Privacy Policies

Additional rules apply to “sensitive information”, and the obligations on businesses to secure the personal information they hold have been strengthened. Businesses must also give individuals access to the personal information held about them.

The Commissioner’s powers to investigate and enforce have been significantly increased. The Commissioner can seek court injunctions against persons engaging in conduct that would breach the Privacy Act, and can seek penalties against them.

Direct marketing has also become a focus: certain conditions will now need to be met to avoid falling foul of the new laws.

Further guidance on the APPs is available on the Office of the Australian Information Commissioner website.

This is a summary guide only to some of the changes; it is not exhaustive and is not provided as legal advice. Please contact us if you want to discuss further or obtain advice.

So, what should be included in a Privacy Policy?

Collection, use and retention of personal information should be minimised to what is reasonably required, as notified in a privacy policy or otherwise with the individual’s consent.

In addition to the other matters listed in APPs 1.4 and 5.2, APP 5 requires organisations to notify individuals of the access, correction and complaints processes set out in their APP privacy policy, and of the location of any likely overseas recipients of the individual’s information.

APP 11 (Security) requires organisations to take reasonable steps to protect personal information (PI) from misuse, interference and loss, and from unauthorised access, modification or disclosure.

A privacy policy will need to include details as to:

  1. Specific kinds of personal information that the entity collects and holds and how it is collected and held;
  2. Purposes (both primary and secondary) for which the entity collects, holds, uses and discloses personal information;
  3. How an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
  4. How an individual may complain about a breach of the APPs or an applicable registered APP code; and
  5. How the entity will deal with a complaint (entities will also need to ensure that internal procedures are implemented consistently with this description, including by appropriate training of staff).

Direct Marketing

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. Broadly, direct marketing:

  1. is the use or disclosure of personal information to communicate directly with an individual to promote goods and services;
  2. may only be undertaken where the individual would reasonably expect it, or otherwise with the individual’s consent;
  3. must be accompanied by a prominent statement about a simple means to opt out;
  4. must stop when the individual opts out.

Security and Retention of Personal Information

An APP entity must take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

An entity must also take reasonable steps to destroy or de-identify personal information once it no longer needs the information for any purpose for which it may be used or disclosed under the APPs, unless the information is contained in a Commonwealth record or the entity is required by law or by a court or tribunal order to retain it.

Access to Personal Information

An APP entity must, on request, give an individual access to the personal information it holds about them.

Some limited, specific exceptions apply.

It is also important to note that APP 8, which deals with the cross-border disclosure of personal information from Australia to a recipient outside Australia, is not limited in its application by the nationality of the individual whose PI is being transferred. In other words, APP 8 applies to a cross-border disclosure of personal information collected in Australia whether or not the information relates to an Australian citizen or resident.