How Do I Comply With the Privacy Act?

As a business owner, you must be aware of the responsibilities that come with collecting, possessing and disclosing information about individuals (“personal information”). This applies even if you unintentionally collect the information or have no plans to use or deal with it in any way. This article explores how you can proactively ensure that your business complies with the Privacy Act 1988 (Cth).

1. Ensure You Have a Privacy Policy

A privacy policy is a standard document for a business that receives or handles personal information. If your business is an APP entity, then you must have a privacy policy. However, even if it is not compulsory for your business, we recommend you have one for best practice. 

An APP entity is subject to the Australian Privacy Principles. Your business may be an APP entity if it: 

  • generates over $3 million in annual turnover; or
  • engages in specific activities, including but not limited to handling health information, trading personal information, or fulfilling a Commonwealth contract. 

You should speak to a lawyer to confirm whether your business is an APP entity.

A privacy policy can address the key Australian Privacy Principles. Your privacy policy should outline to your customers what information you collect from them. Also, your privacy policy should state how you intend to use this information. Businesses commonly use this document for dealings with the public. Furthermore, it can help foster trust amongst your customer base. Your privacy policy should be available to customers through a link or pop-up on your website. If customers can create an account on your website, you should clearly indicate which personal information is optional for them to disclose.

2. Develop a Privacy Manual 

While a privacy policy is a public-facing document, a privacy manual is an internal document that outlines how you will collect, use, store and handle the personal information of people in your organisation. You can introduce a privacy manual into your business through formal training processes. Sometimes businesses appoint a privacy officer who can answer employee questions or take enquiries from the public regarding privacy compliance. You will be more inclined to successfully manage privacy if you ensure your employees understand your policy.

3. Ensure Data Security 

There are some practical methods you can implement to ensure your compliance with the Australian Privacy Principles. This can include limiting access to personal information to authorised personnel who require it to perform their everyday tasks. This can also include only collecting and storing personal information that is absolutely necessary and nothing more, as well as ensuring the proper disposal of personal information if you have no plans to use it. By ensuring you have properly destroyed personal information once you no longer need it, you lessen the likelihood of external third parties gaining access to this information. Periodically reviewing the personal information you store can ensure you are purging outdated or unnecessary data from your systems.

You should implement strong data protection controls, including: 

  • data encryption; 
  • access control;
  • cyber security detection systems; and
  • employee training. 

4. Plan for Data Breaches 

A data breach involves unauthorised access to or disclosure of personal information. In today’s digital landscape, it is not a question of whether your business will experience a data breach but when. Therefore, preparing for these incidents is crucial.

If your business is an APP entity, under the Notifiable Data Breaches (NDB) scheme, you must notify the Office of the Australian Information Commissioner (OAIC) and your affected customers of the breach if it is likely to lead to significant harm to the individuals involved.

You can prepare a Data Breach Response Plan that clearly outlines all roles and responsibilities in handling a data breach. This will position your business in good stead when a data breach occurs, and your business will be able to respond proactively instead of reactively, minimising brand or reputational damage and financial losses. 

5. Privacy Collection Notice

Having a Privacy Collection Notice (PCN) available at the point of collecting personal information of your customers is essential if you are an APP entity, but also best practice if you are not. A PCN is like a mini Privacy Policy and will inform your customers of what personal information you are collecting from the individual in that particular situation, why you are collecting it, and how it will be used or disclosed. 

Key Takeaways

As a business owner, you must ensure your business is compliant with the Privacy Act. Non-compliance with the Privacy Act can have adverse repercussions. Customers may be releasing their information to you through various means. Although collecting personal information may seem easy or straightforward, you must understand and consider your privacy obligations. Whatever your business does, you will likely have some level of access to your customers’ personal information. By keeping the above pointers in mind, you will be better equipped to address privacy issues in your organisation.

If you are unsure of your privacy obligations or what your organisation needs to do to comply with the Privacy Act, contact our experienced privacy lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Elise Willett

Lawyer, LegalVision

Elise is a Lawyer at LegalVision with previous experience in Commercial, Corporate and Estate Planning law. She also has experience in the Wealth Management and Finance sector. Elise provides expert advice to commercial clients, particularly startups and SMEs, on a range of commercial matters.

Qualifications: Bachelor of Laws, Bachelor of Arts, University of Sydney, University of Wollongong, Master of Laws, College of Law.