Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects customer details, runs a website, uses a mailing list or has employees, you’re handling personal information. Managing that information properly isn’t just good practice - it’s a legal requirement in Australia and a big part of building trust with your customers.
In this guide, we’ll break down what “personal information” actually means in Australia, when the Privacy Act applies to small businesses, what you should include in your privacy documents, and practical steps to collect, use and protect data lawfully. By the end, you’ll have a clear checklist you can action right away.
What Counts As Personal Information In Australia?
Under Australian law, “personal information” is any information or opinion about an identified individual, or an individual who is reasonably identifiable. It doesn’t matter whether the information is true or recorded in a material form - if it can identify someone (alone or when combined with other data), it’s likely personal information.
Common personal information handled by small businesses includes:
- Names, email addresses, phone numbers and postal addresses
- Customer account details, purchase history and support tickets
- Website analytics that can identify a user (e.g. user IDs, cookie identifiers combined with other data)
- Payment information (e.g. partial card details, transaction tokens) - note there are added industry rules if you store card details
- Employee or applicant information (CVs, emergency contacts, payroll details)
There’s also a subset called “sensitive information” - for example, health data, biometric templates, racial or ethnic origin, religious beliefs, sexual orientation and criminal records. Sensitive information attracts stricter rules, including a higher bar for consent.
Tip: If you’re ever unsure whether a dataset is personal information, ask yourself, “Could a reasonable person work out who this is?” If the answer is yes (even with some effort or by combining with other data), treat it as personal information and handle it accordingly.
Do Small Businesses Need To Comply With The Privacy Act?
Australia’s Privacy Act sets out the Australian Privacy Principles (APPs) - the core rules for collecting, using, disclosing and securing personal information. Many small businesses assume they’re exempt, but in practice, a lot still need to comply.
Generally, small businesses with an annual turnover of $3 million or more must comply. However, there are several situations where small businesses under that threshold still need to follow the APPs, including if you:
- Provide health services (even basic wellness or allied health) and hold health information
- Trade in personal information (buying, selling or renting customer lists)
- Operate under certain federal contracts where compliance is required
- Are part of a group where related entities push aggregate turnover over $3 million
- Choose to opt in to the Privacy Act (some brands do this to build trust and standardise practices)
Even if the Act doesn’t strictly apply today, best practice says you should implement privacy controls from day one. It’s easier to scale responsibly, and customers expect it. At a minimum, put in place a clear Privacy Policy and consistent internal processes that align with the APPs.
What Should Your Privacy Documents Include?
Your privacy framework usually has two public-facing layers and a few internal pieces. Together, they set expectations with your customers and keep your team compliant.
1) Privacy Policy (External)
Your Privacy Policy explains, in plain English, what personal information you collect, why you collect it, how you use and disclose it, how you keep it secure, and how people can access or correct their data. It should also cover overseas disclosures and how to make a privacy complaint.
Make it easy to find (e.g. footer on your website, checkout pages, account signup) and keep it consistent with what actually happens in your business.
2) Collection Notice (External, Context-Specific)
A Privacy Collection Notice is a shorter, context-specific statement shown at the time of collection (for example, above a website form). It tells people exactly what’s being collected right now, the purpose, whether collection is required or optional, and any key disclosures. It complements your main policy and is essential for transparency.
3) Internal Policies and Procedures
- Information Security Policy: Sets your security standards (access controls, encryption, backups, incident response).
- Data Breach Response Plan: A step-by-step playbook to identify, contain, assess and notify if a breach occurs.
- Data handling procedures: How staff classify data, use approved tools, and follow retention and deletion rules (linking with your obligations under data retention laws).
Together, these documents ensure your public promises match your internal practices - which is exactly what regulators expect.
Collecting, Using And Disclosing Personal Information Lawfully
Here’s a practical checklist you can apply across your touchpoints - websites, apps, sales, customer support, recruitment and marketing.
Collect Only What You Need (Data Minimisation)
Only collect information that’s reasonably necessary for your functions or activities. Think “need-to-have”, not “nice-to-have”. Fewer data points reduce risk and make compliance (and security) simpler.
Be Clear And Upfront (Transparency)
Use a concise collection notice wherever you gather data, and ensure your full Privacy Policy is visible. Explain the purpose in plain English - for example, “We’ll use your email to send order updates and service messages.” If you also want to use it for marketing, say so clearly and offer an opt-out.
Use And Disclosure (Stick To The Purpose)
Use personal information only for the purpose you stated (or a directly related one that the individual would reasonably expect). If you want to expand the use (e.g. partnering with a new analytics provider), update your policy and collection notices and consider whether fresh consent is needed.
Consent And Sensitive Information
For sensitive information, the bar for consent is higher. Consent should be voluntary, specific, informed, current and given by someone with capacity. Avoid pre-ticked boxes. If consent is withdrawn, honour it promptly.
Marketing And Email Compliance
If you send marketing emails or SMS, you must comply with Australian spam rules. That generally means you need consent (express or inferred), clear sender identification and a working unsubscribe in every message. Make sure your Privacy Policy and any email marketing practices align.
Disclosing Overseas
If you use overseas service providers (e.g. cloud storage, CRM, helpdesk or email platforms), disclose that to your customers and take reasonable steps to ensure those recipients protect the data to Australian standards. Your Service Agreements and any Data Processing Agreement with vendors should reflect those obligations.
Children’s Data
If your product targets children or you’re likely to collect children’s information, take extra care. Use age-appropriate language, collect the minimum necessary, and consider parental consent where applicable.
Keeping Personal Information Secure And Handling Data Breaches
Security is the backbone of privacy compliance. The APPs require you to take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure.
Practical Security Measures
- Access controls: Limit access to staff who genuinely need it; use role-based permissions and remove access promptly when people leave.
- Strong authentication: Enforce multi-factor authentication for email, admin panels and cloud platforms.
- Encryption: Encrypt laptops, portable media and sensitive data at rest and in transit where feasible.
- Vendor due diligence: Assess your SaaS providers’ security practices and lock down data sharing in settings.
- Backups and recovery: Test restore procedures and keep backups separated from production systems.
- Training: Run onboarding and refresher training so your team knows how to handle personal information safely.
Payment Information
If you process payments, avoid storing full card data unless you have a very strong reason and the right certifications. Use reputable payment gateways and align with the expectations outlined in guidance on storing credit card details.
Notifiable Data Breaches (NDB) Scheme
If you experience a data breach that’s likely to result in serious harm, you may be required to notify affected individuals and the regulator under Australia’s Notifiable Data Breaches scheme. It’s critical to conduct a quick assessment, document the impact and take action. A clear Data Breach Response Plan will help you triage effectively, and you can engage a lawyer to prepare any required data breach notifications.
Retention And Destruction
Personal information shouldn’t be kept forever. Define retention periods that meet your business needs and any legal obligations, and then securely destroy or de-identify data when it’s no longer required. Align your internal processes with your obligations around data retention, and make sure your team knows who owns this task.
Key Legal Documents To Put In Place
Getting the right documents in place early makes compliance far easier and reduces risk. Here are the essentials most small businesses should consider.
- Privacy Policy: A clear, tailored statement of what you collect, why, how you use and disclose it, your security approach and how individuals can exercise their rights. Link it in your website footer and at key collection points. Consider a dedicated health service provider version if you handle health data.
- Privacy Collection Notice: A concise, context-specific notice shown at the time of collection that complements your Privacy Policy. Use it on forms, checkout pages and job applications with a link to your full Privacy Policy.
- Information Security Policy: Your internal standard for access, encryption, device use, third-party risk and incident response. A formal Information Security Policy helps staff do the right thing consistently.
- Data Breach Response Plan: A structured, actionable plan to identify, contain, assess and notify following a breach. Keep your Data Breach Response Plan up to date and run practice drills.
- Data Processing Agreement (with vendors): Contract terms that require your SaaS and service providers to safeguard personal information, restrict subprocessing and support breach notifications. Use a robust Data Processing Agreement where appropriate.
- Website and App Terms: Set the rules of use for your digital platforms and limit your liability. Pair these with a clear Privacy Policy and suitable Website Terms and Conditions.
- Marketing Compliance: Align your consent capture and unsubscribe flows with Australian spam rules and your obligations under email marketing laws.
Depending on your industry and scale, you may also implement a complaints handling process for privacy issues, internal training materials and role-based procedures for retention and deletion. The aim is to make privacy practical and repeatable - not a one-off document set that sits on a shelf.
Key Takeaways
- Personal information is any data that can identify an individual - treat it carefully, and apply stricter rules to sensitive information like health data.
- Many small businesses must comply with the Privacy Act, and even if you’re under the turnover threshold, best practice is to follow the APPs to meet customer expectations and reduce risk.
- Publish a clear, tailored Privacy Policy and use a context-specific collection notice at the point of capture so people understand what you’re doing with their data.
- Only collect what you need, be transparent about purpose, manage consent properly, and keep your marketing in line with email marketing laws.
- Invest in security basics (access controls, MFA, encryption, training) and prepare for incidents with a tested Data Breach Response Plan and clear notification process.
- Use strong vendor contracts like a Data Processing Agreement, set sensible data retention timelines, and ensure your internal policies match your public commitments.
If you’d like a consultation on setting up your privacy framework and handling personal information in your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.