Privacy Policies, Consent Forms and Collection Notices

07 DEC 2018


Privacy Policies

Organisations that are regulated by the Privacy Act 1988 (Cth) include:

  1. Australian government agencies;
  2. businesses and non-profits with an annual turnover of more than $3 million;
  3. private sector health service providers; and
  4. contracted service providers to Australian government agencies.

These organisations must comply with the thirteen (13) Australian Privacy Principles (APPs). The APPs create obligations across the entire life cycle of personal information, from how, when and whether personal information can be collected, through restrictions on its use and disclosure, to its eventual disposal.

APP 1 is known as the Accountability principle, and it requires organisations to have a privacy policy, which must be ‘clearly expressed and up-to-date’ and be made publicly available.

Under APP 1, a privacy policy must explain, in plain language:

  1. the general types or categories of personal information that the organisation collects and holds;
  2. the purposes for which personal information is used or disclosed;
  3. whether the organisation is likely to disclose personal information to overseas recipients;
  4. how an individual may access, or seek correction of, the personal information held about them; and
  5. how an individual may complain about a breach of privacy, and how the organisation will deal with their complaint.

The guidance from the Privacy Commissioner is that a privacy policy should avoid ‘jargon, legalistic and in-house terms’, be easy to navigate, and ‘only include information that is relevant to the management of personal information’.

There is no requirement on organisations to make their customers read, acknowledge, agree to or consent to a privacy policy. The policy must simply exist and be easily found, including on an organisation’s website.

Consent Forms

An organisation might need to seek a customer’s consent in certain circumstances, including:

  1. when collecting certain categories of personal information known as ‘sensitive information’, such as a person’s religion, ethnicity or sexuality; or
  2. when planning to use or disclose personal information for a purpose unrelated to the purpose for which it was collected, and no other law or exemption requires or allows that use or disclosure.

When consent is needed, a privacy policy will not suffice. This is because, in order to rely on a person’s consent as the lawful basis for the collection, use or disclosure of their personal information, that consent must meet certain requirements to be considered valid.

Consent cannot be bundled into standard Terms and Conditions, and it cannot be made a condition of doing business with an organisation. Consent cannot be inferred from a purchase, from browsing a website, or from a consent statement presented within a privacy policy.

If you require assistance in respect to your contractual arrangements and commercial related matters, contact our Business Law Accredited Specialists and Partners, Justin Thornton at or Rahul Lachman at or on (02) 4626 5077.

The contents of this publication are for reference purposes only. This publication does not constitute legal advice and should not be relied upon as legal advice. Specific legal advice should always be sought separately before taking any action based on this publication.
