Protecting privacy and information in your business

As a business owner, you are responsible for protecting the privacy and personal information that your business handles.

In Australia, private and sensitive information is protected by state and federal privacy legislation. This legislation governs how businesses collect, store, and use information and data relating to their customers and employees.

Some businesses have specific obligations under this legislation.

For example, healthcare providers or businesses that sell databases that contain private information must comply with stricter obligations for how they collect, store and use it.

Small businesses with a turnover of $3 million or less are exempt from some components of the privacy legislation, but all small businesses still have privacy obligations outside of the Privacy Act.

All businesses, regardless of size, should voluntarily comply with all privacy legislation. This can help consumer trust and ensure that your business maintains an ethical reputation.

Determining your privacy obligations

To assess the requirements for your business, complete the small business checklist from the Office of the Australian Information Commissioner (OAIC) to determine your obligations.

The Privacy Act and small business

The Privacy Act 1988 (Cwlth) was introduced to promote and protect the privacy of individuals and to regulate how businesses and Australian Government agencies handle personal information.

The Act regulates the privacy components of:

  • the consumer credit reporting system
  • tax file numbers
  • health and medical research.

The Act also contains 13 privacy principles that govern:

  • who can collect, use and disclose personal information
  • the rights of individuals to access their personal information
  • what information can be retained by a business
  • cases where it is appropriate to provide personal information to others.

Example of privacy obligations for business

A customer makes an application for consumer credit to purchase your product. It is then acceptable for the credit provider or a debt collector to access their credit report from a credit-reporting organisation to help them to decide on the application.

But if a member of the customer's family asks about the purchase from your business, you cannot pass the customer's information to them.

Read more about third-party access to credit reports (OAIC).

The privacy register

The OAIC has a privacy opt-in register for small businesses and not-for-profit organisations. This register lets you choose to be covered by the Privacy Act if you are exempt from the legislation (typically due to the annual turnover threshold).

The register:

  • provides a public record that can be viewed by customers
  • helps to increase customer confidence and trust in businesses who have opted in
  • demonstrates your public commitment to ethical privacy practice.

Protecting privacy and information in your business

If something goes wrong and your business does not keep information safe, you may be held responsible. You must ensure all your employees are aware of their obligations when it comes to protecting information held within the business. Ways to do this include:

  • implementing a privacy policy across the business that covers
    • how your business collects data
    • how the data is stored
    • the cases where data can be used within the business
    • the restrictions on sharing the data with another party outside of the business
  • implementing a compliance program
  • using free online training courses—for example, Welcome to privacy in practice
  • preparing policies and procedures to cover all legal requirements for protecting privacy and information in your business
  • ensuring privacy and information management form part of your induction for new staff
  • providing ongoing and regular training programs for all staff on how to comply with privacy obligations
  • adding privacy responsibilities to job descriptions (e.g. including the responsibility to protect the personal information of customers in all job descriptions).

Read about improving data security and protecting your customer data by the Australian Cyber Security Centre.

Privacy for digital and internal records

If you use video or audio surveillance and recordings in your business, you must ensure that you do not breach section 227A of the Criminal Code. The Code makes it an offence to record video of people without their consent in places where they would reasonably expect privacy (e.g. a changeroom).

Employee records in the private sector are not covered by the Privacy Act. This means that if you own or operate a business in the private sector, you are not required to give employees access to their employee records when they request it. Learn more about collecting and handling employee personal information.

Health information privacy

The Privacy Act provides added protections for a person's health information. All businesses that provide a health service are covered by the Act.

This means that if you operate or own a health services business, all health information must be collected, stored and used according to the Act. Learn more about protecting health information in your business.

Using customer data and the Spam Act

The Spam Act 2003 (Cwlth) regulates commercial electronic messages and phone messages. Under this legislation, it is illegal to send unsolicited commercial emails and phone messages. As a business owner, to comply with this legislation, every commercial email or phone message you send must meet the following conditions:

  • Consent – the recipient must have either expressly consented to receiving your messages or be an existing customer or person who has an existing relationship with your business.
  • Identify – the message must accurately identify your business.
  • Unsubscribe – the message must contain a functional unsubscribe facility that allows the recipient to opt out of receiving further messages. You must honour unsubscribe requests within 5 working days.

To ensure that you meet these requirements, you should do the following:

  1. Obtain the customer's permission to communicate with them, either
    • express (e.g. the customer fills out a contact form indicating that they agree to receive communication from your business)
    • inferred (e.g. the customer has provided their email address to your business and would reasonably expect that you would send them information).
  2. Identify your business as the sender of all communications—your communications should include your company name and contact details.
  3. Make it easy for your customers to unsubscribe from any communications from your business—you can do this by including an unsubscribe link in your digital communications or an opt-out keyword (e.g. 'STOP') on SMS.

Read more about avoiding sending spam from the Australian Communications and Media Authority.
