Publication date: 5 May 2014

Download the poster

Poster of the six steps. Poster text follows image.

Australian Privacy Principle (APP) 1 requires private sector organisations and Australian Government agencies (called entities) to have a clearly expressed and up‑to-date privacy policy describing how they manage personal information. An APP privacy policy is a key tool for ensuring personal information is managed in an open and transparent way.

Your APP privacy policy must cover a number of specific topics, which are outlined in APP 1.4. However, below are some steps and tips to help you develop your policy and to keep it up-to-date.


1. Information gathering

Get an overview of the personal information you hold and how you handle it

Tip: Identify all your functions and activities that involve personal information handling

Tip: Conduct an audit of the personal information you hold and your information handling policies and procedures

2. Work out content and structure

The goal is to make it as easy as possible for individuals to find information most important to them

Tip: Take a layered approach — particularly for online publication, provide a summary version, with a link to the full policy

Tip: You may need to have more than one policy — different parts of your operation may collect and use information differently

3. Draft your privacy policy

Your privacy policy must be clearly expressed

Tip: Think about your audience — your privacy policy should provide helpful information on how you handle personal information and create trust. It is not a tool for managing legal risk

Tip: Keep it simple — use simple language, focus on what is important to the reader and don’t try to cover everything in precise detail

4. Test your privacy policy on the target audience

Test the readability of the policy

Tip: Consult — seek input on content, expression and format

Tip: Consider testing it on internal and external audiences

5. Make your policy easily available

Your privacy policy should be available for free, in appropriate formats and on your website.

Tip: Consider providing your privacy policy in multiple formats or locations

Tip: Your privacy policy is generally not a substitute for the notice requirements under APP 5.

6. Regularly review and update your privacy policy

Information handling practices change, and it’s important that your privacy policy changes with them and is up-to-date.

Please refer to the OAIC’s Guide to developing an APP privacy policy and the OAIC’s APP guidelines available on the OAIC website.