Contact

5 Steps to Ensure Your Privacy Policies are Effective

Published
22 Apr 2021
Read time
4 min read
Category
Law, Privacy, Privacy Practice

Our earlier article about Flight Centre’s 2017 privacy breach and OAIC investigation received quite a bit of interest. We’ve written this article as a follow up to outline how your business can ensure your privacy policies are effective.  

Privacy Policy Definition 

A privacy policy is a statement that explains how an organisation handles personal information. The statement should be written in clear, concise language. It should be formatted in a way that is easy to understand.  

As outlined by the OAICan organisation’s privacy policy must outline:  

  • The organisation’s name and contact details; 
  • The personal information they collect and store; 
  • How personal information is collected and where it is stored; 
  • Why it collects personal information; 
  • How it uses and discloses personal information; 
  • How you can access or correct your personal information. 
  • How you can lodge a complaint and how that complaint will be handled; and  
  • Whether it will disclose your information outside Australia and, if practical, where.  

A privacy policy isn’t a mechanism for gaining consent and it won’t usually outline specific processes or procedures relating to internal privacy hygiene. Instead, it’s a transparency measure – and a promise from an organisation to the individuals whose personal data is collected. This means that a privacy policy alone is not sufficient to protect the data held by an organisation. It’s just part of the puzzle.  

Effective Privacy Policies and the Boral Case: What a sexual harassment lawsuit can teach us about privacy.  

Von Schoeler v Allen Taylor and Company Ltd Trading as Boral Timber [No 2] (the Boral case considered when a company might be responsible for an employee illegally engaging in sexual harassment. The judgement outlined reasonable steps to be taken by employers to promote employee compliance with internal policies and processes.  

The Boral case judgement notes that employers often rely on training and internal policies when defending their actions. However, the judges in the Boral case determined that policies and training should act as a deterrent, by outlining the effects of the unlawful actions on the victim, as well as the consequences for both individual employees and for the company.  

5 Steps to Ensure Your Privacy Policies are Effective 

These 5 steps to ensure your privacy policies are effective are based on the Boral case judgement and the OAIC’s findings in the Flight Centre breach investigation.  

1. Your privacy policy must be clear – and clearly understood.  

It’s essential that your privacy policy is clear and easily accessible to your customers and your staff. Your staff should be aware of your privacy policies, as well as the practical implications of the policies. In practice, the privacy policy should be accompanied by helpful guidance that outlines company processes for collecting, using, storing, accessing, correcting, and deleting personal data.  

2. You must monitor compliance once policies are in place.  

Your team must understand that in order to be effective, policies need to be monitored and enforced. Policies shouldn’t be considered a standard to aspire to – or something to achieve if time or resources allow. Consumer trust is paramount and, if lost, it can be difficult to regain.  

3. Reduce human error by conveying the seriousness of a privacy breach. 

Without an adequate understanding of the consequences of a privacy breach, your employees may be more reckless with personal data. Your internal policies and processes should explicitly outline the importance of maintaining the personal privacy of staff and consumers. Consequences for staff who don’t demonstrate adequate privacy hygiene should also be made clear.  

4. Review and update your privacy policies and practices regularly.  

By regularly monitoring compliance, it’s likely that you’ll regularly identify areas for improvement. You should make a habit of routinely updating your existing privacy policies and practices. Additional updates should always be scheduled if you begin collecting or using personal data in a new way.  

5. Training is key when establishing effective privacy policies.  

The Flight Centre breach exposed serious deficiencies in its staff’s comprehension of data privacy. Credit card details and other personal information were stored in a manner contrary to company policy, resulting in a significant breach. The incidence of retention of these credit card details would have been reduced, or even eliminated, had employees been aware of the privacy implications. Training is essential in promoting employee comprehension of personal privacy and in reducing the incidence of human error.  

Workplace Privacy Training with Privacy 108 

Privacy 108 is a leading Australian privacy consultancy firm. Our workplace privacy training addresses:  

  • Why your employees should care about privacy,  
  • Why privacy is valuable,  
  • The potential consequences of failing to protect privacy, as well as  
  • Practical examples that demonstrate when privacy breaches may occur and how to prevent them. 

Reach out for an obligation-free discussion about how Privacy 108 can uplift your organisation’s privacy maturity. 

 

Oops! We could not locate your form.

 

Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Jodie Siganto
Privacy, security and training
Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.