Privacy Program Starter Kit

For any Australian business subject to — or about to be subject to — the Privacy Act 1988

The small business exemption is going. The Australian Government has agreed in principle to remove the $3 million turnover threshold that currently shields approximately 2.3 million businesses from the Privacy Act. The exact timing is expected in the second tranche of reforms — but it's been signalled, the OAIC is pushing for it, and it's a question of when, not if.

When it happens, every business that collects personal information — client details, employee records, website enquiries, invoices — will need to comply with the Australian Privacy Principles. That means documented policies, procedures, and safeguards. Not just doing the right thing, but being able to prove it.

This kit lets you get ahead of that for $397 and an afternoon's work. It contains 15 documents covering privacy compliance and information security, plus 4 Excel trackers. Sector-agnostic by design — they work for professional services, retail, technology, manufacturing, health, education, or any other industry.

You're probably already doing most of the right things. You protect client data. You don't share information without reason. You keep records secure. The gap isn't in what you do — it's in what you can prove. These documents close that gap. Every document includes blue guidance boxes explaining what each section means and how to adapt it. Customise with your name and logo, remove the guidance, and you've got professional compliance documentation — plus a foundation to mature your program over time.

What's Included

1. Privacy Policy
Public-facing policy covering all 13 APPs. Describes what personal information you collect, why, how you use and disclose it, overseas transfers, security, retention, access and correction rights, and how to complain. Ready to publish on your website.
2. Client / Customer Collection Notice
APP 5 compliant notice for clients or customers. Provide at the point of collection — in engagement letters, intake forms, or as a handout. Covers purpose, types of information, disclosures, consequences of not providing, and rights.
3. Employee Collection Notice
Privacy notice for staff and contractors. Include in your onboarding pack or employment contract. Covers payroll, superannuation, performance, and workplace information.
4. Website Collection Notice
Notice for website visitors covering contact forms, cookies, analytics, and third-party links. Includes guidance on cookie consent best practice and analytics provider disclosure.
5. Data Breach Response Plan
Step-by-step procedure: contain, assess (within 30 days), notify (OAIC and individuals), and review. Includes key contacts table, breach examples, assessment criteria, and post-incident review process.
6. Individual Rights Request Procedure
Internal procedure for handling access (APP 12) and correction (APP 13) requests. Covers identity verification, 30-day timeframes, grounds for refusal, fees, and record keeping.
7. Data Retention & Destruction Schedule
Retention periods for client records, employee records, financial records, insurance, website data, and more — mapped to the legal basis for each. Includes destruction methods and annual review process.
8. Privacy Impact Assessment Template
Simple PIA for new projects, systems, or process changes. Four sections: project overview, personal information mapping, risk assessment (with pre-populated risk matrix), and approval.

Information Security Policies (APP 11)

APP 11 requires reasonable steps to protect personal information. These five policies give you the security framework to demonstrate compliance — covering technical, administrative, and physical controls.

9. Information Security Policy
Overarching security policy establishing principles (confidentiality, integrity, availability), technical controls (patching, encryption, backups), administrative controls (training, least privilege, departing staff), and physical controls (locked cabinets, clean desk, visitor management). References the ACSC Essential Eight. Links to all supporting policies below.
10. Access Control & Password Policy
Least privilege access, MFA requirements, user account lifecycle (provisioning, role changes, deprovisioning), password standards (12+ character passphrases, password managers, no mandatory rotation), privileged access controls, and periodic access reviews.
11. Acceptable Use of IT Policy
Rules for email, internet, cloud services, removable media, printing, and social media. Addresses shadow IT risk, misdirected email (the most common breach type), and unapproved cloud/AI tool use. Practical and enforceable.
12. Remote Working & BYOD Policy
Security requirements for working from home or other locations: home Wi-Fi security, VPN, physical workspace, device standards. BYOD section with two options (prohibit or permit with conditions including MDM). Video conferencing security guidelines.
13. Data Classification Guide
Four-level classification scheme (Public, Internal, Confidential, Restricted) with clear examples and handling rules for each level. Covers email, cloud storage, printing, external sharing, disposal, remote access, and AI tools. Simple enough for every staff member to apply consistently.

Governance & Monitoring

14. Privacy Management Plan
Your internal governance document — the plan behind your public privacy policy. Governance structure, roles and responsibilities, personal information holdings register, compliance framework status tracker, training requirements, third-party management, complaints handling, and annual review process. This is what the OAIC expects under APP 1.2.
15. Compliance Monitoring Guide
What to check, when, and how to record the results. Seven quarterly checks and ten annual reviews — each with "How to Check It" instructions and "What Good Looks Like" benchmarks. Includes a monitoring log with pre-filled example entries. This is how you prove your privacy program is actually working, not just sitting in a folder.

Excel Companion Files

These spreadsheets ship alongside the Word documents. They turn static references into operational tools.

Compliance Monitoring Log (Excel)
Spreadsheet version of the monitoring log with dropdown validation (Q1–Q4, Annual), pre-filled examples, and a quarterly checklist tab.
Data Retention Schedule (Excel)
Operational tracker with "Next Destruction Due" date column and conditional status dropdowns (Current, Due for Destruction, Destroyed). Turns the reference document into a live destruction calendar.
Compliance Framework Tracker (Excel)
Lists every document in the kit mapped to its APP coverage, with status dropdowns (In Place, Draft, Needed). Dashboard tab auto-calculates your % complete — the number you report to leadership.
Third Party Provider Register (Excel)
Track all service providers handling personal information. Dropdown validation for contract status and risk rating. Pre-filled with common examples (Xero, Microsoft 365).

How It Works

  • Download — 15 Word documents + 4 Excel trackers, delivered instantly
  • Customise — find-and-replace [Organisation Name], add your logo, set the date
  • Read the guidance — blue boxes explain every section and help you adapt
  • Publish — remove guidance notes, approve internally, and you're done

Who This Is For

  • Businesses with annual turnover over $3 million
  • Health service providers
  • Organisations handling Commonwealth Government contracts
  • Organisations that have opted in to the Privacy Act
  • Any business that wants a professional privacy program foundation

Designed for businesses with up to ~15 staff. If your operations are straightforward — a small team, standard client relationships, typical data handling — these documents will get you compliant. The implementation guidance inside each document scales to mid-sized organisations (15–50+ staff). If you have complex data flows, multiple jurisdictions, or high-risk processing (health, biometric, criminal records), these are still a strong starting point — but consider tailored professional advice for the specifics.

Need AML/CTF-specific documents?
If you're a lawyer, accountant, real estate agent, or conveyancer affected by Tranche 2 reforms, you need documents tailored to the AML/CTF privacy obligations — including tipping-off carve-outs and CDD collection notices.
View the AML/CTF Tranche 2 Kit →
$397 AUD + GST