Most small businesses are not covered by the Privacy Act 1988, but some are. A small business is one with an annual turnover of $3 million or less. Annual turnover for the purposes of the Privacy Act includes all income from all sources. It does not include assets held, capital gains or proceeds of capital sales.

If the Privacy Act covers your small business, you have some obligations.

To see if your small business needs to comply with the Privacy Act, complete our Privacy Checklist for Small Business, or seek advice from your industry association or lawyer.

Does the Privacy Act cover your business?

Regardless of turnover, the Privacy Act covers any business that is:

What obligations does your business have?

If the Privacy Act covers your small business, you’ll have to comply with the Australian Privacy Principles (APPs). It is important to remember that complying with the Privacy Act does not prevent you handling personal information for your business needs.

Do you have other obligations under the Privacy Act?

As well as the APPs, the Privacy Act includes specific matters that some small businesses may be required to comply with, including:

For more information, see Credit Reporting and The Privacy (Tax File Number) Rule 2015 and the Protection of Tax File Number Information.

What if your business breaches the Privacy Act?

An individual has the right to complain if they think a business the Privacy Act covers has not complied with the Privacy Act when handling their personal information.

If the Privacy Act covers your small business, the OAIC can investigate, conciliate and, if necessary, make determinations about complaints made about your handling of personal information. We may also commence a Commissioner-initiated investigation. Our Privacy Regulatory Action Policy explains our enforcement powers and regulatory approach.

Privacy checklist for small business

Our checklist can help you decide if your small business needs to comply with the Privacy Act. It is not a substitute for legal advice, and you may need to seek advice from your lawyer or other advisers.

Question 1

Does your small business handle personal information?

Yes: Please go to Question 2

No: You do not need to comply with the APPs.

Question 2

Has your small business had an annual turnover of more than $3,000,000 in any financial year since 2002?

Annual turnover for the purposes of the Privacy Act includes all income from all sources. Annual turnover does not include assets held, capital gains or proceeds of capital sales.

If your small business has not operated for a whole financial year, you need to make a projection of full year annual turnover based on the income of your business during that period.

Yes: You need to comply with the APPs.

No: Please go to Question 3

Question 3

Does your small business trade in personal information?

A business is considered to trade in personal information if they:

  • provide a benefit, service or advantage to collect personal information, or
  • disclose personal information for a benefit, service or advantage

A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service. For example, a small business trades in personal information where it sells its customer list to a marketing company or gives its own list in return for another list.

Yes: Go to Question 4

No: Go to Question 5

Question 4

Does your small business trade in personal information without the consent of the individual and without being required or authorised by law?

Consent can either be express or implied.

Yes: You need to comply with the APPs.

No: Go to Question 5

Question 5

Is your small business a health service provider?

A health service provider provides services in relation to physical, emotional, psychological and mental health. They include: traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals; complementary therapists; child care centres; private schools and private tertiary educational institutions.

Yes: You need to comply with the APPs.

No: Go to Question 6

Question 6

Is your small business related to a larger body corporate that is subject to the Privacy Act?

To answer this question, use the test for related body corporate in the Corporations Act 2001. Companies might be related where they are a holding company or a subsidiary of another body corporate.

Yes: You need to comply with the APPs.

No: Go to Question 7

Question 7

Is your small business a Commonwealth contracted service provider?

Your business is a Commonwealth contracted service provider if you provide services to, or on behalf of, Australian Government agencies or the Norfolk Island administration under a Commonwealth contract or subcontract.

The provisions do not apply to businesses that receive funding from Commonwealth agencies for services that are not a function of the agency.

Yes: You need to comply with the APPs. Check your contract for more information about your privacy obligations.

No: Go to Question 8

Question 8

Are you a reporting entity or authorised agent of a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) or its regulations or rules?

For more information about the AML/CTF Act, visit AUSTRAC.

Yes: You need to comply with the APPs for your activities in relation to the AML/CTF Act and its Regulations and Rules.

No: Go to Question 9

Question 9

Does your small business operate a residential tenancy database?

A residential tenancy database is a database that stores personal information about individuals occupying residential premises as tenants and is accessible by an individual other than the operator of the database or an individual acting for the operator.

Yes: You need to comply with the APPs.

No: Go to Question 10

Question 10

Does your small business carry on a credit reporting business?

A credit reporting business is defined in section 6P of the Privacy Act.

Yes: You need to comply with Part IIIA of the Privacy Act and the APPs where Part IIIA does not apply.

No: Go to Question 11

Question 11

Is your small business an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009?

Yes: You need to comply with the APPs.

No: Go to Question 12

Question 12

Is your small business a protected action ballot agent for a protected action ballot conducted under Part 3-3 of the Fair Work Act 2009?

Yes: You need to comply with the APPs.

No: Go to Question 13

Question 13

Is your small business a service provider that is required to comply with the data retention provisions in Part 5-1A of the Telecommunications (Interception and Access) Act 1979?

Part 5-1A requires service providers to collect and retain certain information about communications.

Yes: You need to comply with the APPs for your activities in relation to data collected and retained under Part 5-1A.

No: Go to Question 14

Question 14

Does your small business hold accreditation for the Consumer Data Right system under the Competition and Consumer Act 2010?

Yes: You need to comply with the APPs in relation to any information held that is personal information, but not CDR data. (Where information held is CDR data, the privacy safeguards apply instead of the APPs.)

No: Go to Question 15

Question 15

Has your small business voluntarily opted into the Privacy Act?

The Privacy Act provides a mechanism to allow an organisation that is a small business operator to opt in to the Act.

Yes: You need to comply with the APPs.

No: You don’t need to comply with the Privacy Act. As a matter of best practice though, we recommend you protect any personal information you hold.

We also recommend you consider opting in to the Privacy Act. A small business that opts in to the Privacy Act could experience a number of benefits, including increased consumer confidence and trust in their operations.

For more information about how to comply with the Privacy Act, see Handling Privacy Complaints and Protecting Customers’ Personal Information.

To help you meet your ongoing compliance obligations, see Privacy Management Framework: Enabling Compliance and Encouraging Good Practice.

You may also need advice on Selling a Business.