Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

How to comply

If you're collecting personal information from someone - for example a customer - principle 3 of the Privacy Act says that you need to let them know what you're doing. The best way to do so is through a clear, written privacy statement. 

Build your own privacy statement in minutes with the Priv-o-matic

Sometimes, of course, it's obvious that you are collecting the information and what you're going to use it for. You may not intend to disclose it to anyone. But people are still understandably cautious about giving out their personal information. They need to know they can trust you. They are more likely to do so if you tell them, up front, what you're doing with their information and why. People are particularly concerned that their information may be passed on to other agencies without them knowing.

Occasionally, it may not be obvious that you are collecting information at all unless you say so. For example, you may have a CCTV system, or your website may place a cookie on visitors' computers.

A privacy statement ensures that people are aware:

  • that you're collecting information about them (if it's not obvious)
  • why you're collecting the information;
  • what you're going to use it for;
  • who you're going to give it to (if anyone);
  • whether the person has to give you the information and what will happen if they don't;
  • that they can access the information you hold about them, and they can correct it if it's wrong.

Also, be prepared to answer people's questions about how you will handle their personal information. They're entitled to ask.

There are times when you don't have to provide a privacy statement - check principle 3 for a list of these exceptions.


Giving notice to website visitors about how your agency collects and uses personal information is good practice. We've built a tool that creates a basic statement for you. 

Create a basic privacy statement with the Priv-o-matic

If your information systems are more complicated, you may need to adopt a layered privacy statement. We recommend you read 'Ten steps to develop a multilayered privacy notice' as a source of detailed information. 

Additional Resources

 'Questions and Answers about Layered Privacy Notices'.

Center for information policy leadership
Ten steps to develop a multilayered privacy notice

OECD (Organisation for Economic Cooperation and Development)

Making Privacy Notices Simple: An OECD Report and Recommendations
Report annexes

APEC (Asia-Pacific Economic Cooperation)

Multi-Layered Notices - A Developing Standard