
Data Access Request (Australia)

Maintained by Vladislav Sergienko, Founder

What is a Data Access Request (Australia)?

A Data Access Request in Australia is a legally binding written instrument.

The Privacy Act 1988 (Cth) is Australia's principal federal privacy legislation. It establishes 13 Australian Privacy Principles (APPs) that govern how APP entities collect, use, hold, disclose, and provide access to personal information. APP 12 creates the access right: any individual may request that an APP entity provide them with access to personal information it holds about them. APP 13 creates the correction right: any individual may request that an APP entity correct personal information it holds that is inaccurate or otherwise deficient.

Personal information under the Privacy Act 1988 (Cth) is broadly defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true, and whether or not it is recorded in a material form. This covers a wide range of data including names, addresses, dates of birth, financial information, employment records, health and medical information, location data, biometric information, photographs, and online identifiers.

A formally drafted data access request letter is important because: it creates a clear written record of the date of the request and the information sought (starting the 30-day response clock); it demonstrates the individual's knowledge of their legal rights under APP 12; it identifies the individual's preferred format for receiving the information; it provides proof of identity documents; and it includes a correction request under APP 13 if needed. A well-drafted letter significantly increases the likelihood of a complete and timely response from the organisation.

The legal framework governing the Data Access Request (Australia) in Australia draws on several key statutes and regulatory bodies. Under Australian law, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) govern personal data in this document. The Australian Consumer Law (Schedule 2, Competition and Consumer Act 2010) provides consumer guarantees under Sections 51-54. The Federal Circuit and Family Court of Australia has jurisdiction over family law matters under the Family Law Act 1975 (Cth). The Australian Financial Complaints Authority (AFCA) handles consumer financial disputes. State and territory Magistrates Courts handle small civil claims. Parties executing a Data Access Request (Australia) in Australia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Australian Consumer Law (Competition and Consumer Act 2010, Schedule 2) sets the foundational requirements.

When do you need a Data Access Request (Australia)?

A Data Access Request is needed whenever an individual wishes to obtain a copy of personal information held about them by any Australian Government agency or private sector organisation subject to the Privacy Act 1988 (Cth), and particularly in the following circumstances.

Financial and credit information: Individuals may wish to request access to personal information held by banks, credit card companies, mortgage lenders, insurers, or credit reporting bodies — particularly if they have been denied credit or insurance, or if they suspect their credit file contains inaccurate information. Credit reporting bodies such as Equifax, Experian, and illion are required to provide a free copy of an individual's credit report on request under Part IIIA of the Privacy Act 1988 (Cth).

Health and medical information: Patients have the right to access their medical records, test results, clinical notes, and treatment histories held by hospitals, general practitioners, specialists, allied health providers, and health insurers. Requests are particularly important before changing providers, seeking a second opinion, or resolving a dispute about medical treatment or insurance claims.

Employment records: Employees who have been dismissed, disciplined, or denied a promotion may wish to request access to their personnel file, performance reviews, disciplinary records, or any internal assessments or notes held by a former or current employer. Note that under APP 12.3(c), the employment records exemption may apply if the information relates to a current employee in the context of an employment relationship — legal advice should be sought in this context.

Government agency records: Individuals may request access to personal information held by the Australian Taxation Office, the Department of Home Affairs, Services Australia (Centrelink, Medicare), the Australian Federal Police, or any other federal government agency. For federal agencies, the Freedom of Information Act 1982 (Cth) provides a parallel and sometimes broader access mechanism that covers all agency documents, not just personal information.

Data breach response: Following a notifiable data breach under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988 (Cth)), individuals affected by a breach may wish to request access to determine exactly what information about them was held and disclosed.

Pre-litigation discovery: A data access request can be used as a cost-effective pre-litigation mechanism to obtain information about the data an organisation holds before commencing formal legal proceedings.

What a Data Access Request (Australia) should include

An effective Australian Data Access Request must include several key elements to ensure it is legally clear, triggers the 30-day response obligation under APP 12.4, and is difficult for the organisation to ignore or dismiss on procedural grounds.

Clear identification of the requester: Your full legal name, current residential address, email address, and phone number. This enables the organisation to identify your records and to respond to the request. Under APP 12.3, the organisation may require proof of identity before providing access, so be prepared to provide a copy of your driver licence, passport, or Medicare card.

Identification of the organisation: The full legal name of the APP entity, addressed to the Privacy Officer or appropriate contact. If the Privacy Officer's name is unknown, address the request to 'The Privacy Officer'.

Account and reference information: Any customer ID, account number, policy number, employee ID, or other identifier held by the organisation. This assists the organisation in locating your records quickly and avoids delays caused by the organisation being unable to identify which records relate to you.

Clear legal basis: An express reference to Australian Privacy Principle 12 of the Privacy Act 1988 (Cth) and a statement that you are making a formal access request under that provision. This removes any ambiguity about the nature of the request and triggers the organisation's formal obligations under the Act.

Specific description of information sought: A clear and specific description of the categories of personal information you are requesting. A well-scoped request — for example, listing specific types of information such as account records, medical information, communications, or credit-related information — is easier for the organisation to respond to and reduces the risk of a partial or incomplete response.

Preferred format: A statement of the format in which you wish to receive the information — electronic copy by email, printed copy by post, or inspection in person. APP 12.5 requires the entity to give access in the manner requested if it is reasonable and practicable.

Identity verification offer: A statement of the identity documents you are prepared to provide, enabling the organisation to verify your identity promptly.

Correction request (if needed): If any of the information held about you is inaccurate or out of date, a clear description of what needs to be corrected and the correct information, making the correction request expressly under APP 13 of the Privacy Act 1988 (Cth).

Response deadline: A date by which you require the organisation to respond — generally 30 days from the date of the request — and a statement that you will lodge a complaint with the OAIC if no response is received by that date. This puts the organisation on notice of the consequence of non-compliance. The forms-legal.com Data Access Request (Australia) template covers the mandatory elements under Australian Consumer Law (Competition and Consumer Act 2010, Schedule 2).

Based on Australian Consumer Law (Competition and Consumer Act 2010, Schedule 2) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.

Related Documents

You may also find these documents useful:

Complaint Letter (Australia)

Create a formal Australian Complaint Letter to a business or government agency under the Australian Consumer Law and other applicable legislation. This template is designed for consumers and businesses lodging complaints about defective goods, deficient services, misleading conduct, billing errors, privacy breaches, government services, and financial products — covering the full scope of consumer protection rights in Australia. The Australian Consumer Law (ACL), set out in Schedule 2 to the Competition and Consumer Act 2010 (Cth) and applying as a law of each Australian state and territory, provides consumers with powerful and non-excludable rights. Sections 54 to 59 of the ACL establish consumer guarantees for goods — including that goods must be of acceptable quality (s 54), fit for a disclosed purpose (s 55), match their description (s 56), and be accompanied by full title (s 51). Sections 60 to 62 provide consumer guarantees for services — including that services must be rendered with due care and skill (s 60), be fit for any purpose made known to the supplier (s 61), and be completed within a reasonable time (s 62). These guarantees apply automatically to all supplies of goods or services to consumers (defined as individuals purchasing goods or services for personal, domestic, or household use, or businesses purchasing goods worth less than $100,000 for business use). They cannot be excluded, restricted, or modified by any contract term. Where a consumer guarantee failure has occurred, the consumer's remedies depend on whether the failure is major or minor. A major failure includes goods that are unsafe, substantially unfit for purpose, do not match their description, or a reasonable consumer would not have bought them knowing the problem. For a major failure, the consumer can reject the goods and choose between a full refund or replacement, or keep the goods and seek compensation for the reduction in value. 
For a minor failure, the supplier can choose to repair, replace, or refund. Similar remedies apply to failures in the supply of services under sections 267 and 268 of the ACL. Section 18 of the ACL prohibits conduct in trade or commerce that is misleading or deceptive, or likely to mislead or deceive. Section 29 prohibits specific false or misleading representations about goods or services, including representations about quality, standard, value, sponsorship, or approval. Sections 20 and 21 prohibit unconscionable conduct. A consumer who has suffered loss or damage because of a contravention of these provisions may recover compensation from the supplier under section 236 of the ACL. For financial products and services, the Australian Financial Complaints Authority (AFCA) provides a free, independent dispute resolution service. Consumers must first complain to the financial firm (following the firm's internal dispute resolution process) before lodging an AFCA complaint, unless the firm has failed to respond within 45 days. AFCA can deal with complaints about banking, insurance, superannuation, credit, investments, and financial advice. This complaint letter provides a clear, formal written record of the consumer's complaint — including the legal basis under the ACL, the factual description of the issue, prior resolution attempts, the specific remedy sought, a response deadline, and optional escalation warning to the ACCC, state fair trading agency, AFCA, NCAT, VCAT, or other relevant body. A formal written complaint is an important step before lodging with a regulator or commencing tribunal proceedings, as most regulators require evidence that the consumer first attempted to resolve the complaint directly with the business.

Privacy Policy (Australia)

Create a compliant Australian Privacy Policy for your business or website. Our template is drafted in accordance with the Privacy Act 1988 (Cth) and covers all 13 Australian Privacy Principles (APPs), including APP 1 (open management), APP 5 (notification), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 11 (security), APP 12 (access), and APP 13 (correction). Includes the Notifiable Data Breaches scheme, OAIC complaint process, and the $3 million turnover threshold explanation.

Cease and Desist Letter (Australia)

Create a formal cease and desist letter for Australia. Covers IP infringement (Copyright Act 1968, Trade Marks Act 1995, Patents Act 1990, Designs Act 2003), misleading or deceptive conduct (Australian Consumer Law s18), false representations (ACL s29), passing off, and breach of confidence. Includes demands to stop infringing conduct, destroy materials, provide undertakings, and pay compensation. For use in Federal Court or FCFCA proceedings.

Demand Letter (Australia)

Create a formal Australian Demand Letter for contract breaches, defective works, misrepresentation, misleading conduct, or other civil wrongs — distinct from a simple debt collection letter. This template covers the full spectrum of pre-litigation civil demands under Australian law, including the Australian Consumer Law (ACL s 18, s 20–21), common law breach of contract, and the civil procedure requirements of all Australian states and territories. A demand letter of this type is a critical pre-litigation step used whenever a party has breached a contractual obligation beyond simply failing to pay an invoice. Common examples include: a builder or contractor who has abandoned works or delivered defective construction; a supplier who has failed to deliver goods as specified or has supplied goods that do not conform to the contract description; a party who has made misrepresentations that induced the other to enter into a contract; a business that has unlawfully terminated a service or supply agreement; a party who has breached confidentiality obligations; or a business whose conduct has been misleading or deceptive in trade or commerce contrary to section 18 of the Australian Consumer Law. The Australian Consumer Law, set out in Schedule 2 to the Competition and Consumer Act 2010 (Cth), applies throughout Australia and provides powerful rights for both consumers and businesses. Section 18 prohibits conduct in trade or commerce that is misleading or deceptive, or likely to mislead or deceive. Sections 20 and 21 prohibit unconscionable conduct. Where a breach of these provisions has caused loss or damage, the affected party is entitled to recover compensation under section 236 of the ACL. A formal demand letter is the appropriate first step before commencing proceedings in the applicable court. 
For contract breaches at common law, the innocent party is entitled to sue for damages representing the loss suffered as a result of the breach — either expectation damages (putting the innocent party in the position they would have been in had the contract been performed) or reliance damages (reimbursing expenditure wasted in reliance on the contract). In some cases, specific performance or an injunction may be available. A demand letter is the appropriate vehicle to put the breaching party on notice, demand specific performance or damages, and provide a deadline before proceedings are commenced. The applicable civil courts in each state and territory are: the Local Court (NSW, up to $100,000), Magistrates Court (VIC, up to $100,000; QLD, up to $150,000; WA, SA, TAS), District Court or County Court (intermediate claims), and Supreme Court (high-value claims). The Australian Capital Territory and Northern Territory have their own court hierarchy. Tribunals such as NCAT (NSW) and VCAT (VIC) handle consumer and home building disputes. The limitation period for contract claims in most Australian states is 6 years from the date the cause of action arose (Limitation Act 1969 (NSW), Limitation of Actions Act 1958 (VIC), Limitation of Actions Act 1974 (QLD) and equivalent). Issuing a formal demand letter well within the limitation period is important both to preserve rights and to comply with any pre-action requirements of the applicable court. This demand letter template is suitable for use throughout Australia in all states and territories. It includes space for a full factual background, identification of the legal basis of the claim under both common law and the ACL, a precise statement of the remedy demanded (payment of damages, completion of works, rectification, delivery of goods, or specific performance), a compliance deadline, an optional legal action warning identifying the intended court, and supporting documentation references. 
The letter may optionally be marked 'Without Prejudice' where settlement negotiations are intended to follow.

Data Processing Agreement (Australia)

As Australian businesses increasingly outsource data-intensive functions to third-party service providers — cloud platforms, payroll processors, CRM vendors, IT support companies, and analytics firms — the need for a formal Data Processing Agreement (DPA) has become critical. An Australian Data Processing Agreement is a contract that governs how a service provider (the Processor) handles personal information on behalf of an APP entity (the organisation responsible for that information), ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Australia does not have a regulation precisely equivalent to the European Union's GDPR Article 28, which mandates a written data processing agreement between controllers and processors. However, the Privacy Act 1988 (Cth) imposes obligations on APP entities that effectively require them to ensure service providers handling personal information on their behalf are contractually bound to appropriate privacy standards. Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. APP 2.1 provides that an individual must have the option of not identifying themselves or of using a pseudonym where lawful and practicable. The OAIC's Guide to Securing Personal Information identifies contractual arrangements with third parties as a key technical and organisational measure that APP entities should implement. The Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and now in Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an Eligible Data Breach occurs — that is, a breach likely to result in serious harm to one or more individuals. 
Where personal information is held by a service provider on behalf of an APP entity, the service provider may discover the breach first. A DPA should establish clear contractual obligations on the service provider to notify the APP entity promptly (the DPA should specify a timeframe shorter than the OAIC notification deadline) so the APP entity can assess whether the breach is notifiable and take required action. Cross-border disclosure of personal information is governed by Australian Privacy Principle 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the overseas recipient will handle the information in a manner consistent with the APPs. This is a particularly important consideration for Australian businesses using US-based cloud services (such as AWS, Azure, Google Cloud, or Salesforce), as the United States does not have a national privacy law equivalent to the APPs. A DPA should address whether the Processor may transfer or disclose personal information to overseas sub-processors and what safeguards must be in place. Under APP 8.2(b), an alternative is for the individual to consent to the overseas disclosure, but this is not always practicable. The Privacy Act 1988 (Cth) distinguishes between 'personal information' (broadly defined in s 6(1) as information or an opinion about an identified individual or an individual who is reasonably identifiable) and 'sensitive information' (a subset defined in s 6(1) to include health information, biometric information, genetic information, information about racial or ethnic origin, criminal records, religious beliefs, and other specified categories). Sensitive information attracts heightened protection under the APPs, particularly APP 3 (which requires consent for collection in most circumstances) and APP 6 (which restricts secondary use and disclosure). 
Where a Processor will handle sensitive information, the DPA should expressly acknowledge this and require enhanced security measures. The Australian Government released a revised Privacy Act Review Report in 2023, recommending significant reforms to the Privacy Act 1988 (Cth), including the introduction of a statutory tort of serious invasion of privacy, enhanced individual rights, and stronger enforcement powers for the OAIC. Businesses should monitor developments in Australian privacy law, as some of the recommended reforms may require updates to existing DPAs when legislation is enacted. Best practice for an Australian DPA — informed by the OAIC's guidance and aligned with international standards — includes: documented handling instructions from the APP entity to the Processor; restrictions on using personal information for the Processor's own purposes; security obligations aligned with APP 11 and the OAIC's Guide to Securing Personal Information; sub-processor controls; cross-border disclosure restrictions consistent with APP 8; breach notification obligations that dovetail with the NDB scheme; access and correction assistance for APPs 12 and 13; data destruction or de-identification obligations under APP 11.2 on termination; and audit rights for the APP entity. This Australian Data Processing Agreement template addresses all of these requirements. It uses Australian legal terminology (APP Entity rather than Controller, personal information rather than personal data, OAIC rather than ICO), references to the Privacy Act 1988 (Cth) and APPs, the NDB scheme under Part IIIC, and Australian business conventions including ABN identification and AUD pricing.