Privacy & AI Governance Bundle

Complete compliance program — privacy + AI governance before the December deadline

Two regulatory changes are heading your way. The small business exemption is being removed from the Privacy Act — 2.3 million businesses will need to comply. And from 11 December 2026, all APP entities must disclose in their privacy policies when and how they use automated decision-making that could significantly affect individuals. If your business uses AI tools, that means you.

The privacy half of this bundle formalises what you're already doing — documenting your data handling, publishing collection notices, putting security policies in writing. The AI governance half builds what most organisations haven't done yet: acceptable use policies, vendor risk assessments, an AI systems register, and the governance framework you'll need to demonstrate ADM transparency.

25 documents + 5 Excel trackers. Privacy compliance to prove what you're already doing. AI governance to build what you haven't — before the deadline hits.

Two tiers of guidance in the AI documents. Blue boxes provide practical implementation guidance for all organisations. Purple boxes add ISO/IEC 42001, EU AI Act, and NIST AI RMF alignment for mid-market and enterprise. Use what you need — both tiers are included.

Part 1: Privacy, Information Security & Governance (15 Documents)

Privacy Compliance

1. Privacy Policy
Public-facing policy covering all 13 APPs. Ready to publish on your website.
2. Client Collection Notice
APP 5 compliant notice for client onboarding. Provide in engagement letters or intake forms.
3. Employee Collection Notice
Privacy notice for staff and contractors. Include in onboarding materials.
4. Website Collection Notice
Covers contact forms, cookies, analytics, and third-party links.
5. Data Breach Response Plan
Contain, assess, notify, review. Full NDB scheme compliance with post-incident review process.
6. Individual Rights Request Procedure
Access (APP 12) and correction (APP 13) request handling with 30-day timeframes and refusal grounds.
7. Data Retention & Destruction Schedule
Retention periods mapped to legal basis. Destruction methods and annual review process.
8. Privacy Impact Assessment Template
Four-section PIA with pre-populated risk matrix for new projects and systems.

Information Security (APP 11)

9. Information Security Policy
Overarching framework: technical, administrative, and physical controls. ACSC Essential Eight aligned. Links to all supporting policies.
10. Access Control & Password Policy
Least privilege, MFA requirements, 12+ character passphrases, user lifecycle, privileged access, periodic reviews.
11. Acceptable Use of IT Policy
Email, internet, cloud, removable media, printing, social media. Addresses shadow IT and misdirected email risk.
12. Remote Working & BYOD Policy
Home Wi-Fi, VPN, physical workspace, two BYOD options (prohibit or permit with MDM), video conferencing.
13. Data Classification Guide
Four-level scheme (Public, Internal, Confidential, Restricted) with handling rules matrix covering AI tools.

Governance & Monitoring

14. Privacy Management Plan
Internal governance document. Roles, responsibilities, personal information holdings register, compliance framework tracker, training, third-party management, complaints, and annual review. What the OAIC expects under APP 1.2.
15. Compliance Monitoring Guide
Seven quarterly checks and ten annual reviews with instructions and benchmarks. Includes a monitoring log with pre-filled examples. Your evidence that the program is working.

Part 2: AI Governance (10 Documents)

BLUE GUIDANCE — ALL ORGANISATIONS

Practical implementation for SMBs. What each section means, why it matters, how to get it done.

PURPLE GUIDANCE — ENTERPRISE / MID-MARKET

ISO/IEC 42001 clause references, EU AI Act mapping, NIST AI RMF alignment. Optional for SMBs.

16. AI Acceptable Use Policy
Rules for staff using AI tools. Includes approved tools register table with data classification columns, mandatory rules for data protection and human oversight, prohibited uses, and incident reporting. The most important AI governance document — prevents data leakage and shadow AI from day one.
17. AI Vendor Risk Assessment
Six-section due diligence tool. Explicit questions on model training vs. inference, opt-out rights, data deletion. 10-clause contractual protections checklist including AI/ML training restrictions and model deletion obligations. Addresses the gaps most vendor assessments miss.
18. AI Impact Assessment Template
Goes beyond a standard PIA: privacy, fairness, bias, transparency, explainability, safety, reliability. Mapped to Australia's AI Ethics Principles. Enterprise guidance for EU AI Act Annex III conformity assessment.
19. Model Card Template
Document AI model provenance, training data, performance, limitations, and deployment context. Based on Mitchell et al. (2019), referenced by ISO 42001, NIST, and the EU AI Act.
20. AI Governance Framework
Overarching governance structure. Principles (mapped to AI Ethics Principles), roles and responsibilities, AI lifecycle governance (identification through decommissioning), risk register concept, and regulatory landscape overview.
21. AI Systems Register
Single authoritative record of all AI systems: vendor, use case, data classification, training status, risk rating, approval status. Includes blank register template ready for spreadsheet use. You can't govern what you can't see.
22. AI Training & Awareness Program
Four-module training outline: AI Awareness (all staff, 45 mins), AI Safe Use (tool users, 30 mins), Governance Deep Dive (risk/privacy/IT, 90 mins), and Board Briefing (30 mins). Topics, delivery methods, and assessment approach for each.
23. AI Incident Response Addendum
Extends your Breach Response Plan for AI-specific incidents: data leakage to AI tools, training pipeline exposure, output errors, discriminatory outcomes, shadow AI, and vendor AI breaches. Assessment criteria and response actions for each type.
24. AI Contract Review Checklist
When a vendor sends you their standard terms, this checklist tells you what to look for and what's missing. Tables covering data handling and training, transparency, liability, security, and IP — each with "what good looks like" and "red flag" columns. Plus 10 questions to ask the vendor in writing before signing.
25. AI Contractual Clauses Library
When you're procuring AI, these are the clauses to insert. Modular library covering: data use and training restrictions, transparency and change notification, privacy and subprocessor controls, breach notification, human oversight, IP ownership, termination and model deletion, and AI-specific warranties. Informed by the DTA AI Model Clauses v2.0 and the EU MCC-AI. Pick what you need, attach as a schedule.

Excel Companion Files (5 Spreadsheets)

These spreadsheets ship alongside the Word documents. They turn static references into operational tools with dropdowns, dashboards, and tracking.

Compliance Monitoring Log
Quarterly/annual monitoring log with dropdown validation, pre-filled examples, and a checklist tab.
Data Retention Schedule
Operational tracker with "Next Destruction Due" dates and status dropdowns.
Compliance Framework Tracker
All 25 documents mapped to APP coverage with status dropdowns and a dashboard showing % complete.
Third Party Provider Register
Track all service providers handling personal information. Contract status and risk rating dropdowns.
AI Systems Register
All AI tools and systems with dropdowns for category, data classification, training status, risk rating, and approval status. Dashboard auto-calculates totals and flags.

How It Works

  • Download — 25 Word documents + 5 Excel trackers, delivered instantly
  • Start with privacy — formalise what you're already doing: publish the privacy policy, issue collection notices, document your security practices
  • Layer in AI governance — this is the new capability: roll out the AI Acceptable Use Policy, assess your vendors, build your register
  • Use the contractual clauses — when procuring AI, attach the relevant clauses as a schedule to vendor agreements
  • Train your team — use the training program outline to build AI awareness

Who This Is For

  • Any Australian business subject to the Privacy Act that uses AI tools
  • Organisations procuring AI-powered software or services
  • Risk, compliance, and privacy teams building integrated governance programs
  • Technology teams rolling out AI tools to staff
  • Organisations preparing for ISO/IEC 42001 certification
  • Boards and executives seeking oversight frameworks

Designed for businesses with up to ~15 staff. If your operations are straightforward, these documents will get you compliant on privacy and set up your AI governance from scratch. The implementation guidance scales to mid-sized organisations — and the tiered AI guidance (blue for SMBs, purple for enterprise) means you can grow into the documents over time. If you have complex data flows, multiple jurisdictions, or high-risk AI deployments, these are still a strong foundation — but consider tailored advice for the specifics.

Why bundle? Your AI Acceptable Use Policy references your Data Classification Guide. Your AI Incident Response Addendum extends your Breach Response Plan. Your AI Vendor Risk Assessment references your Third Party privacy standards. These documents are designed to work together — not as standalone silos.

$697AUD + GST