1. Know the laws around customer information

Under the Privacy Act 1988, you may be required to protect your customers’ personal information from:

  • theft
  • misuse
  • interference
  • loss
  • unauthorised access
  • modification
  • disclosure.

When you no longer need your customers’ personal information, you must destroy or de-identify it.

2. Check if your business needs to comply

If your business has an annual turnover of more than $3 million, you must comply with the Privacy Act.

Some businesses with smaller turnovers still need to comply with the Privacy Act. For example, you must comply with the Act if you’re a:

  • private sector health service provider. This includes complementary therapists, gyms, weight loss clinics, childcare centres and private education providers
  • business that sells or buys personal information
  • contractor providing services under a contract with the Australian Government
  • credit provider or credit reporting body
  • residential tenancy database operator.

3. Know what information is personal

Personal information is any information that could be used to identify a person. It doesn’t matter if the information is true or what form it’s in.

Personal information might include your customers’:

  • name
  • signature
  • address, email or phone number
  • date of birth
  • medical records
  • bank details
  • photos and videos
  • IP address
  • opinions that could be used to identify them.

4. Find out how to protect personal information

If the Privacy Act covers your business, you need to comply with the Australian Privacy Principles (APPs). These outline how you must handle, use and manage personal information. You can check the APPs quick reference and APP guidelines to understand your responsibilities.

Even if the Privacy Act doesn’t cover your business, you can follow the APPs to protect your customers’ personal information.

5. Prepare your privacy policy

You need to have a clear and up-to-date privacy policy. This outlines:

  • the information you collect
  • what you use it for
  • how you protect it.

You might like to get legal advice when drafting your privacy policy.

It’s a good idea to publish your privacy policy on your website.

6. Report notifiable breaches

If your business is covered by the Privacy Act, you need to comply with the Notifiable Data Breaches scheme.

If a data breach involves personal information and is likely to cause serious harm to someone, you need to notify both the:

  • person involved
  • Office of the Australian Information Commissioner (OAIC).