Reading time: 4 minutes

The Office of the Australian Information Commissioner (OAIC) recommends that Australian Privacy Principle (APP) entities put a privacy management plan in place. If your business is an APP entity, this plan will help you to meet your obligations under the APPs and broader privacy law requirements. In this article, we look at:

  • how you can comply with the APPs; and 
  • what to include in your privacy management plan.

The Legal Background

Certain businesses are legally required to comply with the APPs. These are called APP entities and include any business that:

  • has an annual turnover of more than $3 million;
  • provides health services; or
  • buys, sells or otherwise trades in personal information.

Even if your business does not meet any of these criteria, it is best practice to comply with the APPs. Creating a strong privacy policy helps to ensure a good relationship with clients and minimise privacy complaints.

APP entities need to clearly and transparently manage personal information. The OAIC has outlined four steps your business can take to comply with these guidelines. 

Step 1: Embed 

Creating a culture of privacy compliance within your organisation encourages team members to take responsibility for the businesses’ privacy obligations. This includes:

  • implementing a privacy management plan that aligns with your businesses’ privacy obligations and processes;
  • training your team about the importance of privacy and ensuring senior management is informed of any developments to the law; and
  • assigning responsibility to team members so that it’s clear who is accountable for privacy, such as appointing a privacy officer

Step 2: Establish

Your business must implement procedures and practices for dealing with private information, including:

  • privacy policy, which should tell website visitors what personal information you collect and how you use it;
  • ensure that the way you collect and handle the data of customers and employees complies with the APPs; and 
  • create a data breach response plan to ensure that you have a strategy in place if a breach occurs. 

Step 3: Evaluate

The plan should be subject to ongoing evaluation, involving:

  • a regular review of your privacy management plan to monitor compliance and relevance; and
  • feedback from customers and employees on your processes.

Step 4: Enhance

Your business should seek to amend and improve its processes to increase privacy and data security, by:

  • continually updating your privacy management plan, privacy policy and processes to account for changes to the law or your business; and
  • accounting for the privacy implications of new technologies and software. 

What to Include in Your Privacy Management Plan

Your plan should outline the measures that your business will put in place to comply with the APPs. In other words, it should include your goals to avoid a data breach and build a culture of privacy compliance within your organisation.

Depending on the size and nature of your business, your plan may include: 

  • your commitment to transparently manage personal information;
  • the contact information of the person responsible for your business’ privacy processes;
  • your internal processes for educating your team of recent privacy developments; 
  • the actions your business will take if there is a data breach; 
  • mechanisms that allow for feedback from both your clients and your team; and
  • your plans to continually monitor potential security threats. 

Your privacy management plan differs from your privacy policy, which is a document that informs website visitors what information you collect and how you will handle that information. A privacy policy is just one of many action points you will need to put in place when implementing your plan. 

Key Takeaways

Although your business is not legally required to have a plan, it is best practice to encourage customers’ and employees’ confidence in your processes. The OAIC has published a template privacy management plan, which you can adapt to your business. This includes the four essential steps of a plan: 

  • embed;
  • establish;
  • evaluate; and
  • enhance. 

If you are looking for advice on your privacy obligations or for a team of experts to draft and review your privacy management plan, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page. 


Redundancies and Restructuring: Understanding Your Employer Obligations

Thursday 7 July | 11:00 - 11:45am

If you plan on making a role redundant, it is crucial that you understand your employer obligations. Our free webinar will explain.
Register Now

How to Sponsor Foreign Workers For Your Tech Business

Wednesday 13 July | 11:00 - 11:45am

Need web3 talent for your tech business? Consider sponsoring workers from overseas. Join our free webinar to learn more.
Register Now

Advertising 101: Social Media, Influencers and the Law

Thursday 21 July | 11:00 - 11:45am

Learn how to promote your business on social media without breaking the law. Register for our free webinar today.
Register Now

Structuring for Certainty in Uncertain Times

Tuesday 26 July | 12:00 - 12:45pm

Learn how to structure to weather storm and ensure you can take advantage of the “green shoots” opportunities arising on the other side of a recession.
Register Now

Playing for the Prize: How to Run Trade Promotions

Thursday 28 July | 11:00 - 11:45am

Running a promotion with a prize? Your business has specific trade promotion obligations. Join our free webinar to learn more.
Register Now

Web3 Essentials: Understanding SAFT Agreements

Tuesday 2 August | 11:00 - 11:45am

Learn how SAFT Agreements can help your Web3 business when raising capital. Register today for our free webinar.
Register Now

Understanding Your Annual Franchise Update Obligations

Wednesday 3 August | 11:00 - 11:45am

Franchisors must meet annual reporting obligations each October. Understand your legal requirements by registering for our free webinar today.
Register Now

Legal Essentials for Product Manufacturers

Thursday 11 August | 11:00 - 11:45am

As a product manufacturer, do you know your legal obligations if there is a product recall? Join our free webinar to learn more.
Register Now

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Jessica Anderson
Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2020 Innovation Award 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Award 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Financial Times Award 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year Award 2021 Law Firm of the Year - Australasian Law Awards
  • 2022 Law Firm of the Year Winner 2022 Law Firm of the Year - Australasian Law Awards