Developing a privacy compliance program

The functions of a compliance program are to develop an organisation's privacy practices and help that organisation defend a complaint made to the Australian Information Commissioner.

The information on this page will help private sector organisations meet their obligations under the Privacy Act 1988 (Cth) (the Act).

If an organisation needs to comply it can choose to:

  • become bound by an approved industry code
  • apply to have its own code under the Act approved by the Australian Information Commissioner 
  • be bound by the Australian Privacy Principles (APPs).

Get started on your privacy policy

Use this privacy policy checklist to create your organisation's policy.

Nominate a privacy officer

Depending on the size of your organisation, you should consider nominating a staff member to act as a privacy officer. The privacy officer should be given clear authority to:

  • undertake a privacy review of existing systems to ascertain how the organisation uses personal information 
  • direct and implement a privacy strategy 
  • establish systems to ensure compliance with the new legislation 
  • maintain the privacy compliance system. 

Know the Australian Privacy Principles guidelines (APPS)

Be familiar with the APPS to understand the ways they’re likely to affect your organisation’s business practices.

Conduct a privacy review

You should carry out a privacy review to assess:

  • the type of information your organisation collects and keeps
  • how your organisation uses such information and with whom it shares such information (if at all).

The review should be in the form of a comprehensive questionnaire and at a minimum should address the following questions.

  • What personal information has been and will be collected and from whom? This question needs to be answered in two parts relating to personal information and sensitive information.
  • How is personal information collected? How this information in should be taken into account, for example: standard forms, surveys, mail, emails, call centres.
  • What is the reason for collecting personal information?
  • What are the functions or activities carried out by your business? Does the information collected relate to one of these functions or activities?
  • Who accesses and uses the personal information? (Within the organisation and third parties).
  • How is the personal information stored and disposed?
  • How can the personal information be accessed?
  • Who has access to what information?
  • What information is disclosed to third parties? (For example: mailing houses, business partners).
  • What consents are in place for use or disclosure of personal information collected?
  • How accurate and up to date is the information? (This will involve an assessment of what procedures there are to update information or delete irrelevant information and to ensure accurate date recording).
  • How are complaints handled?
  • Do you send or transmit information overseas or to related companies?
  • How can individuals access personal information that the business holds about them? And how can they correct this information?
  • How can individuals complain to the business about a breach of the Australian Privacy Principles and how will your business deal with such a complaint?
  • Does your business disclose personal information to overseas recipients?
  • Is your business likely to disclose personal information to overseas recipients – the countries in which such recipients are likely to be located (if it is practicable to specify those countries).

Implement a privacy compliance program

You should prepare a privacy compliance manual to minimise your exposure to privacy compliance risks. Consider the following three step process.

  1. Identify – privacy compliance issues which have been highlighted in the review. The privacy officer and senior management in consultation with lawyers should take responsibility for planning. 
  2. Implement – educate staff about their responsibilities for security and information management. 
  3. Maintain – update the contents of the manual according to changes in business practices law, regulation and industry codes and practices. Retrain and refresh staff in relation to their responsibilities. Undertake audits at regular intervals. 

Develop a privacy statement and policy

An organisation which is subject to the Act is required to develop a privacy policy which sets out clearly its approach on the management of personal information.

The policy is required to be made publicly available, free of charge.  The website is a good place to do that, although hard copies should also be available.

A business’ privacy policy must disclose:

  • the kinds of personal information it collects and holds
  • how it collects and holds personal information
  • the purposes for which it collects, holds, uses and discloses personal information
  • how an individual may access personal information about them that the business holds, and seek the correction of such information
  • how an individual may complain to the business about a breach of the APPs and how the business will deal with such a complaint;
  • whether the business is likely to disclose personal information to overseas recipients
  • if the business is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located (if it is practicable to specify those countries).

Develop privacy procedures

Your business must take reasonable steps to protect the personal information it holds from misuse and loss from unauthorised access, modification or disclosure. 

You must have procedures in place: 

  • to ensure data is removed, destroyed or cleared once it is no longer required 
  • for access request to records handling policy 
  • to handle complaints or incidents regarding breaches of privacy - a key means of achieving privacy compliance is the inclusion of appropriate provision
  • the government of information handling issues like security and confidentiality of personal information in contracts for service providers (two key areas identified by the Privacy Commissioner include cleaning services and counselling services).

For complaints handling you should:

  • train staff about your privacy policy and guidelines
  • monitor ongoing privacy procedures to ensure compliance
  • consider the need for external legal advice. 

Guidelines to support your privacy policy

Specific procedures that support the privacy policy include guidelines on:

  • the management of mailing lists 
  • the collection, management and use of contact lists 
  • provisions to include in contracts with consultants and suppliers including outsourcing where personal information may be handled 
  • the management of personal information access requests 
  • use of sensitive information 
  • conducting security reviews of current practices or procedures 
  • storing forms used to collect personal information (e.g. they’re not to be left in correspondence trays overnight) 
  • use of paper shredders for daily waste 
  • positioning computer screens at enquiry counters away from the public 
  • password protected computers and screen savers 
  • short time frames for activation of screen savers 
  • regular password changes 
  • restricted access to data by key staff only 
  • anti-virus software used for computers 
  • computer backup tapes to be stored securely away from the location of the relevant computer system 
  • removal of access rights for employees who leave the organisation 
  • internet and email usage policy distributed to staff.

Information and resources about privacy policies

CPA Australia has made every effort to ensure that, at the date of publication, the information contained on this page is free from errors and omissions.

The information and recommendations contained within it are considered to be consistent with the law and applicable guidelines at the time of publication. However, they do not constitute legal advice. This information is not intended to be comprehensive. Members concerned about their legal rights and obligations in relation to federal, state or territory privacy legislation may wish to seek their own independent legal advice.