Essential Business Policies To Implement

Clear, practical business policies are one of the easiest ways to protect your business, set expectations with your team, and stay compliant with Australian laws.

Whether you have two employees or twenty, the right policies turn “how we do things here” into simple rules your whole team can follow. And when something goes wrong, policies help you respond consistently and fairly.

In this guide, we’ll walk through what business policies you actually need in Australia, how to create and roll them out, and the legal traps to watch for. We’ll also share a simple roadmap to build a policy suite that scales as you grow.

What Are Business Policies (And Why Do They Matter)?

Business policies are written rules and procedures that explain how your business operates and how your team should behave in common (and sometimes tricky) situations.

Good policies are short, clear and action-focused. They tell your people what’s expected, who is responsible, and what happens if a process isn’t followed.

Why policies are worth your time

  • Set expectations: When everyone knows the rules, you prevent confusion, inconsistency and “I didn’t know” moments.
  • Manage risk: Policies help you comply with employment, privacy and consumer laws, and demonstrate you’ve taken reasonable steps.
  • Support managers: Your leaders have a consistent reference point for decisions, performance management and investigations.
  • Build culture: Clear standards around conduct, safety and communication lead to a safer, more respectful workplace.
  • Save money and time: Fewer disputes, faster onboarding, smoother operations.

Which Business Policies Do Small Businesses Need?

There’s no one-size-fits-all list, but most Australian small businesses benefit from a core set of policies that cover people, privacy, safety and day-to-day conduct. Start with the essentials below and add more as your risks evolve.

Employment and conduct

  • Workplace Policy: A central policy (or suite) that sets standards for attendance, leave requests, use of company property, performance, and disciplinary processes. This often houses or points to the specific policies below.
  • Code of Conduct: Defines acceptable behaviour, conflict of interest rules, gifts and benefits, respectful communication and anti-bullying expectations.
  • Equal Opportunity, Bullying, Harassment and Discrimination: Outlines zero-tolerance standards, how to raise concerns, and how investigations will run. This supports your obligations under Fair Work and anti-discrimination laws.
  • Leave and Flexible Work: Explains entitlements and request processes so managers handle requests fairly and consistently.
  • Social Media and Communications: Sets standards for public posts, brand use, media queries and internal communications etiquette.

Privacy and data

  • Privacy Policy: Explains how you collect, use and store personal information (staff and customers), and people’s rights under the Privacy Act.
  • Data Breach Response Plan: A practical checklist for identifying, containing, assessing and notifying eligible data breaches.
  • Information Security: Passwords, access controls, storage, encryption and acceptable storage of customer data.
  • Acceptable Use Policy: Sets rules for using company systems, devices, software and internet (including cloud tools and email).

Safety and operations

  • Work Health and Safety (WHS): Roles, reporting hazards, incident response, training and risk assessments appropriate to your industry.
  • Incident and Complaints Handling: A simple process to raise issues and resolve them quickly and fairly.
  • Customer Service and Refunds: Practical steps for complaints, refunds and returns aligned with the Australian Consumer Law (ACL). If you sell goods or services, your policy should reflect your obligations under section 18 (misleading or deceptive conduct) and other ACL rights.

Governance and integrity

  • Whistleblower Policy: If your structure or size requires it (or you choose to adopt one), this sets out protected disclosures and protections for reporters of wrongdoing.
  • Anti-Bribery and Corruption: Zero tolerance, gifts and hospitality rules, and approval thresholds.
  • Records Management: What to retain, how long, and how to dispose of data securely.

How To Build Your Policy Suite (Step-By-Step)

You don’t need every policy on day one. Prioritise based on risk, then build out steadily. Here’s a practical roadmap.

1) Map Your Risks And Priorities

List your activities, the data you collect, where you operate, and who you employ. Then ask: what could realistically go wrong? Focus on legal obligations, safety, customer promises and data handling.

From that list, pick the top five policies that would prevent the biggest headaches if something went wrong tomorrow.

2) Decide Where Policies Live

Small teams often favour a single, searchable handbook that points to separate topic policies. A central Staff Handbook can house your must-know rules and link to detailed procedures (for example, your data breach steps or WHS risk forms).

3) Draft In Plain English

Policies work when people actually read and use them. Keep each policy short, practical and role-specific. Include:

  • Purpose: Why this policy exists.
  • Scope: Who and what it applies to.
  • Key rules: Short, clear, do/don’t statements.
  • Responsibilities: Who approves, who investigates, who maintains.
  • Process: Simple steps with examples or screenshots where helpful.
  • Consequences: What happens if it’s breached.

Tip: If a topic is highly technical (for example, handling personal information), keep the main policy high-level and attach a short procedure for your admins or managers to follow.

4) Align Policies With Your Contracts

Make sure your employment and contractor terms support your policies. For example, confidentiality, IP ownership, device use and discipline processes should be reflected in each Employment Contract or contractor agreement, so you have the legal right to enforce them.

Cross-check your policies against Australian requirements. For instance, ensure your refunds and ads align with the ACL’s rules on guarantees and misleading conduct, and that privacy rules reflect your Privacy Policy and the Privacy Act. If you sell to consumers, it’s worth understanding how section 18 of the ACL applies to your marketing and claims.

6) Train, Launch And Acknowledge

Roll out policies via short training sessions. Keep it practical and scenario-based. Ask staff to confirm they’ve read and understood the policies (electronic acknowledgement is fine).

Store everything in one easy-to-find place (intranet, shared drive or HRIS) and show new starters where it lives during onboarding.

7) Review Regularly

Set review reminders (for example, every 12 months or when laws change). After any incident or near miss, update the policy or procedure to close gaps. Encourage feedback from staff who use the policy day-to-day; small tweaks often make a big difference.

Policies do more than set expectations; they help you meet your legal obligations. Here are the main compliance areas to consider.

Employment Law (Fair Work)

If you employ staff, your policies should support your obligations under the Fair Work Act and modern awards. This includes minimum entitlements, anti-bullying and harassment, workplace behaviour, leave, safety, and performance management.

Policies don’t replace the law, but they help you prove you acted reasonably and consistently.

Privacy And Data Protection

If you collect personal information (customer details, job applications, employee records), you need to handle it properly under the Privacy Act and Australian Privacy Principles. Your public-facing Privacy Policy explains your practices; your internal policies and an up-to-date data breach response plan guide your team on what to do day-to-day.

Consumer Law (ACL)

Policies touching advertising, pricing, refunds and complaints must reflect the ACL. Avoid “no refunds” statements and train your team on guarantees and remedies. Your internal customer service policy should mirror the rights you give consumers publicly and the obligations you have under law.

If your team creates marketing content, consider a short checklist aligned with the ACL’s rules against misleading or deceptive conduct (section 18). Keeping those rules front-of-mind reduces risk when publishing posts, emails or ads.

Work Health And Safety (WHS)

Every workplace must provide a safe environment. Even in office settings, policies around hazards, ergonomics, incident reporting and emergency procedures are important. For higher-risk industries, you’ll need more detailed procedures and training to reflect your specific risks.

Intellectual Property And Confidentiality

Policies should reinforce IP ownership and confidentiality obligations. Combine them with strong contractual clauses in your Employment Contract and contractor agreements, and ensure your onboarding covers how to handle confidential information and brand assets.

Technology And AI Use

With more teams using AI tools and cloud software, set clear rules on accuracy checks, privacy and client confidentiality. If your team uses generative tools, align your guidance with your Acceptable Use Policy and information security standards so sensitive data doesn’t end up in the wrong place.

Rolling Out Policies That Actually Work

The best policies are short, lived-in and championed by leaders. Here’s how to make them stick.

Keep It Simple (And Visual)

Use plain English, short sentences and headings. Include quick examples or mini-scenarios. Consider a one-page summary for complex topics with links to full procedures.

Train With Real Scenarios

Walk through realistic situations: a refund request, an offensive social media comment, a suspicious email, a safety incident. Ask your team what they would do, then show the policy steps. Practical training helps people remember what matters.

Lead By Example

Make sure managers consistently follow the policies, especially for conduct, device use and performance management. Nothing undermines a policy faster than inconsistent application.

Centralise And Version-Control

Host policies in one place, with version numbers and last updated dates. Remove old copies so there’s no confusion about which rules apply right now.

Connect Policies To Consequences

Your disciplinary process should link to your policies. If a policy is breached, follow your documented steps (verbal warning, written warning, further action) so responses are fair, consistent and defensible.

Common Mistakes (And How To Avoid Them)

  • Overloading staff with long PDFs: Keep policies concise and actionable. Separate policies from detailed procedures and checklists.
  • Copy-pasting templates: Generic documents often miss your real risks or contradict your contracts. Tailor policies to your operations and align them with your agreements and Staff Handbook.
  • Not updating after changes: Laws and tools change. Set calendar reminders to review privacy, WHS and conduct policies at least annually.
  • No training or acknowledgements: A policy unread is a policy undone. Deliver short training and record acknowledgements with start dates, updates and role changes.
  • Gaps between policy and practice: If the real process doesn’t match the policy, fix one or the other. Consistency protects you.
  • Forgetting system-specific rules: If you rely on email, chat and devices, add an email disclaimer and device rules inside your Acceptable Use Policy.
  • Unclear reporting lines: Every policy needs a clear “who to contact” and escalation path. Ambiguity creates delays and risk.

What To Draft First: A Practical Starter Pack

If you’re starting from scratch, this starter set covers the most common risks for Australian small businesses:

  • Code of Conduct and Respectful Workplace policy (include equal opportunity, anti-bullying/harassment, social media and complaint handling).
  • Workplace Policy to centralise leave, attendance, equipment use, performance and discipline.
  • Privacy Policy plus internal data handling and a data breach response plan.
  • WHS policy and incident reporting procedure tailored to your risks.
  • Customer service and refunds policy aligned with the ACL (train your team to avoid misleading statements and to apply consumer guarantees correctly).
  • Employment and contractor onboarding: pair your policies with each Employment Contract and a role-specific induction checklist.

As you grow, consider adding role-specific addendums (for example, sales commission rules), deeper information security standards, and governance items like a Whistleblower Policy if appropriate to your structure.

Key Takeaways

  • Business policies translate your legal obligations and values into practical rules your team can follow every day.
  • Start with a lean, high-impact set: conduct, workplace, privacy/data, WHS and customer refunds aligned with the ACL.
  • Match your policies to your contracts and systems, especially your Employment Contract, onboarding and IT tools.
  • Train with real scenarios, record acknowledgements and keep a single, up-to-date source of truth for staff.
  • Review at least annually (and after incidents) so your policies stay aligned with current law and your actual workflows.
  • Tailored, plain-English policies and a centralised Staff Handbook make compliance easier and reduce disputes.

If you’d like help drafting or refreshing your business policies for your Australian small business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Alex Solo

Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
