What is a Privacy Policy in Australia?
A general overview of a Privacy Policy
What is a Privacy Policy?
A privacy policy is a document that explains how an organisation or agency collects, uses, stores and discloses personal information. In Australia, privacy policies are a central part of the Privacy Act 1988 (Cth), which sets out rules for how personal information must be handled under the Australian Privacy Principles (APPs).
Who Has Rights Under the Privacy Act?
The Privacy Act regulates how individuals’ personal information is handled. It gives individuals greater control over their data and provides the right to:
Know why their personal information is being collected, how it will be used, and who it will be disclosed to
Choose not to identify themselves, or to use a pseudonym in certain circumstances
Ask for access to their personal information (including health information)
Stop receiving unwanted direct marketing
Request corrections if their personal information is incorrect
Make a complaint about an organisation or agency covered by the Act if they believe their personal information has been mishandled
Who Has Responsibilities Under the Privacy Act?
The Privacy Act applies to:
Australian Government agencies (including the Norfolk Island administration)
Private sector organisations and not-for-profits with an annual turnover of more than $3 million (subject to some exceptions)
What is an Organisation?
For the purposes of the Privacy Act, an ‘organisation’ can include:
An individual, such as a sole trader (though generally, individuals acting in a personal capacity are excluded)
A body corporate
A partnership
Any other unincorporated association
A trust
Excluded from this definition are:
Small business operators (unless exceptions apply)
Registered political parties
State or territory authorities
Prescribed instrumentalities of a state
What Small Businesses Are Covered?
While most small business operators (turnover of $3 million or less) are exempt, the Privacy Act still applies to some, including:
Private health service providers (e.g. private hospitals, day surgeries, medical practitioners, pharmacists, allied health professionals, naturopaths, chiropractors, gyms, weight loss clinics, child care centres, private schools, and private tertiary education providers)
Businesses that sell or purchase personal information
Credit reporting bodies
Contractors delivering services under an Australian Government contract
Employee associations registered under the Fair Work (Registered Organisations) Act 2009
Businesses accredited under the Consumer Data Right system
Small businesses that have opted in to the Privacy Act
Businesses related to a larger business already covered by the Act
Businesses prescribed under the Privacy Regulation 2013
Why Privacy Policies Matter
A privacy policy is how an organisation demonstrates compliance with the Privacy Act and provides transparency to individuals. It explains what information is collected, how it is handled, and what rights people have in relation to their personal information.
The OAIC recommends that a privacy policy include:
What kinds of personal information are collected
How the information is collected
The purposes for which it is used
How the information is stored and secured
How individuals can access or correct their information
How complaints can be made
A privacy policy must be accessible, up to date, and written in plain English.
Reforms and Enforcement
Recent reforms to the Privacy Act introduce new penalties and expanded OAIC enforcement powers. Privacy policies that are inaccurate, misleading, or out of date may expose organisations to significant regulatory risk. What was once seen as a formality is now a critical compliance tool.
A privacy policy in Australia is both a legal requirement (for applicable entities) and a practical way to build transparency. It sets out how personal information is managed, and it reflects the rights and responsibilities that exist under the Privacy Act.
Disclaimer: The information provided is general in nature and subject to change. It does not constitute legal advice. You should seek independent legal advice before acting on any of the information published.