Are Small Businesses Covered by the Privacy Act?
Some small business may be exempt from the provisions of the Privacy Act 1988 (Cth). Read here to find out if your business is covered by the Act and how to comply if you are.
The Privacy Act 1988 (Cth) (Privacy Act) contains the privacy principles that some business must comply with. The principles concern the consideration, collection, dealing, integrity, access to and correction of personal information. However, if your business is classified as a small business, it may not need to comply with the principles.
What Is a Small Business?
The Privacy Act defines a small business as a business with an annual turnover of less than $3,000,000 in the previous financial year. For small businesses that have not operated for a full financial year yet, you need to make a projection of your full year annual turnover based on your business’ income during that period. In this instance, annual turnover includes income from all sources, but does not include assets held, capital gains or proceeds of capital sales. Annual turnover does include the total of the:
- proceeds from goods and services sales;
- commission income;
- repair and service income;
- rent, leasing and hiring income;
- government bounties and subsidies;
- interest, royalties and dividends; and
- other operating income.
A small business with an annual turnover of less than $3,000,000 will still have to comply with the Privacy Act if it is:
- a health service provider;
- trading in personal information (such as buying or selling a mailing list);
- a contractor providing services for a Commonwealth contract;
- a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006;
- an operator of a residential tenancy database;
- a credit reporting body;
- an employee association under the Fair Work (Registered Organisations) Act 2009;
- a protected action ballot agent;
- related to a business that is covered by the Privacy Act;
- a service provider required to comply with the data retention provisions in the Telecommunications (Interception and Access) Act 1979;
- a business prescribed by the Privacy Regulation 2013; or
- a business that has elected to be covered by the Privacy Act.
Review the Office of the Information Commissioner’s checklist, for further details about the types of small businesses that are subject to the Privacy Act.
How Your Small Business Can Comply With the Privacy Act.
If your small business falls under the scope of the Privacy Act, then it will need to comply with the Australian Privacy Principles (APPs) contained in the Act. Therefore, compliance with the principles includes:
- implementing practices, procedures and systems to handle complaints;
- taking reasonable steps in order to protect the personal information collected or stored;
- giving individuals access to their personal information if requested;
- correcting personal information if you become aware it is incorrect;
- taking reasonable steps in order to ensure that personal information collected is accurate, complete and up to date;
- only collecting personal information if it is essential for the function of your business;
- deleting unsolicited personal information as soon as possible, if it is not essential for the functioning of your business;
- not using or disclosing personal information for a purpose other than its intended purpose; and
- Not collecting, using or disclosing personal information without the individual’s direct consent.
Unsure where to start? Contact a LawPath consultant on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest legal marketplace.
Jenelle is a legal Intern at Lawpath as part of the Content Team. She is in her third year of a Bachelor of Law and Bachelor of Science (Physics & Astronomy) at Macquarie University.