Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Protecting your ideas, client information and sensitive business data isn’t just “nice to have” - it’s essential to the value of your business.
A clear, practical confidentiality policy sets expectations for your team and contractors, reduces the risk of leaks or misuse, and gives you a strong footing if something goes wrong.
In this guide, we’ll walk through what a confidentiality policy is, how it differs from privacy obligations, what to include, and how to roll it out across your operations in Australia.
What Is A Confidentiality Policy (And How Is It Different From Privacy)?
A confidentiality policy is an internal policy that explains how your business handles and protects confidential information - both your own and that of your customers, suppliers and partners.
“Confidential information” is broader than personal information. It can include customer lists, pricing, margins, product roadmaps, recipes and formulas, software code, business strategies, supplier terms, unpublished financials, and any other information you reasonably expect to be kept secret.
Privacy, on the other hand, is about how you collect, use, and disclose personal information under Australian law. Many businesses handle both confidential and personal information, but the legal bases differ. If you want a deeper dive into how these concepts relate, see the difference between privacy and confidentiality in plain English.
Most businesses should have a confidentiality policy alongside a public-facing Privacy Policy. The confidentiality policy sets internal rules and responsibilities, while your Privacy Policy explains to the public how you handle personal information in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Why Your Small Business Needs A Confidentiality Policy
Even if your team is small and you “all trust each other”, a written policy matters. Here’s why:
- Protects trade secrets and know-how: Your competitive edge lives in your processes, pricing, supplier terms and IP. Clear rules make it easier to prove something is confidential if you ever need to enforce it.
- Sets staff expectations: New employees and contractors know exactly what can be shared and what cannot, reducing accidental disclosures.
- Supports contracts and NDAs: A policy complements your Non-Disclosure Agreement clauses by embedding confidentiality obligations into day-to-day practice.
- Helps meet legal and industry requirements: In some sectors (health, finance, NDIS providers, professional services), confidentiality processes are expected by regulators and clients, even if your Privacy Act obligations are limited.
- Streamlines onboarding and exits: Consistent processes for access, training and offboarding lower risk when people join or leave.
- Demonstrates maturity to customers and investors: Bigger clients often ask to see your internal policies during due diligence.
Put simply, a good policy doesn’t just reduce risk - it helps you win work and build trust.
What To Include In A Confidentiality Policy
There’s no one-size-fits-all. Your confidentiality policy should reflect what your business does, the kinds of information you hold and your operational setup (office-based, hybrid or fully remote). As a guide, consider including these sections:
1) Scope: What Counts As “Confidential”?
Start by defining confidential information clearly. Use practical categories and examples relevant to your business, such as:
- Client information (briefs, proposals, agreements, contact details, files)
- Pricing, quotes, margins and supplier terms
- Product plans, R&D, source code, algorithms, designs
- Internal policies, financials, marketing and sales strategies
- Security credentials and system architecture
Make a note that information is still confidential even if it’s not labelled “confidential”, as long as it should reasonably be treated as such. Also explain what is not confidential (e.g. information that’s public or independently developed without reference to your confidential information).
2) Roles And Responsibilities
Outline who is responsible for protecting confidential information and how. Typically, this covers:
- All employees and contractors must follow the policy as a condition of their role and contract.
- Managers are responsible for access approvals and ensuring their teams complete training.
- IT or operations are responsible for access controls, secure storage and incident response processes.
You can reinforce these duties in your Employment Contract and broader Workplace Policy suite so obligations are both contractual and policy-based.
3) Handling, Storage And Access Controls
Explain how confidential information should be created, shared, stored and destroyed, including:
- Approved systems for storing files (e.g. specific cloud platforms) and rules for personal devices.
- Access control principles (e.g. “least privilege”) and multi-factor authentication.
- When to encrypt files, secure emails and use password managers.
- Restrictions on removable media and public Wi‑Fi.
- Retention periods and secure disposal or deletion processes.
These operational rules often sit alongside technical controls documented in an Information Security Policy.
4) Sharing Internally And Externally
Set rules for internal sharing (e.g. “need-to-know basis” across teams) and for external disclosures. For external sharing, require a lawful basis, an approved purpose, and appropriate contractual protections. For example:
- Use NDAs or confidentiality clauses before sharing sensitive materials with suppliers, freelancers or sales partners.
- Where a third party processes personal information on your behalf (e.g. a SaaS provider), consider a Data Processing Agreement as well as confidentiality terms.
- Pre-approve public statements, case studies and marketing content that include client names or information.
5) Working Remotely Or In Public
Include practical guidance for remote and hybrid work, such as:
- Don’t discuss client matters in public spaces or on speakerphone.
- Lock screens and secure home offices; store paper files out of sight.
- Use approved VPNs and avoid saving files locally unless necessary and encrypted.
6) Incident Reporting And Response
Explain how to report suspected or actual unauthorised access or disclosure (who to contact, how quickly). Your policy can reference your separate Data Breach Response Plan, which sets out investigation steps, containment, notifications and record-keeping.
7) Training, Monitoring And Enforcement
Set expectations for induction training, refresher training, acceptable use, and consequences for non-compliance. Make clear that breaches may lead to disciplinary action or termination and, where relevant, legal action or reporting to regulators.
8) Related Policies And Contracts
Point readers to related documents that work together with your confidentiality policy, such as:
- Privacy Policy
- Non-Disclosure Agreement (and confidentiality clauses in other agreements)
- Information Security Policy
- Employment Contract and Workplace Policy framework
- Data Processing Agreement with service providers where relevant
- Data Breach Response Plan
How To Roll It Out And Enforce It Day-To-Day
Policies only work if people know about them and they’re practical to follow. Here’s a simple rollout plan that suits most small businesses.
Step 1: Map Your Sensitive Information
List the types of confidential information you hold, where they live (systems and locations), who has access, and who needs access. This “data map” helps you tailor your policy and set sensible access rules.
Step 2: Draft And Align With Your Contracts
Ensure your policy aligns with your contracts and isn’t contradicted elsewhere. For example, match the definition of confidential information and obligations in your Non-Disclosure Agreement and supplier or client contracts. Update your Employment Contract template to reference the policy and include confidentiality clauses that survive termination.
Step 3: Set Up Access Controls And Tools
Work with IT (or your managed service provider) to implement least‑privilege access, MFA, device management and secure storage in line with your Information Security Policy. Adjust settings so it’s easy for people to comply - if the process is clunky, workarounds creep in.
Step 4: Train Your Team
Run short, practical training at induction and refresh sessions annually. Tailor examples to your business: show how to share a client folder securely, how to redact information before sending a report, and how to recognise a phishing attempt.
Step 5: Embed In Workflows
Build confidentiality steps into checklists and templates - e.g. proposal templates with confidentiality notices, shared folders with default restricted access, and pre-approved NDA templates for sales or partnerships.
Step 6: Review And Improve
Review your policy at least annually or after any incident. As your business grows (new products, jurisdictions or bigger clients), revisit definitions, access rules, and related policies to make sure they still fit.
Handling Breaches: Practical Steps And Legal Options
Even with great policies, mistakes happen. Move quickly and methodically if a breach is suspected.
Containment And Investigation
- Secure systems and revoke or adjust access immediately.
- Preserve logs and evidence; avoid destroying potential audit trails.
- Identify what information was accessed, for how long, and by whom.
Notification And Regulatory Considerations
If personal information is involved, your response may trigger obligations under the Notifiable Data Breaches scheme in the Privacy Act. Follow your Data Breach Response Plan to assess harm, decide whether to notify affected individuals and the OAIC, and implement remedial steps.
Contractual Enforcement
Where a third party (e.g. ex-employee, contractor or supplier) breached confidentiality, assess your contractual rights. NDAs, confidentiality clauses and post-employment obligations can support demands to cease use, return or destroy information, and potentially seek damages or injunctive relief. Well-drafted contracts make enforcement faster and more effective.
Employment And Disciplinary Action
For staff breaches, follow your disciplinary process outlined in your Workplace Policy, and consider whether termination is appropriate given the severity and intent. Ensure decisions are consistent and documented.
Remediation And Lessons Learned
Close the loop by addressing root causes - whether that’s tightening access, improving training, or updating your tools. Record the incident and outcomes to support future audits and client queries.
Frequently Asked Questions About Confidentiality Policies
Do Small Businesses Have To Comply With The Privacy Act?
Many small businesses under $3 million annual turnover aren’t covered by the Privacy Act, but there are important exceptions (for example, health service providers, credit reporting bodies or businesses that trade in personal information). Regardless, you should still maintain a Privacy Policy and robust confidentiality practices - clients expect it and contracts often require it.
Is A Confidentiality Policy Enough On Its Own?
No. Pair your policy with contracts and technical controls. That usually means NDAs with partners and freelancers, confidentiality clauses in employment and supplier agreements, access controls under an Information Security Policy, and a Data Breach Response Plan for when things go wrong.
What’s The Difference Between A Confidentiality Policy And An NDA?
An NDA is a contract between parties that creates legally enforceable obligations. A confidentiality policy is an internal document that sets your business rules. They should align - your policy guides day-to-day behaviour, and your contracts provide remedies if information is misused externally.
Should Contractors Follow Our Policy?
Yes. Make adherence to your policies a condition of engagement. Your contractor agreement should include confidentiality clauses and reference your policy. For personal information handling by contractors, consider a Data Processing Agreement as well.
What Legal Documents Support Your Confidentiality Policy?
To make your policy effective, it helps to have a small set of well-drafted documents that reinforce confidentiality in the right places:
- Non-Disclosure Agreement (NDA): A contract you can use with suppliers, freelancers, potential partners or investors before sharing sensitive information.
- Employment Contract: Includes confidentiality and IP ownership clauses that continue after employment ends.
- Workplace Policy framework: Houses your confidentiality policy alongside acceptable use, social media, and other relevant policies.
- Privacy Policy: Public-facing statement about how you collect and handle personal information.
- Data Processing Agreement: Governs how service providers process personal information for you, with security and confidentiality commitments.
- Information Security Policy: Sets your technical and access control standards to protect data in systems.
- Data Breach Response Plan: Step-by-step playbook to assess and manage security incidents or data leaks.
You may not need every document on day one, but most growing businesses will benefit from several of these in place early.
Key Takeaways
- A confidentiality policy sets clear, practical rules for handling sensitive information across your business.
- Confidentiality and privacy are related but different - pair your internal policy with a public-facing Privacy Policy.
- Cover the essentials: scope and definitions, roles and responsibilities, storage and access, sharing rules, remote work, incident response, training and enforcement.
- Make it real by aligning your policy with contracts (NDAs, Employment Contract), and technical controls under an Information Security Policy.
- Prepare for the unexpected with a Data Breach Response Plan and clear reporting steps.
- Review and refresh your policy as you grow, bring on new tools or enter new markets.
If you’d like a confidential chat about drafting or updating a confidentiality policy tailored to your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.