Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Privacy Checklist for Small Business
About this Checklist
The Privacy Act 1988* currently protects personal information handled by large businesses and health service providers of any size. The Privacy Act also applies to some small businesses.
The Office of the Privacy Commissioner has prepared this Checklist. It should help you work out if your small business needs to comply with the Privacy Act and the National Privacy Principles.
Most small businesses will find that they do not need to comply with the Privacy Act.
Does your small business need to comply with the Privacy Act?
Does your small business have an annual turnover of $3 million or less AND is it either:
- a health service provider?
- trading in personal information?
- related to a larger business?
- a contractor that provides services under a Commonwealth contract?
- a reporting entity for the purpose of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)?
- an operator of a residential tenancy database?
If so, your small business may need to comply with the Privacy Act. The steps in the Checklist should help you decide if your small business needs to comply with the Privacy Act. If you are still not sure if your business needs to comply you may need to get more advice from your lawyer or other advisers.
* Some terms we use in this Checklist may be new to you. More information about words in bold can be found at the end of the Checklist.
THE PRIVACY CHECKLIST
The Checklist has 9 Steps. You will need to work through all the steps unless the instructions tell you otherwise.
Step 1. Does your small business collect personal information?
- YES. Go to Step 2.
- NO. You do not need to comply with the Privacy Act. You do not need to answer any more questions.
Step 2. Is your business an organisation for the Privacy Act?
- YES. Go to Step 3.
- NO. You do not need to comply with the Privacy Act. You do not need to answer any more questions.
Step 3. Does your small business have an annual turnover of $3 million or less?
- YES. Go to Step 4.
- NO. If your business has an annual turnover of more than $3 million and is an organisation for the Privacy Act, the Act has applied since 21 December 2001. For information about how to comply see the resources listed at the end of the Checklist. You do not need to answer any more questions.
Step 4. Is your small business a health service provider?
- YES. Your small business has had to comply with the Privacy Act since 21 December 2001. For information about how to comply see the resources listed at the end of the Checklist. You do not need to answer any more questions.
- NO. Go to Step 5.
Step 5. Does your small business trade in personal information?
A. Do you collect personal information from, or provide it to, someone else for a benefit, service or advantage?
- YES. Go to Question B.
- NO. Go to Step 6.
B. Do you collect or provide personal information for a benefit, service or advantage and have the consent of all the individuals concerned?
- YES. Go to Step 6.
- NO. Go to Question C.
C. Do you collect or provide personal information for a benefit, service or advantage that is required or authorised by law?
- YES. Go to Step 6.
- NO. You need to comply with the Privacy Act. For information about how to comply see the resources list at the end of the Checklist. You do not need to answer any more questions.
Step 6. Is your small business related to a larger body corporate that is subject to the Privacy Act?
- YES. You need to comply with the Privacy Act. For information about how to comply see the resources list at the end of the Checklist. You do not need to answer any more questions.
- NO. Go to Step 7.
Step 7. Are you a Commonwealth contract service provider?
Does all or part of your small business involve contracting or subcontracting to a Commonwealth government body?
- YES. The Privacy Act will apply, via provisions in your contract, to that part of your business that is a Commonwealth contracted service provider. For information about how to comply see the resources list at the end of the Checklist.
- NO. Go to Step 8.
Step 8. Are you a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)?
Does all or part of your business undertake reporting activities for AML/CTF purposes?
- YES. The Privacy Act will apply to those reporting activities that you carry out to comply with your AML/CTF obligations. AML/CTF reporting requirements will progressively come into force from 12 December 2007. For information about how to comply see the resources list at the end of the Checklist.
- NO. Go to Step 9.
Step 9. Does your business operate a residential tenancy database?
- YES. The Privacy Act will apply to the operation of that database as a result of the Privacy (Private Sector) Amendment Regulations 2007 (No.3). The Regulations commence on 1 December 2007. For information about how to comply see the resources list at the end of the Checklist.
- NO. You do not need to comply with the Privacy Act.
More information about annual turnover for the Privacy Act
What is included in the annual turnover of a business for a financial year?
Annual turnover for the Privacy Act includes all income from all sources. Annual turnover does not include assets held by the small business, capital gains or proceeds of capital sales.
The income reported on the PAYG income tax instalment section of your BAS or IAS over a year will give a good estimate of annual turnover for the Privacy Act for some but not all businesses.
For example, the BAS or IAS figure will not be a good estimate of annual turnover for the Privacy Act for: superannuation, life insurance or approved deposit funds; not-for-profit bodies; or a small business that is part of a GST group, or is notionally divided into a GST group for taxation purposes.
Annual turnover of a business for a financial year is the total of the following items earned in the year in the course of the business:
(a) the proceeds of sales of goods and/or services;
(b) commission income;
(c) repair and service income;
(d) rent, lease and hiring income;
(e) government bounties and subsidies;
(f) interest, royalties and dividends;
(g) other operating income.
Annual turnover of a full or part year
Small businesses that have been operating for more than one year should calculate their annual turnover on the previous financial year.
If a small business was not operating in the previous financial year it needs to make a projection of full year annual turnover based on the total income to date and the amount of time it has been operating.
Resources and Help
Contact details for the Office of the Privacy Commissioner
Enquiries Line 1300 363 992 (local call charge)
GPO Box 5218 SYDNEY NSW 2001
Useful information available from the Office includes:
- Website page for Small Business
- A brief overview of The Privacy Act and Small Business - a Snapshot
- Privacy Checklist for Small Business
- Health Information and The Privacy Act 1988. A Short Guide for the private health sector
- Guidelines to the National Privacy Principles and Information Sheets 1-15
- The National Privacy Principles
- The Privacy Act
- Frequently asked questions (FAQs)
Meanings of Words
BAS - Business Activity Statement
IAS - Instalment Activity Statement
Businesses (and others) use these activity statements to report Pay As You Go instalment income at label T1 on the statement. Some businesses, however, do not report instalment income during the year at label T1 on these statements but use an instalment amount calculated by the Commissioner of Taxation. In these circumstances, businesses will need to work out their turnover by other means.
Benefit, Service or Advantage
This includes income, financial concessions, subsidies or some other return to the small business. For example, where a small business sells its customer list to a marketing company or gives its own list in return for another list.
Commonwealth contract service provider
This means organisations that provide services to Commonwealth agencies under contract or subcontract. The new provisions do not apply to private sector contractors providing services under contracts with State or Territory governments.
Health service provider
Health includes physical, emotional, psychological and mental health. Health service providers: assess, record, maintain or improve a person's health; diagnose or treat a person's illness or disability; or dispense on prescription a drug or medicinal preparation by a pharmacist.
National Privacy Principles (schedule 3 to the Privacy Act)
The Privacy Act includes 10 standards or rules known as the National Privacy Principles (NPPs). There are Principles about collection, use and disclosure, quality and security, openness, access, anonymity, sending personal information overseas and sensitive information. There are special rules for sensitive information, including health information. For more information see the Resources and Help section above.
Organisation
The Privacy Act defines organisation broadly. It includes sole traders, body corporates, partnerships, trusts and unincorporated associations. It excludes others, for example, state run corporations, political parties or media organisations. The Act also does not apply to individuals acting in a private or domestic capacity.
PAYG - Pay As You Go
This is a taxation term relating to income tax payments made on your own behalf or withheld on behalf of others.
Personal information
Personal information is information or an opinion that identifies an individual or allows their identity to be readily worked out from the information. It includes such things as a person's name, address, financial information, marital status or billing details.
The Privacy Act exempts employment records used for employment purposes in your business. If employee information is the only personal information your business holds and it is only used for employment purposes, the Privacy Act will not apply.
Privacy Act 1988
The Privacy Act regulates the handling of personal information by Commonwealth and ACT government agencies and many private sector organisations. It also regulates the credit reporting industry and the handling of tax file number information.
Related body corporate (Section 50, Corporations Act 2001)
The Privacy Act defines related body corporate by reference to the Corporations Act. Companies might be related where they are a holding company or a subsidiary of another body corporate.
Residential tenancy database
The Privacy (Private Sector) Amendment Regulations 2007 (No.3) state that a residential tenancy database means a database: (a) that stores personal information in relation to an individual's occupation of residential premises as a tenant; and (b) that can be accessed by a person other than the operator of the database or a person acting for the operator.
Trade in personal information
Trading in personal information happens where businesses collect or disclose an individual's personal information for a "benefit, service or advantage", for example they buy or sell a list of personal information for income, concessions or some other return. The Privacy Act will not apply where the trading happens with the consent of the individual concerned or is authorised or required by law.
The Act does not prevent trading in personal information but does set principles that need to be followed.
Note: In some circumstances sale of the assets of a business that include personal information will also be trading in personal information.
For more information about consent, sale of businesses and trading in personal information see the Frequently Asked Questions on the Small Business page of the Privacy Commissioner's website.