Whether it is customer lists, customer preferences, patient medical records or customer financials, personal information and data are the all-important “DNA” of many organisations.

As data volumes increase at an exponential rate and the landscape becomes increasingly complex with the use of the third-party service providers, cloud enabled technology, personal profiling, sophisticated analytics and multijurisdictional data flows, tackling questions regarding privacy can be daunting.

Certain organisations (APP entities) are required to comply with the Privacy Act 1988 (Cth). Key obligations include that such organisations:

  • manage personal information in an open and transparent way (APP 1 - Open and transparent management of personal information) (see Understanding the relationship between privacy, cybersecurity and data resilience);
  • take reasonable steps to implement practices, procedures and systems that will


In order to mitigate the risk of privacy issues and cyber security threats, and to achieve data resilience, it is important to take a proactive approach to privacy.

This means thinking critically about privacy during the planning and implementation stages of a project. As discussed in Implementing a privacy by design approach, privacy by design is essential to proactive management of privacy issues.

A privacy impact assessment (PIA) is an essential part of implementing new projects in order to achieve privacy by design.

A PIA is a systematic evaluation of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

See Conducting a privacy impact assessment.

For any new project


At the most basic level, direct marketing involves the use of personal information to promote goods and services.

Direct marketing can occur via many different channels and take on many different forms, from:

  • sophisticated targeted online campaigns;
  • promoting a new product range via electronic message; or
  • soliciting customer feedback (and gently spruiking a new service) via phone to good old-fashioned snail mail.

Whether you are advising a client on the launch of a new product range, or the organisation you work for is rolling out a global client feedback survey with an option to upgrade to the latest software service package, direct marketing is likely to be an issue you are going to have to tackle at some point.

The direct marketing landscape provided for under


Today, organisations have access to more data than ever before. “Big data” is the new normal as organisations collect data across a broad range of channels such as apps, email, and web browsing. That data is then harnessed to provide valuable business insight.

Online behavioural advertising describes a wide range of activities companies engage in to collect information about users’ online activity (such as webpages visited, links clicked and online transaction history) which is subsequently used to show more tailored or relevant content and advertisements.

See Identifying the form(s) of online behavioural advertising.

Sometimes the data collected is not personal information in the traditional sense (such as your name, phone and contact details), but rather generic information linked to an online identifier which



Overview of privacy by design

Privacy by design

Implementing a privacy by design approach

What is privacy by design? | Benefits of implementing a privacy by design approach | Seven key principles of privacy by design

Securing personal information across the information life cycle

APP 11 and the requirement to take active security measures | What is the information lifecycle? | What are reasonable steps to protecting personal information held?



Checklist for Complying with both the Privacy Act and the GDPR

S. Sharma, S. Field and B. Tomlinson, Maddocks

Privacy - Checklist for Privacy policy

S. Sharma, Special Counsel, Maddocks

Data Breach Assessment Guideline

P. Fair and S. Lee, Baker McKenzie

Checklist for Ensuring data protection compliance

P. Fair and S. Lee, Baker McKenzie

Privacy - Internal privacy guidelines for staff

S. Sharma, Special Counsel, Maddocks

EU General Data Protection Regulation (GDPR) - Compliance checklist

S. Sharma, S. Field and B. Tomlinson, Maddocks

Checklist for computer and device use

P. Fair and S. Lee, Baker McKenzie

Checklist for Data breach response guideline

P. Fair and S. Lee, Baker McKenzie

Privacy - Checklist for direct marketing

S. Sharma and E. Lau, Maddocks

EU general data protection regulation (GDPR) - Checklist for controller versus processor

S. Sharma, Special Counsel and B. Tomlinson, Partner, Maddocks

Threshold compliance checklist - GDPR and the Privacy Act

S. Sharma, S. Field and B. Tomlinson, Maddocks

Workflow Checklist: Content of notification

D. Kneller, Madgwicks Lawyers


Forms and Precedents

Securing personal information across the information life cycle

Identifying the form(s) of online behavioural advertising