Annual privacy policy review checklist (AU)
Privacy risk is rising — higher penalties, an active OAIC, and reform expanding the scope of personal information and individual rights. This checklist covers the 12 areas most commonly tested in an OAIC review.
This is a 12-step annual review checklist for an Australian organisation's privacy policy and privacy program. It covers APP 1 policy currency, the Notifiable Data Breaches (NDB) scheme, cross-border disclosure under APP 8, children's data, and the Privacy Act reforms progressing in 2024 and beyond. Use it as an annual board-level review.
The checklist
1. APP 1 — open and transparent management
Confirm the privacy policy remains clear, current, and genuinely available — not buried behind a stale footer link.
2. Information asset register
Audit the personal information register: categories, purposes, storage location, retention period, and sensitive-information flags.
3. APP 5 — collection notices
Review the collection notice at each collection point (forms, websites, apps, call centre scripts) to confirm it is current.
4. Consent mechanisms
Review where consent is relied on (especially for sensitive information and direct marketing): is the consent informed, voluntary, and specific?
5. APP 6 — use and disclosure
Confirm each use and disclosure aligns with the primary purpose of collection or a valid secondary purpose. Audit the common use cases: marketing, analytics, and AI training.
6. APP 8 — cross-border disclosure
Audit cross-border flows (cloud, group companies, service providers) and confirm that either APP 8 accountability for the overseas recipient or a contractual mitigation is in place.
7. Data retention and destruction
Confirm retention schedules exist and are enforced for each data class. Destroy or de-identify personal information once it is no longer needed.
8. APP 11 — security
Review technical and organisational security controls: access control, encryption, logging, incident response, and vendor assurance.
9. NDB scheme playbook
Review the NDB response playbook: breach assessment, notification to the OAIC and affected individuals, and evidence capture.
10. Direct marketing and Spam/Do Not Call
Confirm direct marketing complies with APP 7, the Spam Act and the Do Not Call Register obligations, and that unsubscribe processes work.
11. Children's privacy
For services used by children, review the current OAIC guidance and the expectations of the forthcoming Children's Online Privacy Code.
12. 2024 reforms and AI uses
Track reform progress on the statutory tort, automated decision-making, and the "fair and reasonable" test; review AI use cases against it.
When this checklist applies
Use this checklist as an annual privacy governance review. Refresh the collection notices and privacy policy on any material change (new product, vendor, data flow).
Common pitfalls
- Stale privacy policy — last updated years ago
- Missing APP 8 accountability for offshore cloud providers
- No NDB playbook — scrambling during a breach
- Direct marketing relying on bundled/implied consent without APP 7 compliance
- AI use cases processing personal information without a documented assessment
Run this checklist on a real matter
Quillio audits the privacy program against the APPs, generates a gap remediation plan, and drafts the NDB response playbook. See /practice-areas/commercial-lawyers or start a free trial.
Privacy law is under active reform. Use this checklist alongside current OAIC guidance and track progress on the Privacy Act reforms.