Laws around customer information

As a business owner, you’re responsible for protecting your customers’ personal information from:

  • theft
  • misuse
  • interference
  • loss
  • unauthorised access
  • modification
  • disclosure

This is a legal requirement under the Privacy Act 1988 (Privacy Act). When you no longer need your customers’ personal information you must destroy or de-identify it. This includes shredding documents or storing them in a secure area.

1. Check if your business needs to comply

If your business has an annual turnover of more than $3 million, you must comply with the Privacy Act.

If your business has an annual turnover of $3 million or less, you may have responsibilities under the Privacy Act if you’re a:

  • private sector health service provider
  • business that sells or purchases personal information
  • contractor providing services under a contract with the Australian Government
  • credit provider/credit reporting body
  • residential tenancy database operator

2. Decide what information is personal

Personal information is any information where you can identify (or reasonably identify) the person. It doesn’t matter if the information is true, or what form it’s in.

Personal information might include your customers’:

  • name
  • signature
  • address
  • email
  • telephone number
  • date of birth
  • medical records
  • bank account details
  • place of work
  • photos
  • videos
  • information about their opinions

3. Find out how to protect personal information

If the Privacy Act covers your business, you need to comply with the Australian Privacy Principles (APPs). These outline how you must handle, use and manage personal information. It’s a good idea to check the APPs and the APP guidelines – they’ll help you understand your responsibilities. For example, you:

  • must implement practices, procedures and systems to ensure compliance with the APPs and to handle complaints
  • must make available an up-to-date and clear privacy policy, setting out certain information on how you will manage personal information
  • must take reasonable steps to protect the personal information collected or held
  • must take reasonable steps to ensure that personal information collected is accurate, complete and up-to-date
  • must give individuals access to their personal information on request
  • must correct personal information where the individual requests a correction, or where you become aware that it’s
    • inaccurate
    • incomplete
    • out of date
    • irrelevant
    • misleading
  • can only collect personal information if it is necessary for the function or activity of your business
  • must de-identify or delete unsolicited personal information as soon as is practical, if it’s not necessary for the function or activity of your business
  • should not use or disclose personal information for a purpose different from the original purpose of collection, except in limited circumstances
  • generally need the individual’s consent before you may collect and use personal information
  • must not use or disclose personal information for a direct marketing purpose, except in limited circumstances

Even if the Privacy Act doesn’t cover your business, it’s important to handle your customers’ personal information appropriately.

4. Prepare your privacy policy

You need to have a clear and up-to-date privacy policy that outlines the information you collect, what you use it for and how you protect it. It’s a good idea to make this available on your website.

You may wish to seek specific legal advice when drafting your privacy policy or for any other privacy issues.

5. Report notifiable breaches

Your business needs to comply with the Notifiable Data Breaches scheme (as of February 2018). If a data breach involves personal information and is likely to cause serious harm to an individual, you need to notify both the:

  • individual involved
  • Office of the Australian Information Commissioner (OAIC)