
Understanding Australian Data Privacy Laws for Small Business

By Ash Ganda | 3 February 2021 | 7 min read

Data privacy is not just a concern for large corporations. As an Australian small business owner or IT manager, you have legal obligations around how you collect, store, use, and dispose of personal information. Getting it wrong can result in regulatory action, financial penalties, and reputational damage.

This guide breaks down the key privacy legislation affecting Australian SMBs in plain language, with practical steps you can take to ensure compliance.

The Privacy Act 1988: The Foundation

The Privacy Act 1988 is the primary piece of federal legislation governing the handling of personal information in Australia. It sets out the Australian Privacy Principles (APPs), which establish standards for how organisations should manage personal information.

Does It Apply to Your Business?

The Privacy Act applies to:

  • Australian Government agencies
  • Businesses and not-for-profit organisations with annual turnover of more than $3 million
  • Private sector health service providers
  • Businesses that trade in personal information
  • Credit reporting bodies
  • Businesses that are related to an entity covered by the Act
  • Businesses that have opted in to coverage

The small business exemption: Businesses with annual turnover of $3 million or less are generally exempt from the Privacy Act. However, this exemption has significant exceptions, and there are strong arguments for treating privacy obligations seriously regardless of turnover.

Even if your business is technically exempt, consider this:

  • Your customers and staff expect you to protect their information.
  • A data breach can be devastating for a small business’s reputation.
  • State and territory laws may impose additional obligations.
  • Industry codes of practice may require compliance.
  • If you handle health information, you are covered regardless of turnover.

Our strong recommendation is to comply with the Privacy Act’s principles regardless of your turnover. It is good business practice and protects you and your customers.

The 13 Australian Privacy Principles

The APPs cover the entire lifecycle of personal information. Here is a practical summary of each:

Collection (APPs 1-5)

APP 1 — Open and transparent management: You must have a clearly expressed and up-to-date privacy policy. This should be freely available on your website.

APP 2 — Anonymity and pseudonymity: Where practical, give people the option of dealing with you anonymously or using a pseudonym.

APP 3 — Collection of solicited personal information: Only collect personal information that is reasonably necessary for your business activities. Do not collect information “just in case.”

APP 4 — Dealing with unsolicited personal information: If you receive personal information you did not ask for, you must determine whether you could have collected it under APP 3. If not, destroy or de-identify it.

APP 5 — Notification of collection: When you collect personal information, tell the individual what you are collecting, why, and how it will be used.

Use and Disclosure (APPs 6-9)

APP 6 — Use or disclosure: Only use or disclose personal information for the purpose for which it was collected, unless the individual consents or an exception applies.

APP 7 — Direct marketing: You can use personal information for direct marketing only in specific circumstances, and you must always provide an opt-out mechanism.

APP 8 — Cross-border disclosure: If you disclose personal information to an overseas recipient (including storing data on overseas cloud servers), you must take reasonable steps to ensure the recipient complies with the APPs.

APP 9 — Government-related identifiers: Do not adopt government identifiers (like Tax File Numbers) as your own identifier for individuals.

Data Quality and Security (APPs 10-11)

APP 10 — Quality of personal information: Take reasonable steps to ensure personal information you collect, use, or disclose is accurate, up-to-date, complete, and relevant.

APP 11 — Security of personal information: Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Destroy or de-identify personal information when it is no longer needed.

Access and Correction (APPs 12-13)

APP 12 — Access to personal information: On request, you must give individuals access to their personal information that you hold.

APP 13 — Correction of personal information: You must take reasonable steps to correct personal information if an individual asks or if you become aware it is inaccurate.

The Notifiable Data Breaches Scheme

Since February 2018, the Notifiable Data Breaches (NDB) scheme has required organisations covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches.

What Is an Eligible Data Breach?

An eligible data breach occurs when:

  1. There is unauthorised access to, or disclosure of, personal information held by the organisation, or information is lost in circumstances where unauthorised access or disclosure is likely to occur; AND
  2. A reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals to whom the information relates.

What Counts as Serious Harm?

Serious harm can include:

  • Identity theft
  • Financial loss
  • Damage to reputation
  • Loss of business or employment opportunities
  • Humiliation or emotional distress

The sensitivity of the information, the nature of the harm, and the individuals affected all factor into the assessment.

Notification Requirements

If you experience an eligible data breach, you must:

  1. Notify the OAIC: Provide a statement including the identity and contact details of the organisation, a description of the breach, the kinds of information involved, and recommendations for affected individuals.
  2. Notify affected individuals: Provide the same information directly to individuals whose information was involved, or publish the statement if direct notification is not practicable.
  3. Act quickly: Notification must be made as soon as practicable after becoming aware of the breach. The OAIC expects this to occur within 30 days of becoming aware.

Penalties

The maximum penalty for serious or repeated interferences with privacy is currently $2.1 million for bodies corporate. For repeated breaches or failures to comply with the NDB scheme, the consequences can be severe.

Practical Steps for Compliance

1. Create a Privacy Policy

Every business should have a clear, accessible privacy policy. It should cover:

  • What personal information you collect
  • How you collect it
  • Why you collect it
  • How you use and disclose it
  • How you store and protect it
  • How individuals can access and correct their information
  • Your complaint handling process

Use plain language. Avoid legal jargon. The OAIC provides template guidance that can help you get started.

2. Audit Your Data

Conduct a data audit to understand:

  • What personal information you hold
  • Where it is stored (on-premises servers, cloud services, paper files, email)
  • Who has access to it
  • How long you have held it
  • Whether you still need it

Many businesses are surprised by the amount of personal information they hold, often scattered across systems with inconsistent security.
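A data audit is much easier when you can scan the places you suspect hold personal information rather than relying on memory. The script below is an added example, not code from the original article or its author: it searches text pulled from constructed sample locations for email addresses, Australian mobile numbers and Tax File Numbers, and confirms TFN candidates with the published weighted-checksum rule so that arbitrary nine-digit references (order numbers, invoice ids) are not reported. The file names and their contents are constructed for the demonstration; in practice you would feed it exports from your CRM, mail archive or shared drives.

```python
"""Added example: a small personal-information inventory scanner supporting the
data-audit step. Not part of the original article. All sample records below are
constructed; the regexes are deliberately narrow and a real audit would add the
categories relevant to the business (health identifiers, card numbers, etc.)."""
from __future__ import annotations

import re
from collections import Counter

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Australian mobile: 04xx xxx xxx or +61 4xx xxx xxx, spaces optional
MOBILE_RE = re.compile(r"(?<!\d)(?:\+61\s?4|04)(?:\s?\d){8}(?!\d)")
# Nine digits, optionally grouped 3-3-3; only reported if the checksum passes
TFN_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")

# Weights from the TFN check-digit algorithm: weighted digit sum must be divisible by 11
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def is_valid_tfn(candidate: str) -> bool:
    """Return True only if the nine digits satisfy the TFN weighted checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 9:
        return False
    return sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def scan_text(text: str) -> dict[str, int]:
    """Count each kind of personal information found in a block of text."""
    found: Counter[str] = Counter()
    found["email"] = len(EMAIL_RE.findall(text))
    found["mobile"] = len(MOBILE_RE.findall(text))
    # A nine-digit run is only counted as a TFN when the checksum is valid
    found["tfn"] = sum(1 for m in TFN_RE.findall(text) if is_valid_tfn(m))
    return dict(found)


def audit(records: dict[str, str]) -> dict[str, dict[str, int]]:
    """records maps a storage location to its text content.

    Returns, per location, the kinds of personal information present (zero
    counts dropped) so the result can feed an inventory of what is held and where.
    Locations with no findings are omitted.
    """
    inventory: dict[str, dict[str, int]] = {}
    for location, text in records.items():
        hits = {kind: n for kind, n in scan_text(text).items() if n}
        if hits:
            inventory[location] = hits
    return inventory


# Constructed sample "locations" and contents for the demonstration
SAMPLE_RECORDS = {
    "crm_export.csv": "name,email,phone\nJo Bloggs,jo.bloggs@example.com,0412 345 678\n",
    "payroll/onboarding.txt": "TFN provided: 123 456 782. Alternate contact +61 412 345 678",
    # A nine-digit order reference that fails the checksum and so is not a TFN
    "marketing/notes.txt": "Order ref 123456789 shipped; no contact details recorded.",
}

if __name__ == "__main__":
    for location, hits in audit(SAMPLE_RECORDS).items():
        print(f"{location}: {hits}")
```

Running it reports personal information in the CRM export and the onboarding note but nothing in the marketing file, because the order reference there is nine digits that fail the TFN checksum. The checksum also discards the digits of the +61 mobile number that happen to line up with the 3-3-3 pattern.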

3. Minimise Data Collection

Only collect what you genuinely need. The less personal information you hold, the less risk you face in a breach. Review your forms, processes, and systems to remove unnecessary data collection points.

4. Secure Your Data

Implement appropriate security measures based on the sensitivity of the information you hold. As a minimum:

  • Encrypt data at rest and in transit
  • Use strong access controls and multi-factor authentication
  • Keep systems patched and updated
  • Train staff on security awareness
  • Use business-grade antivirus and firewall solutions
  • Regularly back up data and test restoration

5. Manage Third-Party Access

If you share personal information with third parties (cloud providers, outsourced services, software vendors), ensure you have appropriate agreements in place covering data handling, security, and breach notification.

Pay particular attention to overseas service providers. Under APP 8, you are accountable for ensuring overseas recipients handle personal information in accordance with the APPs.

6. Prepare a Data Breach Response Plan

Do not wait for a breach to figure out your response. Develop a plan that covers:

  • How to identify and contain a breach
  • Who is responsible for managing the response (internal contacts and external advisors)
  • How to assess whether the breach is eligible for notification
  • Templates for notification to the OAIC and affected individuals
  • Post-incident review processes

7. Train Your Staff

Staff are often the weakest link in data protection. Regular training should cover:

  • What personal information is and why it matters
  • Your business’s privacy policy and procedures
  • How to handle personal information safely
  • How to recognise and report a potential data breach
  • Common scenarios specific to your business

8. Establish Retention and Disposal Policies

Do not keep personal information longer than necessary. Establish clear policies for:

  • How long different types of information should be retained
  • How information should be securely destroyed when no longer needed (shredding paper documents, securely wiping digital storage)
  • Regular reviews of stored information
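A retention policy is only useful if something actually applies it to the records you hold. The following is an added example (not code from the article or its author) of how the policy points above translate into a repeatable review: each record is checked against a per-category retention period, records past their period that are no longer needed are queued for destruction, records that are past their period but still flagged as needed, or approaching expiry, are queued for review, and records in a category with no policy are surfaced so one can be assigned. The retention periods, the 90-day review window, the reference date and the records themselves are constructed for the demonstration; real periods depend on the information type and any legal requirements that apply to your business.

```python
"""Added example: apply a retention schedule to a set of records and produce a
disposal report. Not part of the original article. Schedule, records and the
reference date are all constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: information category -> maximum retention in days
RETENTION_DAYS = {
    "customer_contact": 3 * 365,
    "job_application": 180,
    "support_ticket": 2 * 365,
}
REVIEW_WINDOW_DAYS = 90  # records this close to expiry are flagged for review


@dataclass(frozen=True)
class Record:
    ref: str
    category: str
    collected: date
    still_needed: bool  # outcome of the most recent business-need check


def classify(record: Record, today: date) -> str:
    """Return one of 'destroy', 'review', 'retain' or 'unclassified'."""
    limit = RETENTION_DAYS.get(record.category)
    if limit is None:
        # No policy covers this category; it must be assigned one before disposal
        return "unclassified"
    expiry = record.collected + timedelta(days=limit)
    if today >= expiry:
        # Past the retention period: destroy unless a need is still recorded,
        # in which case continued retention has to be justified and documented
        return "review" if record.still_needed else "destroy"
    if today >= expiry - timedelta(days=REVIEW_WINDOW_DAYS):
        return "review"
    return "retain"


def disposal_report(records: list[Record], today: date) -> dict[str, list[str]]:
    """Group record references by the action the policy requires."""
    report: dict[str, list[str]] = {"destroy": [], "review": [], "retain": [], "unclassified": []}
    for record in records:
        report[classify(record, today)].append(record.ref)
    return report


# Constructed sample records and a constructed reference date
TODAY = date(2021, 2, 3)
SAMPLE_RECORDS = [
    Record("r1", "customer_contact", date(2017, 6, 1), still_needed=False),   # expired, destroy
    Record("r2", "job_application", date(2020, 10, 1), still_needed=True),    # expires 2021-03-30, review
    Record("r3", "support_ticket", date(2020, 11, 15), still_needed=True),    # well within period
    Record("r4", "customer_contact", date(2016, 1, 10), still_needed=True),   # expired but still needed
    Record("r5", "scanned_id_document", date(2020, 5, 1), still_needed=False),  # no policy
]

if __name__ == "__main__":
    for action, refs in disposal_report(SAMPLE_RECORDS, TODAY).items():
        print(f"{action}: {', '.join(refs) or '-'}")
```

Run on a schedule (monthly is a common choice for the "regular reviews" point above) and keep the output, since the record of what was destroyed and when is itself evidence that the policy is being applied.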

Cloud Computing and Data Privacy

Many Australian SMBs use cloud services that store data in overseas data centres. This raises specific privacy considerations:

Data Residency

Where possible, choose cloud providers that offer Australian data centres. Both Microsoft Azure and Amazon Web Services have Australian regions. When your data is stored in Australia, you avoid some of the complexity of cross-border disclosure requirements.

Contractual Protections

When using cloud services, review the provider’s terms of service and data processing agreements. Key points to check:

  • Where your data will be stored
  • How the provider protects your data
  • What happens to your data if you terminate the service
  • The provider’s obligations in the event of a breach
  • Whether the provider uses sub-processors and where they are located

Shared Responsibility

Cloud security operates on a shared responsibility model. The cloud provider secures the infrastructure; you are responsible for securing your data, access controls, and configurations within the platform.

Looking Ahead

Data privacy regulation is evolving. The Australian Government is currently reviewing the Privacy Act, with potential changes that could:

  • Remove or narrow the small business exemption
  • Introduce a direct right of action for individuals
  • Strengthen enforcement powers
  • Introduce a statutory tort for serious invasions of privacy

Regardless of the outcome of the review, the trend is clear: privacy obligations are increasing, not decreasing. Investing in good privacy practices now positions your business well for any future changes.

Getting Started

If privacy compliance feels overwhelming, start with these three steps:

  1. Write or update your privacy policy and publish it on your website.
  2. Conduct a basic data audit to understand what personal information you hold and where it is stored.
  3. Review your security measures and address the most critical gaps.

From there, work through the other recommendations systematically. Privacy compliance is not a one-time project — it requires ongoing attention. But with a solid foundation, it becomes a manageable part of running your business.

For businesses unsure about their obligations, seeking advice from a privacy consultant or a managed IT services provider with privacy expertise is a worthwhile investment. The cost of getting professional guidance is far less than the cost of a data breach.
