Guide: Privacy compliance for small business


Purpose of this Guide

This Guide is provided as background information only and is not to be construed as advice. Prior to making any decisions or taking any action relating to anything contemplated by this Guide, you should obtain legal and financial advice.

If you would like us to provide you with advice about your business’ privacy law obligations, and you have not already done so, please provide us with instructions. You can use our online services to obtain privacy advice and privacy policies.

Please note that the following relates primarily to Commonwealth of Australia legislation, and not state legislation.

In Australia businesses are generally required to comply with the Privacy Act 1988 (Cth) (“Privacy Act”) in how they collect, store, and deal with “personal information” of individuals.

Are you collecting “personal information”?

If your business is collecting information such as client, or prospective client, names, addresses, telephone numbers, email addresses, or other information, then this is likely “personal information” and there are rules about how you can use and deal with that information set out in the Privacy Act.

There are different rules for different types of businesses

If your business meets any of the following criteria, then it will likely have extensive obligations under the Privacy Act (this is not an exhaustive list):

  • your business’ revenues for the current financial year will exceed $3 million;
  • your business’ revenue for any previous financial year exceeded $3 million;
  • your business provides a health service to an individual or holds any health information (excluding information held in any employee records);
  • your business discloses personal information about individuals to anyone else for a benefit, service or advantage (without consent);
  • your business collects personal information for other businesses (for example you provide contract services for collecting information from individuals for your customers);
  • your business is a contract service provider for a Commonwealth contract (as the direct contractor, or a subcontractor);
  • your business involves credit reporting;
  • your business is related to a larger body corporate that is bound to comply with the Privacy Act;
  • your business operates as a deposit taking institution as an account provider to account holders, or any similar activity that would make your business a “reporting entity” for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth);
  • your business operates a residential tenancy database;
  • your business is an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth);
  • your business is a protected action ballot agent for a protected action ballot conducted under Part 3-3 of the Fair Work Act 2009 (Cth);
  • your business is required to comply with the data retention provisions in Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth); and
  • your business has voluntarily opted into, or is otherwise bound to comply with the Privacy Act.

However if your business meets the criteria for a “small business” for the purposes of the Privacy Act, then you can limit the obligations your business has under the Privacy Act in various ways.

Privacy Policies and obtaining consent

If your “small business” takes certain steps when collecting personal information, it may be possible for your business to avoid the costs and administrative burdens of having to strictly comply with many of the provisions of the Privacy Act. The critical step is to obtain consent for your current and future uses of the information you collect. In web-based businesses this is commonly done by way of a privacy policy and terms and conditions that apply to your services. In other businesses it is commonly done with a written privacy statement and a services agreement or similar.

Regardless of the manner in which you obtain consent, it is imperative that such consent is obtained prior to you receiving the information, and it is your responsibility to keep records of the relevant consent, and to be capable of proving that you received it prior to your collection of the information.

Further information

Further information can be obtained from:


Starting Block Lawyers is here to help you and your business

If you have any questions in relation to this Guide, or you would like us to provide you with any assistance with information privacy and compliance, please use our online services to obtain advice and privacy policies, or contact us.