Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Snapshot of the Privacy Act for Small Business
NOTE: updated with minor amendments 27 November 2007.
The Federal Privacy Act 1988 sets rules for businesses handling personal information. It also allows individuals to make a complaint if personal information is mishandled.
Some small businesses, including those that are non-profit bodies or unincorporated associations, need to comply with the Privacy Act.
Small businesses that collect personal information (other than their own employees' information) may need to comply. Personal information is any information about an identifiable individual, e.g. a person's name and address, marital status or income.
If your business has an annual turnover of more than $3 million or is a health service provider, the Privacy Act applies to your business.
Does your small business need to comply with the Privacy Act?
Is your small business:
- a health service provider?
- trading in personal information (e.g. buying or selling a mailing list)?
- related to a larger business (a related body corporate)?
- a contractor that provides services under a Commonwealth contract?
- a reporting entity for the purpose of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)?
- an operator of a residential tenancy database?
If you answered yes to any of these, your business may need to comply with the Privacy Act.
You may also need to comply if your business buys or sells business assets that include personal information (e.g. a customer database).
The Privacy Commissioner's checklist, A Privacy Checklist for Small Business, can help you to work out whether your business may need to comply.
Compliance with the Privacy Act - the basics
For many small businesses, complying with the Privacy Act means that the key things to do are:
- tell people when you collect personal information what you expect to do with it
- use personal information only for the reason you collected it, or in ways people would think reasonable unless you have their consent, have given them an opportunity to opt-out or the use is authorised by another law
- pass on personal information only for the reason you collected it, or in ways people would think reasonable, unless you have consent or the disclosure is authorised by another law
- if people ask, give them a chance to see any information you hold about them
- keep personal information secure, accurate and up-to-date.
These requirements are set out in the Act in 10 National Privacy Principles (NPPs).
See A Guide to Privacy for Small Business for more information.
Getting up to speed on the Privacy Act - the basics
When making a privacy plan, you should:
Have someone responsible for privacy
- This could be you or your office manager or someone in another position depending on the size of your business.
Be familiar with the NPPs
- They cover collection, use, disclosure, access and other matters.
Do a privacy stocktake
- Look at how you handle personal information in your small business, from the time you collect the information to the time you dispose of it. See how your procedures measure up to the obligations in the NPPs.
Have a privacy complaint handling process
- Think about who will handle complaints, what timeframes will apply, and what records you might need to keep.
Train any staff in privacy
If you need to make changes, plan how you will do this
Some other tips for compliance with the Privacy Act
Keeping personal information secure
- Check computers for personal information before you sell them.
- Keep personal information away from those who do not need to see it - staff as well as customers.
- Destroy information securely. Do not dump it in a street bin.
What to tell people when collecting information
- The name of your business.
- How the business can be contacted.
- How you expect to use the personal information.
- To whom you expect to pass on the personal information.
- That they can see (access) personal information you hold about them.
- Give an opportunity to opt-out of any direct marketing you do.
Some notes on how to tell people about the information you hold on them
- You may give this on a form, on a separate brochure, by telephone or a website.
- You may need to give this information even if you are collecting from someone else (rather than from the individual).
For more information contact the Office of the Privacy Commissioner.
The Office handles complaints and also provides information and advice about the Privacy Act. All publications mentioned in this brochure are available from the Office or on our website.
Enquiries Line 1300 363 992 (local call charge)
GPO Box 5218 SYDNEY NSW 2001