
What should a privacy policy include?

September 13, 2020 | Brigid Nelmes, Philip Evangelou

A privacy policy details how your business collects and handles personal information. A privacy policy is important for fulfilling your legal obligations as well as maintaining the reputation of your business and the trust of your clients.

In general, businesses and not-for-profits with an annual turnover of more than $3 million must have a privacy policy under the Privacy Act 1988 (Cth). However, some businesses under the $3 million mark also need a privacy policy. For more detail, see our article ‘Does My Website Need A Privacy Policy?’

Even if you are not required by law to have a privacy policy, it is still good practice for your business, because it commits you to collecting and using personal information transparently and responsibly.

What should a privacy policy include? 

Opening statement: The opening statement of a privacy policy sets out your business’ commitment to maintaining the privacy of the information it collects and its compliance with the Privacy Act and the Australian Privacy Principles, as well as any other privacy obligations relevant to your business, such as the Privacy (Credit Reporting) Code 2014.

Collection and use of personal information: This section details:

  • What personal information is (information about an individual who is identified or reasonably identifiable)
  • What personal information your business collects (e.g. name, email, employment history, social media). Businesses should be aware of, and detail, the information collected through websites and apps, such as IP addresses, date and time of website access, location information and cookies.
  • How that information is collected (e.g. directly from the individual, from third parties, from publicly available sources, via cookies)
  • Why that information is collected (e.g. for the provision of products/services, marketing, personalisation etc.).

Collection and use of sensitive information: Define sensitive information (information about an individual’s racial or ethnic origin, political opinions or association, religious beliefs, sexual orientation, membership of a trade or professional association, criminal record, or health information). State that sensitive information will only be collected with the individual’s consent and used only for the purpose for which it was collected.

Disclosure of personal and sensitive information: Describe when, why and to whom personal information may be disclosed (e.g. contractors, marketers, analytics providers such as Google Analytics, or authorities/courts as required by law). You should state whether information may be disclosed overseas and what that means for how the information is protected. Focus on the disclosures most likely to be of concern to the individuals affected.

Storage/Security of personal information: State how personal information is stored and protected (e.g. encryption, access controls) and for how long the information is kept. This includes whether the personal information of individuals is combined in a single file or stored separately. Detail if and when the information is de-identified.

Access to and correction of personal information: This part should detail individuals’ rights to access the personal information the business holds about them and to request that it be corrected or updated.

Enquiries and complaints: Detail the enquiry and complaint process, as well as the further steps available where a party is unsatisfied with the outcome of an enquiry or complaint (e.g. first to an external dispute resolution scheme, then to the Office of the Australian Information Commissioner). Give a generic phone number and email address rather than a particular staff member’s, so the contact details do not change with staff turnover.

Review of privacy policy: A statement of the business’ commitment to keeping the privacy policy up to date and to publishing any changes to it through specified channels (e.g. on its website).

General tips:

  • Start by having a detailed understanding of the personal information collected, held and used by your business
  • Keep the language clear and simple – don’t write with legal jargon, it should be easily understandable
  • Tailor the policy to your business and its audience
  • Consider creative ways of communicating your policy that will appeal to your customers/clients
  • You may have a summary of the policy on your website which links to the detailed policy
  • Zoom in on aspects which will likely be of concern to your customers/clients
  • Make sure the privacy policy is free and easily available 


A privacy policy is meant to be tailored to your business and its particular collection, use, storage and disclosure of personal information. Businesses with an annual turnover of more than $3 million (as well as some others) are legally obliged to have a privacy policy. If your business has customers/clients outside Australia, you also need to consider the privacy laws of those countries.

If you need assistance drafting a Privacy Policy, get in touch with us via the contact form or by calling 1300 337 997.

About Brigid Nelmes

Brigid is a legal intern at OpenLegal, working with our legal content team. She is currently completing her Bachelor of Laws and Bachelor of Arts (International Studies) at the University of Technology Sydney. Her interests are in digital/privacy and startup law.

About Philip Evangelou

Phil is a director at OpenLegal. He has over 16 years’ experience working in private practice and as in-house counsel in Sydney and London, giving him expertise in employment law, IP, finance, leases, dispute resolution, insurance and contracts.