Privacy Act Compliance: What Australian Small Businesses Actually Need to Do
Does the Privacy Act Apply to Your Business?
Many small business owners assume the Privacy Act doesn't apply to them. This assumption is often wrong.
The Privacy Act 1988 applies to Australian Government agencies and private sector organisations with annual turnover over $3 million. However, certain businesses are covered regardless of turnover:
- Health service providers (including allied health)
- Businesses that trade in personal information
- Contractors providing services to the Commonwealth
- Credit reporting bodies
- Businesses related to larger organisations that exceed the threshold
Understanding the Australian Privacy Principles
The Privacy Act operates through 13 Australian Privacy Principles (APPs). These govern how personal information should be handled throughout its lifecycle. The key principles for most businesses include:
Collection (APPs 1-5)
You must only collect personal information that is reasonably necessary for your business functions. This means:
- Having a clear purpose for collecting each piece of information
- Not collecting more than you need
- Collecting information lawfully and fairly
- Having a privacy policy that explains your practices
- Informing people about why you're collecting their information
Use and Disclosure (APP 6)
Personal information should only be used for the purpose it was collected, unless:
- The person has consented to another use
- The secondary use is related to the primary purpose (and would be expected)
- It's required by law
- There is a serious threat to health or safety
Security (APP 11)
You must take reasonable steps to protect personal information from:
- Misuse, interference, and loss
- Unauthorised access, modification, or disclosure
Access and Correction (APPs 12-13)
Individuals have the right to access their personal information and request corrections to inaccurate information. You need processes to handle these requests.
Practical Compliance Steps
Create a Privacy Policy
Your privacy policy should clearly explain:
- What personal information you collect
- Why you collect it
- How you use and disclose it
- How you store and protect it
- How people can access or correct their information
- How to make a complaint
Review Data Collection Practices
Audit what personal information you actually collect. For each piece of information, ask:
- Do we need this?
- What do we use it for?
- How long do we keep it?
- Who has access to it?
Implement Appropriate Security
Security measures should match the sensitivity of information you hold. Consider:
Establish Clear Procedures
Document how your business handles:
- Privacy complaints
- Access requests
- Correction requests
- Data breaches
The Notifiable Data Breaches Scheme
Since 2018, the Notifiable Data Breaches scheme has required organisations covered by the Privacy Act to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when eligible data breaches occur.
An eligible data breach occurs when:
- There's unauthorised access, disclosure, or loss of personal information
- A reasonable person would conclude it's likely to result in serious harm
- The organisation hasn't been able to prevent the harm through remedial action
Responding to Breaches
When a potential breach occurs:
1.
Common Compliance Gaps
Outdated Privacy Policies
Many businesses created a privacy policy years ago and haven't updated it since. Practices change, new systems are introduced, and policies become inaccurate.
Poor Data Retention Practices
Keeping personal information longer than necessary increases risk and may breach APP 11. Establish retention schedules and actually follow them.
Inadequate Staff Training
Staff handling personal information need to understand their obligations. One-off training during onboarding isn't enough—regular refreshers help maintain awareness.
Third-Party Risk
If you share personal information with third parties (cloud services, contractors, partners), you're still responsible for how they handle it. Ensure appropriate agreements and practices are in place.
Getting Compliance Right
Privacy compliance doesn't have to be overwhelming. Start with understanding what personal information you hold and why. Build appropriate protections around it. Create processes for handling requests and incidents.
For most small businesses, compliance is achievable with:
- A clear, accurate privacy policy
- Reasonable security measures
- Staff awareness of privacy obligations
- Simple procedures for common situations
- Regular review of practices
Professional advice can help identify gaps and establish appropriate practices—particularly for businesses handling sensitive information like health records.
Privacy compliance isn't just about avoiding penalties. It's about respecting the trust people place in your business when they share their personal information. Getting it right builds that trust.
Struggling With IT Compliance?
We help Australian businesses meet Privacy Act, industry, and insurance compliance requirements — without the stress.