Privacy Act 1988

The Privacy Act sets the main federal rules for handling personal information in Australia.

In force · Commonwealth · Plain-English guide · 4 practical checks

Plain-English explainers, not legal advice. Check the linked official source before you rely on a specific section, and get advice for your situation.

Start here

Quick read

  • For small businesses, the practical question is not just whether the business is under the revenue threshold.
  • Certain activities, sectors and data practices can still bring a business into the Act.

Likely relevant if

  • Businesses handling health, finance, credit or sensitive information
  • Online businesses collecting customer accounts or marketing data
  • Startups sharing data with vendors, platforms or overseas providers

Check first

  • Check whether the business is covered by the Privacy Act or a specific carve-in.
  • Keep a clear privacy policy and collection notices where required.
  • Use personal information only for permitted purposes and manage overseas disclosures.

First question: do these rules even apply to you?

The Privacy Act is the main federal law about how businesses handle personal information - basically, any information that identifies a living person, or could reasonably be linked back to them. That includes names, emails, phone numbers, addresses, payment details, IP addresses in some cases, even a photo. If you run a business, you almost certainly hold some.

The rules a covered business has to follow are called the Australian Privacy Principles (APPs). The catch for small businesses is working out whether you are covered at all.

As a starting point, businesses with an annual turnover of $3 million or less are exempt from the Privacy Act. That sounds like it covers most small businesses - but the exemption has a long list of exceptions (called ‘carve-ins’) that pull plenty of small operators straight back in.

Questions to work through - do any of these apply to you?

  • You handle health information or provide a health service (this includes gyms, allied health, childcare and many wellness businesses).
  • You buy or sell personal information - for example, trading mailing lists or lead data.
  • You are a contractor that provides services under a Commonwealth contract.
  • You are related to a larger business that is covered.
  • You are a credit provider, or you handle tax file numbers and certain financial data.

The Australian Privacy Principles, in plain English

There are 13 APPs. You do not need to memorise them, but it helps to understand what they are trying to achieve. Grouped together, they tell a simple story: be open about what you do, only collect what you need, use it for the reason you collected it, keep it safe, and let people see and correct it.

Principle group | What it covers | What it means for you
--- | --- | ---
APP 1-2 - Be open | Have a clear, current privacy policy; let people deal with you anonymously where it is practical. | Publish a privacy policy and actually keep it up to date.
APP 3-5 - Collecting | Only collect personal information you genuinely need, and tell people when you collect it. | Trim your forms; show a short collection notice.
APP 6 - Using it | Use information for the purpose you collected it, not for something unrelated. | Do not quietly repurpose data people gave you for one thing.
APP 7 - Marketing | Rules on using personal information for direct marketing. | Offer an easy opt-out and mind the Spam Act too.
APP 8 - Going overseas | You stay accountable when you send data to overseas providers. | Know where your tools store data.
APP 11 - Security | Take reasonable steps to protect information, and destroy or de-identify it when you no longer need it. | Lock it down; delete what you do not need.
APP 12-13 - Access & fix | People can ask for the information you hold about them and ask you to correct it. | Have a simple process to respond to requests.

Your privacy policy: what it must actually say

If you are covered, you must have a privacy policy that is clearly written, free to access, and genuinely describes how you handle personal information. A privacy policy is not the same as your website terms - it is specifically about data.

Practical sense check - your policy should cover:

  • What kinds of personal information you collect and hold
  • How you collect it and why
  • How someone can access or correct their information
  • How someone can make a privacy complaint, and how you will handle it
  • Whether you disclose information overseas, and roughly where

Cloud tools, vendors and sending data overseas

The moment you use a CRM, an email platform, analytics, a payment processor or cloud storage, you are sharing personal information with a third party - and often storing it overseas. That is normal, but the Privacy Act makes you accountable for what happens to it.

When something goes wrong: data breaches

If you are covered by the Privacy Act, you are also covered by the Notifiable Data Breaches (NDB) scheme. It applies when personal information is lost, or accessed or disclosed without authorisation, and that is likely to cause serious harm to the people involved. A lost laptop, a misdirected email with a spreadsheet attached, a hacked inbox - these are the everyday versions.

  1. Contain it - Stop the leak. Change passwords, revoke access, recall the email, take the system offline if you have to.
  2. Assess the harm - Work out what information was involved and whether serious harm to any individual is likely. Document your reasoning.
  3. Notify if required - If it is an eligible data breach, notify the affected individuals and the OAIC as soon as practicable, with practical steps people can take to protect themselves.
  4. Learn from it - Fix the root cause and update your processes so the same gap cannot reopen.

Marketing, cookies and the Spam Act overlap

Privacy is not the only law in play when you market. Sending commercial electronic messages (email and SMS) is governed by the Spam Act, which requires consent, clear identification of the sender, and a working unsubscribe in every message. The APPs add a layer on top about using personal information for direct marketing at all.

Key points

  • Get consent before adding someone to a marketing list (and keep a record of it).
  • Put a genuine, easy unsubscribe in every marketing message and honour it promptly.
  • If you use cookies or tracking, tell people in your privacy policy and let them make a choice.

What is changing (and why it matters now)

Privacy law in Australia is being reformed in stages. Expect stronger enforcement, a narrower small-business exemption, clearer rights for individuals, and higher expectations around security and breach response. None of this is a reason to panic - but it is a good reason to get the basics right now rather than scramble later.

If you remember five things

Key takeaways

  • Do not rely on the $3M exemption - carve-ins and reform mean many small businesses are covered.
  • Collect less, be upfront about why, and use information only for that purpose.
  • Keep a real, accurate privacy policy that matches what your business actually does.
  • You stay responsible for data you hand to cloud tools and overseas providers.
  • Have a simple data breach response plan ready before you ever need it.

Plain-English glossary

Personal information
Information or an opinion about an identified individual, or an individual who is reasonably identifiable - whether or not it is true or recorded in a material form.
Australian Privacy Principles (APPs)
The 13 principles that set out how covered entities must collect, use, store, disclose and give access to personal information.
Eligible data breach
Unauthorised access, disclosure or loss of personal information that is likely to result in serious harm, triggering notification obligations.

Common questions

Does the Privacy Act apply to my small business?

Many small businesses under the turnover threshold are exempt, but carve-ins - such as handling health information, trading in personal information, or being a contracted service provider - can bring you in. Reform is also narrowing the small-business exemption, so check your specific activities rather than relying on turnover alone.

Do I legally need a privacy policy?

If you are covered by the APPs you must have a clearly expressed, up-to-date privacy policy describing how you manage personal information, and make it available free of charge.

What should we do if we have a data breach?

Contain it, assess whether serious harm is likely, and if it is an eligible data breach notify affected individuals and the OAIC as soon as practicable. A response plan prepared in advance makes this far easier.

Update history

Reviewed: 29 May 2026

Privacy Act added to the business law tracker

The Privacy Act is now tracked as a priority law for Australian businesses that collect, use or disclose personal information.

Amendment: 22 Feb 2017

Notifiable Data Breaches history added

The 2017 Act introduced mandatory eligible data breach notification obligations for entities regulated by the Privacy Act.

Amendment: 12 Dec 2012

Australian Privacy Principles reform history added

The 2012 Privacy Act reforms created the Australian Privacy Principles framework and updated credit reporting, privacy codes and regulator powers.