Privacy Act 1988 Compliance Checklist for Small Business
Is your business complying with the Privacy Act 1988? This plain-English checklist covers the key Australian Privacy Principles for small businesses.
The Privacy Act 1988 is Australia's primary law governing how organisations handle personal information. If you've been putting off understanding what it means for your business, this is your practical starting point. This guide doesn't cover every nuance of the law — that's what lawyers are for — but it does give you a clear, actionable checklist against the Australian Privacy Principles (APPs) most relevant to small businesses.
Does the Privacy Act Apply to Your Business?
The Privacy Act applies to:
- All Australian Government agencies
- Businesses and not-for-profits with an annual turnover of more than $3 million
- Smaller organisations in specific circumstances, including: health service providers (regardless of turnover), businesses that trade in personal information (buying or selling it), credit reporting bodies, businesses related to an organisation that is covered by the Act, contracted service providers for Australian Government contracts, and businesses that have opted in
Even if you're currently exempt, be aware that the Australian Government has proposed extending Privacy Act obligations to more small businesses. The direction of travel is clear: more businesses will be covered over time, not fewer. And best-practice privacy management protects your customers and your reputation regardless of your legal obligations.
The Australian Privacy Principles at a Glance
There are 13 Australian Privacy Principles (APPs), and they cover the full lifecycle of personal information — from collection through to destruction. Here's what they mean for your business in practice.
APP 1: Have an Up-to-Date Privacy Policy
You must have a clearly expressed and up-to-date privacy policy that explains:
- What kinds of personal information you collect
- How you collect it
- Why you collect it (the purposes)
- Whether you disclose it to anyone else (and if so, who)
- Whether you send it overseas, and if so, to which countries
- How individuals can access or correct their information
- How to make a privacy complaint
Checklist item: Does your website have a privacy policy? Is it current and accurate? Does it cover all the above points?
APP 3: Only Collect What You Need
You must only collect personal information that is reasonably necessary for one or more of your business functions or activities. If you don't need a customer's date of birth or home address for the service you're providing, don't ask for it. Sensitive information (for example health, biometric or ethnicity information) has a higher bar: you generally need the individual's consent to collect it.
You must also collect information only by lawful and fair means, and wherever reasonable and practicable, collect it directly from the individual rather than from third parties.
Checklist item: Review your data collection forms and processes. Are you collecting more information than you actually need? Can you reduce what you ask for?
APP 5: Notify People What You Collect and Why
At or before the time you collect personal information (or, if that isn't practicable, as soon as practicable afterwards), you must notify individuals (or ensure they're aware) of key facts: who you are, how to contact you, why you're collecting the information, who you'll disclose it to, whether any of the collection is required by law, and what happens if they don't provide it.
In practice, this is usually done via your privacy policy and a notice at the point of collection (e.g., "We collect this information to process your order — see our privacy policy for details").
Checklist item: Do your contact forms, booking systems, and intake processes include a reference to your privacy policy? Do you tell people why you're collecting their information?
APP 6: Only Use Information for the Purpose You Collected It
You can only use or disclose personal information for the primary purpose you collected it for — unless one of a limited set of exceptions applies (e.g., the individual has consented to a secondary use, or use for a secondary purpose is directly related to the primary purpose and the individual would reasonably expect it).
This means: if you collected someone's email to fulfil their order, you can't automatically add them to your marketing newsletter without their separate consent.
Checklist item: Are you using customer data only for the purposes for which it was collected? Do you have clear consent processes for marketing communications?
APP 7: Direct Marketing
If you use personal information for direct marketing (email newsletters, SMS campaigns, targeted advertising), you must provide a simple way to opt out, and you must stop when asked. You generally need consent before sending marketing to new contacts, unless you have an existing customer relationship and the person would reasonably expect to receive marketing from you.
Note that direct marketing is also governed by the Spam Act 2003 (for electronic messages) and the Do Not Call Register Act 2006 (for phone calls).
Checklist item: Do all your marketing emails include an unsubscribe link? Do you process unsubscribe requests promptly? Are you only emailing people who have consented (or who are existing customers with a reasonable expectation of contact)?
APP 8: Cross-Border Disclosures
If you disclose personal information to an overseas recipient (including by using cloud services hosted overseas), you generally remain accountable for how that recipient handles the information: an act or practice of the recipient that would breach the APPs is treated as your breach. You must take reasonable steps to ensure the overseas recipient does not breach the APPs, unless an exception applies, such as the individual giving express consent after you have told them that you will not be taking those steps.
In practice, this means checking the privacy and data handling commitments of any overseas cloud service providers you use — your CRM, your email marketing platform, your project management software.
Checklist item: Do you use any overseas cloud services that process personal information? Have you reviewed their privacy terms and data processing agreements?
APP 11: Protect Personal Information You Hold
You must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. This includes both technical measures (encryption, access controls, multi-factor authentication, patching) and organisational measures (training staff, privacy governance, and having an incident response plan, including a process for assessing breaches and notifying the OAIC and affected individuals where the Notifiable Data Breaches scheme requires it).
When you no longer need personal information for any purpose, you must destroy or de-identify it (unless a law requires you to keep it).
Checklist item: Are your systems and devices appropriately secured? Do you have a data retention policy? When you delete data, are you deleting it securely?
APP 12: Give People Access to Their Information
Individuals have the right to request access to personal information you hold about them. An organisation must respond within a reasonable period (the OAIC's guidance treats 30 days as the benchmark; the 30-day limit in the Act itself applies to government agencies). You cannot charge a fee for making the request, and any charge for giving access must not be excessive. You can only refuse access on the specific grounds set out in the Privacy Act, and if you refuse you must give written reasons and explain how to complain.
Checklist item: Do you have a process for responding to access requests? Does your privacy policy explain how to make one?
APP 13: Correct Personal Information
If an individual believes personal information you hold about them is inaccurate, out of date, incomplete, irrelevant or misleading, they can ask you to correct it. You must respond within a reasonable period (again, the OAIC treats 30 days as the benchmark), and you cannot charge for the correction. If you refuse to correct the information, you must give written reasons, and the individual can ask you to attach a statement to the record noting that they believe it is inaccurate.
Checklist item: Do you have a process for updating customer information when requested?
How to Make a Complaint (and What to Do If One Is Made Against You)
Individuals who believe their privacy has been interfered with can complain to the OAIC (oaic.gov.au). The OAIC generally expects them to complain to you first and give you a reasonable time (usually 30 days) to respond before it will take the complaint on. Make sure you have a clear internal complaints process and that it's described in your privacy policy.
Key Takeaways
- The Privacy Act and its 13 Australian Privacy Principles apply to businesses with turnover over $3 million, all health service providers, and some others — with broader coverage likely to come.
- Core obligations: have a current privacy policy (APP 1); only collect what you need (APP 3); tell people why you're collecting their data (APP 5); only use data for the purpose collected (APP 6); manage direct marketing lawfully (APP 7); protect personal information with reasonable security measures (APP 11).
- Individuals have rights to access (APP 12) and correct (APP 13) their information — have a process to handle these requests.
- Cross-border data flows (including overseas cloud services) require attention under APP 8.
- Free guidance and resources are available from the OAIC at oaic.gov.au.
Privacy compliance starts with understanding what data you hold and how you're protecting it. The free assessment at flagged.com.au helps Australian businesses identify their biggest privacy and data security gaps quickly — take five minutes to see where you stand.