Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not-for-profits need to start preparing for these changes. For more information, go to our privacy law reform page at www.oaic.gov.au.
- Note 2: From 12 March 2013, content is no longer being added to, or amended on, this site; consequently, some information may be out of date. For new privacy content, visit the www.oaic.gov.au website.
Is your business covered?
Does your small business need to comply with the Privacy Act?
Is your small business:
- a health service provider?
- trading in personal information?
- related to a larger business?
- a contractor to Commonwealth agencies?
- a reporting entity for the purpose of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)?
- an operator of a residential tenancy database?
If so, it may need to comply with the Privacy Act. Information Sheet 12 gives more information about coverage of the Privacy Act.
The majority of small businesses that do need to comply with the Privacy Act should find the requirements straightforward and not difficult or expensive to manage.
Small businesses covered by the Privacy Act will need to review how they handle personal information, including how they collect, use and disclose personal information and how they keep it secure.
In practical terms, complying with the Privacy Act is likely to mean:
- Telling people you collect personal information and what you will do with it;
- Only using personal information about people in ways that they might expect;
- Not passing personal information on without telling people;
- Giving people the chance to see any information you hold about them if they ask;
- Keeping personal information safe; and
- If people ask, telling them how you handle personal information in your small business.
These obligations are set out in the National Privacy Principles. As well, the Privacy Act exempts employment records where information about employees is only used for employment purposes. If employee information is the only personal information held then there are probably no obligations under the Privacy Act.


