Opting in to the Privacy Act

Last updated: 6 August 2019

The Privacy Act allows small business operators, who would otherwise not be covered by the Privacy Act, to choose to be treated as an organisation for the purposes of that Act and therefore subject to the Australian Privacy Principles.

About the register

Most small businesses and not-for-profit organisations that have an annual turnover of $3 million or less and that are not health service providers or do not trade in personal information for benefit, service or advantage are not covered by the Privacy Act 1988 (Privacy Act). There are some other situations that bring a small business/not-for-profit under the coverage of the Privacy Act, either in whole or for some of its activities. For more information on which small businesses/not-for-profits are covered by the Privacy Act see Small Business.

Section 6EA of the Privacy Act allows small businesses/not-for-profits, who would otherwise not be covered by the Privacy Act, to choose to be treated as an organisation for the purposes of the Privacy Act and therefore subject to the Australian Privacy Principles and any relevant APP code.

Small businesses/not-for-profits opting-in to be covered by the Privacy Act are making a public commitment to good privacy practice. This option has been made available in order to provide small businesses/not-for-profits with the opportunity to benefit from any increase in consumer confidence and trust that may be derived from operating under the Privacy Act.

How to opt-in

If you decide to opt-in you will need to complete the Opt-in application form below, including your privacy policy, and return it to the Office of the Australian Information Commissioner (OAIC) by mail, email or fax.

You will need to provide us with a link to your business’ privacy policy on your website, or attach a copy of your privacy policy if it is not yet available online. Applications from business/not-for-profit organisations that do not have a privacy policy will be declined.

Australian Privacy Principle (APP) 1 in the Privacy Act requires entities to have a clearly expressed and up-to-date privacy policy describing how they manage personal information. The privacy policy should be published on the entity’s website.

If your business does not already have an APP privacy policy, you will need to produce such a policy as a first step to complying with your privacy obligations, and provide the OAIC with a link to (or a copy of) your APP privacy policy as part of your opt-in application. Further information is available in our Guide to developing an APP privacy policy.

After verification and assessment of the application, you will be notified and the trading name of your business/not-for-profit and its ABN will be placed on the public Opt-in Register as required by s6EA(3) of the Privacy Act. You will not be charged any fees for opting-in.

How to opt-out

If you have opted in and for any reason you wish to revoke that decision, you may opt-out by notifying the OAIC in writing. Your details will then be removed from the Opt-in Register, and you will no longer be covered by the Privacy Act (assuming no other provisions of the Privacy Act apply to your business/not-for-profit). You will not be charged any fees for opting-out.

It is important to note that any acts and practices of your business/not-for-profit that occur while you are on the Opt-in Register may be the subject of a complaint to the OAIC, even if you subsequently opt out.

The OAIC will keep a list of organisations that have revoked their decision to opt-in to the Privacy Act, or have been removed from the Opt-in Register for some other reason, and will make this information available if asked.

Opt-in form

By completing and submitting this application form you are choosing to have your small business/not-for-profit treated as an ‘organisation’ under the Privacy Act.

The application form must be signed by an authorised person. If at any time you decide to revoke your choice to be treated as an organisation covered by the Privacy Act, you will need to do so in writing to the OAIC.

For more information on what it means for your business/not-for-profit to be treated as an organisation under the Privacy Act, please refer to the Privacy section of this website, or contact the Enquiries line during business hours. Once completed this form can be mailed, emailed or faxed.
