Privacy Obligations for Small Business & NFP’s

I like to say compliance is fun (yes, really!) because ticking off those boxes means you’re protecting your business, your people, and your customers. But when it comes to privacy, things get serious. If you’re collecting and keeping customer information—even just names, phone numbers, or email addresses—you need to know your obligations under the Privacy Act.

The good news? You don’t need to wade through all the legal detail (the OAIC website has you covered there). What you do need is a clear understanding of what personal and sensitive information is, and a plan for managing it. That’s what this article is here to help with.

So let’s jump in …

What is the Privacy Act?

The Privacy Act 1998 (the Act) regulates how individual people’s information is handled in Australia.

The Act creates a privacy protection framework that is underpinned by the Australian Privacy Principles or APPs.

Australian Privacy Principles

The 13 Australian Privacy Principles govern standards, rights and obligations around:

  • the collection, use and disclosure of personal information

  • an organisation or agency’s governance and accountability

  • integrity and correction of personal information

  • the rights of individuals to access their personal information.

Who is covered by the Privacy Act

In general (with exceptions, of course) any organisation with an annual turnover of $3m or more, and every Australian Government agency, is considered an APP Entity and has responsibilities and obligations under the Act.

An APP Entity can be any type of entity operating a business, including a sole trader, a body corporate, a partnership, any other incorporated association or a trust. Some organisations that turn over less than $3m, such as health services, are still treated as APP Entities.

APP Entities are obliged to ensure personal and sensitive information is properly managed and protected.

What is Personal Information?

From the OAIC:

Personal information includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.

For example, personal information may include:

  • an individual’s name, signature, address, phone number or date of birth

  • sensitive information

  • credit information

  • employee record information

  • photographs

  • internet protocol (IP) addresses

  • voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique)

  • location information from a mobile device (because it can reveal user activity patterns and habits).

What is Sensitive Information?

From the OAIC:

Sensitive information is personal information that includes information or an opinion about an individual’s:

  • racial or ethnic origin

  • political opinions or associations

  • religious or philosophical beliefs

  • trade union membership or associations

  • sexual orientation or practices

  • criminal record

  • health or genetic information

  • some aspects of biometric information.

Generally, sensitive information has a higher level of privacy protection than other personal information.

Keeping Information Secure

Security of personal information is covered under APP 11, which requires an APP Entity to take reasonable steps to protect personal information. Usually when we think of information protection we think of cyber security and keeping our systems secure to protect the information held within them. But under the Act we also need to protect information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.

So on top of keeping information safe from hackers, this could also mean ensuring only certain people have access to certain records, physically locking away information, laptops or other devices and having the ability to monitor systems and track changes to information.

Further, removing information once it is no longer necessary for the purpose it was collected is also important. 

What protocols do you have in place for removing the personal information on your system that you no longer need?
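As an added illustration of the disposal protocol the question above asks about (this is example code, not something from the article or from the OAIC), the script below runs a retention sweep over a small set of constructed customer records. The retention period, the record fields and the "on hold" flag are assumptions for the demonstration; your own privacy management plan decides the real values. Two points a practitioner would want built in: a record that is still needed (here, one on hold for an open matter) is never removed just because it is old, and the disposal log records only the record identifier, never the personal details, so the log itself does not become another copy of the data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention period (two years) for the demonstration only.
# Set this per the purpose each record was collected for; it is not a legal figure.
RETENTION_DAYS = 730


@dataclass
class CustomerRecord:
    record_id: str
    name: str
    email: str
    last_needed: date      # last date the record served its collection purpose
    on_hold: bool = False  # e.g. subject of an open complaint, so it must be kept


def is_expired(record: CustomerRecord, today: date,
               retention_days: int = RETENTION_DAYS) -> bool:
    """A record is due for disposal when its retention window has passed
    and nothing (such as a hold) still requires it to be kept."""
    if record.on_hold:
        return False
    return today - record.last_needed > timedelta(days=retention_days)


def retention_sweep(records, today: date, retention_days: int = RETENTION_DAYS):
    """Split records into those to keep and a disposal log.

    The log holds only the identifier, date and reason, so it can be kept
    as evidence of the disposal without re-storing the personal information.
    """
    kept, disposal_log = [], []
    for rec in records:
        if is_expired(rec, today, retention_days):
            disposal_log.append({
                "record_id": rec.record_id,
                "disposed_on": today.isoformat(),
                "reason": f"exceeded {retention_days}-day retention",
            })
        else:
            kept.append(rec)
    return kept, disposal_log


# Constructed sample data for the demonstration; no real individuals.
SAMPLE_RECORDS = [
    CustomerRecord("c-001", "Sample Customer A", "a@example.com", date(2021, 3, 1)),
    CustomerRecord("c-002", "Sample Customer B", "b@example.com", date(2024, 6, 15)),
    CustomerRecord("c-003", "Sample Customer C", "c@example.com", date(2020, 1, 10),
                   on_hold=True),
]


def run_sample_sweep(today_iso: str = "2025-01-01"):
    """Run the sweep over the sample data as of a fixed date so the result
    is repeatable; returns the kept record ids and the disposal log."""
    kept, log = retention_sweep(SAMPLE_RECORDS, date.fromisoformat(today_iso))
    return [r.record_id for r in kept], log


if __name__ == "__main__":
    kept_ids, log = run_sample_sweep()
    print("kept:", kept_ids)
    for entry in log:
        print("disposed:", entry)
```

In a real system the disposal step would also delete or de-identify the record in every place it lives (backups, exports, spreadsheets), which is why the sweep returns a log you can reconcile against those copies rather than silently dropping rows.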

Notifiable Data Breach

When personal information is lost, or accessed or disclosed without authorisation, it becomes a data breach.  When that breach is likely to result in serious harm to an individual, that breach is notifiable under the Act and must be reported to the individual(s) the information belongs to and to the OAIC.

As an APP Entity, you need to ensure your staff understand what a data breach is, are able to identify when a breach occurs, and can tell whether it is an eligible breach that requires reporting.

For more information, see the OAIC.

Key Takeaways

  • Check if you’re an APP Entity – businesses with $3m+ turnover (and some smaller ones, like health services) must comply with the Privacy Act.

  • Know what you collect – personal information includes more than just names; it can be emails, photos, IP addresses, or even location data.

  • Handle sensitive information with extra care – things like health details, union membership, or sexual orientation require stronger protections.

  • Protect data in every form – not just from hackers, but also from misuse, loss, or unauthorised access (think locked cabinets, restricted staff access, and secure devices).

  • Have a disposal process – remove personal data once you no longer need it.

  • Be breach-ready – know what a notifiable data breach is and ensure your staff can spot and report one.

If you are responsible for an organisation or business and you don’t have a privacy management plan, check out this free template.


Need some help?

Not sure if your business or not-for-profit falls under the Privacy Act—or what steps you should take to protect the information you hold? You don’t have to figure it out alone.

Because compliance doesn’t just tick a box—it keeps your reputation (and your customers) safe.
