How to Write a Better Privacy Policy: Best Practices for Privacy Policies

Published 26 Mar 2022

Australia’s Privacy Act 1988 requires APP entities to have a clear and up-to-date privacy policy in place. While some organisations are required to have privacy policies, others choose to create one to access the benefits that come with transparency and strong data handling practices. These documents aren’t all created equal, however – some are clearer and more concise than others. In this post, we’ll outline privacy policy best practices and information about what yours must include.

How to Write an APP-friendly Privacy Policy 

Your privacy policy should explain in simple language how your organisation handles the personal information it collects and stores. The requirements for privacy policies are set out in APP 1.  

Broadly, APP 1 introduces the requirement for APP entities to implement open and transparent management of personal information. An element of this is that APP entities have an up-to-date privacy policy.  

APP 1 requires that privacy policies include:  

  • The organisation’s name and contact details. 
  • What kinds of personal information are being collected and stored. 
  • How personal information is collected and where it is stored. 
  • Why personal information is collected.  
  • How the personal information will be used or disclosed. 
  • How individuals can access their personal information, or ask for a correction. 
  • How to lodge a complaint. 
  • Whether the organisation is likely to disclose personal information outside Australia and, if practical, which countries it is likely to disclose the information to. 

Privacy Policy Best Practices in Australia 

Here are some privacy policy best practices to help you draft a compliant, helpful, and trust-inspiring privacy policy: 

Develop your privacy policy after mapping your data flows 

Data mapping shows the journey of an organisation’s data from collection to destruction or de-identification, and all the steps in between. Engaging in data mapping before you write your privacy policy is the best way to ensure you accurately reflect your data handling in it.  

Write your privacy policy with your audience in mind 

Your audience is unlikely to be comprised of lawyers and privacy professionals. The language you use in the privacy policy must reflect this to comply with the Privacy Act and to improve trust.  

We understand that it’s not possible to avoid jargon entirely. Your privacy policy is likely to use industry jargon like cookies, IP addresses, HTML5, data controller, and so on. Whenever you use a technical term or legal or industry jargon, you should include a hyperlink to either an external webpage defining the term (in clear, simple language) or an FAQ or Glossary page on your website.  

Format the privacy policy in a way that promotes clarity 

The way an organisation’s privacy policy is formatted and designed impacts how clear it is to readers. You should ensure the way your privacy policy looks and the way it’s formatted promote clarity.  

The OAIC highlights that many organisations include the following headings: 

  • Scope — describes what the policy applies to 
  • Collection of personal information — provides the key information about what personal information is collected and why. Focus on areas that are most sensitive or that the reader would least expect 
  • Disclosure (sharing) — describes the key disclosures and the conditions around those disclosures. This is a good place to mention overseas disclosures. Disclosures of personal information are usually the most important to individuals, but unexpected uses could be mentioned too 
  • Rights and choices — describes any key choices that individuals can make, including the right to request access and correction of personal information held about them 
  • How to make a complaint — briefly describes how to make a complaint about privacy and what to do if they are not satisfied with the outcome 
  • Contact details — including (at least) a generic telephone and email address that won’t change with personnel. 


Quick Drafting Tips to Improve Clarity in Your Privacy Policy 

  • Use short sentences of 20 words or less.  
  • Use the active voice.  
  • Break text up into paragraphs of 3-4 sentences, or fewer.  
  • Use clear headings. 
  • Number paragraphs under headings.  
  • Use a table of contents.  
  • Avoid acronyms.  
  • Avoid unnecessary synonyms.  
  • Aim for a Flesch Readability Score of 60 or higher. The Microsoft Editor has this functionality built in.  

View the OAIC’s guidance on drafting privacy policies for more information. 

While updates to your organisation’s privacy policy may not lead to an exodus of customers (as the WhatsApp update did), it’s important to get it right. If you don’t, you risk damage to your reputation and potential compliance issues.  

Don’t hesitate to reach out for guidance on developing your organisation’s privacy policy. Or, if you’re reading this article as a privacy professional, consider joining one of our upcoming CIPM training courses. 
