Does My Small Business Need a Privacy Policy?
Find out about privacy policies and whether your business needs one

What is a privacy policy?

A privacy policy is a statement, which may be legally binding, outlining how a business will handle any personal information provided to it by or on behalf of its customers, clients and users. Not only should it outline what information may be collected and how, but also how it will be stored and managed in the future. Privacy policies are often made available to the public as a paper document or are hosted on the business’ website. They are sometimes known as responsible use of data policies.

What is the purpose of a privacy policy?

Privacy policies are created to inform customers, clients and users of the types of information your business may collect and how you intend to keep their personal details secure. The personal information that your business collects could range from names, emails and phone numbers to payment details, medical records, biometric information and more. Whatever the type of information collected, your customers, clients and users need to be informed about how their information will be stored and used.

Who needs a privacy policy?

In Australia, a business is generally bound by the Privacy Act 1988 (the Act) and required to have a privacy policy if it collects any form of personal information and has an annual turnover of $3 million or more. Some businesses and organisations are bound by the Act even if they do not meet the $3 million threshold. You can use the Privacy Checklist for Small Business to confirm if your business is covered by the Act. Even if your business is not subject to the Privacy Act, it may still be a good idea to investigate drafting a policy so that your business complies with the Act should your circumstances or the threshold for being bound by it change.

Is a website privacy policy required by law in Australia?

If your business is subject to the Privacy Act and your website collects personal information of any kind, whether that be contact details, payment details, customer addresses or any other sensitive information, you must have a privacy policy. The policy should comply with applicable laws (please consult your legal advisers) and be displayed somewhere on the site that can be easily accessed by its users.

How to write a privacy policy for a small business

Although the details included in a privacy policy may vary depending on the type of activities your business carries out, there are some key components that most policies will feature. These include (without limitation):

  • The name of the business the policy applies to
  • The business’ contact details
  • The contact details of the data protection or privacy officer of the business
  • A description of the type of information the business will collect
  • An outline of the methods used to collect information
  • An outline of how the collected information will be stored
  • An outline of how the collected information will be used, including, if applicable, how it will be shared with relevant third parties
  • A description of how the customer, client or user can access their information, request a correction or ask for their information to be deleted
  • A description of how the customer, client or user can lodge a complaint against the misuse of their information
  • An outline of any changes or amendments that have been made to the policy

Please consult the Guide issued by the Office of the Australian Information Commissioner before preparing your policy. While you may be tempted to copy a privacy policy that’s currently in use by another business, it’s best to create your own document. There may be differences in the way that your business collects and handles information, or the policy you’ve found simply may not adhere to current Australian privacy legislation, leaving your business unwittingly exposed.

Privacy policy templates

To create your own privacy policy, you may choose to consult a lawyer or use an online privacy policy template to get yours started. It’s important to remember that some businesses are legally required to have a privacy policy, so it may be a good idea to have a lawyer prepare your policy for you or review your policy when complete to ensure all state and national legislation is addressed. If your privacy policy does not adhere to the legislation, your business could be fined in the future. Some privacy policy templates to get you started are available from:



Aon has taken care in the production of this document and the information contained in it has been obtained from sources that Aon believes to be reliable. Aon does not make any representation as to the accuracy of the information received from third parties and is unable to accept liability for any loss incurred by anyone who relies on it. The recipient of this document is responsible for their use of it.