Case Study: How we helped a business update an outdated Australian Privacy Policy

A growing business approached SLB Legal to assist them with updating their legal documents. We asked about their privacy policy.

They realised the policy had been in place since the business started over six years ago and had not been thought about since.

But since then, the way the business handled personal information had changed. On top of this, there have also been significant developments in Australian privacy law under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). This meant our client was at risk of non-compliance with Australian privacy laws.

How we helped identify the privacy risks

First, through a series of questions, we worked out what kind of personal information the client used, handled and stored in their business. The client's business had grown and evolved, as had their technology use. It was clear the existing Privacy Policy no longer reflected how the business actually collected, used or disclosed personal information.

With the client's actual use of personal information in mind, we completed a full legal review of their privacy policy to identify compliance gaps with the Privacy Act and APPs.

Key gaps included:

  • failure to meet APP 1 requirements (open and transparent management of personal information), including having an up-to-date and clearly expressed privacy policy which complies with the APPs;
  • no disclosure about overseas personal information and data handling, raising issues under APP 8 (cross-border disclosure of personal information);
  • no information regarding security measures the business takes to protect personal information from disclosure, which was inconsistent with APP 11 (reasonable steps to protect personal information from unauthorised disclosure);
  • outdated and incomplete descriptions of the kinds of personal information collected, the collection practices, the purpose of collection and how the information is used by the business and its third parties, inconsistent with APP 1.4 (required privacy policy content), APP 3 (collection of solicited information) and APP 6 (use or disclosure of personal information);
  • no transparency around the use of third-party computer systems or AI technologies that handle personal information and could involve computer-assisted decision making about an individual (to be captured in updates to APP 1 in December 2026 relating to technology use transparency).

The gaps in this privacy policy created a compliance risk to the business. With the Office of the Australian Information Commissioner (OAIC) announcing a compliance sweep in January, which would specifically assess whether privacy policies meet APP 1.4 requirements, this was a risk that could no longer be ignored by our client.

How we updated the privacy policy to reduce the risk of non-compliance

A thorough update to the privacy policy was required. We drafted amendments and added new items to create a customised privacy policy for our client that: 

  • accurately reflects the client's actual personal information handling and storage practices;
  • clearly explains how personal information is collected, used and disclosed by the business;
  • addresses use of third-party platforms and cross-border personal information use and disclosure practices; 
  • includes transparent information regarding internal use of AI tools and computer-assisted decision making and processing of personal information; and
  • is written in plain English so it is easy for customers to understand while also meeting current OAIC expectations.

The result: less worry about regulator action and legal non-compliance

We delivered a privacy policy that is aligned with current legal requirements and the client's operations.

The updated policy:

  • complies with the APPs and the Privacy Act;
  • aligns with guidance from the OAIC;
  • improves privacy transparency with customers; and
  • reduces the risk of non-compliance and complaints, and positions the business for future privacy law reforms.

The client now has a privacy policy that reflects how their business operates today and is prepared for how privacy regulation is evolving. Our client also gained a better understanding of their privacy requirements under the current and upcoming privacy law reforms.

How long has it been since you had your privacy policy reviewed? 

Privacy policies often get little airtime in a small or medium business. They are created and forgotten about just as quickly. But they must be regularly reviewed and updated to remain compliant. As legal requirements and business practices change, outdated policies can create unnecessary risk. 

With Australia's privacy regulator recently making it clear it will hold businesses to account, that outdated privacy policy can no longer be ignored.

If you have an old privacy policy that has not been reviewed in the last 12 months, get in contact with SLB Legal to review it for your business today.