Australian Government - Office of the Australian Information Commissioner

How do I know if my small business is covered by the Privacy Act?

Is my small business covered by the Privacy Act?

Generally speaking, most small businesses will not have to comply with the Privacy Act 1988 (Privacy Act). However, there are exceptions. A small business with an annual turnover of $3 million or less will have to comply with the Privacy Act if it is:

  • a health service provider
  • trading in personal information (e.g. buying or selling a mailing list)
  • a contractor that provides services under a Commonwealth contract
  • a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
  • an operator of a residential tenancy database
  • a credit reporting body
  • employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
  • businesses that conduct protected action ballots
  • businesses that are related to a business that is covered by the Privacy Act
  • businesses prescribed by the Privacy Regulation 2013, or
  • businesses that have opted in to be covered by the Privacy Act.

If your business has an annual turnover of $3 million or less and meets one of the criteria above, the Privacy Act will apply to your business or to some aspects of it.

To check whether you need to comply, you can complete the Privacy checklist for small business, or seek advice from your industry association or lawyer. The precise definition of an exempt small business is set out in section 6D of the Privacy Act.

If your small business is covered by the Privacy Act you will have to comply with the Australian Privacy Principles. The Guide to privacy for small business will help you meet your privacy obligations. More information can be found in the APP guidelines and the Privacy business resources.


What does 'trading in personal information' mean?

A business is 'trading' in personal information if it collects from, or discloses to, someone else an individual's personal information for a benefit, service or advantage. A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service.

Trading in personal information generally means buying, selling or bartering personal information. For example, buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for some commercial gain.

A business is not trading in personal information if it gives or receives personal information for a benefit, service or advantage and it:

  • has the consent of all the individuals concerned; or
  • only does so when authorised or required by law.

If you trade in personal information you will have to comply with the Australian Privacy Principles in the Privacy Act. Complying with the Privacy Act does not prevent you from collecting personal information for your business needs, but it does mean you must follow the rules about how to handle that information.

For more information see the Guide to privacy for small business and APP guidelines.


If a business is buying or selling personal information and does not want to be subject to the Privacy Act, it will need the consent of every individual concerned before the sale is completed. For further guidance on the scope and meaning of consent, refer to Chapter B of the APP guidelines.
