Generally speaking, most small businesses will not have to comply with the Privacy Act. A small business with an annual turnover of $3 million or less will have to comply with the Privacy Act only if it is:

• a health service provider; or
• trading in personal information (e.g. buying or selling a mailing list); or
• related to a business that is not a small business; or
• a contractor that provides services under a Commonwealth contract; or
• a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act); or
• an operator of a residential tenancy database.

If your business has an annual turnover of $3 million dollars or less and meets one of the criteria above, the Privacy Act will apply to your business or some aspects of it.

To check whether you need to comply, you can complete the Privacy Checklist for Small Business, or seek advice from your industry association or lawyer.

If your small business is covered by the Privacy Act you will have to comply with the National Privacy Principles. The Guide to Privacy for Small Business will help you meet your privacy obligations. More information can be found in the Guidelines to the National Privacy Principles and the Information Sheets. The precise definition of an exempt small business is set out in section 6D of the Privacy Act.