Create a compliant Australian Privacy Policy for your business or website. Our template is drafted in accordance with the Privacy Act 1988 (Cth) and covers all 13 Australian Privacy Principles (APPs), including APP 1 (open management), APP 5 (notification), APP 6 (use and disclosure), APP 7 (direct marketing), APP 8 (cross-border disclosure), APP 11 (security), APP 12 (access), and APP 13 (correction). Includes the Notifiable Data Breaches scheme, OAIC complaint process, and the $3 million turnover threshold explanation.

What Is a Privacy Policy (Australia)?

An Australian Privacy Policy is a legally required document for organisations subject to the Privacy Act 1988 (Cth) that explains to individuals how the organisation collects, uses, discloses, stores, and protects their personal information. The Privacy Act — administered by the Office of the Australian Information Commissioner (OAIC) — imposes legally binding obligations on APP entities (Australian Government agencies and private sector organisations with annual turnover exceeding AUD $3 million, plus certain other entities) through the 13 Australian Privacy Principles (APPs) contained in Schedule 1 of the Act.

Under APP 1, every APP entity must have a clearly expressed and up-to-date Privacy Policy that is freely available to the public, typically on the entity’s website. The Privacy Policy must describe: what personal information the entity collects and holds, how it collects that information, the purposes for which it collects, holds, uses, and discloses personal information, whether it is likely to disclose personal information to overseas recipients and (if so) the countries where they are located, and how an individual can access and seek correction of the personal information the entity holds about them, make a complaint about a breach of the APPs, and how the entity will deal with such complaints.

The Privacy Act 1988 (Cth) was significantly strengthened by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which increased maximum penalties for serious or repeated interferences with privacy from AUD $2.1 million to AUD $50 million (or three times the value of any benefit obtained, or 30% of adjusted turnover in the period of the contravention, whichever is greater) for bodies corporate. Individual officers can also face personal liability. This reflects the Australian Government’s commitment to strengthening privacy protections in line with international standards.

When Do You Need a Privacy Policy (Australia)?

An Australian Privacy Policy is required in a wide range of circumstances. The most obvious requirement arises under the Privacy Act 1988 (Cth): if your organisation has an annual turnover exceeding AUD $3 million, APP 1 requires you to have a clearly expressed and up-to-date Privacy Policy that is freely available to the public.

However, a Privacy Policy is required or strongly recommended even if your organisation is below the $3 million turnover threshold, in several important situations. First, if your organisation trades in personal information for a benefit, service, or advantage — for example, a business model involving data brokering or selling customer data — the exemption for small businesses does not apply. Second, if you provide health services, you are subject to the Privacy Act regardless of turnover. Third, if you are a contracted service provider for the Commonwealth or a state government, contractual obligations may require privacy compliance. Fourth, major payment processors, app stores (including the Apple App Store and Google Play), and advertising platforms typically require you to have a Privacy Policy as a condition of using their services, regardless of your legal obligations.

Beyond legal and contractual requirements, having a transparent and comprehensive Privacy Policy is a fundamental element of customer trust. In an environment where data breaches are increasingly common and consumers are more privacy-conscious than ever, a well-drafted Privacy Policy demonstrates your commitment to handling personal information responsibly and can be a genuine competitive advantage.

If you operate a website, mobile app, e-commerce store, SaaS product, or any other digital service that collects personal information from Australian users — including names, email addresses, payment details, or usage data — you need an Australian-compliant Privacy Policy.

What to Include in Your Privacy Policy (Australia)

A compliant Australian Privacy Policy must address all 13 Australian Privacy Principles and include several key elements prescribed by APP 1.4.

The description of personal information collected and how it is collected is the starting point. Under APP 3, you may only collect personal information that is reasonably necessary for your functions or activities. Your Privacy Policy must clearly describe what types of personal information you collect (e.g. names, contact details, financial information, health information, usage data) and how you collect it (e.g. directly from the individual, through cookies, from third parties).

The purpose of collection, use, and disclosure under APP 5 and APP 6 must be clearly explained. Individuals are entitled to know why their information is being collected before or at the time of collection. Under APP 6, personal information may generally only be used or disclosed for the primary purpose of collection or a related secondary purpose the individual would reasonably expect.

The direct marketing section under APP 7 is required if your organisation uses personal information to market goods or services. It must explain how individuals can opt out of direct marketing. Compliance with the Spam Act 2003 (Cth) should also be addressed.

The cross-border disclosure section under APP 8 is essential for any organisation using overseas cloud services, international payment processors, or overseas group companies. It must disclose the countries where personal information may be sent and the steps taken to ensure APP compliance.

The security of personal information section under APP 11 must describe the technical and organisational measures you take to protect personal information from misuse, interference, loss, and unauthorised access. It should also address the Notifiable Data Breaches (NDB) scheme.

The access and correction rights sections under APP 12 and APP 13 must explain how individuals can request access to and correction of their personal information, and how the organisation will respond to such requests.

The complaint handling process under APP 1 must explain how individuals can make a privacy complaint and describe the role of the OAIC as the external complaints authority.

Related Documents

You may also find these documents useful:

Mobile App Privacy Policy (Australia)

Generate a compliant Mobile App Privacy Policy for Australian iOS and Android apps. Covers the Privacy Act 1988 (Cth), all 13 Australian Privacy Principles, device permissions disclosure, push notifications, in-app purchases, analytics SDKs, children's data protection, App Tracking Transparency (iOS), Google Play Data Safety compliance, and the OAIC complaint process. Tailored for both Apple App Store and Google Play requirements.

Non-Disclosure Agreement (NDA) (Australia)

Protect your confidential business information under Australian common law with a legally sound Non-Disclosure Agreement (NDA). Whether you are sharing trade secrets with a prospective partner, disclosing proprietary technology to a developer, or presenting financial projections to a potential investor, a properly drafted Australian NDA keeps your sensitive information under strict legal protection. Our template complies with Australian contract law principles and includes provisions addressing the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

Mutual Non-Disclosure Agreement (Australia)

Protect your confidential business information on a bilateral basis with an Australian Mutual Non-Disclosure Agreement. When both parties are sharing sensitive information with each other — as commonly occurs in joint venture negotiations, merger discussions, or technology partnerships — a mutual NDA provides equal protection for both sides. Our template complies with Australian common law and addresses the Privacy Act 1988 (Cth), ensuring enforceable bilateral confidentiality obligations across all Australian states and territories.