Privacy Policy (Australia)
What is a Privacy Policy (Australia)?
A Privacy Policy in Australia is a legally binding written instrument.
Under APP 1, every APP entity must have a clearly expressed and up-to-date Privacy Policy that is freely available to the public, typically on the entity’s website. The Privacy Policy must describe: what personal information the entity collects and holds; how it collects that information; the purposes for which it collects, holds, uses, and discloses personal information; whether it is likely to disclose personal information to overseas recipients and (if so) the countries where they are located; how an individual can access and seek correction of the personal information the entity holds about them; and how an individual can make a complaint about a breach of the APPs and how the entity will deal with such complaints.
The Privacy Act 1988 (Cth) was significantly strengthened by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which increased maximum penalties for serious or repeated interferences with privacy from AUD $2.1 million to AUD $50 million (or three times the value of any benefit obtained, or 30% of adjusted turnover in the period of the contravention, whichever is greater) for bodies corporate. Individual officers can also face personal liability. This reflects the Australian Government’s commitment to strengthening privacy protections in line with international standards.
The legal framework governing the Privacy Policy (Australia) in Australia draws on several key statutes and regulatory bodies. Under the Corporations Act 2001 (Cth), the Australian Securities and Investments Commission (ASIC) regulates companies and financial services. Section 127 of the Corporations Act 2001 governs company execution of documents. The Australian Competition and Consumer Commission (ACCC) enforces the Competition and Consumer Act 2010 (Cth). The Australian Taxation Office (ATO) administers the Goods and Services Tax under the A New Tax System (Goods and Services Tax) Act 1999. The Federal Court of Australia and Supreme Courts of each state have jurisdiction over corporate disputes. Parties executing a Privacy Policy (Australia) in Australia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Corporations Act 2001 (Cth) sets the foundational requirements.
When do you need a Privacy Policy (Australia)?
An Australian Privacy Policy is required in a wide range of circumstances. The most obvious requirement arises under the Privacy Act 1988 (Cth): if your organisation has an annual turnover exceeding AUD $3 million, APP 1 requires you to have a clearly expressed and up-to-date Privacy Policy that is freely available to the public.
However, a Privacy Policy is required or strongly recommended even if your organisation is below the $3 million turnover threshold, in several important situations. First, if your organisation trades in personal information for a benefit, service, or advantage — for example, a business model involving data brokering or selling customer data — the exemption for small businesses does not apply. Second, if you provide health services, you are subject to the Privacy Act regardless of turnover. Third, if you are a contracted service provider for the Commonwealth or a state government, contractual obligations may require privacy compliance. Fourth, major payment processors, app stores (including the Apple App Store and Google Play), and advertising platforms typically require you to have a Privacy Policy as a condition of using their services, regardless of your legal obligations.
Beyond legal and contractual requirements, having a transparent and thorough Privacy Policy is a fundamental element of customer trust. In an environment where data breaches are increasingly common and consumers are more privacy-conscious than ever, a well-drafted Privacy Policy demonstrates your commitment to handling personal information responsibly and can be a genuine competitive advantage.
If you operate a website, mobile app, e-commerce store, SaaS product, or any other digital service that collects personal information from Australian users — including names, email addresses, payment details, or usage data — you need an Australian-compliant Privacy Policy.
Parties in Australia should prepare a Privacy Policy (Australia) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What should a Privacy Policy (Australia) include?
A compliant Australian Privacy Policy must address all 13 Australian Privacy Principles and include several key elements prescribed by APP 1.4.
The description of personal information collected and how it is collected is the starting point. Under APP 3, you may only collect personal information that is reasonably necessary for your functions or activities. Your Privacy Policy must clearly describe what types of personal information you collect (e.g. names, contact details, financial information, health information, usage data) and how you collect it (e.g. directly from the individual, through cookies, from third parties).
The purpose of collection, use, and disclosure under APP 5 and APP 6 must be clearly explained. Individuals are entitled to know why their information is being collected before or at the time of collection. Under APP 6, personal information may generally only be used or disclosed for the primary purpose of collection or a related secondary purpose the individual would reasonably expect.
The direct marketing section under APP 7 is required if your organisation uses personal information to market goods or services. It must explain how individuals can opt out of direct marketing. Compliance with the Spam Act 2003 (Cth) should also be addressed.
The cross-border disclosure section under APP 8 is essential for any organisation using overseas cloud services, international payment processors, or overseas group companies. It must disclose the countries where personal information may be sent and the steps taken to confirm APP compliance.
The security of personal information section under APP 11 must describe the technical and organisational measures you take to protect personal information from misuse, interference, loss, and unauthorised access. It should also address the Notifiable Data Breaches (NDB) scheme.
The access and correction rights sections under APP 12 and APP 13 must explain how individuals can request access to and correction of their personal information, and how the organisation will respond to such requests.
The complaint handling process under APP 1 must explain how individuals can make a privacy complaint and describe the role of the OAIC as the external complaints authority.
Additional compliance elements for a Privacy Policy (Australia) used in Australia include: Under the Corporations Act 2001 (Cth), the Australian Securities and Investments Commission (ASIC) regulates companies and financial services. Section 127 of the Corporations Act 2001 governs company execution of documents. The Australian Competition and Consumer Commission (ACCC) enforces the Competition and Consumer Act 2010 (Cth). The Australian Taxation Office (ATO) administers the Goods and Services Tax under the A New Tax System (Goods and Services Tax) Act 1999. The Federal Court of Australia and Supreme Courts of each state have jurisdiction over corporate disputes. Forms-legal.com provides this template as a starting point for Australia-compliant documentation.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Mobile App Privacy Policy (Australia)
Generate a compliant Mobile App Privacy Policy for Australian iOS and Android apps. Covers the Privacy Act 1988 (Cth), all 13 Australian Privacy Principles, device permissions disclosure, push notifications, in-app purchases, analytics SDKs, children's data protection, App Tracking Transparency (iOS), Google Play Data Safety compliance, and the OAIC complaint process. Tailored for both Apple App Store and Google Play requirements.
Non-Disclosure Agreement (NDA) (Australia)
Protect your confidential business information under Australian common law with a legally sound Non-Disclosure Agreement (NDA). Whether you are sharing trade secrets with a prospective partner, disclosing proprietary technology to a developer, or presenting financial projections to a potential investor, a properly drafted Australian NDA keeps your sensitive information under strict legal protection. Our template complies with Australian contract law principles and includes provisions addressing the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Mutual Non-Disclosure Agreement (Australia)
Protect your confidential business information on a bilateral basis with an Australian Mutual Non-Disclosure Agreement. When both parties are sharing sensitive information with each other — as commonly occurs in joint venture negotiations, merger discussions, or technology partnerships — a mutual NDA provides equal protection for both sides. Our template complies with Australian common law and addresses the Privacy Act 1988 (Cth), ensuring enforceable bilateral confidentiality obligations across all Australian states and territories.