Who Needs a Privacy Policy in Australia?
Australia's Privacy Act 1988 requires APP entities to have a privacy policy. You are likely an APP entity if any of the following apply:
- Annual turnover over AUD $3 million
- You are a private sector health service provider
- You trade in personal information
- You are related to a body corporate that is an APP entity
- You are a credit reporting body or credit provider
Australia's Privacy Act 1988 Overview
The Privacy Act 1988 is the primary federal privacy legislation in Australia. It was substantially updated in 2014 with the Australian Privacy Principles (APPs) replacing the previous National Privacy Principles and Information Privacy Principles.
The Privacy Act regulates how personal information is handled by Australian Government agencies and certain private sector organisations. The Office of the Australian Information Commissioner (OAIC) enforces the Act and can investigate complaints and impose civil penalties.
The Privacy Act may be amended to broaden its scope: the Australian Government has consulted on reforms that could extend the Act's reach to smaller businesses. Check the OAIC website for the latest updates.
Did you know?
The Australian Government is actively reviewing the Privacy Act with proposed reforms that could significantly expand its coverage, including removing the small business exemption entirely. Even if your business is currently exempt, implementing a privacy policy now prepares you for upcoming changes.
The 13 Australian Privacy Principles (APPs)
The APPs are the foundation of privacy compliance in Australia. Your privacy policy must reflect compliance with the relevant principles.
| APP | Principle | Policy Implication |
|---|---|---|
| APP 1 | Open and transparent management | Must have a privacy policy |
| APP 2 | Anonymity and pseudonymity | Offer anonymous options where practicable |
| APP 3 | Collection of solicited information | Only collect reasonably necessary data |
| APP 5 | Notification of collection | Notify at point of collection |
| APP 6 | Use or disclosure of personal information | Use only for collection purpose |
| APP 8 | Cross-border disclosure | Disclose overseas transfers |
| APP 11 | Security of personal information | Describe security measures |
| APP 12 | Access to personal information | Explain access request process |
| APP 13 | Correction of personal information | Explain correction process |
Notifiable Data Breaches (NDB) Scheme
The Notifiable Data Breaches (NDB) scheme requires APP entities to notify affected individuals and the OAIC when a data breach is likely to result in serious harm.
When Does a Breach Require Notification?
- Unauthorized access to personal information
- Unauthorized disclosure of personal information
- Loss of personal information where access or disclosure is likely
- The breach is likely to result in serious harm to individuals
Notification Timeline
Once you become aware of an eligible data breach, you must notify the OAIC and affected individuals as soon as practicable. There is no fixed statutory period, but the OAIC expects prompt action. Your privacy policy should reference your NDB obligations.
What to Include in an Australian Privacy Policy
APP 1.4 sets out the minimum content required in your privacy policy. Your policy must include:
Kinds of personal information collected and held
Describe categories: contact details, financial information, health information, government identifiers, sensitive information, etc.
How personal information is collected and held
Describe collection channels: forms, cookies, third parties, analytics, referrals. Describe storage: servers, cloud services, paper records.
The purposes for collection, holding, use, and disclosure
Be specific about why you collect each type of information and how you use it.
How individuals can access and correct their information
Describe the process: submit a written request to privacy@yourcompany.com.au, response within 30 days.
How to make a privacy complaint
Describe your internal complaint process and state that unresolved complaints can be referred to the OAIC.
Whether personal information is disclosed overseas
If you use cloud services, analytics tools, or payment processors based overseas, you must disclose the countries involved.
Australian Privacy Policy: Template Section Examples
Here are example sections written in plain language for an Australian business privacy policy.
Personal Information We Collect
We collect personal information including your name, email address, postal address, phone number, and payment details when you purchase from us or contact us. We may also collect information about how you use our website through analytics tools.
How We Use Your Information
We use your personal information to process orders, provide customer support, send transactional emails, and (with your consent) marketing communications. We do not use your information for purposes other than those described in this policy without your consent.
Overseas Disclosure
We use third-party service providers that may store or process your personal information outside Australia. These include: Stripe (United States) for payment processing, Google Analytics (United States) for website analytics, and Mailchimp (United States) for email marketing. We take reasonable steps to ensure overseas recipients handle your information in accordance with the Australian Privacy Principles.
How to Make a Complaint
If you believe your privacy has been compromised, contact our Privacy Officer at privacy@yourcompany.com.au. We will respond within 30 days. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
Disclosing Overseas Data Transfers (APP 8)
APP 8 requires you to take reasonable steps to ensure that overseas recipients handle personal information in accordance with the APPs. Under APP 8.2(a), the disclosing entity remains accountable for the overseas recipient's handling of the information.
Your privacy policy must disclose:
| Common Overseas Recipient | Country | Data Shared |
|---|---|---|
| Stripe | United States | Payment and billing data |
| Google Analytics | United States | Website usage data, IP addresses |
| Mailchimp | United States | Email addresses, email engagement |
| AWS / Cloudflare | US, EU, various | Hosted application and user data |
Did you know?
Under APP 8, if you disclose personal information to an overseas recipient and that recipient breaches the APPs, your Australian business can be held liable as if you committed the breach yourself. List every overseas service provider in your privacy policy and include contractual terms requiring APP compliance.
5 Common Australian Privacy Policy Mistakes
Not disclosing overseas service providers
Most Australian businesses use US-based cloud services (Google, Stripe, Mailchimp). Failing to disclose these overseas disclosures in your privacy policy violates APP 8 and APP 1.4.
Missing the complaint process
APP 1.4(f) requires your privacy policy to describe how to make a complaint about a breach of the APPs, including how the entity will deal with such a complaint. Many policies omit this entirely.
Not referencing the OAIC
Your complaint process should mention that unresolved complaints can be referred to the Office of the Australian Information Commissioner (OAIC). This is a standard APP compliance requirement.
Using a US or EU template without adapting it
Privacy policies written for GDPR or CCPA compliance use different terminology and cover different rights than Australian law requires. Using an unadapted foreign template leaves you non-compliant with the APPs.
Assuming the small business exemption will always apply
The Australian Government has proposed removing the small business exemption entirely. Businesses relying on the $3M threshold exemption should prepare a privacy policy now rather than scrambling if reforms pass.
Frequently Asked Questions
Who needs a privacy policy in Australia?
Under the Privacy Act 1988, APP entities need a privacy policy. You are likely an APP entity if your annual turnover exceeds AUD $3 million, you are a health service provider, you trade in personal information, or you handle credit reporting information.
What must an Australian privacy policy include?
Under APP 1.4: kinds of personal information collected and held, how it is collected and held, purposes for collection and use, access and correction procedures, complaint process (including OAIC referral), and whether information is disclosed overseas and to which countries.
What is a notifiable data breach in Australia?
Under the NDB scheme, a notifiable data breach involves unauthorized access to, disclosure of, or loss of personal information that is likely to result in serious harm to individuals. You must notify the OAIC and affected individuals as soon as practicable.
Do small Australian businesses need a privacy policy?
The Privacy Act generally exempts businesses with turnover under AUD $3 million, with exceptions for health providers and those trading in personal information. However, proposed reforms may remove this exemption. Good practice is to have a privacy policy regardless of size.
Does GDPR apply to Australian businesses?
GDPR applies to Australian businesses that offer goods or services to EU residents or monitor their behavior. If your business has EU customers or EU website visitors you analyze, you may need to comply with both the Privacy Act and GDPR.
Generate Your Australian Privacy Policy
Create a complete privacy policy compliant with Australia's Privacy Act 1988 and the Australian Privacy Principles in under 2 minutes.
- APP 1.4 compliant with all required disclosures
- Overseas disclosure section included
- NDB scheme reference included
- Free to generate, no account required