Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Do Privacy, Confidentiality And Disclosure Mean For Your Business?
- Do Australian Privacy Laws Apply To Small Businesses?
- What Counts As Confidential Information (And How Do You Protect It)?
- Essential Documents To Put In Place
- Practical Examples (So You Can Spot The Issues Early)
- Common Pitfalls To Avoid
- Key Takeaways
Handling information well is core to running a trustworthy business. Customers, suppliers and staff expect you to keep their details safe, only use them for the right reasons, and be upfront about when and why you share them.
At the same time, Australian law sets clear rules around privacy and data breaches, and your contracts should protect confidential information that gives your business a competitive edge.
If you’re wondering how “privacy”, “confidentiality” and “disclosure” fit together in practice, you’re not alone. In this guide, we’ll break it down in plain English and help you set up a simple, compliant framework that works for your business.
What Do Privacy, Confidentiality And Disclosure Mean For Your Business?
These terms often get used together, but they’re not the same thing.
- Privacy is about personal information. It covers how you collect, use, store and secure information that can identify an individual (like a customer’s name, email, device ID, or payment details).
- Confidentiality is about protecting sensitive information (personal or commercial) from unauthorised use or disclosure. Think trade secrets, source code, pricing, business plans, and non-public customer lists.
- Disclosure is when you share information with someone else. It can be lawful and necessary (e.g. sharing with a payment processor), or risky and unlawful (e.g. posting a client list online).
In short: privacy is driven by statute (mainly the Privacy Act), confidentiality is driven by contracts and equity (duty of confidence), and disclosure is the act that needs to be managed under both. If you need a quick refresher on how these concepts differ, start with the difference between privacy and confidentiality.
Do Australian Privacy Laws Apply To Small Businesses?
Many small businesses assume the Privacy Act 1988 (Cth) doesn’t apply to them. It’s true that some small businesses with annual turnover under $3 million are exempt. However, there are important exceptions where the law does apply regardless of turnover, including if you:
- Operate a health service or handle health information (e.g. allied health, wellness apps, fitness assessments).
- Trade in personal information (sell, rent or exchange customer data).
- Are a contractor to the Commonwealth, or part of specific regulated sectors.
- Run credit reporting activities or certain professional services.
Even if you’re technically exempt, in practice most modern businesses collect personal information via websites, apps and payment systems. Customers and enterprise clients increasingly expect you to follow best-practice privacy standards. Having a clear, accurate Privacy Policy and good data hygiene is now a trust signal and a common contractual requirement.
Australia’s Notifiable Data Breaches (NDB) scheme also sets expectations for how serious data breaches should be assessed and handled. If you scale, work with larger clients, or process personal information for others, assume you will need to meet the Australian Privacy Principles (APPs) and build your processes accordingly.
What Counts As Confidential Information (And How Do You Protect It)?
Confidential information is any non-public information that has value because it’s secret. For small businesses, that usually includes:
- Pricing, margins and commercial strategies.
- Source code, algorithms, product formulas or prototypes.
- Customer lists, buyer personas, RFP responses and marketing plans.
- Supplier terms, unpublished contracts and deal terms.
- Business plans, financial models and investor decks.
Unlike privacy (which focuses on people), confidentiality can cover both personal and business information. The key is putting the right protections in place:
- Use a Non-Disclosure Agreement (NDA) before sharing sensitive information with prospective partners, contractors or investors.
- Include confidentiality clauses in your customer and supplier contracts (define what’s confidential, allow limited use for the purpose, and require secure handling and return or deletion).
- Limit internal access on a need-to-know basis and use simple security controls (unique logins, MFA, encryption for portable devices).
- Mark documents “Confidential” and keep a record of what you shared, with whom, and for what purpose.
- If you’re processing data for clients, adopt a Data Processing Agreement (DPA) that clearly allocates roles and responsibilities.
Good confidentiality hygiene isn’t just legal risk management; it protects the value you’re building in your brand, relationships and IP.
When Can Or Must You Disclose Information?
Disclosure is often necessary to run your business: think payments, logistics, customer support or marketing. The goal is to make sure every disclosure is deliberate, lawful and proportionate. Common scenarios include:
Disclosures You Can Make With Consent Or Notice
- Service providers: Payment processors, hosting providers, CRM and analytics tools. Make sure your Privacy Policy clearly explains this and you have appropriate contracts in place.
- Marketing: Using email addresses for newsletters or special offers should be covered by your Privacy Collection Notice and opt-in records, and comply with the Spam Act.
- International transfers: If you send data offshore (e.g. cloud hosting or support teams), disclose locations or categories of recipients, and ensure comparable protections contractually.
Disclosures You Must Make (Or Should Consider Making)
- Legal obligations: Court orders, law enforcement requests, tax or regulatory reporting. Only disclose what’s required and keep a record.
- Data breaches: Under the NDB scheme, assess eligible breaches and notify affected individuals and the regulator where required. A tested Data Breach Response Plan will help you act quickly and accurately.
- Whistleblowing: Certain companies must maintain whistleblower protections and processes; having a practical Whistleblower Policy can support lawful, protected disclosures.
Disclosures You Should Avoid
- Unnecessary sharing: Forwarding customer spreadsheets to third parties “just in case” or copying entire databases for a narrow task.
- Public posts: Posting images or testimonials that identify customers without consent, or sharing screenshots that expose personal data.
- Ambiguous “partnerships”: Allowing “partners” broad access to your systems without a contract, clear purpose and access controls.
As a rule of thumb, ask: What is the purpose? What is the minimum information needed? What does our policy say? Do we have a contract in place? If you can’t answer these clearly, press pause and tidy it up first.
Essential Documents To Put In Place
A simple set of policies and contracts will do most of the heavy lifting for your privacy, confidentiality and disclosure obligations. At a minimum, consider the following:
- Privacy Policy: Explains what personal information you collect, why you collect it, who you share it with, and how people can access or correct their data.
- Privacy Collection Notice: A short notice presented at the point of collection (e.g. website form) that points to key facts and your policy.
- Non-Disclosure Agreement: Protects confidential information when exploring partnerships, pitching or onboarding suppliers.
- Data Processing Agreement: Sets out roles, security standards and breach notification rules when you process data for a client (or they process data for you).
- Data Breach Response Plan: A playbook for identifying, containing, assessing and notifying breaches under the NDB scheme.
- Employee Privacy Handbook: Helps your team understand acceptable data handling, device security, and what to do if something goes wrong.
If you operate in a regulated industry or handle sensitive information (such as health data), you may need additional policies or more detailed controls. The goal is still the same: document how you handle information, train your team on it, and follow it consistently.
Step-By-Step: Build A Compliant Information Handling Framework
You don’t need a big budget to set up strong privacy and confidentiality practices. Follow these steps to build a framework that’s practical for your size and scalable as you grow.
1) Map What You Collect And Why
List the types of personal and confidential information you handle (customers, prospects, employees, contractors, suppliers) and the purposes (onboarding, billing, support, marketing, analytics, product improvement).
Note where the information comes from, where it’s stored (systems and locations), who can access it, and who you share it with. This “data map” becomes the backbone of your policies and contracts.
2) Set Your Rules In Writing
Draft and publish your Privacy Policy and put a concise Privacy Collection Notice on every form where you collect personal information.
Update your customer and supplier contracts to include clear confidentiality and data protection clauses. For any third parties handling data, include a Data Processing Agreement or equivalent schedule.
3) Protect Access And Security
Introduce basic, effective security measures:
- Use unique logins, strong passwords and multi-factor authentication for all business systems.
- Restrict access to sensitive data on a need-to-know basis.
- Encrypt portable devices and back up critical data.
- Keep a simple asset register of where data lives (cloud apps, drives, devices).
This doesn’t require advanced tooling, just consistent habits and clear ownership.
4) Train Your Team
Most incidents start with human error. Run short onboarding training that covers phishing awareness, handling IDs and payments, working remotely, and when to escalate a suspected breach. Your Employee Privacy Handbook can provide the script and references.
5) Test Your Breach Response
Incidents happen. The difference between a stumble and a crisis is preparation. Walk through your Data Breach Response Plan with your team once or twice a year. Check you can quickly identify affected records, contact your IT support, and make a call on whether notification is required.
6) Review Vendors And International Transfers
Review key vendors annually. Confirm where they store data, their security certifications, and how they’ll help you if you need to investigate or notify a breach. If data leaves Australia, make sure your contracts require appropriate safeguards.
7) Keep It Current
As you launch new features or campaigns, revisit your data map and policies. Update your documents, adjust access controls and ensure the disclosures in your policy remain accurate. Small, regular updates are easier than big overhauls.
Practical Examples (So You Can Spot The Issues Early)
Here are a few everyday scenarios and how to think about privacy, confidentiality and disclosure in each:
- New email signup form: Add a short collection notice under the form, link it to your Privacy Policy, capture timestamped consent, and tag the subscriber for the purpose they opted into.
- Sharing a pitch deck: Include only the necessary detail, watermark “Confidential” and send it under an NDA or with a contract that contains equivalent confidentiality terms.
- Using a new AI tool: Check where data will be processed, disable training on your inputs if possible, and ensure your policy discloses categories of recipients and locations if data will be sent offshore.
- Customer support screenshot: Redact personal details before sharing in team channels or ticketing systems, and remind staff that screenshots are still personal information.
- Employee leaving: Offboard access promptly, recover devices, and remind them of ongoing confidentiality obligations in their employment agreement.
Common Pitfalls To Avoid
Small missteps can snowball. Watch out for these traps:
- “Set and forget” policies: Publishing a policy and never updating it as your stack or practices change.
- Over-collection: Asking for more data than you need “just in case”; it increases risk without adding much value.
- Shadow IT: Teams adopting tools without contracts or review, leading to accidental offshore transfers or weak security.
- Open-ended disclosures: Vague privacy wording like “we may share data with partners” without explaining who and why.
- No breach drills: Waiting until an incident happens to figure out who’s in charge and what to say.
Key Takeaways
- Privacy covers personal information, confidentiality protects sensitive business information, and disclosure is the act you need to manage carefully under both.
- Even if you’re a small business, clients and customers expect APP-aligned practices: publish a clear Privacy Policy and use a Privacy Collection Notice at every point of collection.
- Protect your trade secrets and deal terms with strong contract clauses and a simple NDA process before sharing sensitive information.
- Know when you can disclose, when you must disclose (e.g. data breaches or legal requests), and when to say no.
- Put practical documents in place, such as a Data Breach Response Plan and a Data Processing Agreement, and train your team so they can follow them.
- Keep your framework current by mapping data flows, reviewing vendors and refreshing policies as your business grows.
If you’d like a consultation on setting up privacy, confidentiality and disclosure processes for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.