Privacy Policies: What are they and why does your business need one?

19 February 2019
Posted by Jennifer Tutty and Megan O’Halloran

What is a Privacy Policy?

A Privacy Policy is a legal notice that explains what kinds of personal information an organisation will collect and how they will keep it secure.

According to Australian privacy laws, personal information includes information or opinions that identify or could reasonably identify an individual. Some examples of this are name, address, telephone number, date of birth, medical records, bank account details, and opinions. However, this is not an exhaustive list.

Is your business legally required to have a Privacy Policy?

Whether or not a business is required to have a privacy policy is subject to the Australian Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (APPs). The APPs took effect in 2014 and organisations that must comply are required to have a privacy policy. If your business handles personal information, there is a good chance that you are legally obligated to have a privacy policy in place.

The following organisations must comply with the APPs and thus have a privacy policy in relation to their handling of personal information:

– Businesses with an annual turnover of more than $3 million;
– Businesses trading in personal information;
– Health service providers (this includes a wide range of businesses such as hospitals, doctors’ clinics, and other traditional health service providers, but also gyms, weight loss clinics, child care centres and private schools);
– Employee associations under the Fair Work (Registered Organisations) Act 2009;
– Credit reporting bodies;
– Businesses that have opted in to be covered by the APPs; and
– Other types of businesses prescribed by regulations.

In addition to the above, businesses may enter into a contract with another business or organisation and agree to comply with the Privacy Act and the APPs (even if they are not otherwise legally required to). This is why it is VERY important to read the fine print, especially around Privacy and Data Security, when entering into a contract.

Even if your business is not required by law to have a privacy policy, it is good practice to have a policy in place ensuring personal information is securely collected and handled.

What should be included in a Privacy Policy?

Open and transparent management of personal information is a fundamental principle of the APPs. A privacy policy should engender trust in individuals that their personal information held by a business is being handled in a safe and secure manner. A privacy policy must be clearly expressed, up to date, and freely available to members of the public. Most businesses achieve this through publishing their privacy policy on their website.

Essentially, a privacy policy should explain in simple terms, how personal information is handled. It should set out the kinds of personal information that your business collects, how and why it is collected and held, the circumstances in which it may be disclosed and how a consumer may access this information or make a complaint about a breach of the APPs.

So, does your business need one?

A privacy policy is an important legal document, and many businesses are unaware that they are legally required to have one. If you have questions or are unsure whether your business needs a privacy policy, get in touch with us.

This blog is limited to your requirements to have a privacy policy in Australia. If your business engages in overseas trade and promotion (such as in the EU), your business may have further legal obligations in overseas jurisdictions and it is important to seek formal legal advice to ensure you comply with all relevant international law (you can check out our earlier blog on the GDPR here).
The information in this article is of a general nature. It does not constitute formal legal advice, and should not be relied on as such. Please see the full disclaimer in our website terms. Please contact Studio Legal if you are seeking advice about a specific legal matter.