The answer is most likely "yes", even if you are a small business with an annual turnover of less than $3,000,000.
Government agencies, private and not-for-profit organisations, including individuals (e.g. sole traders), companies, partnerships, unincorporated associations and trusts, are all required to comply. There are exemptions. For example, small businesses (i.e. those with an annual turnover of less than $3,000,000 that are not, for example, related to a larger company that is subject to the Privacy Act) might be exempt in limited circumstances.
(a) the kinds of personal information that the entity collects and holds;
(b) how the entity collects and holds personal information;
(c) the purposes for which the entity collects, holds, uses and discloses personal information;
(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
(e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
(f) whether the entity is likely to disclose personal information to overseas recipients;
(g) if the entity is likely to disclose personal information to overseas recipients, the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.