What's in this template?
This free Privacy Management Plan template gives Australian healthcare practices the internal governance plan required by Australian Privacy Principle 1.2 of the Privacy Act 1988. It is built directly from the structure of the OAIC's Privacy Management Plan template and the consolidated APP Guidelines, then tailored for medical and allied health settings.
The template covers 14 sections plus a sign-off block:
- Purpose — links the plan to APP 1.2 and the practice's privacy obligations
- Scope — every form of personal information, every system, every worker
- Privacy governance and accountability — Privacy Officer, practice owner and worker duties
- Personal information we hold — categories of information and APPs that apply
- Practices, procedures and systems — the document set that implements APP 1.2
- Privacy risk management — risk register and PIA triggers
- Training and awareness — induction, refresher, role-specific training
- Privacy enquiries, access, correction and complaints — links to the access/correction procedure
- Data breach response — link to the response plan, escalation rules
- Monitoring, review and reporting — quarterly Privacy Officer reports
- Privacy register — log of requests, complaints, breaches and PIAs
- Related documents — full document set
- Definitions — APP entity, eligible breach, health information, Privacy Officer
- Approval and review — formal sign-off table
Editable placeholder fields
- {{practice_name}}, {{abn}}, {{practice_address}}, {{phone}}, {{email}}
- {{privacy_officer}} and {{privacy_officer_email}} — your nominated Privacy Officer
- {{training_records_owner}} — who holds training records
- {{review_date}}, {{next_review_date}}
Who needs a Privacy Management Plan?
Every Australian healthcare practice that holds health information is an APP entity under the Privacy Act 1988, regardless of turnover. APP 1.2 requires every APP entity to take reasonable steps to implement practices, procedures and systems to comply with the APPs. The plan is the document that records those steps.
That includes:
- General practices of any size, including solo GPs
- Specialist medical practices
- Allied health practices (physiotherapy, podiatry, psychology, optometry, dental, etc.)
- NDIS providers holding participant information
- Pharmacies, pathology and diagnostic imaging providers
- Aboriginal Community Controlled Health Organisations
- Private hospitals, day surgeries and aged care providers
A patient-facing Privacy Policy alone does not satisfy APP 1.2 — the management plan is the internal companion document that proves the policy is being implemented.
APP 1.2 at a glance
Australian Privacy Principle 1.2 requires APP entities to take reasonable steps to implement practices, procedures and systems that:
- Ensure compliance with the APPs and any registered APP code that binds the entity
- Enable the entity to deal with enquiries or complaints from individuals about its compliance with the APPs
The OAIC's APP Guidelines say that what counts as "reasonable steps" depends on the entity's size, the nature of the information held, and the possible adverse consequences of a breach. For healthcare practices that hold sensitive health information, the OAIC's expectation is high — the management plan should be documented, reviewed annually, and supported by training, breach response and audit.
Privacy Act requirement
The Privacy Act binds every healthcare provider that holds health information, regardless of revenue (the small business exemption does not apply to health service providers — section 6D(4)). Failure to take reasonable steps under APP 1.2 can result in:
- An OAIC determination requiring corrective action
- Civil penalties of up to $50 million for serious or repeated breaches (post-2022 amendments)
- Reputational damage and complaints to the OAIC
- Loss of accreditation status with RACGP, ISO 9001 or NDIS Practice Standards
Accreditors increasingly look for a documented Privacy Management Plan — the RACGP Criterion C6.3 evidence requirements and the NDIS Information Management quality indicator both reference the structures this plan establishes.
How to customise this template
- Download the Word document and replace every {{placeholder}} with your details
- Nominate your Privacy Officer — typically the practice principal, practice manager, or a senior clinician
- List your practices, procedures and systems in section 5 — link to the documents you actually have, replace any you don't yet hold
- Tailor the information categories in section 4 to what your practice actually collects (CCTV? visitor logs? research databases?)
- Set your training cadence — annual is the OAIC default
- Have it approved by the Privacy Officer and practice owner and signed in the approval table
- Communicate it to all workers and include privacy in onboarding
- Schedule annual review — and review immediately after any material privacy incident
Related templates and tools
This management plan is the governance backbone. Pair it with the rest of the Privacy Act library:
- Data Breach Response Plan — the operational playbook referenced in section 9
- Privacy Impact Assessment Template — used whenever a new system or project is in scope
- Patient Data Collection Notice — the APP 5 notice given at registration
- Data Retention and Destruction Policy — APP 11.2 destruction obligations
- Patient Access and Correction Procedure — APP 12 and APP 13 requests
- Third-Party Data Sharing Agreement — APP 6 and APP 8 disclosures
For the patient-facing equivalent, see the Privacy Policy in the RACGP library. For My Health Record, see the Rule 42 Security and Access Policy.
Frequently asked questions
Is a Privacy Management Plan mandatory for healthcare practices?
Yes. Australian Privacy Principle 1.2 requires every APP entity, including all healthcare providers that hold health information, to implement practices, procedures and systems to comply with the APPs. The OAIC's Guide to Health Privacy and its Privacy Management Framework treat a documented privacy management plan as the standard way of evidencing APP 1.2.
How is a Privacy Management Plan different from a Privacy Policy?
The Privacy Policy is the patient-facing document required by APP 1.3 — it tells individuals how the practice handles their information. The Privacy Management Plan is the internal governance document required by APP 1.2 — it tells the practice (and an auditor or the OAIC) how privacy is actually managed. Most practices need both.
Who should be the Privacy Officer?
The Privacy Officer is the person nominated to coordinate privacy compliance and act as the contact point for individuals and the OAIC. In a small general practice this is usually the practice principal or practice manager. In a larger practice or MSP it is a dedicated role. The Privacy Officer must have authority to investigate breaches, suspend access, and brief the practice owner.
How often does the plan need to be reviewed?
The OAIC recommends review at least annually and immediately after any material privacy incident, change in practices, or change in the law. The template includes a built-in review schedule. Reviews are generally documented in the privacy register.
Does the Privacy Act apply to small healthcare practices?
Yes. The small business exemption that exempts most businesses with turnover under $3 million does not apply to "health service providers" (section 6D(4) of the Privacy Act). Every solo GP, allied health practice and small clinic that provides health services and holds health information is a fully bound APP entity.
Do NDIS providers need a Privacy Management Plan?
Yes. NDIS providers are APP entities and the NDIS Practice Standards (Information Management) require formal privacy governance. This template is suitable for NDIS providers and complements the NDIS Information Management and Privacy Policy in our NDIS library.
What happens if we don't have one?
The most common consequence is an OAIC determination requiring corrective action. After the 2022 Privacy Act amendments, penalties for serious or repeated interferences with privacy can reach $50 million. Accreditors (RACGP, NDIS Quality and Safeguards Commission, ISO 27001 auditors) routinely ask for the plan, and not having one is increasingly cited in non-conformance reports.