A privacy program is not a pile of templates. It's a lifecycle — seven stages that personal information moves through inside your business. Every document in our kits maps to a specific stage, and many recur across stages because they do different work at different times.
Counts shown are for the Privacy Program Starter Kit. Labels are grouped for readability: for example, the Collect stage includes the website privacy policy plus three collection notices. The Privacy & AI Governance Bundle adds 10 AI governance documents that extend Stages 1, 4, and 5. The AML/CTF Tranche 2 kit follows the same seven stages with reporting-entity-specific notices and procedures.
What happens at each stage, which documents do the work, and why each stage exists.
Before any personal information arrives, your governance foundation is in place. This is where you set the rules: the policies that govern your security controls, who has access to what, how staff use IT, what classification levels exist. The Privacy Management Plan is the program-level governance document: it's how leadership sees the whole program before it touches a single person's data.
People arrive — clients, employees, website visitors. The first privacy obligation kicks in: tell them what you're collecting and why. APP 5 makes this notice mandatory at the point of collection. The Privacy Policy is the public-facing version. The three Collection Notices are the audience-specific versions you give people in engagement letters, onboarding packs, and on your website. Skip this stage and every later stage is built on a non-compliant foundation.
You're now holding personal information. APP 11 requires you to take reasonable steps to protect it. The Information Security Policy sets the principles. The Access Control & Password Policy enforces who can see what. The Data Classification Guide tells your team how to handle different sensitivity levels. The Third Party Provider Register tracks every vendor that touches the data, because their breach is your breach.
Personal information collected for one purpose can only be used for that purpose — APP 6. New uses, new systems, new processes need assessment. The Privacy Management Plan governs this layer of the program: it's where you record decisions about purpose, secondary use, and impact. The PIA Template is the structured assessment you run when something material changes.
Two things happen at this stage. Individuals exercise their rights — access requests under APP 12, corrections under APP 13, complaints. And things go wrong — breaches happen. The Data Breach Response Plan covers the second; the Individual Rights Request Procedure covers the first. The Data Breach Incident Workbook is the live tracker your team fills in during an incident: containment, assessment, notification, and post-incident review.
A privacy program that exists only on paper is not a privacy program. The Compliance Monitoring Guide tells you what to check, when, and what good looks like. The Compliance Monitoring Log is where you record those checks each quarter. The Compliance Framework Tracker reports your overall percentage complete to leadership. This is what turns templates into operational evidence: the difference between "we have a policy" and "we can prove the policy is working".
Personal information has a use-by date. The Data Retention & Destruction Schedule sets retention periods for each type of record, mapped to the legal basis. The Excel companion turns it into a live destruction calendar with status dropdowns — current, due for destruction, destroyed. The principle: don't keep what you don't need, and prove you destroyed what you should.
Documents recur across stages on purpose. Your Information Security Policy is established at Stage 1 but actively protects at Stage 3. Your Privacy Management Plan governs at Stage 1 and is reviewed at Stage 6. Your Compliance Framework Tracker shows up at both Establish and Monitor because it does different work at each. The connections are intentional — nothing in the kit is orphaned.
Each kit is built around the lifecycle. Pick the one that matches where you are.
Lawyers, accountants, real estate, conveyancers, jewellers, trust services
All seven stages, with AML/CTF-specific notices, tipping-off carve-outs, and ID minimisation woven through.
Any business subject to — or about to be subject to — the Privacy Act
The full seven-stage lifecycle. 15 documents + 5 Excel trackers covering every stage, sector-agnostic.
For any business using AI or subject to the Privacy Act
The full lifecycle plus 10 AI governance documents that extend Stages 1, 4, and 5 for organisations using AI.