Privacy Policy (Australia)
Effective Date: [Effective Date]
This Privacy Policy explains how [Organisation Name] ([ABN/ACN]) (“we”, “us”, or “our”) collects, uses, discloses, stores, and protects personal information in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) contained in Schedule 1 of that Act.
This Policy applies to all personal information we collect through our website at [Website URL], our products and services, and any other means by which you interact with us. By using our website or services, you acknowledge that you have read and understood this Privacy Policy.
1. ABOUT THIS POLICY (APP 1)
1.1 We are committed to managing personal information in an open and transparent manner, as required by Australian Privacy Principle 1 (APP 1). This Privacy Policy is publicly available on our website and sets out how we manage personal information.
1.2 If you have any questions or concerns about how we handle your personal information, or if you wish to make a complaint, you may contact our Privacy Officer using the contact details set out in clause 8 of this Policy.
2. PERSONAL INFORMATION WE COLLECT (APP 3)
2.1 We collect only such personal information as is reasonably necessary for our functions and activities, in accordance with Australian Privacy Principle 3 (APP 3). The types of personal information we collect include: [Personal Information Types].
2.2 We collect personal information in the following ways: [Collection Methods].
2.3 Where it is reasonable and practicable to do so, we collect personal information directly from the individual concerned. Where we collect personal information about an individual from a third party, we will take reasonable steps to ensure the individual is aware that we have collected that information and the circumstances of collection.
2.4 You are not obliged to provide us with your personal information. However, if you choose not to provide certain information, we may not be able to provide you with some or all of our products and services.
3. HOW WE USE YOUR PERSONAL INFORMATION (APP 5 & APP 6)
3.1 We use personal information for the following primary purposes: [Collection Purpose].
3.2 We may also use your personal information for secondary purposes that are directly related to a primary purpose listed above and where you would reasonably expect us to use it for that secondary purpose, or where we have obtained your consent.
3.3 We will not use or disclose personal information collected for one purpose for another purpose (an unrelated secondary purpose) without your consent, unless otherwise required or authorised by law.
4. DISCLOSURE OF PERSONAL INFORMATION (APP 6)
4.1 We may disclose your personal information to third parties in the following circumstances:
- to our employees, contractors, and related bodies corporate who require access to perform our functions and activities;
- to service providers engaged to assist us in providing our services, such as IT service providers, payment processors, and analytics providers, who are bound by confidentiality and data protection obligations;
- to government agencies, regulators, or law enforcement bodies where required or authorised by law;
- with your consent; or
- where permitted or required under the Privacy Act 1988 (Cth).
4.2 We require all third parties to whom we disclose personal information to protect that information in a manner consistent with this Privacy Policy and the Australian Privacy Principles.
5. SECURITY OF PERSONAL INFORMATION (APP 11)
5.1 We take reasonable steps to protect the personal information we hold from misuse, interference, loss, and unauthorised access, modification, or disclosure, in accordance with Australian Privacy Principle 11 (APP 11). Our security measures include: [Security Measures].
5.2 Despite our reasonable security measures, no data transmission over the internet or electronic storage system is entirely secure. We cannot guarantee the absolute security of personal information transmitted to or from us.
5.3 We retain personal information only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our general data retention practices are: [Retention Period]. When personal information is no longer required, we will take reasonable steps to destroy or de-identify it.
5.4 In the event of a data breach that is likely to result in serious harm to any individual, we will comply with our obligations under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988 (Cth), including notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) as required.
6. ACCESS TO YOUR PERSONAL INFORMATION (APP 12)
6.1 Under Australian Privacy Principle 12 (APP 12), you have the right to access personal information we hold about you. To make an access request, please contact us using the details in clause 8 of this Policy.
6.2 We will respond to your access request within 30 days. In some circumstances, we may refuse access or limit the information we provide, for example where access would be unlawful, would prejudice an investigation or enforcement activity, or would unreasonably affect the privacy of other individuals. If we refuse or limit access, we will give you written notice explaining our reasons.
6.3 We do not generally charge a fee for making an access request. However, if responding to your request involves significant time and resources, we may charge a reasonable fee. We will inform you of any applicable fee before proceeding with your request.
7. CORRECTION OF PERSONAL INFORMATION (APP 13)
7.1 Under Australian Privacy Principle 13 (APP 13), you have the right to request that we correct personal information we hold about you that you believe is inaccurate, out of date, incomplete, irrelevant, or misleading. To request a correction, please contact us using the details in clause 8.
7.2 We will consider your correction request and take reasonable steps to correct the information within 30 days. If we refuse to correct the information, we will give you written notice explaining our reasons and informing you that you may associate a statement with the information noting that you requested the correction.
8. CONTACT US AND COMPLAINTS PROCESS
8.1 For any privacy enquiries, access or correction requests, or complaints about how we handle your personal information, please contact our Privacy Officer:
[Organisation Name]
Postal address: [Contact Address]
Email: [Privacy Email]
Phone: [Phone Number]
8.2 We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
Office of the Australian Information Commissioner
GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992
Website: www.oaic.gov.au
8.3 The OAIC can investigate complaints and require us to take action to remedy any breach of the Australian Privacy Principles. Complaints to the OAIC are free of charge.
9. APPLICABILITY OF THE PRIVACY ACT 1988 (CTH)
9.1 The Privacy Act 1988 (Cth) and the Australian Privacy Principles generally apply to organisations with an annual turnover of more than AUD $3 million, and to all Commonwealth agencies. Certain small businesses with an annual turnover of AUD $3 million or less are exempt from the Act unless they engage in specified activities (such as trading in personal information, operating a health service, or being a contracted service provider for a Commonwealth contract).
9.2 Even where the Privacy Act 1988 (Cth) does not legally require us to comply, we voluntarily commit to complying with the Australian Privacy Principles as a matter of best practice and to build trust with our customers and users.
10. CHANGES TO THIS PRIVACY POLICY
10.1 We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will notify you by posting the updated Privacy Policy on our website at [Website URL] and updating the Effective Date at the top of this Policy.
10.2 We encourage you to review this Privacy Policy periodically. Your continued use of our website or services after the publication of any updated Privacy Policy constitutes your acceptance of the updated terms.
What Is a Privacy Policy (Australia)?
A Privacy Policy in Australia sets the organisation's rules and expectations on privacy and the responsibilities of staff and users, supporting compliance with the Corporations Act 2001 (Cth).
Under APP 1, every APP entity must have a clearly expressed and up-to-date Privacy Policy that is freely available to the public, typically on the entity’s website. The Privacy Policy must describe: what personal information the entity collects and holds, how it collects that information, the purposes for which it collects, holds, uses, and discloses personal information, whether it is likely to disclose personal information to overseas recipients and (if so) the countries where they are located, and how an individual can access and seek correction of the personal information the entity holds about them, make a complaint about a breach of the APPs, and how the entity will deal with such complaints.
The Privacy Act 1988 (Cth) was significantly strengthened by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which increased maximum penalties for serious or repeated interferences with privacy from AUD $2.1 million to AUD $50 million (or three times the value of any benefit obtained, or 30% of adjusted turnover in the period of the contravention, whichever is greater) for bodies corporate. Individual officers can also face personal liability. This reflects the Australian Government’s commitment to strengthening privacy protections in line with international standards.
The legal framework governing the Privacy Policy (Australia) in Australia draws on several key statutes and regulatory bodies. Under the Corporations Act 2001 (Cth), the Australian Securities and Investments Commission (ASIC) regulates companies and financial services. Section 127 of the Corporations Act 2001 governs company execution of documents. The Australian Competition and Consumer Commission (ACCC) enforces the Competition and Consumer Act 2010 (Cth). The Australian Taxation Office (ATO) administers the Goods and Services Tax under the A New Tax System (Goods and Services Tax) Act 1999. The Federal Court of Australia and Supreme Courts of each state have jurisdiction over corporate disputes. Parties executing a Privacy Policy (Australia) in Australia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Corporations Act 2001 (Cth) sets the foundational requirements.
When Do You Need a Privacy Policy (Australia)?
An Australian Privacy Policy is required in a wide range of circumstances. The most obvious requirement arises under the Privacy Act 1988 (Cth): if your organisation has an annual turnover exceeding AUD $3 million, APP 1 requires you to have a clearly expressed and up-to-date Privacy Policy that is freely available to the public.
However, a Privacy Policy is required or strongly recommended even if your organisation is below the $3 million turnover threshold, in several important situations. First, if your organisation trades in personal information for a benefit, service, or advantage — for example, a business model involving data brokering or selling customer data — the exemption for small businesses does not apply. Second, if you provide health services, you are subject to the Privacy Act regardless of turnover. Third, if you are a contracted service provider for the Commonwealth or a state government, contractual obligations may require privacy compliance. Fourth, major payment processors, app stores (including the Apple App Store and Google Play), and advertising platforms typically require you to have a Privacy Policy as a condition of using their services, regardless of your legal obligations.
Beyond legal and contractual requirements, having a transparent and thorough Privacy Policy is a fundamental element of customer trust. In an environment where data breaches are increasingly common and consumers are more privacy-conscious than ever, a well-drafted Privacy Policy demonstrates your commitment to handling personal information responsibly and can be a genuine competitive advantage.
If you operate a website, mobile app, e-commerce store, SaaS product, or any other digital service that collects personal information from Australian users — including names, email addresses, payment details, or usage data — you need an Australian-compliant Privacy Policy.
Parties in Australia should prepare a Privacy Policy (Australia) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Privacy Policy (Australia)
A compliant Australian Privacy Policy must address all 13 Australian Privacy Principles and include several key elements prescribed by APP 1.4.
The description of personal information collected and how it is collected is the starting point. Under APP 3, you may only collect personal information that is reasonably necessary for your functions or activities. Your Privacy Policy must clearly describe what types of personal information you collect (e.g. names, contact details, financial information, health information, usage data) and how you collect it (e.g. directly from the individual, through cookies, from third parties).
The purpose of collection, use, and disclosure under APP 5 and APP 6 must be clearly explained. Individuals are entitled to know why their information is being collected before or at the time of collection. Under APP 6, personal information may generally only be used or disclosed for the primary purpose of collection or a related secondary purpose the individual would reasonably expect.
The direct marketing section under APP 7 is required if your organisation uses personal information to market goods or services. It must explain how individuals can opt out of direct marketing. Compliance with the Spam Act 2003 (Cth) should also be addressed.
The cross-border disclosure section under APP 8 is essential for any organisation using overseas cloud services, international payment processors, or overseas group companies. It must disclose the countries where personal information may be sent and the steps taken to confirm APP compliance.
The security of personal information section under APP 11 must describe the technical and organisational measures you take to protect personal information from misuse, interference, loss, and unauthorised access. It should also address the Notifiable Data Breaches (NDB) scheme.
The access and correction rights sections under APP 12 and APP 13 must explain how individuals can request access to and correction of their personal information, and how the organisation will respond to such requests.
The complaint handling process under APP 1 must explain how individuals can make a privacy complaint and describe the role of the OAIC as the external complaints authority.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Privacy Policy (Australia) (Australia) [Legal document template]. Forms Legal. https://forms-legal.com/australia/business/policies/privacy-policy-australia
Frequently Asked Questions
The Privacy Act 1988 (Cth) requires organisations with an annual turnover of more than AUD $3 million to have a clearly expressed and up-to-date Privacy Policy under Australian Privacy Principle 1 (APP 1). However, even if your business has a turnover below $3 million, you may still be required to comply with the Privacy Act if you provide health services, trade in personal information, are a Commonwealth contracted service provider, or operate a residential tenancy database. Additionally, many state and territory-based laws, as well as contractual obligations from payment processors, app stores, and business partners, may independently require you to have a Privacy Policy regardless of your turnover. Under Australian law, including the Corporations Act 2001 (Cth), parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements.
The 13 Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) set out legally binding standards for how APP entities (organisations and Commonwealth agencies subject to the Act) must handle personal information. APP 1 requires open and transparent management of personal information and a publicly available Privacy Policy. APP 2 allows individuals to use a pseudonym or remain anonymous where lawful and practicable. APP 3 restricts collection of personal information to what is reasonably necessary. APP 4 deals with unsolicited personal information. APP 5 requires notification of the collection of personal information. APP 6 restricts use and disclosure of personal information. APP 7 regulates direct marketing. APP 8 governs cross-border disclosure. APP 9 restricts use of government-related identifiers. APP 10 requires accuracy of personal information. APP 11 requires security of personal information. APP 12 gives individuals the right to access their personal information. APP 13 gives individuals the right to correction of their personal information.
The Notifiable Data Breaches (NDB) scheme, introduced in Part IIIC of the Privacy Act 1988 (Cth) in February 2018, requires organisations covered by the Privacy Act to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm to any individual. A data breach is an eligible data breach if it involves unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm. The OAIC must be notified as soon as practicable after the entity becomes aware of the breach. Failure to comply with the NDB scheme can result in civil penalties of up to AUD $2.22 million for serious or repeated interferences with privacy under the Privacy Act 1988 (Cth).
Direct marketing in Australia is regulated by two overlapping frameworks. Australian Privacy Principle 7 (APP 7) under the Privacy Act 1988 (Cth) restricts how organisations may use personal information for direct marketing — generally requiring either consent or a direct relationship with the individual and the provision of an opt-out mechanism. The Spam Act 2003 (Cth) separately regulates commercial electronic messages (including emails, SMS, and MMS), requiring that such messages are only sent with consent (express or inferred), identify the sender, and include a functional unsubscribe mechanism. The Australian Communications and Media Authority (ACMA) enforces the Spam Act and can impose substantial penalties for breaches. A Privacy Policy should address both APP 7 and the Spam Act if your organisation sends marketing communications.
Australian Privacy Principle 8 (APP 8) applies when an Australian APP entity discloses personal information to an overseas recipient — which includes uploading personal information to servers located overseas, using overseas cloud services, or sharing personal information with overseas subsidiaries or service providers. Before disclosing personal information overseas, the Australian entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information (APP 8.1). This typically means entering into contractual arrangements that require overseas recipients to comply with standards equivalent to the APPs. Alternatively, the Australian entity may obtain the individual's consent to the cross-border disclosure after informing them that the usual APP protections may not apply (APP 8.2(b)). Importantly, even where personal information is shared with an overseas recipient with whom the entity has an APP 8.1 arrangement, the Australian entity remains accountable if the overseas recipient breaches the APPs.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.