Rules Mate

APP 1.3 — what an APP entity's privacy policy must contain in 2026

The minimum content requirements for an Australian Privacy Principle entity's privacy policy under APP 1.3, including 2026 expansion items.

Rules Mate Editorial · Published 1 June 2026 · 2 min read

What APP 1.3 requires

Australian Privacy Principle 1.3 of Schedule 1 to the Privacy Act 1988 (Cth) mandates that APP entities maintain a privacy policy. This policy must be clearly expressed and kept up-to-date.

The privacy policy must describe the kinds of personal information the entity collects and holds (APP 1.4(a)) and how it collects and holds that information (APP 1.4(b)).

It must also state the purposes for which the entity collects, holds, uses and discloses personal information (APP 1.4(c)).

Access, correction and complaints

An APP entity's privacy policy must explain how an individual may access the personal information the entity holds about them and seek correction of that information (APP 1.4(d)). The policy should set out the practical steps an individual takes to exercise these rights, for example who to contact and what the entity needs in order to verify identity.

The policy must also explain how an individual may complain about a breach of the APPs, or of a registered APP code that binds the entity (APP 1.4(e)). In practice this means giving the contact details of the person or team that handles privacy complaints.

Finally, the policy must describe how the entity will deal with such a complaint, including how it investigates and resolves it. Note that APP 1.3 itself only imposes the obligation to have a clearly expressed and up-to-date policy; every content item in this section and the previous one is listed in APP 1.4.

Overseas disclosures

An APP entity's privacy policy must state whether the entity is likely to disclose personal information to overseas recipients (APP 1.4(f)).

Where it is practicable to do so, the policy must also specify the countries in which those overseas recipients are likely to be located (APP 1.4(g)). "Practicable" acknowledges that identifying every potential recipient location is not always possible, for example where a cloud provider may serve data from several regions.

Disclosing the likelihood of overseas disclosure in the policy is only a transparency obligation. The substantive obligation sits in APP 8 (cross-border disclosure of personal information), which requires an entity, before disclosing personal information to an overseas recipient, to take reasonable steps to ensure the recipient does not breach the APPs in relation to that information, subject to the exceptions in APP 8.2.

2026 expansion — ADM and statutory tort context

The Privacy and Other Legislation Amendment Act 2024 (Cth), which received Royal Assent on 10 December 2024, added new APP 1.7 to 1.9 on automated decision-making. From 10 December 2026, an APP entity that has arranged for a computer program to make a decision, or to do a thing substantially and directly related to making a decision, using personal information about an individual, where the decision could reasonably be expected to significantly affect the rights or interests of an individual, must include in its privacy policy the kinds of personal information used in the operation of those programs, the kinds of decisions made solely by them, and the kinds of decisions to which they substantially and directly contribute.

This information is what makes an entity's use of ADM visible to the individuals it affects. A policy that omits or misdescribes ADM practices will not satisfy APP 1.7 once it commences, and the mismatch between the policy and actual practice is itself a compliance finding the OAIC can act on.

The statutory tort of serious invasions of privacy commenced on 10 June 2025. It is a separate cause of action and does not turn on the content of a privacy policy, but it raises the cost of handling personal information in ways an individual would not expect, and a policy that does not reflect actual data handling practices offers no protection in that situation. Entities should ensure their policies are current and match what they actually do.

Frequently asked

Does my privacy policy need to be on my website?

Not strictly, but in practice yes. APP 1.5 requires the entity to take reasonable steps to make the policy available free of charge and in an appropriate form, and the note to APP 1.5 records that an entity will usually do this on its website. Separately, APP 1.6 requires that if a person or body asks for a copy in a particular form, the entity take reasonable steps to provide it in that form.

How often should we review our privacy policy?

There is no fixed cadence in the APPs, but APP 1.3 itself requires the policy to be up-to-date, and the OAIC's APP Guidelines expect entities to review and update it regularly. A common practice is an annual review plus a review after any material change in what is collected, how it is handled, or who it is disclosed to (including new overseas recipients or new automated decision-making).
