Articles and legal news from the Atkinson Vinden Team.


It’s time to update your Privacy Policy (or draft your first one if you have not already)

Commercial Law


As you may be aware, new privacy legislation comes into effect from 12 March 2014, requiring that all agencies and organisations (a term which is broadly defined and includes individuals, though there are some exceptions) comply with the new Australian Privacy Principles (APP). The APP requirements are far-reaching, including how and when you may collect personal information and what you may do with it once you possess it. The changes go well beyond what can be covered in this article, so we will focus on one of the more immediate requirements.

The first obligation imposed by the APP is that organisations have procedures and systems in place to ensure compliance with the APP and to deal with any enquiries or complaints from individuals. This includes the obligation that organisations have a readily available privacy policy.

The simplest way to make your privacy policy readily available is to publish it on your website, though note that people are entitled to request a copy in another form. Of course, you should also take into account the potential requirements of your clients, including, for example, any disabilities which may make accessing your website difficult.

Not only must you have a privacy policy, but there are minimum requirements for what your privacy policy must include, as follows:

1. What type of personal information your organisation might collect and keep;

2. How such information will be collected and kept (including, for example, if it is stored in the “cloud” on overseas servers and basic security information);

3. Why the information is being collected, held, used and disclosed;

4. How someone may access information about themselves and seek to correct such (we generally recommend creating a position of Privacy Officer, listing your main phone number and creating a generic email address e.g., to avoid having to update the policy due to staff changes);

5. How a person may complain about a breach of an APP or registered APP code (if any) by your organisation, and how you will deal with complaints;

6. Whether you are likely to disclose any information you hold to a foreign entity; and

7. If you are likely to disclose information to a foreign entity, what countries the foreign entities will be located in (if possible).

It should be noted that the above list is not supposed to be exhaustive. Other requirements may include how a person can deal with your organisation in an anonymous manner or by use of a pseudonym (the right of a person to communicate by these methods is granted under the APPs, where it is not impracticable to do so). You may also need to disclose if you intend to use personal information for marketing purposes (note in these cases other legislation still applies, e.g. the Spam Act 2003 (Cth)).

If you have any queries about how to put together your privacy policy, or whether the new laws apply to you, please contact our Commercial Team on 9411 4466.

