Create a comprehensive Australian Data Collection Consent Form that combines an APP 5 collection notice with explicit individual consent. This template covers the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), purpose limitation, sensitive information collection, third-party disclosure, overseas recipients, data retention, security, direct marketing consent, and individual rights including access, correction, and complaint.

The Privacy Act 1988 (Cth) is the primary federal legislation governing the handling of personal information in Australia. It applies to Australian Government agencies, and to private sector organisations with an annual turnover of more than $3 million (with important exceptions extending it to smaller organisations in specific sectors, including private health service providers, businesses that sell or purchase personal information, operators of residential tenancy databases, credit reporting bodies, and entities contracted to Australian Government agencies).

The 13 Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act set out the requirements for how APP entities must handle personal information. APP 1 requires APP entities to have a clearly expressed and up-to-date privacy policy. APP 2 gives individuals the option of transacting anonymously or pseudonymously where lawful and practicable. APP 3 governs the collection of solicited personal information, requiring that the entity only collect personal information that is reasonably necessary for its functions or activities. For sensitive information — which includes health information, financial information, racial or ethnic origin, political opinions, religious beliefs, criminal record, trade union membership, biometric information, and sexual orientation — APP 3(3) requires explicit consent for collection, rather than mere implied consent. APP 4 deals with unsolicited personal information.

APP 5 requires that at or before the time of collection, the APP entity takes reasonable steps to notify the individual of the matters listed in that principle, including the identity of the collector, the facts and circumstances of collection, whether the collection is required by law, the purposes for which the information is collected, the consequences of not providing the information, any third parties to whom the information is usually disclosed, and the individual's rights of access and complaint. APP 6 restricts the use and disclosure of personal information to the primary purpose of collection, unless an exception applies — including where the individual has consented to a secondary use, where use or disclosure is required by law, or where the use is for a directly related secondary purpose that the individual would reasonably expect.

APP 7 restricts the use of personal information for direct marketing, requiring either consent, a reasonable expectation based on an existing relationship with a visible opt-out mechanism, or another applicable exception. APP 8 requires that before an APP entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure the recipient handles the information in compliance with the APPs, unless an exception applies (such as where the individual has expressly consented to the disclosure with an understanding that the overseas recipient may not be required to comply with the APPs).

APP 11 requires that APP entities take reasonable steps to protect personal information they hold from misuse, interference, and loss, and from unauthorised access, modification, and disclosure. When personal information is no longer needed for any purpose for which it may be used or disclosed, the entity must take reasonable steps to destroy or de-identify it, unless it is contained in a Commonwealth record or the entity is otherwise required by law to retain it.

State-based health privacy legislation — including the Health Records Act 2001 (Vic) and the Health Records and Information Privacy Act 2002 (NSW) — imposes equivalent obligations on health service providers in those states and sets minimum retention periods for health records (typically 7 years from the date of last service, or until the patient turns 25 if they were a minor when treated).

APP 12 gives individuals the right to access the personal information an APP entity holds about them. APPs 13 and 14 require entities to correct inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information if requested. Complaints about alleged breaches of the Privacy Act or the APPs may be made to the Office of the Australian Information Commissioner (OAIC), which has the power to investigate and make determinations, and may direct the entity to pay compensation of up to $50,000 to an individual who has suffered loss or damage due to a privacy breach.

This Data Collection Consent Form provides a single document that satisfies both the APP 5 notification obligation and the APP 3 consent requirement. It is suitable for health and allied health practices, fitness and wellness businesses, education providers, community organisations, technology businesses, market research firms, and any other organisation that systematically collects personal information as part of its operations.

What Is a Data Collection Consent Form (Australia)?

An Australian Data Collection Consent Form is a written document that simultaneously serves as an APP 5 collection notice under the Privacy Act 1988 (Cth) and as a record of an individual's explicit consent to the collection, use, storage, and disclosure of their personal information. It is designed to satisfy the notification and consent requirements of the Australian Privacy Principles (APPs) in a single, plain-language document.

The form documents the most important elements of an organisation's privacy obligations at the point of data collection: it identifies the organisation collecting the information; specifies what categories of personal information and sensitive information are being collected; explains the primary and secondary purposes for collection; discloses whether information will be shared with third parties or overseas recipients; describes the security measures protecting the information and the retention period; and informs the individual of their rights to access, correct, and complain about the handling of their information.

A data collection consent form differs from a privacy policy in that it is a transaction-specific document, completed at the time the individual provides their information, and signed by the individual as evidence of their informed consent. A privacy policy is a general-purpose document describing the organisation's overall approach to privacy across all its operations. Both documents serve important but distinct functions under the Privacy Act 1988 (Cth).

The form is particularly important for the collection of sensitive information — including health information, financial information, and other categories listed in the Act — for which explicit consent is required under APP 3(3). A well-designed data collection consent form also reduces the risk of complaints to the Office of the Australian Information Commissioner (OAIC) by ensuring individuals are fully informed before they consent, and by creating a clear record of what was consented to and when.

When Do You Need a Data Collection Consent Form (Australia)?

A Data Collection Consent Form is needed whenever an Australian organisation that is subject to the Privacy Act 1988 (Cth) or applicable state privacy legislation collects personal information directly from an individual — particularly where the collection includes sensitive information, where information may be disclosed to third parties or overseas recipients, or where the organisation intends to use the information for direct marketing.

Health and allied health practices — including medical clinics, dental practices, physiotherapy, psychology, pharmacy, chiropractic, optometry, and other registered health practitioners — collect significant volumes of health information, which is sensitive information under the Privacy Act. A data collection consent form should be completed by each new patient at registration and updated whenever the nature of the information collected or its uses materially changes.

Fitness, wellness, and lifestyle businesses that collect health-related information — including gyms, personal trainers, yoga studios, and weight management programs — should obtain a data collection consent form from clients at sign-up, covering the collection of health and body composition information and its use for service delivery and, if applicable, research.

Education providers — including private schools, vocational education and training (VET) providers, and tutoring centres — collect personal information about students and their families, including sensitive information about learning difficulties, health conditions, and family circumstances. Enrolment consent forms should include comprehensive data collection consent.

Technology businesses, app developers, and websites that collect personal information from Australian users should use a data collection consent form (or its digital equivalent, such as a consent checkbox with a linked privacy policy) at the point of user registration or data entry, particularly where sensitive information is collected or where data is shared with overseas cloud service providers.

Market research firms, survey platforms, and data analytics businesses that collect personal information from survey participants should obtain data collection consent at the outset of each research engagement.

Community organisations, not-for-profits, and charities that collect personal information about members, donors, or service users should implement a data collection consent process as part of their membership or client intake procedures.

What to Include in Your Data Collection Consent Form (Australia)

An effective Australian Data Collection Consent Form must contain several key elements to satisfy the requirements of the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

APP 5 collection notice: The form must notify the individual at or before the time of collection of: the identity of the collecting organisation (name, ABN, address, privacy officer contact); the purpose of the collection; whether the collection is required by law or voluntary; the consequences of not providing the information; the identity of any third parties to whom the information is usually disclosed; whether any overseas recipients are involved; and how the individual can access their information and make a complaint.

Categories of information collected: A clear, specific description of all personal information and sensitive information collected, including contact details, health information, financial information, identification documents, and any other data. Vague descriptions such as 'information relevant to your account' are insufficient.

Sensitive information consent: An explicit, separate consent for each category of sensitive information collected. This consent must be distinct from the general consent to data collection, as APP 3(3) requires specific consent for sensitive information.

Primary purpose: A clear statement of the primary reason the information is collected. Under APP 6, information may only be used or disclosed for the primary purpose, or for a secondary purpose with consent or under an exception.

Secondary purposes: A description of any secondary uses — such as direct marketing, research, or quality improvement — with separate consent options for each secondary use where required by APP 7.

Third-party disclosure: Identification of the categories of third parties to whom information may be disclosed, and whether any overseas recipients are involved. APP 8 requires specific precautions for overseas disclosures.

Data retention and security: The retention period for different categories of information, referencing any applicable statutory minimum retention periods, and a description of the security measures used to protect the information in accordance with APP 11.

Individual rights: A clear statement of the individual's rights to access (APP 12), correct (APP 13), and complain about the handling of their information, including the contact details of the privacy officer and the Office of the Australian Information Commissioner (OAIC).

Withdrawal of consent: A statement that the individual may withdraw their consent at any time, and a description of the consequences of withdrawal (which may affect the organisation's ability to provide services).

Related Documents

You may also find these documents useful:

Privacy Policy (Australia)

Create a compliant Australian Privacy Policy for your business or website. Our template is drafted in accordance with the Privacy Act 1988 (Cth) and covers all 13 Australian Privacy Principles (APPs), including APP 1 (open management), APP 5 (notification), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 11 (security), APP 12 (access), and APP 13 (correction). Includes the Notifiable Data Breaches scheme, OAIC complaint process, and the $3 million turnover threshold explanation.

General Consent Form (Australia)

Create a comprehensive Australian General Consent Form for activities, programs, events, and services. This template covers participant consent, assumption of risk, medical disclosure, emergency contact, photography consent, and liability limitation, drafted in accordance with the Australian Consumer Law (Schedule 2, Competition and Consumer Act 2010 (Cth)), applicable state civil liability legislation, and the Privacy Act 1988 (Cth).

A general consent form is a foundational legal document for any Australian business, club, organisation, or institution that provides services or organises activities involving participants, customers, or clients. The form documents the participant's informed agreement to participate, their acknowledgement of the risks involved, their disclosure of relevant medical information, and the organisation's liability position — all of which are essential elements of a defensible risk management framework.

Informed consent is a principle that runs across Australian law in many contexts. In the context of recreational activities and commercial services, consent is relevant to both the contract between the organisation and the participant and to the law of negligence. A participant who freely and voluntarily agrees to participate in an activity with knowledge of its risks may be taken to have assumed the inherent risks of that activity, which can defeat or reduce a negligence claim. Under the Civil Liability Act 2002 (NSW), the Wrongs Act 1958 (Vic), the Civil Liability Act 2003 (Qld), the Civil Liability Act 2002 (WA), the Civil Liability Act 1936 (SA), the Civil Liability Act 2002 (Tas), and the Civil Law (Wrongs) Act 2002 (ACT), Australian states have codified the voluntary assumption of risk defence, but require that the plaintiff was actually aware of and voluntarily accepted the specific risk that caused the loss.

Because of this requirement of actual knowledge, a well-drafted risk disclosure section in a consent form is legally significant. Simply including a blanket exclusion clause is not sufficient — the form must specifically identify the known risks of the activity in plain language. A participant who signs a form that clearly and specifically describes the risks of the activity, and who proceeds to participate, is in a much weaker position to claim they were unaware of those risks. This is why this form includes a dedicated risk acknowledgement section inviting the organisation to describe the known hazards in specific terms.

The Australian Consumer Law (ACL), which applies in all states and territories as Schedule 2 of the Competition and Consumer Act 2010 (Cth), imposes important limits on an organisation's ability to exclude liability. Under section 60 of the ACL, there is a consumer guarantee that services will be provided with due care and skill. Under section 61, services must be reasonably fit for any particular purpose the consumer makes known. An organisation cannot exclude these guarantees if the participant is a consumer under the ACL (broadly, where the services are for personal use and cost less than $100,000). Section 64A of the ACL allows an organisation to limit its liability for non-personal injury losses to resupply of the services, but section 64 prohibits any term purporting to exclude the consumer guarantees entirely. Liability for death or personal injury caused by negligence cannot be excluded in consumer transactions under the ACL.

For recreational service providers, state legislatures have created specific risk warning regimes. In Queensland, the Tourism and Events Queensland Act 2012 and the Civil Liability Act 2003 allow recreational service providers who give a compliant risk warning to seek a waiver from a participant's rights under the Australian Consumer Law for personal injury. Other states have similar provisions. This general consent form provides a framework that can be adapted to include a compliant risk warning where required.

The Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) apply to organisations with an annual turnover of more than $3 million, and to certain smaller organisations in specific sectors. When a consent form collects personal information — including the participant's name, contact details, date of birth, and particularly medical information — the organisation must comply with APP 3 (collection of solicited personal information), APP 5 (notification of collection), and APP 11 (security of personal information). This form includes a privacy notice directing participants to the organisation's privacy policy.

This form is suitable for adventure tourism and recreational activities, fitness and wellness businesses, sports clubs and associations, community programs and events, workshops and training programs, therapy and allied health services, arts and cultural programs, and any other activity where an organisation seeks documented participant consent before providing services.

Medical Consent for Minor (Australia)

Create a comprehensive Australian Medical Consent for Minor form for healthcare providers, schools, organisations, and parents. This template covers informed consent under Rogers v Whitaker, medical history, allergy disclosure, Medicare details, emergency treatment authorisation, and parental responsibility under the Family Law Act 1975 (Cth). Compliant with AHPRA professional standards, Privacy Act 1988 (Cth), and applicable state health privacy legislation.

In Australia, the legal requirement to obtain parental or guardian consent before treating a minor arises from the intersection of common law, state and territory legislation, and the professional ethical standards of registered health practitioners regulated under the Health Practitioner Regulation National Law Act 2009 (Cth) and overseen by the Australian Health Practitioner Regulation Agency (AHPRA).

The common law requires informed consent for medical treatment. This principle was authoritatively established in Rogers v Whitaker (1992) 175 CLR 479, in which the High Court of Australia held that a medical practitioner owes a duty of care to disclose all material risks of a proposed treatment — defined as risks that a reasonable person in the patient's position would want to know about, or that the particular patient would want to know about even if a reasonable person would not. Failure to disclose a material risk, and the patient suffering that undisclosed risk, gives rise to a claim in negligence. For minor patients, this duty to inform is owed to the parent or guardian, who makes the treatment decision on the child's behalf.

The landmark High Court decision in Secretary, Department of Health and Community Services v JWB and SMB [Marion's Case] (1992) 175 CLR 218 established the framework for medical consent for children in Australia. The Court held that parental consent is required for medical treatment of a child, but recognised that a minor may be capable of giving consent independently if they have sufficient maturity and understanding to appreciate the nature and consequences of the proposed treatment — the 'Gillick competency' principle, adopted from the English House of Lords decision in Gillick v West Norfolk and Wisbech Area Health Authority [1985] 3 All ER 402. However, for significant or irreversible procedures, Marion's Case confirmed that neither parental consent nor the Gillick-competent minor's consent is sufficient, and court authorisation may be required.

Parental responsibility for medical consent is governed by the Family Law Act 1975 (Cth). Under section 61C, each parent of a child has parental responsibility for the child — meaning all duties, powers, responsibilities, and authority which, by law, parents have in relation to children. Following separation, both parents generally retain equal shared parental responsibility unless a court order provides otherwise. For routine or day-to-day medical treatment, consent by one parent is generally considered sufficient. For major elective procedures, it is good practice to obtain consent from both parents, particularly where there is known family law conflict.

State-based child protection legislation also governs medical treatment of children. In New South Wales, the Children and Young Persons (Care and Protection) Act 1998 (NSW) grants the Secretary of the Department of Communities and Justice the power to consent to medical treatment for children in certain circumstances. The Children, Youth and Families Act 2005 (Vic), the Child Protection Act 1999 (Qld), and equivalent legislation in other states contain similar provisions for children under protective orders.

The National Immunisation Program (NIP) Schedule, administered by the Australian Government Department of Health and Aged Care, sets the standard vaccination schedule for children in Australia. The No Jab, No Pay policy (under the Social Services Legislation Amendment (No Jab, No Pay) Act 2015 (Cth)) and No Jab, No Play policies in applicable states and territories link child care and kindergarten access to vaccination compliance. Immunisation consent forms are one of the most common uses of a medical consent for minor form.

Health information about a child is sensitive information under the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Healthcare providers must handle this information in accordance with APP 3 (collection), APP 6 (use and disclosure), APP 11 (security), APP 12 (access), and APP 13 (correction). State-based health privacy legislation — including the Health Records Act 2001 (Vic) and the Health Records and Information Privacy Act 2002 (NSW) — imposes equivalent obligations and sets minimum health record retention periods.

This form is suitable for general practices, paediatric clinics, hospitals, dental practices, allied health providers, school immunisation programs, sports medicine clinics, schools and early childhood services, and any organisation that provides health services or activities involving minor participants.

Data Processing Agreement (Australia)

As Australian businesses increasingly outsource data-intensive functions to third-party service providers — cloud platforms, payroll processors, CRM vendors, IT support companies, and analytics firms — the need for a formal Data Processing Agreement (DPA) has become critical. An Australian Data Processing Agreement is a contract that governs how a service provider (the Processor) handles personal information on behalf of an APP entity (the organisation responsible for that information), ensuring compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

Australia does not have a regulation precisely equivalent to the European Union's GDPR Article 28, which mandates a written data processing agreement between controllers and processors. However, the Privacy Act 1988 (Cth) imposes obligations on APP entities that effectively require them to ensure service providers handling personal information on their behalf are contractually bound to appropriate privacy standards.

Australian Privacy Principle 11 requires APP entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. APP 2.1 provides that an individual must have the option of not identifying themselves or of using a pseudonym where lawful and practicable. The OAIC's Guide to Securing Personal Information identifies contractual arrangements with third parties as a key technical and organisational measure that APP entities should implement.

The Notifiable Data Breaches (NDB) scheme, introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) and now in Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when an Eligible Data Breach occurs — that is, a breach likely to result in serious harm to one or more individuals. Where personal information is held by a service provider on behalf of an APP entity, the service provider may discover the breach first. A DPA should establish clear contractual obligations on the service provider to notify the APP entity promptly (the DPA should specify a timeframe shorter than the OAIC notification deadline) so the APP entity can assess whether the breach is notifiable and take required action.

Cross-border disclosure of personal information is governed by Australian Privacy Principle 8. Before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the overseas recipient will handle the information in a manner consistent with the APPs. This is a particularly important consideration for Australian businesses using US-based cloud services (such as AWS, Azure, Google Cloud, or Salesforce), as the United States does not have a national privacy law equivalent to the APPs. A DPA should address whether the Processor may transfer or disclose personal information to overseas sub-processors and what safeguards must be in place. Under APP 8.2(b), an alternative is for the individual to consent to the overseas disclosure, but this is not always practicable.

The Privacy Act 1988 (Cth) distinguishes between 'personal information' (broadly defined in s 6(1) as information or an opinion about an identified individual or an individual who is reasonably identifiable) and 'sensitive information' (a subset defined in s 6(1) to include health information, biometric information, genetic information, information about racial or ethnic origin, criminal records, religious beliefs, and other specified categories). Sensitive information attracts heightened protection under the APPs, particularly APP 3 (which requires consent for collection in most circumstances) and APP 6 (which restricts secondary use and disclosure). Where a Processor will handle sensitive information, the DPA should expressly acknowledge this and require enhanced security measures.

The Australian Government released a revised Privacy Act Review Report in 2023, recommending significant reforms to the Privacy Act 1988 (Cth), including the introduction of a statutory tort of serious invasion of privacy, enhanced individual rights, and stronger enforcement powers for the OAIC. Businesses should monitor developments in Australian privacy law, as some of the recommended reforms may require updates to existing DPAs when legislation is enacted.

Best practice for an Australian DPA — informed by the OAIC's guidance and aligned with international standards — includes: documented handling instructions from the APP entity to the Processor; restrictions on using personal information for the Processor's own purposes; security obligations aligned with APP 11 and the OAIC's Guide to Securing Personal Information; sub-processor controls; cross-border disclosure restrictions consistent with APP 8; breach notification obligations that dovetail with the NDB scheme; access and correction assistance for APPs 12 and 13; data destruction or de-identification obligations under APP 11.2 on termination; and audit rights for the APP entity.

This Australian Data Processing Agreement template addresses all of these requirements. It uses Australian legal terminology (APP Entity rather than Controller, personal information rather than personal data, OAIC rather than ICO), references to the Privacy Act 1988 (Cth) and APPs, the NDB scheme under Part IIIC, and Australian business conventions including ABN identification and AUD pricing.