Privacy Policy for Website or Mobile Application

If a website or application collects and/or uses information from users for a benefit, service or advantage, then Australian law requires the owner of the website or application to have a privacy policy which explains how users' information is going to be collected, stored and used.

The privacy policy should outline:

- which personal information is being collected
- if and how cookies are used
- how the information will be used
- how the information will be protected
- the fact that data transmitted via the internet may not be secure, and that the website owner disclaims liability in this regard
- how to unsubscribe from email lists
- how to lodge a complaint
- how to contact the owner of the website or application
- if the site/application may be used by children, what information will be collected, and how parental controls work
- how to update personal information and preferences
- how third party advertisements may be used
- what information may go to third parties

Some industries have additional privacy rules. These are discussed in the "Applicable law" section below.

A privacy policy is one of several documents which are required for businesses using a website and/or mobile application. In addition to a privacy policy, online businesses are required to have terms and conditions for use of the website or application. If the business is selling goods or services, then it will also require a set of terms and conditions for sale of goods, or terms and conditions for sale of services respectively. We have each of these documents available for purchase separately, although business owners are free to organise them however they like.

How to use this document

Privacy law is complex and having an up to date privacy policy is not the end of the website or application owner's responsibility. In order to comply with Australian privacy law, the owner will then need to actually do what the privacy policy says they are going to do. Owners of websites or applications may find useful information and guidance on the website of the Office of the Australian Information Commissioner.

Therefore, before preparing this document, the owner may need to consult various people or departments within their organisation, in order to determine how best to deal with privacy. Once the privacy policy has been prepared, the owner may also need to educate various people within the organisation about the terms of the policy. Procedures may need to be set in place to ensure that privacy obligations are met.

For example, in connection with the privacy policy, the owner needs to provide contact details to be included in the document. The owner will need to monitor those communication channels (such as email addresses).

Once it has been prepared, the Privacy Policy needs to be published on the website or application and needs to be made freely available for users.

If the owner has not already organised terms and conditions for use of a website or mobile application, or terms and conditions for the sale of goods or for sale of services (if applicable), then these may also need to be purchased.

Applicable law

The primary legislation in relation to privacy law in Australia is the Commonwealth Privacy Act 1988. This has been amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 also sets out a set of Australian Privacy Principles which apply to Australian organisations and provide guidance as to what should be included in a privacy policy. Further information about the Australian Privacy Principles is available via the Office of the Australian Information Commissioner.

Other relevant laws include the Privacy Regulation 2013, and the Privacy (Credit Reporting) Code 2014. A number of industries also have additional privacy rules. For example, specific laws may impose additional privacy requirements in relation to:

- email marketing
- telemarketing
- surveillance
- telecommunications
- criminal records
- data matching
- anti-money laundering
- health records, Medicare, the pharmaceutical benefits scheme, or the eHealth system
- biometric information
- the Personal Property Securities Register
- credit reporting
- financial services
- children
- tax file numbers
- information relating to racial or ethnic origin
- information relating to political opinions
- membership of a political association, professional or trade association or trade union
- religious beliefs or affiliations
- philosophical beliefs
- sexual orientation or practices

This privacy policy satisfies basic requirements of the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012 but does not contemplate the full range of specific privacy matters that may apply in some situations (including those additional matters that may arise under the other privacy laws listed above).

As of 25 May 2018, the European Union General Data Protection Regulation (GDPR) contains new data protection requirements that may apply to Australian businesses.

Australian businesses (regardless of size) may need to comply with the GDPR if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

This privacy policy does not deal with the GDPR. It is only designed for compliance under Australian law. We have a GDPR compliant policy (which operates under UK law rather than Australian law), available on our UK site.

Further information about how the GDPR may affect Australian businesses is available through the Office of the Australian Information Commissioner.

How to modify the template

You fill out a form. The document is created before your eyes as you respond to the questions.

At the end, you receive it in Word and PDF formats. You can modify it and reuse it.