA should expressly acknowledge this and require enhanced security measures. The Australian Government released a revised Privacy Act Review Report in 2023, recommending significant reforms to the Privacy Act 1988 (Cth), including the introduction of a statutory tort of serious invasion of privacy, enhanced individual rights, and stronger enforcement powers for the OAIC. Businesses should monitor developments in Australian privacy law, as some of the recommended reforms may require updates to existing DPAs when legislation is enacted. Best practice for an Australian DPA — informed by the OAIC's guidance and aligned with international standards — includes: documented handling instructions from the APP entity to the Processor; restrictions on using personal information for the Processor's own purposes; security obligations aligned with APP 11 and the OAIC's Guide to Securing Personal Information; sub-processor controls; cross-border disclosure restrictions consistent with APP 8; breach notification obligations that dovetail with the NDB scheme; access and correction assistance for APPs 12 and 13; data destruction or de-identification obligations under APP 11.2 on termination; and audit rights for the APP entity. This Australian Data Processing Agreement template addresses all of these requirements. It uses Australian legal terminology (APP Entity rather than Controller, personal information rather than personal data, OAIC rather than ICO), references to the Privacy Act 1988 (Cth) and APPs, the NDB scheme under Part IIIC, and Australian business conventions including ABN identification and AUD pricing.
Non-Disclosure Agreement (NDA) (Australia)
Protect your confidential business information under Australian common law with a legally sound Non-Disclosure Agreement (NDA). Whether you are sharing trade secrets with a prospective partner, disclosing proprietary technology to a developer, or presenting financial projections to a potential investor, a properly drafted Australian NDA keeps your sensitive information under strict legal protection. Our template complies with Australian contract law principles and includes provisions addressing the Privacy Act 1988 (Cth) and the Australian Privacy Principles.