Laws around customer information

As a business owner, you may be required under the Privacy Act 1988 (Privacy Act) to protect your customers’ personal information from:

  • theft
  • misuse
  • interference
  • loss
  • unauthorised access
  • modification
  • disclosure

When you no longer need your customers’ personal information you must destroy or de-identify it. This includes shredding documents or storing them in a secure area.

1. Check if your business needs to comply

If your business has an annual turnover of more than $3 million, you must comply with the Privacy Act.

If your business has an annual turnover of $3 million or less, you may still be required to comply with the Privacy Act depending on your business type and what you do within your business. For example, you will still be required to comply if you’re a:

  • private sector health service provider, including complementary therapists, gyms, weight loss clinics, child care centres and private education providers
  • business that sells or purchases personal information
  • contractor providing services under a contract with the Australian Government
  • credit provider/credit reporting body
  • residential tenancy database operator

Learn more about which businesses have responsibilities under the Privacy Act.

2. Decide what information is personal

Personal information is any information where you can identify (or reasonably identify) an individual. It doesn’t matter if the information is true, or what form it’s in.

Personal information might include your customers’:

  • name
  • signature
  • address, email, telephone number, date of birth
  • medical records
  • bank details
  • photos and videos
  • IP address
  • opinions which can be used to identify them

3. Find out how to protect personal information

If the Privacy Act covers your business, you need to comply with the Australian Privacy Principles (APPs). These outline how you must handle, use and manage personal information. It’s a good idea to check the APPs and the APP guidelines – they’ll help you understand what your responsibilities are.

Even if the Privacy Act doesn’t cover your business, it’s important to handle your customers’ personal information appropriately.

Read the Privacy checklist for small business to find out if your business complies with the APPs.

4. Prepare your privacy policy

You need to have a clear and up-to-date privacy policy that outlines the information you collect, what you use it for and how you protect it. It's a good idea to make this available on your website.

You may wish to seek specific legal advice when drafting your privacy policy or for any other privacy issues.

Find out what you should include in your privacy policy.

5. Report notifiable breaches

If your business is covered by the Privacy Act, then you will need to comply with the Notifiable Data Breaches scheme. If a data breach involves personal information and is likely to cause serious harm to an individual, you need to notify both the:

  • individual involved
  • Office of the Australian Information Commissioner (OAIC)

Lodge a statement about an eligible data breach to the Commissioner through the Notifiable Data Breach statement form.

Read next

Learn about cyber security and protecting your business from cybercrime.

Learn more about what digital operation tools can offer you and what is available.

Find out if you’re processing electronic card payments securely and ensure your customers’ card information is always secure.