Drafting a privacy policy


This information sheet is designed to provide general guidance to organisations that are bound by the Privacy and Data Protection Act 2014 (PDPA) – that is, Victorian public sector organisations, including local councils and contracted service providers to Victorian public sector organisations.[1]

The PDPA contains 10 Information Privacy Principles (IPPs) that govern the way that an organisation collects and handles personal information.

Personal information is recorded information or an opinion (whether true or not) about an individual whose identity is apparent or can reasonably be ascertained from the information or the opinion.[2] Examples of personal information include a person’s name, sex, date of birth, address, financial details, marital status and education and employment history. Some personal information is classed as ‘sensitive information’. Sensitive information is information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or a trade union, sexual preferences or practices and criminal record.

This information sheet explains why Victorian public sector organisations must develop a privacy policy.

What is a privacy policy?

A privacy policy is a general statement about how personal information is managed by an organisation. IPP 5.1 states that any organisation must set out in a document clearly expressed policies on its management of personal information. The policy must be made available to anyone who asks for it. IPP 5.2 additionally requires an organisation, if asked, to generally inform people about the sort of personal information it holds and for what purpose, and how it collects, holds, uses and discloses that information.

In addition to meeting the requirements of IPP 5, an organisation’s privacy policy relates to a key object of the PDPA – the responsible and transparent handling of personal information in the Victorian public sector.[3] Creating and maintaining a thorough and up-to-date privacy policy provides a number of benefits to an organisation. It promotes greater confidence in its handling of personal information and assists in deterring the unnecessary collection or unlawful use or disclosure of information.

In some cases, depending on the range and diversity of its core functions, an organisation may need more than one privacy policy, for example to cover the activities of individual business units which have distinct functions. It may be appropriate for an organisation to have a set of policies to cover different types of information or information handling practices. A separate website policy, email monitoring policy or social media policy are examples.

What is the difference between a privacy policy and a collection notice?

There is an important distinction between a privacy policy and a collection notice. Organisations will generally need to produce both. Privacy policies speak to an organisation’s information management practices in a broad sense. Collection notices outline the information handling practices of organisations for a specific purpose (under IPP 1.3). For example, a local council’s privacy policy may be written in light of its functions under the Local Government Act 2004 or the Planning and Environment Act 1987, but a collection notice will need to be provided when personal information is collected for each of the Council’s separate functions. For further information on collection notices, please see CPDP Information Sheet Collection notices.

What should a privacy policy contain?

Typically, preparing to write a privacy policy involves examining the way personal information is gathered and flows through an organisation. While a privacy policy must address the IPPs, it should not simply reproduce them. It should be concise, targeted to the general public, written in plain English and easy to read. A policy should deal with all forms of personal information that an organisation collects, including electronic, telephonic and paper-based collection of information.

At a minimum, a privacy policy should include:

  • the identity of the organisation and how to contact it
  • the organisation’s main functions and the sorts of personal information the organisation generally collects and holds to fulfil those functions
  • how personal information is used and to whom it is routinely disclosed (consider including specific examples)
  • whether collection of personal information is compulsory or optional (including referring to any legislation which authorises the collection, use or disclosure of the information, such as the Local Government Act 2004)
  • how the information is stored securely and access is properly managed
  • how privacy is protected if the information is transferred or stored outside Victoria
  • the date and version reference of the policy.

Although many privacy policies may look similar, given that all Victorian public sector agencies have the same privacy obligations, organisations should take care not to directly replicate another organisation’s policy. As each organisation has its own functions and enabling legislation, and collects information relevant to its needs, its privacy policy should reflect its individual authorising environment and operational practices.

An organisation should ensure that its actual practice accords with its privacy policy. If there is any doubt about compliance with privacy obligations, an internal audit or assessment of practices should be undertaken.

Layering privacy policies

Where appropriate, an organisation may decide to ‘layer’ its privacy policies. For example, a brief outline of the organisation’s privacy policy may be provided on a form, sign or poster, referring to the full privacy policy contained on the organisation’s website or in a brochure. This alerts individuals to the existence of a privacy policy and allows them to seek out further information if they wish. Layered policies may be regarded as compliance with IPP 5.2, which requires an organisation to, on request, let a person know generally about its information handling practices.

Health information

Some organisations may collect and handle health information in addition to other personal information; however, this does not necessarily require two separate privacy policies. The Health Records Act 2001 (HRA) contains Health Privacy Principles (HPPs) that are similar to the IPPs in the PDPA. Organisations may prefer to develop one privacy policy that addresses the principles in both Acts.

It is worth noting that the HRA includes two additional principles that are specific to health information:

  • HPP 10: Transfer or closure of the practice of a health service provider.
  • HPP 11: Making information available to another health service provider.

For more information, contact the Health Services Commissioner.

Publishing a privacy policy

There is no specific requirement under the PDPA to publish a privacy policy, only to make it available to anyone who asks. However, most organisations will find it practical and cost effective to publish it.

Some effective ways to publicise an organisation’s privacy policy include:

  • featuring the privacy policy on the organisation’s website, with appropriate links to more detailed information
  • including a copy of the privacy policy in mail correspondence or providing a web link in emails
  • recording a brief message that telephone callers can opt to hear, or that plays while a caller is on hold
  • placing a privacy policy prominently at an organisation’s reception desk, in a waiting room or meeting area.

When should an organisation review its privacy policy?

An organisation should periodically review its privacy policy, especially where it has been given new functions, has undergone a restructure, or has changed its practices. If an organisation begins to collect more information or uses or discloses information in new ways, this should be immediately reflected in the organisation’s privacy policy.


Commissioner for Privacy and Data Protection

Level 6, 121 Exhibition Street

PO Box 24274

Melbourne Victoria 3001

Telephone: 1300 666 444 Website: www.cpdp.vic.gov.au

Health Services Commissioner

Level 26, 570 Bourke Street

Melbourne Victoria 3000

Telephone: 1300 582 113 Website: www.health.vic.gov.au


[1] A contracted service provider is a person or body who provides services under a State contract: Privacy and Data Protection Act 2014, s3.

[2] Privacy and Data Protection Act 2014, s3.

[3] Privacy and Data Protection Act 2014, s5(d).


Please note that the contents of this information sheet are for general information purposes only, and should not be relied upon as legal advice. CPDP does not guarantee or accept legal liability whatsoever arising from, or connected to the accuracy and reliability of the contents of this document. We encourage your organisation to obtain independent legal advice as necessary.