
What is the Privacy Act?

10 Aug 2023

In Australia, businesses are responsible for protecting the personal information provided to them by customers. In 1988, the Privacy Act was introduced to regulate how businesses and federal government agencies handle personal information, and ensure that their customers’ privacy is protected.



Who Does the Privacy Act Apply to?


Australian government agencies and organisations with an annual turnover of more than $3 million have responsibilities under the Privacy Act. An organisation can be defined as a sole trader, a body corporate, partnership, trust, or any other unincorporated association.


At the moment, businesses with an annual turnover of less than $3 million are exempt under the “small business exemption” – although this will change if the Federal Government’s proposed amendments to the Privacy Act are implemented.


According to data from the Australian Bureau of Statistics (ABS), out of a total of 2.5 million Australian businesses operating in 2022, over 2.3 million do not need to comply with the Privacy Act under the ‘small business exemption’ *.


Data privacy just isn’t an issue for small businesses – yet.



What is Considered Personal Information?


Personal information is defined as any information that allows you to identify an individual – regardless of whether it is true or what form it is in. This might include your staff or customers’:


• name

• contact details, such as address, email, or phone number

• date of birth

• signature

• banking and credit information

• IP address

• employee record

• medical or health records

• photos or videos

• voice print or facial recognition biometrics

• location information from a mobile device

• opinions that are identifiable.



What Obligations Do Businesses Have?


Under the Privacy Act, organisations must adhere to 13 Australian Privacy Principles (APP) that govern the collection, use and disclosure of personal information. As a business owner, you are required to handle your customers’ personal information in a clear and transparent way, and protect customer information against theft, loss, misuse, interference, modification, and unauthorised access.


This means you need to have a clear and up-to-date privacy policy outlining the information you collect, what you use it for, and how you protect it. It’s a good idea to make your privacy policy available to customers on your website.


You may only collect personal information where it is necessary for your business activities, and this information can only be used or disclosed for the specific purpose it was collected. You must also take reasonable steps to ensure the personal information you collect is accurate, up-to-date, and complete. When you no longer need your customers’ personal information, you must de-identify or destroy it – for example, by shredding documents.


If a data breach occurs, you must comply with the Notifiable Data Breaches Scheme. Where the data breach involves personal information, you’re required to notify the customer or customers involved, as well as the Office of the Australian Information Commissioner (OAIC).



What Rights Do Customers Have?


The Privacy Act gives individuals greater control over how their personal information is handled – so it’s important to understand the rights your customers have. They are allowed to:


• request access to their personal information

• know why their information is being collected, how it will be used, and who it will be disclosed to

• opt out of unwanted direct marketing

• choose not to identify themselves or to use a pseudonym, under certain circumstances

• make a complaint about a business that mishandles their personal information.



What Are the Penalties for Breaching the Privacy Act?


There are severe penalties for failing to comply with the Privacy Act. In 2022, the Federal Government increased the maximum penalty for serious or repeated interference with the privacy of an individual, with fines of up to $50 million for corporate bodies and $2.5 million for non-corporates.


The OAIC was also granted enhanced investigative powers, including the ability to conduct assessments of an organisation’s compliance, obtain information related to suspected data breaches, and share information with other authorities.


If you’re a business owner, or you’re interested in seeing how the upcoming changes to the Privacy Act might impact you, read our article on Privacy Act Reforms here.


* It should be noted that there are a few exceptions to the ‘small business exemption’, for example health service providers, and businesses that trade in personal information for a benefit, service or advantage.




© Secureroo Pty Ltd, 2021-2023