Roger Clarke's Web-Site

© Xamax Consultancy Pty Ltd,  1995-2024
Photo of Roger Clarke

Roger Clarke's 'Privacy Statement Template'

Privacy Statement Template

Roger Clarke **

Version of 19 December 2005
(Minor revisions of 6 Aug 2006, 16 Dec 2008, 15 Feb 2010, 11 Dec 2010)

© Xamax Consultancy Pty Ltd, 2005-10

This document is intended to be used. Here is your copyright licence and here is information about it

This document is at

Further information is available about this document


Privacy Policy Statements (also known as privacy policies', 'privacy statements', 'privacy notices', and 'information practice statements') have become mainstream. But there is a dearth of advice available about what's involved in preparing one.

This document provides a set of undertakings that the author recommends to organisations that handle personal data. It is in effect a template for what has come to be known as a 'Web-Site Privacy Policy Statement'. It is designed be privacy-friendly but practical.

Use of this template is encouraged. A very liberal copyright licence is provided. During its first 5 years, it was accessed over 20,000 times. It has been used both formally and informally by many organisations to assist with developing their Privacy Policy Statements and for evaluating Statements published by other organisations. By late 2010, the Privacy Policy Statements of at least 200 organisations directly applied the Template. Here is an example from the Association for Information Systems, mirrored here.

This document refers throughout to 'ThisCompany'. Replace that with the name of the relevant organisation. A separate document provides more detailed information on how to use this template.

ThisCompany's Privacy Statement

This document declares the undertakings by ThisCompany in relation to its handling of Your Data.


Data Collection

ThisCompany undertakes to collect Your Data by means that are:

If you visit ThisCompany's web-site, your web-browser automatically discloses, and ThisCompany's web-server automatically logs, the following information: the date and time, the IP address from which you issued the request, the type of browser and operating system you are using, the URL of any page that referred you to the page, the URL you requested, and whether your request was successful. This data may or may not be sufficient to identify you.

Any additional data that you provide, e.g. in a web-form, may also be logged. This data may or may not be sufficient to identify you.

Any additional data that your web-browser automatically provides may also be logged. This will be the case, for example, if your browser has previously been requested to store data on your computer in 'cookies' and submits them each time you request a web-page within a particular domain (such as This data may or may not be sufficient to identify you.

If you disclose personal data to ThisCompany in conjunction with an identifier such as your name or your credit-card details, ThisCompany will collect Your Data. Moreover, any data that becomes available to ThisCompany through any of the means described in the preceding paragraphs may be able to be associated with that identifier, and hence become Your Data.

Subject to the qualifications immediately below, ThisCompany undertakes to collect Your Data from you and not from other parties. This undertaking is qualified as follows:

Where ThisCompany collects Your Data from sources other than you, it undertakes:

ThisCompany undertakes to declare the purpose of collection in a manner which is clear and meaningful, and to avoid vague, highly inclusive statements such as 'to support our operations'.

Data Security

ThisCompany undertakes to store Your Data in a manner that ensures security against unauthorised access, alteration or deletion, at a level commensurate with its sensitivity.

ThisCompany undertakes to store Your Data only in jurisdictions where data protections are at least equivalent to those required under the OECD Guidelines.

ThisCompany undertakes to transmit Your Data in a manner that ensures security against unauthorised access, alteration or deletion, at a level commensurate with its sensitivity.

ThisCompany undertakes to implement appropriate measures to ensure security of Your Data against inappropriate behaviour by ThisCompany's staff-members and contractors. These include:

Data Use

Use refers to the application of Your Data by any part of ThisCompany, or any staff-member or contractor of ThisCompany in the course of their work.

ThisCompany undertakes to use Your Data only for:

ThisCompany undertakes to use YourData only if it has demonstrable relevance to the particular use to which it is being put.

ThisCompany undertakes to use YourData in such a manner as to take into account the possibility that it is not of sufficient quality for the purpose, e.g. because it is inaccurate, out-of-date, incomplete, or out-of-context.

Data Disclosure

Disclosure refers to making YourData available to any party other than ThisCompany and You. The term disclosure may include many different conditions of data transfer, including selling, renting, trading, sharing and giving.

ThisCompany undertakes to disclose Your Data only under the following circumstances:

In all cases, ThisCompany undertakes to disclose only such of Your Data as is necessary in the particular circumstances.

Data Retention and Destruction

Subject to the qualifications immediately below, ThisCompany undertakes:

This undertaking is qualified as follows:

Access by You to Your Personal Data

ThisCompany undertakes to provide you with access to Your Data, subject to only such conditions and processes as are reasonable in the circumstances. In particular, ThisCompany undertakes to enable access:

ThisCompany undertakes to establish and operate identity authentication protections for access to Your Data that are appropriate to its sensitivity, but practical. This may involve some inconvenience; for example, relatively straightforward procedures may be involved in order to provide you with access through a channel that you have previously registered with ThisCompany (such as a particular email-address), but may impose more onerous procedures if you wish to use some other channel.

In the event that you dispute some aspect of Your Data, ThisCompany undertakes to take reasonable steps in relation to the amendment, supplementation or deletion of Your Data.

You undertake:

Information about Data-Handling Practices

ThisCompany undertakes to make information available to you about the manner in which ThisCompany handles your data:

Where Your Data is disclosed to a contractor, ThisCompany undertakes to make information available to you on request about the manner in which ThisCompany's contractors handle your data.

ThisCompany undertakes to ensure that the information provided is meaningful, and addresses your concerns.

You undertake:

Handling of Enquiries, General Concerns and Complaints

If you have enquiries, general concerns, or complaints about these Terms, or about ThisCompany's behaviour in relation to these Terms, you undertake:

ThisCompany undertakes:

You further undertake to not pursue ThisCompany through any Regulator or the media:


ThisCompany declares that its undertakings in these Terms are intended to create legal obligations, and that those obligations are intended to be enforceable under appropriate laws in appropriate jurisdictions. These include laws relating to data protection, privacy, fair trading, corporations and criminal laws.

You undertake to seek enforcement only in a jurisdiction that is relevant to the transactions that have taken place between You and ThisCompany, in particular the jurisdiction in which you live or in which you performed the relevant acts, and the jurisdiction in which ThisCompany is domiciled or performed the relevant acts.

If you wish to discover the relevant laws in any particular jurisdiction, ThisCompany draws your attention to the following resources:

Changes to These Privacy Undertakings

ThisCompany undertakes:


ThisCompany means <insert details of the organisation>.

Your Data means data that is capable of being associated with you, whether or not it includes an explicit identifier such as your name or customer number. In particular, it encompasses all data that ThisCompany is capable of correlating with you, using such means as server-logs and cookie-contents.

Your Data does not refer to data that can no longer be associated with you. This includes aggregated data that does not and cannot identify the individuals whose data are included in the aggregation.

Consent means your concurrence with an action to be taken by ThisCompany. Consent may be express or implicit, but in either case must be informed and freely-given.

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 19 December 2005 - Last Amended: 15 February 2010 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy