A privacy policy is a statement that explains in simple language how an organisation or agency handles your personal information.

Any organisation or agency the Privacy Act 1988 covers must have a privacy policy.

The Privacy Act covers organisations with an annual turnover more than $3 million and operating in Australia, and some other organisations. A number of factors go into deciding if an organisation operates in Australia, including if they have a presence in Australia or carry on a business in Australia.

A privacy policy may be printed on paper, available on a website or displayed on a mobile device’s screen. If you don’t have access to the internet, you can phone the organisation or agency and ask for a paper copy.

What must be included

An organisation or agency’s privacy policy must tell you:

  • their name and contact details
  • what kinds of personal information they collect and store
  • how they collect personal information and where it is stored
  • the reasons why they need to collect personal information
  • how they’ll use and disclose personal information
  • how you can access your personal information, or ask for a correction
  • how to lodge a complaint if you think your information has mishandled, and how they’ll handle your complaint
  • if they are likely to disclose your information outside Australia and, if practical, which countries they are likely to disclose the information to.

If an organisation or agency’s privacy policy says that your personal information is likely to be sent overseas, if something goes wrong then they may be legally responsible.

A privacy policy may also include other information. For example, how long your personal information is kept and if it must be scanned.

If information handling practices change

An organisation or agency must update their privacy policy when their information handling practices change. They must publicise the updated privacy policy, for example on their website and through email or postal lists.

If you can’t understand an organisation or agency’s privacy policy, ask them to explain it.