What is a Privacy Policy in Australia?

A general overview of a Privacy Policy

What is a Privacy Policy?

A privacy policy is a document that explains how an organisation or agency collects, uses, stores and discloses personal information. In Australia, privacy policies are a central part of the Privacy Act 1988 (Cth), which sets out rules for how personal information must be handled under the Australian Privacy Principles (APPs).

Who Has Rights Under the Privacy Act?

The Privacy Act regulates how individuals’ personal information is handled. It gives individuals greater control over their data and provides the right to:

  • Know why their personal information is being collected, how it will be used, and who it will be disclosed to

  • Choose not to identify themselves, or to use a pseudonym in certain circumstances

  • Ask for access to their personal information (including health information)

  • Stop receiving unwanted direct marketing

  • Request corrections if their personal information is incorrect

  • Make a complaint about an organisation or agency covered by the Act if they believe their personal information has been mishandled

Who Has Responsibilities Under the Privacy Act?

The Privacy Act applies to:

  • Australian Government agencies (including the Norfolk Island administration)

  • Private sector organisations and not-for-profits with an annual turnover of more than $3 million (subject to some exceptions)

What is an Organisation?

For the purposes of the Privacy Act, an ‘organisation’ can include:

  • An individual, such as a sole trader (though generally, individuals acting in a personal capacity are excluded)

  • A body corporate

  • A partnership

  • Any other unincorporated association

  • A trust

Excluded from this definition are:

  • Small business operators (unless exceptions apply)

  • Registered political parties

  • State or territory authorities

  • Prescribed instrumentalities of a state

What Small Businesses Are Covered?

While most small business operators (turnover of $3 million or less) are exempt, the Privacy Act still applies to some, including:

  • Private health service providers (e.g. private hospitals, day surgeries, medical practitioners, pharmacists, allied health professionals, naturopaths, chiropractors, gyms, weight loss clinics, child care centres, private schools, and private tertiary education providers)

  • Businesses that sell or purchase personal information

  • Credit reporting bodies

  • Contractors delivering services under an Australian Government contract

  • Employee associations registered under the Fair Work (Registered Organisations) Act 2009

  • Businesses accredited under the Consumer Data Right system

  • Small businesses that have opted in to the Privacy Act

  • Businesses related to a larger business already covered by the Act

  • Businesses prescribed under the Privacy Regulation 2013

Why Privacy Policies Matter

A privacy policy is how an organisation demonstrates compliance with the Privacy Act and provides transparency to individuals. It explains what information is collected, how it is handled, and what rights people have in relation to their personal information.

The OAIC recommends that a privacy policy include:

  • What kinds of personal information are collected

  • How the information is collected

  • The purposes for which it is used

  • How the information is stored and secured

  • How individuals can access or correct their information

  • How complaints can be made

A privacy policy must be accessible, up to date, and written in plain English.

Reforms and Enforcement

Recent reforms to the Privacy Act introduce new penalties and expanded OAIC enforcement powers. Privacy policies that are inaccurate, misleading, or out of date may expose organisations to significant regulatory risk. What was once seen as a formality is now a critical compliance tool.

A privacy policy in Australia is both a legal requirement (for applicable entities) and a practical way to build transparency. It sets out how personal information is managed, and it reflects the rights and responsibilities that exist under the Privacy Act.

Disclaimer: The information provided is general in nature and subject to change. It does not constitute legal advice. You should seek independent legal advice before acting on any of the information published.