Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Handling customer data is part of doing business today - whether you run an online store, provide professional services or operate a local clinic. With that comes legal responsibilities under Australia’s privacy laws.
If you’re wondering what the Privacy Act requires from a small business (and whether it even applies to you), you’re in the right place. In this guide, we’ll break down who needs to comply, what compliance looks like in plain English, and the practical steps you can take to meet your obligations with confidence.
Our goal is to help you set up a sensible, business-friendly privacy framework so you can build trust with customers and grow without privacy headaches.
What Is The Privacy Act And Do You Need To Comply?
The Privacy Act 1988 (Cth) sets out how Australian organisations handle personal information, mainly through the Australian Privacy Principles (APPs). It applies to “APP entities”, which include most Australian Government agencies and businesses with an annual turnover of more than $3 million.
However, even if your turnover is under $3 million, you may still be covered. Many small businesses must comply if they fall into certain categories, including if you:
- Provide a health service (for example, allied health, beauty therapy with health records, or telehealth) and hold health information.
- Trade in personal information (e.g. sell, rent or exchange customer lists).
- Provide services under a Commonwealth contract handling personal information.
- Operate a residential tenancy database or handle tax file number (TFN) information.
- Are a credit reporting body or involved in some credit-related activities.
Even if you’re technically exempt, customers still expect strong privacy practices - and many large clients will require privacy compliance in their supplier terms. Treating privacy seriously is good business, not just a legal checkbox.
If you do need to comply, you must implement the APPs. In practice, that means being open about how you collect and use personal information, collecting only what you need, securing it properly, and giving people rights to access and correct it.
The 13 Australian Privacy Principles (APPs) Explained For Small Business
The APPs are principles-based. They tell you what outcomes to achieve without prescribing exactly how. Here are the key ideas to translate into day-to-day operations:
1) Be Open And Transparent (APP 1)
Explain how you handle personal information in a clear, accessible Privacy Policy, and make sure you actually do what your policy says. Keep it up to date as your business evolves.
2) Offer Anonymity Where Practical (APP 2)
Let people interact with you anonymously or using a pseudonym when it’s feasible (e.g. casual website browsing or general enquiries). It won’t always be possible, such as when providing regulated services or issuing invoices.
3) Collect Only What You Need (APPs 3-5)
- Collect personal information that’s reasonably necessary for your business functions - not “just in case”. If you handle sensitive information (like health or biometric data), the bar is higher and you’ll generally need consent.
- Handle unsolicited information carefully: if you don’t need it, securely destroy or de-identify it (unless a law requires retention).
- Notify individuals at or before collection about what you’re collecting and why. This is often done via a concise Privacy Collection Notice at key touchpoints (web forms, onboarding, sign-up flows).
4) Use And Disclose Fairly (APPs 6-9)
- Use personal information only for the purpose you collected it, or a related purpose the individual would reasonably expect. If you want to use it for something new, get consent or ensure another lawful basis applies.
- Direct marketing requires careful handling - provide a clear opt-out and honour it promptly. Your marketing must also comply with spam and consumer laws.
- Be careful with government-related identifiers (e.g. Medicare numbers) - don’t adopt or disclose them unless an exception applies.
- If disclosing personal information overseas, take reasonable steps to ensure the overseas recipient protects it (APP 8). Contract terms and due diligence are key.
5) Keep It Accurate And Secure (APPs 10-11)
- Take reasonable steps to ensure personal information is accurate and up to date before using it.
- Protect information from misuse, interference and loss, and from unauthorised access, modification or disclosure. "Reasonable steps" will usually include technical measures (access controls, multi-factor authentication, encryption, backups), process controls (least-privilege access, prompt offboarding of departing staff) and staff training.
- Only keep information for as long as it’s needed for your business purposes or required by law, then securely delete or de-identify it. Understanding your data retention laws will help you set sensible retention schedules.
6) Give People Access And Correction Rights (APPs 12-13)
Have simple processes for individuals to request access to their personal information and ask for corrections. Respond within a reasonable period (the OAIC generally treats 30 days as the benchmark for organisations) and, if you refuse, give written reasons and tell the person how to complain (you'll need a ground the Act actually recognises).
Practical Steps To Meet Your Privacy Act Obligations
Turning the APPs into day-to-day practice is easier when you approach it as a structured, business process. Here’s a practical roadmap you can use right away.
Step 1: Map Your Personal Information
- List the types of personal information you collect (names, contact details, payment info, health information, etc.).
- Document the sources (website forms, support tickets, in-clinic forms, third-party integrations), where it’s stored, who can access it, and where it flows (including any overseas disclosures).
- Note the lawful purpose for each category (e.g. order fulfilment, customer support, legal compliance).
This “data map” becomes the foundation for your policies, consents, security settings and contracts.
Step 2: Put Your Core Documents In Place
- A clear and tailored Privacy Policy on your website and at key collection points.
- Short-form notices for specific touchpoints, such as a Privacy Collection Notice for online forms or onboarding.
- Internal playbooks for staff, including a Privacy Complaint Handling Procedure to manage customer requests and concerns consistently.
- Security and governance documents that match your risk profile, like an Information Security Policy that sets out access, passwords, incident response and vendor management.
Step 3: Lock Down Your Vendors And Apps
If you share personal information with service providers (for example, cloud hosting, CRM, email tools, accountants or offshore support), you’re still responsible for how that information is handled.
- Check where the data is stored and accessed (Australia or overseas) and what security standards the vendor applies.
- Include privacy and security protections in your contracts - a Data Processing Agreement (DPA) sets out processing instructions, security, breach notification, sub‑processors and audit rights.
Step 4: Set Retention And Deletion Rules
Keep personal information only for as long as you need it for business or legal purposes. Build in a routine to archive or delete data you no longer need, taking into account your industry’s record-keeping obligations and your documented position on data retention laws.
Step 5: Train Your Team And Embed “Privacy By Design”
A large share of the breaches reported to the OAIC come down to human error - misdirected emails, lost devices, reused or weak passwords. Keep training short and practical so people know how to spot and report issues, handle requests, and use approved tools.
Bring privacy into everyday decisions - for example, reviewing new features or marketing campaigns to check whether you’re collecting new data, whether consents are needed, and how customers will be informed.
Handling Data Breaches Under The Notifiable Data Breaches Scheme
The Notifiable Data Breaches (NDB) scheme requires you to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) if you experience an eligible data breach - unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned and that you cannot prevent with remedial action (for example, a ransomware attack exposing customer identity documents, or a misdirected email containing sensitive information).
Your best defence is preparation. Have a simple, battle-tested Data Breach Response Plan that sets out:
- How to identify and triage suspected incidents.
- Who is on the response team (including IT, legal and comms) and their roles.
- Steps to contain and assess the breach - including whether serious harm is likely. If you only suspect an eligible breach, the Act expects a reasonable and expeditious assessment, completed within 30 days.
- How and when to notify the OAIC and affected individuals: once you have reasonable grounds to believe an eligible data breach has occurred, you must prepare a statement for the OAIC and notify affected individuals as soon as practicable.
- How you’ll document the incident and improve controls afterwards.
Run a short tabletop exercise once or twice a year to rehearse your plan. If an incident happens, you’ll move faster and make better decisions under pressure.
Common Privacy Traps For Small Businesses (And How To Avoid Them)
Here are frequent pain points we see with small businesses - and simple ways to manage them.
Collecting More Data Than You Need
It’s tempting to ask for extra details “just in case.” This increases risk without clear benefit. Collect only what’s reasonably necessary for your service and explain why you need it.
Unclear Marketing Consents
Make consent choices easy to understand and easy to change. If you’re sending promotional emails or texts, your practices should align with your email marketing laws obligations and the APPs on direct marketing.
Using CCTV And Call Recordings Without Proper Notice
If you use cameras in-store or record calls for training or quality purposes, you must handle the footage or audio as personal information. Provide clear notices and check state-based surveillance laws. Useful starting points include guidance on security camera laws, recording laws in Australia, and business call recording laws.
Ignoring Customer Rights Requests
Have a simple inbox or ticket type for privacy requests so they’re not lost. Your team should know how to verify identity, record the request, and respond on time. An internal Privacy Complaint Handling Procedure will keep responses consistent.
Forgetting About Third Parties
Many breaches involve vendors. Keep an inventory of your service providers, ensure you have a suitable Data Processing Agreement in place, and review access regularly (especially when staff or projects change).
Keeping Data Forever
“Just in case” retention creates unnecessary risk. Set clear retention schedules and implement a routine for deletion or de-identification, considering your obligations under data retention laws.
Key Takeaways
- The Privacy Act applies to many small businesses - especially health providers, those who trade in personal information, or those handling sensitive information - so confirm whether you are an APP entity.
- Compliance is principles-based: be transparent, collect only what you need, secure information appropriately, and give people access and correction rights.
- Embed privacy in your operations with a tailored Privacy Policy, concise collection notices, an information security policy and contracts that protect data shared with vendors.
- Prepare for incidents with a practical Data Breach Response Plan so you can meet Notifiable Data Breaches scheme requirements quickly and confidently.
- Watch for common traps: over-collection, unclear marketing consents, surveillance without notice, unmanaged vendor risks, and indefinite retention.
- Strong privacy practices build customer trust and make it easier to win bigger clients who demand robust compliance from their suppliers.
If you’d like a consultation about your Privacy Act obligations and the right documents for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.