A Privacy Policy documents an organisation' s application of the eight data protection principles to the manner in which it processes data organisation-wide. The policy applies to all personal data processed by the organisation, including customer data, third party data and employee data. A Privacy Policy can, in some instances, be a very complex document, having to apply the data protection principles to its own experience. These principles are:

1. Obtain and process information fairly.
2. Keep it only for one or more specified, explicit and lawful purposes.
3. Use and disclose it only in ways compatible with these purposes,
4. Keep it safe and secure.
5. Keep it accurate, complete and up-to-date.
6. Ensure that it is adequate, relevant and not excessive.
7. Retain it for no longer than is necessary for the purpose or purposes.
8. Give a copy of his/her personal data to than individual, on request.

A Privacy Policy can go into great detail on how the organisation applies these principles, what procedures it should follow, assigning individual/departmental responsibilities, etc. A Privacy Policy is fundamentally a document for internal reference.