Privacy Act 1988

The Privacy Act 1988 (Cth) is the main Commonwealth law regulating how covered entities handle personal information. It includes the Australian Privacy Principles, rules for credit reporting and tax file number information, privacy codes and the eligible data breach regime. For businesses, the key issue is scope as well as compliance. Small businesses should not rely on turnover alone because the Act contains carve-ins and specialised regimes that may still apply depending on the business model, sector and data practices.

In force | Commonwealth | Plain-English guide | 8 key obligations

These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.

What the Act covers

The Privacy Act 1988 (Cth) is the main Commonwealth law regulating how covered entities handle personal information. It is not limited to one narrow topic. The Act includes the Australian Privacy Principles, rules about tax file number information, a detailed credit reporting regime, privacy codes, notification of eligible data breaches, the functions and powers of the Information Commissioner, complaint and investigation processes, and enforcement mechanisms.

For a business owner, the practical point is that privacy law follows the full life cycle of information. It affects what you collect, why you collect it, what you tell people at the time of collection, how you use and disclose the information, how you secure it, whether it goes offshore, how you respond to access or correction requests, and what you do if something goes wrong. If your business uses online forms, customer accounts, booking systems, CRMs, payroll software, cloud storage, email marketing tools or analytics platforms, privacy issues are already part of your day-to-day operations.

Who is in scope, and who may be out

The Act contains specific provisions about organisations, small business and small business operators, annual turnover, and when a small business operator is treated as an organisation. That means the first legal question is not simply whether you are a company, trust, partnership or sole trader. The real question is whether your business falls within the Act's coverage rules.

Many businesses focus on the commonly discussed small business threshold, but that is only part of the picture. A business with annual turnover of $3 million or less should still check whether a carve-in applies. In practical terms, the main categories to check up front are businesses that provide a health service or handle health information, businesses that deal in personal information, businesses involved in credit reporting or credit provision, businesses handling tax file number information, businesses performing services under Commonwealth contracts, and businesses whose structure or related entities affect how the Act applies. The safest approach is to test your actual activities, data handling and commercial arrangements rather than relying on turnover alone.

The Act also refers to related bodies corporate and contains provisions relevant to overseas acts in some circumstances. For groups with multiple entities, shared systems or centralised customer databases, privacy analysis should be done across the group rather than entity by entity in isolation. A business can easily misread its position if one entity signs customers, another entity stores the data, and a third entity provides support or marketing services.

Trigger points businesses should recognise early

Privacy issues often become visible only after a complaint, a vendor incident or a rushed product launch. In practice, there are common trigger points that should prompt a privacy review before the business moves ahead. These include launching a new website or app, redesigning sign-up or checkout forms, adding a CRM or marketing platform, onboarding an offshore software provider, starting a loyalty program, collecting extra customer profile data, expanding into health-related services, offering credit, or changing how customer records are shared within a corporate group.

Another common trigger point is growth. A startup may begin with a simple contact form and a spreadsheet, then add customer accounts, payment tools, support software, analytics, email automation and outsourced contractors over time. Each new tool can change what personal information is collected, where it is stored, who can access it and whether it is disclosed to another entity. If the business documents do not keep up with those changes, the gap between actual practice and stated practice becomes a legal and operational risk.

Procurement is also a privacy trigger. Before signing with a software vendor, a business should understand what information will be uploaded, whether the vendor acts only on instructions or uses data for its own purposes, where the data is stored, whether subcontractors are involved, and what security and incident response commitments are included in the contract. These checks are often easier before onboarding than after a breach or customer complaint.

Business change | Privacy question to ask | Typical risk
New webform or app feature | What personal information are we collecting and do we need all of it? | Over-collection or missing collection notice
New CRM or marketing tool | Will customer information be used for a new purpose or disclosed to another entity? | Use beyond original purpose or inaccurate privacy wording
Offshore software provider | Where will information be stored or accessed and what does the contract say? | Unclear overseas disclosure and weak vendor controls
Health-related service expansion | Are we now handling health information or providing a health service? | Incorrect assumption that the small business exemption still protects the business
Credit offering or finance activity | Do specialised credit reporting rules apply? | Relying on a generic privacy checklist where a specialised regime applies

The Australian Privacy Principles in practice

The Act contains the Australian Privacy Principles, and APP entities must comply with them. For most covered businesses, the APPs are the core operating rules for handling personal information. They deal with matters such as open and transparent management, collection, use and disclosure, direct marketing, data quality, security, access and correction.

In practical business terms, the APPs are not abstract legal concepts. They show up in ordinary workflows. A sign-up form should ask only for information the business genuinely needs. A booking or intake form should explain why the information is being collected. Customer information should not be reused for a new campaign or internal project without checking whether that use is permitted. Staff should know where personal information is stored, who can access it, and how to respond if a person asks for access or correction. Security should be built into systems and permissions rather than left to informal habits.

The APP framework also means privacy compliance is ongoing. A business that was compliant when it launched can drift out of step as products, vendors and internal processes change. The most common practical failure is not a complete absence of privacy documents, but documents and procedures that no longer match what the business actually does.

Area | What to check | Example trigger
Open and transparent management | Whether your privacy policy is current and reflects actual practices | You add a new product, app or customer database
Collection | Whether forms collect only what is needed and explain the collection clearly | You redesign checkout, onboarding or enquiry forms
Use and disclosure | Whether information is used only for the original purpose or another permitted purpose | You want to run a new marketing campaign or share data with a partner
Security | Whether access controls, passwords, permissions and storage practices are reasonable | You onboard staff, contractors or a new vendor
Access and correction | Whether you can locate records and respond to requests efficiently | A customer asks to see or correct their information

Privacy policy, collection notices and day-to-day documents

If your business is an APP entity, the Act requires open and transparent management of personal information, and the APP framework includes having a clearly expressed and up-to-date privacy policy available free of charge. This is one of the most visible privacy documents in a business, but it only helps if it accurately reflects real practices.

A privacy policy is not the same as a collection notice. The privacy policy is the broader document explaining how the business manages personal information overall. A collection notice is the shorter explanation given at or before collection, such as on a webform, account creation page, intake form or onboarding flow. In practice, many businesses need both. For example, a customer sign-up page may include a short collection statement and a link to the full privacy policy.

Businesses should also think beyond public-facing documents. Internal procedures matter just as much. Staff need to know where information is stored, how long it is kept, who can approve disclosures, how to verify identity before releasing information, and how to escalate a complaint or suspected breach. If your website policy says one thing but your staff and systems do another, the policy will not protect you.

Using vendors, sharing data and sending information overseas

The Act includes rules about use and disclosure of personal information and specifically refers to acts and practices of overseas recipients of personal information. For modern businesses, this is a major practical issue because personal information often moves through multiple software providers and service partners.

If you use a CRM, accounting platform, payroll system, booking tool, cloud storage provider, analytics service, support desk platform or email marketing tool, personal information may be disclosed outside your business and may be stored or accessed outside Australia. That does not automatically mean you are non-compliant, but it does mean you should understand the arrangement properly. Before onboarding a vendor, check what information will be shared, whether the vendor uses subcontractors, where the information will be stored or accessed, what security commitments are in place, how incidents are reported, and whether your privacy documents describe the arrangement accurately.

Businesses often underestimate how many overseas disclosures occur through ordinary software use. A company may think it stores data in Australia because its office is in Australia, while customer information is actually processed through several offshore systems. Mapping those flows is one of the most useful privacy exercises a business can do because it improves both legal compliance and incident response readiness.

Eligible data breaches and response planning

The Act contains a dedicated Part on notification of eligible data breaches. It includes provisions on what an eligible data breach is, assessment of suspected breaches, statements about eligible data breaches, notification obligations, exceptions, and the Commissioner's powers to obtain information and documents relating to eligible data breaches.

For business owners, the key point is that a privacy incident needs a structured response. Common incidents include an email sent to the wrong recipient, a compromised inbox, a lost device, accidental publication of records, a misconfigured cloud folder, or unauthorised access through a vendor account. The first step is containment. The second is assessment. You need to identify what happened, what information was involved, whose information was affected, whether the information was actually accessed or disclosed, and whether the incident is likely to result in serious harm. If the legal threshold is met, notification obligations can follow.

Businesses usually handle incidents better when they have a short written response plan before anything goes wrong. That plan should identify who leads the response, who investigates technical issues, who approves communications, where evidence is recorded, and how decisions are documented. Without a plan, businesses often lose time, overlook facts and make inconsistent statements to customers, vendors and regulators.

Health information, credit reporting and tax file number rules

The Privacy Act is not only a general privacy law. It also contains specialised regimes that can impose more detailed obligations than the standard APP framework. The official text includes dedicated provisions about health information and health services in the interpretation section, a substantial Part on credit reporting, and rules relating to tax file number information.

This matters because businesses in these areas should not rely on a generic privacy checklist. The credit reporting Part deals with matters such as collection, use, disclosure, quality, security, access, correction, retention and destruction of regulated information, as well as complaint pathways and court orders. The Act also includes additional notification requirements in the credit context. Likewise, businesses handling tax file number information need to check the specific rules that apply rather than assuming ordinary customer data practices are enough.

For small and medium businesses, the practical message is simple. If you provide finance, report credit information, receive regulated credit information, provide a health service, handle health information, or collect tax file number information, your forms, notices, retention settings, complaint handling and internal procedures should be checked against the specialised regime that applies to you.

Complaints, investigations and enforcement

The Act gives the Information Commissioner functions relating to guidance, monitoring, advice, assessments and inquiries. It also contains detailed provisions for complaints, investigations, conciliation, determinations, enforcement of determinations and civil penalty provisions for serious interference with privacy and interference with privacy of individuals.

From a business perspective, this means privacy compliance should be treated as a governance issue. A complaint may begin with something ordinary, such as a person saying you used their information for the wrong purpose, failed to respond to an access request, disclosed information without authority, or did not protect it properly. If your records are poor, your policy is inaccurate, or staff cannot explain your process, the issue becomes harder to manage.

Good privacy practice therefore includes documentation as well as intent. Businesses should keep current privacy materials, internal procedures, vendor records, access controls, complaint handling steps and incident logs. These are the documents that help show what the business actually did, what steps it took, and how it responded when a problem arose.

  • Keep written privacy procedures, not just a public-facing policy.
  • Train staff who collect, use, disclose or secure personal information.
  • Maintain records of systems, vendors and overseas data flows.
  • Have a process for access, correction and complaint requests.
  • Escalate high-risk incidents early and document decisions as they are made.

Checks to do before relying on this page

The Act is detailed and applies differently depending on the type of entity, the kind of information involved and the business activity being carried on. Before relying on a general guide, a business should confirm its scope position and identify any specialised regime that may apply.

At a minimum, check whether your business is an APP entity, whether any small business carve-in applies, whether you handle health information, whether you are involved in credit reporting or credit provision, whether you handle tax file number information, whether you disclose personal information to overseas recipients, and whether your current privacy policy and collection notices match your actual systems and workflows. If your business model has changed recently, that is a strong sign that your privacy position should be reviewed again.

Plain-English glossary

Personal information
Information or an opinion about an identified individual, or an individual who is reasonably identifiable — whether or not it is true or recorded in a material form.
Australian Privacy Principles (APPs)
The 13 principles that set out how covered entities must collect, use, store, disclose and give access to personal information.
Eligible data breach
Unauthorised access, disclosure or loss of personal information that is likely to result in serious harm, triggering notification obligations.

Common questions

Does the Privacy Act apply to my small business?

Many small businesses under the turnover threshold are exempt, but carve-ins — such as handling health information, trading in personal information, or being a contracted service provider — can bring you in. Reform is also narrowing the small-business exemption, so check your specific activities rather than relying on turnover alone.

Do I legally need a privacy policy?

If you are covered by the APPs you must have a clearly expressed, up-to-date privacy policy describing how you manage personal information, and make it available free of charge.

What should we do if we have a data breach?

Contain it, assess whether serious harm is likely, and if it is an eligible data breach notify affected individuals and the OAIC as soon as practicable. A response plan prepared in advance makes this far easier.

Update history

Reviewed 29 May 2026

Privacy Act added to the business law tracker

The Privacy Act is now tracked as a priority law for Australian businesses that collect, use or disclose personal information.