Privacy Act Compliance: What Australian Small Businesses Actually Need to Do

Category: Compliance

The Privacy Act affects more businesses than many realise. Here is a practical overview of compliance requirements and how to meet them without overcomplicating things.

## Does the Privacy Act Apply to Your Business?

Many small business owners assume the Privacy Act doesn't apply to them. This assumption is often wrong.

The Privacy Act 1988 applies to Australian Government agencies and private sector organisations with annual turnover over $3 million. However, certain businesses are covered regardless of turnover:

- Health service providers (including allied health)
- Businesses that trade in personal information
- Contractors providing services to the Commonwealth
- Credit reporting bodies
- Businesses related to larger organisations that exceed the threshold

If you handle health information, you're covered. If you collect and share customer data in ways that could be considered trading, you're covered. The thresholds are narrower than many expect.

## Understanding the Australian Privacy Principles

The Privacy Act operates through 13 Australian Privacy Principles (APPs). These govern how personal information should be handled throughout its lifecycle. The key principles for most businesses include:

### Collection (APPs 1-5)

You must only collect personal information that is reasonably necessary for your business functions. This means:

- Having a clear purpose for collecting each piece of information
- Not collecting more than you need
- Collecting information lawfully and fairly
- Having a privacy policy that explains your practices
- Informing people about why you're collecting their information

### Use and Disclosure (APP 6)

Personal information should only be used for the purpose it was collected, unless:

- The person has consented to another use
- The secondary use is related to the primary purpose (and would be expected)
- It's required by law
- There is a serious threat to health or safety

### Security (APP 11)

You must take reasonable steps to protect personal information from:

- Misuse, interference, and loss
- Unauthorised access, modification, or disclosure

What's "reasonable" depends on factors including the sensitivity of the information, your business size, and available security measures.

### Access and Correction (APPs 12-13)

Individuals have the right to access their personal information and request corrections to inaccurate information. You need processes to handle these requests.

## Practical Compliance Steps

### Create a Privacy Policy

Your privacy policy should clearly explain:

- What personal information you collect
- Why you collect it
- How you use and disclose it
- How you store and protect it
- How people can access or correct their information
- How to make a complaint

The policy should be easily accessible—typically on your website and available on request.

### Review Data Collection Practices

Audit what personal information you actually collect. For each piece of information, ask:

- Do we need this?
- What do we use it for?
- How long do we keep it?
- Who has access to it?

You might be surprised how much unnecessary information has accumulated.

### Implement Appropriate Security

Security measures should match the sensitivity of the information you hold. Consider:

**Access controls:** Limit who can access personal information to those who need it for their role.

**Secure storage:** Protect digital records with appropriate technical measures. Protect physical records in locked storage.

**Transmission security:** Use encrypted connections when transmitting sensitive information.

**Staff training:** Ensure staff understand their obligations and how to handle information appropriately.

### Establish Clear Procedures

Document how your business handles:

- Privacy complaints
- Access requests
- Correction requests
- Data breaches

Having procedures in place before you need them makes response much smoother.

## The Notifiable Data Breaches Scheme

Since 2018, the Notifiable Data Breaches scheme has required organisations covered by the Privacy Act to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when eligible data breaches occur.

An eligible data breach occurs when:

- There's unauthorised access, disclosure, or loss of personal information
- A reasonable person would conclude it's likely to result in serious harm
- The organisation hasn't been able to prevent the harm through remedial action

### Responding to Breaches

When a potential breach occurs:

1. **Contain:** Take immediate steps to limit the breach
2. **Assess:** Determine what information was affected and whether serious harm is likely
3. **Notify:** If required, notify affected individuals and the OAIC
4. **Review:** Assess what went wrong and prevent recurrence

The assessment must be completed within 30 days, though notification should happen as soon as practicable.

## Common Compliance Gaps

### Outdated Privacy Policies

Many businesses created a privacy policy years ago and haven't updated it since. Practices change, new systems are introduced, and policies become inaccurate.

### Poor Data Retention Practices

Keeping personal information longer than necessary increases risk and may breach APP 11. Establish retention schedules and actually follow them.

### Inadequate Staff Training

Staff handling personal information need to understand their obligations. One-off training during onboarding isn't enough—regular refreshers help maintain awareness.

### Third-Party Risk

If you share personal information with third parties (cloud services, contractors, partners), you're still responsible for how they handle it. Ensure appropriate agreements and practices are in place.

## Getting Compliance Right

Privacy compliance doesn't have to be overwhelming. Start with understanding what personal information you hold and why. Build appropriate protections around it. Create processes for handling requests and incidents.

For most small businesses, compliance is achievable with:

- A clear, accurate privacy policy
- Reasonable security measures
- Staff awareness of privacy obligations
- Simple procedures for common situations
- Regular review of practices

The Office of the Australian Information Commissioner provides guidance resources specifically for small businesses. These are worth reviewing. Professional advice can help identify gaps and establish appropriate practices—particularly for businesses handling sensitive information like health records.

Privacy compliance isn't just about avoiding penalties. It's about respecting the trust people place in your business when they share their personal information. Getting it right builds that trust.

Written by Netluma IT
