Australian Government - Office of the Australian Information Commissioner

Privacy business resource 10: Does my small business need to comply with the Privacy Act?

July 2015

The information in this resource outlines how the Privacy Act 1988 (Privacy Act) applies to small businesses. It also includes a Checklist that will help you determine whether your small business is required to comply with the Australian Privacy Principles (APPs) in the Privacy Act.

The Privacy Act

The Australian Privacy Principles (APPs) in the Privacy Act outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must handle, use and manage personal information. APP entities can include an individual (including a sole trader), body corporate, partnership, unincorporated association and trust.

Personal information is information or an opinion that identifies or could reasonably identify an individual. Some examples are name, address, telephone number, date of birth, medical records, bank account details, and opinions.

In addition to the APPs, the Privacy Act also covers more specific matters that entities, including some small businesses, may be required to comply with.   

Part IIIA of the Privacy Act regulates the handling of individuals’ consumer credit information, including credit reports. Small businesses participating in the credit reporting system[1] are required to comply with Part IIIA. More information about complying with Part IIIA can be found at the Office of the Australian Information Commissioner’s (OAIC) Credit reporting page.

The Privacy (Tax File Number) Rule 2015 regulates the handling of individuals' tax file number information. Small businesses that are tax file number recipients[2] are required to comply with the Privacy (Tax File Number) Rule 2015. More information about complying with the Privacy (Tax File Number) Rule 2015 can be found at the OAIC’s resource The Privacy (Tax File Number) Rule 2015 and the protection of tax file number information.

The APPs and small businesses

Under the Privacy Act, a small business is one that does not have an annual turnover greater than $3 million. Whilst many small businesses do not need to comply with the APPs, some small businesses that handle personal information do.

The Checklist

The Checklist in Appendix A of this resource will help you decide if your small business needs to comply with the APPs. If you’re still not sure if your small business needs to comply, you may need to get more advice from your lawyer or other advisers.

What resources will help my small business comply with the APPs?

If your small business is required to comply with the APPs, you will need to consult other resources to help you comply with your obligations and avoid breaching the Privacy Act. The OAIC has a number of resources to help you with this.  

For more information about:

It is important to remember that complying with the Privacy Act does not prevent you handling personal information for your business needs.

What could happen if my small business breaches the APPs?

Individuals have the right to complain if they consider that a business that is covered by the Privacy Act has not complied with the Act in handling their personal information. If your small business is covered by the Privacy Act, the OAIC can investigate, conciliate and, if necessary, make determinations about complaints made about your handling of personal information.

The Commissioner can also investigate a matter on his or her own initiative through a Commissioner initiated investigation.

For more information about the Commissioner’s range of powers, and the OAIC’s regulatory strategy, approach and priorities, see the OAIC’s Privacy regulatory action policy.

For information about how to handle a privacy complaint, see the OAIC’s Handling privacy complaints resource.

The information provided in this resource is of a general nature. It is not a substitute for legal advice. Small businesses will need to consider how the Privacy Act applies to their particular situation.

For further information

telephone: 1300 363 992
email: enquiries@oaic.gov.au
write: GPO Box 5218, Sydney NSW 2001
Or visit our website at www.oaic.gov.au

Appendix A: Checklist — Does my small business need to comply with the Australian Privacy Principles?

Question 1

Does your small business handle personal information?

YES: Please go to Question 2

NO: You do not need to comply with the APPs.

Question 2

Has your small business had an annual turnover of more than $3,000,000 in any financial year since 2002?

Annual turnover for the purposes of the Privacy Act includes all income from all sources. Annual turnover does not include assets held, capital gains or proceeds of capital sales.

If your small business has not operated for a whole financial year, you need to make a projection of full year annual turnover based on the income of your business during that period.

YES: You need to comply with the APPs. The information and resources at the beginning of this Checklist will help you understand how to comply.

NO: Please go to Question 3

Question 3

Does your small business trade in personal information?

A business is considered to trade in personal information if it:

  • provides a benefit, service or advantage to collect personal information; or
  • discloses personal information for a benefit, service or advantage.

A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service. For example, where a small business sells its customer list to a marketing company or gives its own list in return for another list.

YES: Go to Question 4

NO: Go to Question 5

Question 4

Does your small business trade in personal information without the consent of the individual and without being required or authorised by law?

Consent can either be express or implied. 

YES: You need to comply with the APPs. The information and resources at the beginning of this resource will help you understand how to comply.

NO: Go to Question 5

Question 5

Is your small business a health service provider?

Health service providers provide services in relation to physical, emotional, psychological and mental health. They include traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals; complementary therapists, child care centres, private schools and private tertiary educational institutions.

YES: You need to comply with the APPs. The information and resources at the beginning of this resource will help you understand how to comply.

NO: Go to Question 6

Question 6

Is your small business related to a larger body corporate that is subject to the Privacy Act?

To answer this question, use the test for related body corporate in the Corporations Act 2001.  Companies might be related where they are a holding company or a subsidiary of another body corporate.

YES: You need to comply with the APPs. The information and resources at the beginning of this resource will help you understand how to comply.

NO: Go to Question 7

Question 7

Is your small business a Commonwealth contracted service provider?

Your business is a Commonwealth contracted service provider if you provide services to, or on behalf of, Australian or Norfolk Island government agencies under a Commonwealth contract or subcontract.

The provisions do not apply to businesses that receive funding from Commonwealth agencies for services that are not a function of the agency.

YES: You need to comply with the APPs. Check your contract for more information about your privacy obligations. The information and resources at the beginning of this resource will help you understand how to comply.

NO: Go to Question 8

Question 8

Are you a reporting entity or authorised agent of a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) or its Regulations or Rules?

More information about the AML/CTF Act is available from the AUSTRAC website.

YES: You need to comply with the APPs for your activities in relation to the AML/CTF Act and its Regulations and Rules. The information and resources at the beginning of this resource will help you understand how to comply.

NO: Go to Question 9

Question 9

Does your small business operate a residential tenancy database?

A residential tenancy database is a database that stores personal information about individuals occupying residential premises as tenants and is accessible by a person other than the operator of the database or a person acting for the operator.

YES: You need to comply with the APPs. The information and resources at the beginning of this resource will help you understand how to comply.

NO: Go to Question 10

Question 10

Does your small business carry on a credit reporting business?

A credit reporting business is defined in section 6P of the Privacy Act.

YES: You need to comply with Part IIIA of the Privacy Act and the APPs where Part IIIA does not apply. The information and resources at the beginning of this resource will help you understand how to comply.

NO: Go to Question 11

Question 11

Is your small business an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009?

YES: You need to comply with the APPs.  The information and resources at the beginning of this resource will help you understand how to comply.

NO: Go to Question 12

Question 12

Is your small business a protected action ballot agent for a protected action ballot conducted under Part 3-3 of the Fair Work Act 2009?

YES: You need to comply with the APPs. The information and resources at the beginning of this resource will help you understand how to comply.

NO: Go to Question 13

Question 13

Is your small business a service provider that is required to comply with the data retention provisions in Part 5-1A of the Telecommunications (Interception and Access) Act 1979?

Part 5-1A requires service providers to collect and retain certain information about communications.

YES: You need to comply with the APPs for your activities in relation to data collected and retained under Part 5-1A. The information and resources at the beginning of this resource will help you understand how to comply.

NO: Go to Question 14

Question 14

Has your small business voluntarily opted into the Privacy Act?

The Privacy Act provides a mechanism to allow an organisation that is a small business operator to opt in to the Act.

YES: You need to comply with the APPs. The information and resources at the beginning of this resource will help you understand how to comply.

NO: You don’t need to comply with the Privacy Act. As a matter of best practice though, we recommend you protect any personal information you hold.

We also recommend you consider opting in to the Privacy Act. A small business that opts in to the Privacy Act could experience a number of benefits, including increased consumer confidence and trust in its operations.

Footnotes

[1] A small business may be participating in the credit reporting system if it discloses personal information to, or collects information from, a credit reporting body. A credit reporting participant includes a credit reporting body, a credit provider and other third party recipients of that information. Credit related personal information is information about an individual’s consumer credit activities.

[2] A small business is a tax file number recipient if it is in possession or control of a record that contains tax file number information of an individual.