Lawpath Blog
Are Small Businesses Covered by the Privacy Act?

Are Small Businesses Covered by the Privacy Act?

Some small business may be exempt from the provisions of the Privacy Act 1988 (Cth). Read here to find out if your business is covered by the Act and how to comply if you are.

23rd April 2019

The Privacy Act 1988 (Cth) (Privacy Act) contains the privacy principles that some business must comply with. The principles concern the consideration, collection, dealing, integrity, access to and correction of personal information. However, if your business is classified as a small business, it may not need to comply with the principles.

What Is a Small Business?

The Privacy Act defines a small business as a business with an annual turnover of less than $3,000,000 in the previous financial year. For small businesses that have not operated for a full financial year yet, you need to make a projection of your full year annual turnover based on your business’ income during that period. In this instance, annual turnover includes income from all sources, but does not include assets held, capital gains or proceeds of capital sales. Annual turnover does include the total of the:

  • proceeds from goods and services sales;
  • commission income;
  • repair and service income;
  • rent, leasing and hiring income;
  • government bounties and subsidies;
  • interest, royalties and dividends; and
  • other operating income.

A small business with an annual turnover of less than $3,000,000 will still have to comply with the Privacy Act if it is:

Review the Office of the Information Commissioner’s checklist, for further details about the types of small businesses that are subject to the Privacy Act.

How Your Small Business Can Comply With the Privacy Act.

If your small business falls under the scope of the Privacy Act, then it will need to comply with the Australian Privacy Principles (APPs) contained in the Act. Therefore, compliance with the principles includes:

  • implementing practices, procedures and systems to handle complaints;
  • taking reasonable steps in order to protect the personal information collected or stored;
  • giving individuals access to their personal information if requested;
  • correcting personal information if you become aware it is incorrect;
  • taking reasonable steps in order to ensure that personal information collected is accurate, complete and up to date;
  • only collecting personal information if it is essential for the function of your business;
  • deleting unsolicited personal information as soon as possible, if it is not essential for the functioning of your business;
  • not using or disclosing personal information for a purpose other than its intended purpose; and
  • Not collecting, using or disclosing personal information without the individual’s direct consent.

A privacy policy must be provided by a small business that has to comply with the Privacy Act, in order to cover all the requirements of the APP. For that reason, a privacy policy must outline the information you need to disclose to any individual whose personal information you intend to collect. Making a privacy policy available and requesting acknowledgement of it also ensures that you’ve received the individuals consent to use their information for the specified purpose.

Unsure where to start? Contact a LawPath consultant on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest legal marketplace.

Jenelle Miranda

Jenelle is a legal Intern at Lawpath as part of the Content Team. She is in her third year of a Bachelor of Law and Bachelor of Science (Physics & Astronomy) at Macquarie University.