Important note
This information is part of our broader privacy program. You can learn more in our Privacy Program overview.
The privacy policy is the public face of your privacy compliance program.
APP 1 requires every APP entity to have a clearly expressed and up-to-date privacy policy that explains how it manages personal information.[1] This section explains how to develop and maintain your privacy policy using the Privacy policy template (linked below).
Important: The Privacy Policy needs careful review. It must both guide and reflect your actual processes, and it should not bind your firm to deal with all personal information as if it were regulated personal information unless this is a considered decision.
[1] Australian Privacy Principle 1.3.
Purpose and mandatory elements
The privacy policy serves two key functions: it informs individuals about how you handle their personal information, and it guides your internal procedures. The policy must be made available free of charge in an appropriate form — for most law firms, this means publishing it on your website. Drafting hint: do not mix in information that is better contained in a Retainer Agreement.
APP 1.4 specifies six mandatory content requirements for privacy policies:[2]
[2] Australian Privacy Principle 1.4.
# | Required Content (APP 1.4) |
--- | --- |
(a) | Kinds of personal information collected and held |
(b) | How personal information is collected and held |
(c) | Purposes of collection, holding, use and disclosure |
(d) | How to access personal information and seek correction |
(e) | How to complain and how complaints will be handled |
(f) | Likely overseas disclosures and countries involved |
From 10 December 2026, an additional requirement will apply: if the entity uses substantially automated systems to make decisions that could significantly affect individuals' rights or interests, this must be disclosed in the privacy policy.[3]
[3] Privacy and Other Legislation Amendment Act 2024 (Cth), Schedule 1, item 17, inserting new APP 1.4(fa), commencing 10 December 2026.
Using the Privacy Policy Template
The Privacy Policy Template provides a privacy policy drafted specifically for small law firms providing designated services. Drafting notes are contained in blue panels. These should be deleted prior to publication.
The template includes content relevant to most small law firms providing designated services. However, the Privacy Policy must be a living document. It must reflect actual practice and be the starting point for how your firm actually deals with regulated information.
It must be drafted with clarity in mind. For that reason, it is “layered”: the initial paragraph gives a simple overview, with room for more specific detail [long form additions] where applicable.
Review each section to ensure it accurately reflects your firm's practices.
Publication and accessibility
Once finalised, your privacy policy must be made available in an appropriate form, free of charge.[4] The OAIC recommends:[5]
- Publish the full policy on your website, with a clear link from the homepage;
- Make a copy available at your office for anyone who requests it;
- Be prepared to provide the policy in alternative formats (e.g., large print) if requested;
- Reference the policy in engagement letters and collection notices.
[4] Australian Privacy Principle 1.5 (policy must be available free of charge and in an appropriate form).
[5] OAIC, Guide to developing an APP privacy policy (September 2024), Part 3: Making your APP privacy policy available.
Keeping the policy current
The privacy policy must be 'up to date'. This requires periodic review and updating whenever there are material changes to your information handling practices.[6]
Events that might trigger a policy review include:
- Changes to the types of personal information collected;
- Changes to the purposes for which information is used;
- Engagement of new service providers who will access personal information;
- Changes to overseas disclosure practices (new countries, new service providers);
- Introduction of new technologies (AI tools, new software systems);
- Changes to privacy legislation or OAIC guidance;
- Annual review (as a minimum).
[6] OAIC, Chapter 1: APP 1 — Open and transparent management of personal information, APP Guidelines (October 2025), [1.50]-[1.55] (keeping the policy up to date).
Practical tip: version control
Include a version number and date on your privacy policy (the template includes a placeholder for this). When you update the policy, increment the version number and update the date. Keep a copy of superseded versions for your records — they may be relevant if a complaint is made about historical practices.