RosterElf Logo
Start trial
FREE HR TEMPLATE Last updated 27 June 2026

Data protection policy template

A free, ready-to-edit data protection policy template for Australian businesses. Set clear rules for how personal and business information is collected, stored, accessed, retained and destroyed — and meet your Privacy Act and Australian Privacy Principles obligations. No signup required.

Data protection policy

PDF format • Ready to download

Aligned with the Privacy Act 1988 & APPs
Covers data classification & security
Retention & secure disposal rules
Notifiable data breach response

By downloading, you agree to our template disclaimer

This data protection policy template reflects Australian privacy and data protection law at the time of publication and is provided as a general guide to adapt for your business — it is not legal advice. It does not constitute legal, HR, or professional advice and should not be relied on as a substitute for advice specific to your business, workforce, or circumstances.

Why your business needs a data protection policy

A data protection policy is an internal framework that sets out how your organisation collects, manages, stores and secures the personal and business information it holds. It turns your legal obligations into day-to-day practices your team can actually follow.

Under the Privacy Act 1988 and the Australian Privacy Principles (APPs), Australian organisations must handle personal information fairly, transparently and securely. A documented policy shows how you meet that duty — and gives every employee clear, consistent rules for handling data. It also reduces the risk and cost of a data breach, supports the Notifiable Data Breaches scheme, and builds customer and employee trust.

The policy applies to all employees, contractors and volunteers who handle data on your behalf — across every system, device and paper record. Store it alongside your information security policy and password policy, and capture acknowledgements in your HR software so you can prove every worker has read and understood it.

Data protection and security concept with a digital lock

What a data protection policy should cover

The building blocks of responsible data handling

Data classification

Categories of data and the sensitivity level of each, from public to highly confidential.

Collection principles

Lawful, fair and transparent methods for collecting personal and business information.

Storage & security

Technical and physical safeguards and access controls that protect data from misuse.

Access & sharing

Who can access data and the rules for sharing it internally and with third parties.

Retention periods

How long each type of record is kept based on legal and business requirements.

Secure disposal

Methods for permanently destroying data once it is no longer needed.

What's included in this template

Comprehensive coverage of Australian data protection requirements

Purpose & scope

Why the policy exists and the data, systems and people it applies to.

Policy statement

Your commitment to protecting information and respecting privacy rights.

Privacy Act & APP obligations

Reference to the Privacy Act 1988 and the Australian Privacy Principles.

Data classification

Categories of data based on sensitivity and business impact.

Data collection

Lawful and transparent ways to collect personal and business information.

Storage & security

Safeguards and access controls protecting data from unauthorised access.

Access & sharing

Approval processes and rules for internal and third-party data sharing.

Data retention

Retention schedules for different record types, including employee records.

Secure disposal

Destruction methods and certification for data no longer required.

Breach response

Detecting, containing, assessing and notifying eligible data breaches.

Roles & responsibilities

What employees, managers and any privacy officer must do.

Review & acknowledgement

Policy maintenance schedule and employee sign-off.

Meeting your Australian privacy obligations

What the Privacy Act and APPs expect of your business

Know when the Privacy Act applies

The Privacy Act 1988 generally applies to businesses with an annual turnover above $3 million, plus some smaller organisations such as health service providers. Even if you’re exempt, following the Australian Privacy Principles is best practice — and customers increasingly expect it. The OAIC sets out who must comply.

Be ready for a notifiable data breach

Under the Notifiable Data Breaches scheme, you must notify the OAIC and affected individuals about an eligible breach that is likely to cause serious harm — generally within 30 days of becoming aware. Your policy should name who leads the response and the steps to contain, assess and report an incident.

How to handle a suspected breach

Contain

Stop the breach and limit further access to the affected information.

Assess

Work out what data was involved and whether serious harm is likely.

Notify

Tell the OAIC and affected individuals if the breach is eligible.

Review

Record the incident and fix the gap so it can't happen again.

Set a retention schedule for every record type. Under the Fair Work Act, employee records must generally be kept for 7 years, while other data should only be held for as long as it’s needed — then securely destroyed.

Keep the policy practical: name a person responsible for privacy, train staff on safe data handling, and review the document at least annually or whenever your systems or the law change. For step-by-step help drafting and rolling it out, see our guide on how to write a workplace policy.

Who should use this template?

Essential for any organisation that collects personal information

Especially important for businesses handling sensitive data such as health, financial or identity information.

Manage your policies the easy way

RosterElf helps Australian businesses store policies, capture employee acknowledgements at onboarding and keep a secure audit trail of HR records — all in one place.

Start free trial See HR software
FAQ

Data protection policy FAQ

  • A data protection policy is an internal framework that sets out how an organisation collects, manages, stores and secures the personal and business information it holds. It explains the rules for handling data responsibly, complying with privacy laws like the Privacy Act 1988, and reducing the risk of a data breach.

  • A complete policy should cover its purpose and scope, a policy statement, your Privacy Act and Australian Privacy Principle obligations, data classification, collection principles, storage and security controls, access and sharing rules, retention periods, secure disposal, breach response, roles and responsibilities, and an employee acknowledgement.