5 Steps to Ensure Your Privacy Policies are Effective

Our earlier article about Flight Centre’s 2017 privacy breach and OAIC investigation received quite a bit of interest. We’ve written this article as a follow up to outline how your business can ensure your privacy policies are effective.  

Privacy Policy Definition 

A privacy policy is a statement that explains how an organisation handles personal information. The statement should be written in clear, concise language. It should be formatted in a way that is easy to understand.  

As outlined by the OAICan organisation’s privacy policy must outline:  

  • The organisation’s name and contact details; 
  • The personal information they collect and store; 
  • How personal information is collected and where it is stored; 
  • Why it collects personal information; 
  • How it uses and discloses personal information; 
  • How you can access or correct your personal information. 
  • How you can lodge a complaint and how that complaint will be handled; and  
  • Whether it will disclose your information outside Australia and, if practical, where.  

A privacy policy isn’t a mechanism for gaining consent and it won’t usually outline specific processes or procedures relating to internal privacy hygiene. Instead, it’s a transparency measure – and a promise from an organisation to the individuals whose personal data is collected. This means that a privacy policy alone is not sufficient to protect the data held by an organisation. It’s just part of the puzzle.  

Effective Privacy Policies and the Boral Case: What a sexual harassment lawsuit can teach us about privacy.  

Von Schoeler v Allen Taylor and Company Ltd Trading as Boral Timber [No 2] (the Boral case considered when a company might be responsible for an employee illegally engaging in sexual harassment. The judgement outlined reasonable steps to be taken by employers to promote employee compliance with internal policies and processes.  

The Boral case judgement notes that employers often rely on training and internal policies when defending their actions. However, the judges in the Boral case determined that policies and training should act as a deterrent, by outlining the effects of the unlawful actions on the victim, as well as the consequences for both individual employees and for the company.  


Male employer wearing a white jumper showing a female employee a laptop in a workplace


5 Steps to Ensure Your Privacy Policies are Effective 

These 5 steps to ensure your privacy policies are effective are based on the Boral case judgement and the OAIC’s findings in the Flight Centre breach investigation.  

1. Your privacy policy must be clear – and clearly understood.  

It’s essential that your privacy policy is clear and easily accessible to your customers and your staff. Your staff should be aware of your privacy policies, as well as the practical implications of the policies. In practice, the privacy policy should be accompanied by helpful guidance that outlines company processes for collecting, using, storing, accessing, correcting, and deleting personal data.  

2. You must monitor compliance once policies are in place.  

Your team must understand that in order to be effective, policies need to be monitored and enforced. Policies shouldn’t be considered a standard to aspire to – or something to achieve if time or resources allow. Consumer trust is paramount and, if lost, it can be difficult to regain.  

3. Reduce human error by conveying the seriousness of a privacy breach. 

Without an adequate understanding of the consequences of a privacy breach, your employees may be more reckless with personal data. Your internal policies and processes should explicitly outline the importance of maintaining the personal privacy of staff and consumers. Consequences for staff who don’t demonstrate adequate privacy hygiene should also be made clear.  

4. Review and update your privacy policies and practices regularly.  

By regularly monitoring compliance, it’s likely that you’ll regularly identify areas for improvement. You should make a habit of routinely updating your existing privacy policies and practices. Additional updates should always be scheduled if you begin collecting or using personal data in a new way.  

5. Training is key when establishing effective privacy policies.  

The Flight Centre breach exposed serious deficiencies in its staff’s comprehension of data privacy. Credit card details and other personal information were stored in a manner contrary to company policy, resulting in a significant breach. The incidence of retention of these credit card details would have been reduced, or even eliminated, had employees been aware of the privacy implications. Training is essential in promoting employee comprehension of personal privacy and in reducing the incidence of human error.  

Workplace Privacy Training with Privacy108 

Privacy108 is a leading Australian privacy consultancy firm. Our workplace privacy training addresses:  

  • Why your employees should care about privacy,  
  • Why privacy is valuable,  
  • The potential consequences of failing to protect privacy, as well as  
  • Practical examples that demonstrate when privacy breaches may occur and how to prevent them. 

Reach out for an obligation-free discussion about how Privacy108 can uplift your organisation’s privacy maturity. 


  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.