The Privacy Act 1988 (Cth) (Privacy Act) contains the privacy principles that some business must comply with. The principles concern the consideration, collection, dealing, integrity, access to and correction of personal information. However, if your business is classified as a small business, it may not need to comply with the principles.
What Is a Small Business?
The Privacy Act defines a small business as a business with an annual turnover of less than $3,000,000 in the previous financial year. For small businesses that have not operated for a full financial year yet, you need to make a projection of your full year annual turnover based on your business’ income during that period. In this instance, annual turnover includes income from all sources, but does not include assets held, capital gains or proceeds of capital sales. Annual turnover does include the total of the:
- proceeds from goods and services sales;
- commission income;
- repair and service income;
- rent, leasing and hiring income;
- government bounties and subsidies;
- interest, royalties and dividends; and
- other operating income.
A small business with an annual turnover of less than $3,000,000 will still have to comply with the Privacy Act if it is:
- a health service provider;
- trading in personal information (such as buying or selling a mailing list);
- a contractor providing services for a Commonwealth contract;
- a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006;
- an operator of a residential tenancy database;
- a credit reporting body;
- an employee association under the Fair Work (Registered Organisations) Act 2009;
- a protected action ballot agent;
- related to a business that is covered by the Privacy Act;
- a service provider required to comply with the data retention provisions in the Telecommunications (Interception and Access) Act 1979;
- a business prescribed by the Privacy Regulation 2013; or
- a business that has elected to be covered by the Privacy Act.
Review the Office of the Information Commissioner’s checklist, for further details about the types of small businesses that are subject to the Privacy Act.
How Your Small Business Can Comply With the Privacy Act.
If your small business falls under the scope of the Privacy Act, then it will need to comply with the Australian Privacy Principles (APPs) contained in the Act. Therefore, compliance with the principles includes:
- implementing practices, procedures and systems to handle complaints;
- taking reasonable steps in order to protect the personal information collected or stored;
- giving individuals access to their personal information if requested;
- correcting personal information if you become aware it is incorrect;
- taking reasonable steps in order to ensure that personal information collected is accurate, complete and up to date;
- only collecting personal information if it is essential for the function of your business;
- deleting unsolicited personal information as soon as possible, if it is not essential for the functioning of your business;
- not using or disclosing personal information for a purpose other than its intended purpose; and
- Not collecting, using or disclosing personal information without the individual’s direct consent.
A privacy policy must be provided by a small business that has to comply with the Privacy Act, in order to cover all the requirements of the APP. For that reason, a privacy policy must outline the information you need to disclose to any individual whose personal information you intend to collect. Making a privacy policy available and requesting acknowledgement of it also ensures that you’ve received the individuals consent to use their information for the specified purpose.
Unsure where to start? Contact a LawPath consultant on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest legal marketplace.
