A Plain-English Guide to the Privacy Act for Australian Small Businesses
Understand what the Privacy Act requires of your Australian small business, when it applies, and what happens if you have a data breach.
If your business collects information about customers, employees, or anyone else — names, email addresses, health records, payment details — there's a good chance the Privacy Act 1988 has something to say about how you handle it. But the legislation can feel intimidating to small business owners who just want to get on with running their business.
This guide cuts through the legal language and explains what you actually need to know.
Does the Privacy Act Apply to You?
The Privacy Act's Australian Privacy Principles (APPs) generally apply to businesses and organisations with an annual turnover above $3 million. If you're below that threshold, you may be exempt — but there are important exceptions.
The Privacy Act applies to you regardless of turnover if you:
- Provide health services (including allied health, dental, optical, psychology)
- Handle health information about individuals (even incidentally)
- Trade in personal information — that is, you buy or sell data about people
- Are a contractor that provides services to the Australian Government under a contract
- Are a credit reporting body or an entity that accesses credit reporting information
- Have voluntarily opted in to the Privacy Act
Even if the Act doesn't technically apply to you, collecting customer data carries real responsibilities — customers expect their information to be handled respectfully, and a breach can damage your reputation regardless of your legal obligations. Treating privacy seriously is good business practice, not just a compliance exercise.
What the Australian Privacy Principles Require
The APPs set out thirteen principles for how personal information must be handled. For most small businesses, these are the key practical obligations:
Collect Only What You Need
Only collect personal information that is reasonably necessary for your business functions. If you're a plumber booking jobs, you need a name, phone number, and address — you don't need a customer's date of birth or income. Collecting data you don't need creates unnecessary risk and obligations.
Tell People What You're Collecting and Why
When you collect personal information, you must take reasonable steps to notify people of your identity, why you're collecting the information, and who you might share it with. A privacy policy on your website is the standard way to do this for online businesses. For face-to-face collection (like a paper form), a brief notice explaining the purpose is usually sufficient.
Keep It Secure
You must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. What's "reasonable" depends on the sensitivity of the information and the size of your business. At a minimum: use strong passwords, enable multi-factor authentication on systems that hold personal data, store physical documents securely, and delete or de-identify data you no longer need.
Don't Share It Without Consent (Generally)
Personal information should only be used or disclosed for the purpose it was collected, unless the individual consents to another use, or a legal exception applies. This means you can't sell your customer email list to a third party without consent, even if the list is just names and email addresses.
Give People Access to Their Own Information
If someone asks to see what information you hold about them, you must generally provide it. You must also correct information if it's inaccurate, out of date, or incomplete. Keep your records tidy and have a process for handling these requests.
The Notifiable Data Breaches Scheme
If your business is covered by the Privacy Act, you are also covered by the Notifiable Data Breaches (NDB) scheme. This means that if you have a data breach that is likely to cause serious harm to individuals, you have legal obligations to act quickly.
What Triggers the NDB Scheme?
An eligible data breach occurs when:
- Personal information is lost, accessed, or disclosed without authorisation
- This is likely to result in serious harm to the individuals involved
- You haven't been able to prevent the likely harm through remediation
Serious harm includes financial loss, physical harm, serious psychological harm, or significant damage to reputation. A ransomware attack encrypting customer records, a stolen laptop with unencrypted client files, or a staff member accidentally emailing a customer list to the wrong address could all qualify.
What You Must Do — and When
When you become aware of a potential eligible data breach, you must carry out an assessment within 30 days to determine whether it meets the threshold. If it does, you must:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable
- Notify the affected individuals as soon as practicable — those at risk of serious harm
- Include in the notification: what happened, what information was involved, and what steps people should take to protect themselves
Thirty days sounds like a long time, but in a real incident it goes quickly. Having a basic incident response plan before something happens will save you enormous stress.
Practical Steps to Prepare
Write a Privacy Policy
A simple, plain-English privacy policy on your website explains what information you collect, why, and how you handle it. You can find templates from the OAIC. Keep it honest and keep it updated if your practices change.
Secure Your Data Storage
Know where you store personal information — customer databases, accounting software, email archives, physical files — and make sure each location is appropriately protected. Use encryption where possible, and limit who can access sensitive records to only those who need it.
Have a Breach Response Plan
Write down the basic steps you'd take if you discovered a data breach: who to contact internally, how to assess the severity, when to notify the OAIC, and how to communicate with affected customers. You don't need a lengthy document — a single page covering these steps is enough to give you a starting point under pressure.
Train Your Staff
Most data breaches involve human error — emails sent to the wrong person, files saved insecurely, weak passwords on systems holding customer data. Brief your staff on your privacy obligations and the basics of safe data handling. It doesn't need to be a formal training course; a conversation at a team meeting is a useful start.
The Privacy Act isn't designed to be a burden on small businesses — it's designed to protect the people who trust you with their information. Handling that information respectfully and securely is both a legal obligation and a mark of a trustworthy business.
Frequently asked questions
Does the Privacy Act apply to my small business?
The Privacy Act 1988 generally applies to businesses with an annual turnover above $3 million. However, several important exceptions bring smaller businesses into scope regardless of turnover: if you provide health services, handle health information, trade in personal information, have opted in voluntarily, or are a contractor to the Australian Government. If you're unsure, the Office of the Australian Information Commissioner (OAIC) website has a self-assessment tool to help you determine your obligations.
What counts as a notifiable data breach in Australia?
A notifiable data breach occurs when personal information is lost or accessed without authorisation, and this is likely to result in serious harm to the individuals whose information was involved. Serious harm includes financial loss, physical harm, serious psychological harm, or significant reputational damage. Examples include a ransomware attack that encrypts customer records, a stolen laptop containing unencrypted client data, or an employee accidentally emailing sensitive information to the wrong person.
What happens if my business has a data breach and doesn't report it?
Failing to report an eligible data breach is a serious matter. The Office of the Australian Information Commissioner can investigate complaints, conduct audits, and — in serious or repeated cases — pursue civil penalties through the courts. Fines for serious or repeated interference with privacy can reach into the millions of dollars for organisations. Beyond the legal consequences, failing to notify affected individuals denies them the chance to protect themselves, which compounds the harm and the reputational damage to your business.