According to the SME Association of Australia, Small and Medium Enterprises (SMEs) make up about 99.7% of total business in Australia. Small and medium businesses are often thrown together and talked about in the same category, however, there are some significant changes that occur when a small business expands and becomes medium-sized. In this series, we examine the privacy legal considerations that affect medium-sized businesses.

The Privacy Act and Australian Privacy Principles (APPs)

Only businesses that fall under the category of an “Australian Privacy Principle Entity”, or APP Entity, are required to comply with the Privacy Act and the Australian Privacy Principles. For private businesses, an APP entity only includes those with an annual turnover of more than $3 million, with the exception of health service providers, which must comply with the Privacy Act regardless of turnover amount. If your business has grown from a small to medium business, there is a higher chance that you will now be included as an APP Entity.

Implement New Practices to Ensure Compliance

As an APP entity, you must also take reasonable steps to implement any new practices, procedures and systems that will ensure you comply with the APPs. These measures could include starting staff training on the obligations of an APP entity or creating new procedures to manage potential risks and data breaches.

Sensitive Information

The APPs and Privacy Act has placed restrictions on the collection and use of personal and sensitive information. Note that there is a difference between the two; if your business handles sensitive information, the APPs have more stringent obligations where this is concerned. Under the Privacy Act (Cth), sensitive information is defined under section 6 and includes information on:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious beliefs;
  • Membership of a trade union;
  • Sexual orientation or practices;
  • Health.

The APPs state that sensitive information must not be collected unless it is with the consent of the individual and the information is reasonably necessary for the entity’s functions or activities. An organisation also cannot use sensitive information for the purposes of direct marketing unless the individual has consented.

Unsolicited Personal Information

If your business receives unsolicited personal information, you must determine whether or not they could have collected this information for the purposes for or in relation to your business’ functions or activities. If it is determined that you could not have done so, then the information must destroy or de-identify the information as soon as practicable.


All APP entities must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. This may include new procedures or protective measures that will increase the safety of the business’s data.
Furthermore, the APPs makes it mandatory for APP entities to destroy or de-identify personal information if it is no longer needed.

Mandatory Notification Laws

It is also expected that the Federal Government will pass the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 which will make it mandatory for APP entities to give notification if a serious data breach has occurred.

A serious data breach will have occurred if:

  • There is unauthorised access, disclosure or loss of personal information and
  • As a result, there is a risk of serious harm to the individuals involved.

As a medium business, it is expected that your company will hold more substantial data than a small business or startup. Your business then has a higher risk of a data breach and you should be aware of when the amendment will come into effect to remain up to date on your obligations.

COVID-19 Business Survey
LegalVision is conducting a survey on the impact of COVID-19 for businesses across Australia. The survey takes 2 minutes to complete and all responses are anonymous. We would appreciate your input. Take the survey now.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. For just $199 per month, membership unlocks unlimited lawyer consultations, faster turnaround times, free legal templates and members-only discounts.

Learn more about LVConnect

Lachlan McKnight
Need Legal Help? Get a Free Fixed-Fee Quote

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.
Our Awards
  • 2019 Top 25 Startups - LinkedIn 2019 Top 25 Startups - LinkedIn
  • 2019 NewLaw Firm of the Year - Australian Law Awards 2019 NewLaw Firm of the Year - Australian Law Awards
  • 2020 Fastest Growing Law Firm - Financial Times APAC 500 2020 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review 2020 AFR Fast 100 List - Australian Financial Review
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards 2020 Law Firm of the Year Finalist - Australasian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer 2019 Most Innovative Firm - Australasian Lawyer
Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at

View Privacy Policy