What should a Privacy Policy Look Like?


A few weeks ago, I wrote an article on the new national privacy law requirements, and in particular on how privacy policies are not as complex or difficult to put together as many businesses may think.


I’ve had a few discussions since posting that article with managers wanting more detail on the structure of a privacy policy. They were all happy to draft it themselves; they were just finding it very difficult to start creating or updating their policy without a template or skeleton structure to work from.


Hopefully, this quick blog post will help answer some of those questions, not that I don’t like speaking to you on the phone about this kind of stuff.


This is just my view on these things too. Ask another lawyer in this area and they’ll likely tell you my outline is terrible and theirs is so much better. To them I say ‘meh’, and to you I say ‘look, this is just one that I have used with clients in the past and they seemed to like to start from, so enjoy’.


  1. Our business collects the following information on you

[Here’s where you list all the information you might collect from individuals. Go all out here, and if you think you might collect some piece of information in the future but aren’t currently collecting it, include it anyway. And yes, because I have been asked this, someone’s gender and address are personal information. You are also collecting personal information if your website uses some form of location tracking service, IP logging, device ID capture or recording, or other similar analytical tools.]

  2. Methods used to collect your personal information

[The heading should say it all for this one. Again, put a full list of all the methods you use to collect (or may in the future use to collect) the information you listed in point 1 above.]

  3. The purpose for us collecting this information

[You can’t mess around or avoid reality here. You must set out clearly and fully why you’re collecting this information, how you are or may use it, and who else you do or might disclose it to. You don’t have to divulge corporate secrets, but you can’t just say ‘to optimise your shopping experience’ if what you’re really doing is collecting information to send marketing emails. You have to say (in appropriate language) that you’re going to send them marketing emails if they tell you their email address.]

  4. Who do we show or disclose your personal information to?

[Again, hopefully pretty straightforward here. For good practice and to avoid issues, I recommend that you also include other business units or other companies in your corporate group in this list, as well as the obvious ones such as third parties or government organisations.]

  5. Use of information outside Australia

[This one has also given rise to many questions from clients. In short, you have to say whether you do or might disclose personal information to any people, companies or governments outside of Australia. You have to list these countries and who you do or might disclose to.]



This shouldn’t be seen as a fixed list – you are free to break the above up into as many different headings or categories as you think appropriate for your business.


You should also do things like include contact details for your privacy officer/s, and make sure those contact details are up-to-date at all times.


As usual, any questions on any of this stuff, drop me an email or give me a call and we can discuss your specific circumstances.
