Protect your customers' information
You may be legally responsible for protecting your customers’ personal information. Find out what customer information is personal and how to protect it.
1. Know the laws around customer information
Under the Privacy Act 1988, you may be required to protect your customers’ personal information from:
- theft
- misuse
- interference
- loss
- unauthorised access
- modification
- disclosure.
When you no longer need your customers’ personal information, you must destroy or de-identify it.
2. Check if your business needs to comply
If your business has an annual turnover of more than $3 million, you must comply with the Privacy Act.
Some businesses with smaller turnovers still need to comply with the Privacy Act. For example, you must comply with the Act if you’re a:
- private sector health service provider. This includes complementary therapists, gyms, weight loss clinics, childcare centres and private education providers
- business that sells or buys personal information
- contractor providing services under a contract with the Australian Government
- credit provider or credit reporting body
- residential tenancy database operator.
Learn more about which businesses have responsibilities under the Privacy Act (Office of the Australian Information Commissioner).
3. Know what information is personal
Personal information is any information that could be used to identify a person. It doesn’t matter if the information is true or what form it’s in.
Personal information might include your customers’:
- name
- signature
- address, email or phone number
- date of birth
- medical records
- bank details
- photos and videos
- IP address
- opinions that could be used to identify them.
4. Find out how to protect personal information
If the Privacy Act covers your business, you need to comply with the Australian Privacy Principles (APPs). These outline how you must handle, use and manage personal information. You can check the APPs quick reference and APP guidelines to understand your responsibilities.
Even if the Privacy Act doesn’t cover your business, you can follow the APPs to protect your customers’ personal information.
Read more about applying the APPs in small business (Office of the Australian Information Commissioner).
5. Prepare your privacy policy
You need to have a clear and up-to-date privacy policy. This outlines:
- the information you collect
- what you use it for
- how you protect it.
You might like to get legal advice when drafting your privacy policy.
It's a good idea to publish your privacy policy on your website.
Find out how to develop a privacy policy (Office of the Australian Information Commissioner).
6. Report notifiable breaches
If your business is covered by the Privacy Act, you need to comply with the Notifiable Data Breaches scheme.
If a data breach involves personal information and is likely to cause serious harm to someone, you need to notify both the:
- person involved
- Office of the Australian Information Commissioner (OAIC).
Report a data breach (Office of the Australian Information Commissioner).