Collecting and storing customer information

Collecting and storing information about your customers is essential for managing the sales and customer service aspects of your business.

Laws protect the privacy of your customers and the information you collect. You must only collect, store or use customer information for the primary purpose for which it was collected.

Protecting the privacy of customers

Before collecting customer information, be aware that as a business owner you are responsible for ensuring you, and the staff within your business, handle and protect customer information correctly. This can include complying with privacy laws.

You may be required to protect your customer information from:

  • theft or loss
  • misuse
  • interference
  • unauthorised access
  • modification
  • disclosure to others.

Find out more about protecting privacy and information in your business.

Types of information

The information you collect from your customers might include:

  • personal contact details
  • personal residential details
  • government-issued identification
  • medical history
  • emergency contact and next of kin
  • buying habits and preferences
  • product or service preferences
  • financial statements and credit history.

Collecting customer information

Customers could provide information through:

  • order forms
  • enquiries
  • complaints
  • warranty cards
  • customer rewards programs
  • customer satisfaction surveys
  • feedback cards
  • customer competitions
  • your website
  • in-person or over-the-counter surveys
  • social media polls or messages
  • online subscriptions
  • email correspondence.

Customers can either provide information in writing or electronically, or they can provide it verbally and you record it.

Storing customer information

How you store your customer information is important. You must maintain the security of customer information, but also store the records in a way that suits your business.

For example:

  • A sole trader may operate with paper-based records to store customer information or transactions. They should store records in a lockable filing cabinet that is not accessible to the public or to unauthorised staff.
  • A consultancy firm may have multiple electronic methods of storing customer information. They may use a database for sales records and customer relationship management (CRM) software for customer information. The firm may store records electronically on a server based within their office, as well as on a cloud-based storage system.

Where records are stored

It is vital for you to know where your data is being stored when using third-party cloud-based data storage, for example, whether your data is being stored within Australia or overseas.

This is particularly relevant if your business holds contracts with government agencies who normally require all records to be stored within Australia.

It is more difficult to maintain the integrity of the data if it is stored overseas. It can also be more difficult to restore data if there has been a breach or system failure.

Find out more information about online risks, cyber security and the legal requirements for data storage.

Using customer information appropriately

Your business can only collect, store or use customer information for the primary purpose for which it was collected. Read these scenarios to understand how you can appropriately use customer information.

| Scenario | Use of customer information |
| --- | --- |
| You own a mechanical workshop and have just told your customer that it will be very costly to repair their vehicle and that they would be better to shop around for a new car. | You are not allowed to contact your friend who sells cars to give them your customer's details as a potential sale, unless your customer has given you permission to specifically provide their details to them. |
| You own an electrical appliance store. You have sold a customer a washing machine with delivery included. | You are allowed to provide the customer's details to the delivery contractor, but you must advise the customer you will be providing their details to a third-party delivery contractor. |
| You own a furniture retail store. One of your staff has sold a lounge suite that is on display on the showroom floor. | You are allowed to place a sign on the lounge to show that it's been sold but you are not allowed to include any of the customer's details on the sign while the lounge is on public display. |

Tips for protecting customer information

Find tips for how your business can protect customer information.*

  1. Familiarise yourself (and your staff) with the documented privacy policies, processes and procedures of your business.
  2. Understand it is everybody's responsibility to respect and protect the privacy of customer information.
  3. Consider undertaking a privacy impact assessment if you are planning a project that will collect and handle customer information to ensure it will be protected.
  4. Only collect relevant information that your business needs. For example, there is no need to collect the medical history of a customer if you own a retail furniture outlet.
  5. Before using and disclosing specific customer information, think about whether you actually need to use or disclose those specifics or if you can conduct that task using generic information.
  6. If you intend to provide customer information to a business overseas, remember they may not comply with our state or federal requirements, but your business must comply regardless of where that customer's information gets used.
  7. Personal information considered to be sensitive, such as race, gender, ethnicity, religion, sexual orientation etc., has additional considerations under the Privacy Act 1988. Make sure your business understands and respects these sensitivities.
  8. Access customers' personal information only if, and when, you need to. For example, your cleaner has no need to access a customer's personal information if they are cleaning an accountancy firm.
  9. Keep customers' personal information secure. As a business owner, you are required to take reasonable steps to ensure customer records, whether paper-based or electronically stored, are protected from unauthorised access, modification or disclosure.
  10. Develop a data breach response. This will enable your business to respond quickly and reduce the impact to a customer if their information has been compromised or breached.

*Adapted from protecting customers' personal information available from the Office of the Australian Information Commissioner and published under a Creative Commons Attribution 3.0 Australia Licence.