Skip to content

5 Key Steps to Assist With Your Privacy Compliance Obligations

If you run a business that collects personal information, it is essential that you are aware of your privacy obligations. The Privacy Act 1988 (Cth) is the main piece of legislation governing privacy law in Australia, containing the Australian Privacy Principles (APPs). The APPs are a set of 13 principles that govern the standards, rights and obligations around the collection, use and disclosure of personal information, who is accountable for that use, and the rights of individuals to access or correct their information. This article will explore five key considerations about privacy compliance for your business. 

The Australian Privacy Principles  

All Australian businesses should comply with the Australian Privacy Principles (APPs) as a form of privacy best practice. It will also help you maintain good customer relationships and reduce complaints. The Office of the Australian Information Commissioner also recommends complying with the APPs.

The only exception is when you are a small business with an annual turnover of less than $3 million. 

Regardless of turnover, you may still be required by law to comply with the APPs. This will be true for you if you: 

  • are a healthcare provider
  • trade in personal information;
  • operate a residential tenancy database; 
  • are a credit reporting body, meaning you provide personal information to other businesses so that they can judge the creditworthiness of an individual; or
  • are a contractor that provides services under a Commonwealth contract. 

Overall, it is important to remember that it is best practice to comply, but only some must comply. 

The APPs were updated in 2015, with new obligations and significant fines for non-compliance. Companies that breach them can be fined up to $10 million, while sole traders can be fined $500,000. To steer clear of these penalties and to stay up to date with privacy best practices, carefully read through the following five steps to help your business achieve optimum privacy compliance.

1. Conduct a Privacy Audit

A great way to start evaluating privacy in your business is to conduct an audit of how you already deal with personal information. In particular, your audit could address:

  • what personal information your business collects;
  • how your organisation uses, discloses and stores personal information; and
  • how you address complaints.

The Privacy Act defines ‘personal information’ and includes any information that allows a person to be identified. For example:

  • names and email addresses;
  • tracking information for Google Analytics; and
  • information collected for your CRM.

You should also be aware of two areas of particular risk. First, when you conduct direct marketing, you need to provide an opt-out mechanism similar to what the Spam Act requires for email and SMS marketing.

Front page of publication
Spam Consent Factsheet

Before sending electronic messages, learn how your business can comply with the Spam Act with our free Spam Consent Factsheet.

Download Now

Secondly, if your business discloses personal information overseas, it may be responsible for any breach of the APPs by the third party it discloses the information to. For example, suppose you disclose personal information to a US-based marketing agency. Likewise, that agency has this information stolen. In this scenario, you may be held liable under Australian law. Therefore, before hiring any overseas third party, you should ensure that you have confidence in their privacy and data security capabilities or that any contractual agreement stipulates the need to comply with your privacy obligations.

Continue reading this article below the form
Loading form

2. Update Your Privacy Policy

You will need to frequently update your privacy policy to comply with the APPs, maintain privacy best practices and reflect your business’ current handling of personal information.

In addition to being up-to-date, your privacy policy should contain clear language and be freely and easily available. It should cover all the points discovered in your privacy audit, such as:

  • what information you collect; 
  • for what purpose you collect information; and 
  • how people can access or correct their information. 

In particular, you will want to state how your business exchanges information with third parties. For example, consider the following questions.

  • Do your customers book through a third-party booking agency?
  • Do you provide personal information to a third-party marketing agency?
  • Are you likely to disclose personal information overseas, and where are the recipients located?

Individuals should also be aware of how they can complain about a breach, or perceived breach, of the APPs. For example, they may discover that:

  • the address you have on file is incorrect; or
  • you have disclosed their information in a way they did not consent to.

Finally, your privacy policy should also explain how your business will deal with a complaint. Privacy complaints may be dealt with by the Office of the Australian Information Commissioner (OAIC) or by you directly. If a complaint is made to you, you must respond to that complaint within a reasonable period of time. 

3. Provide a Privacy Notification

You must provide a privacy notification to individuals when you collect personal information about them (or as soon as practicable after). You can do this by a short notice on each document, form, web page or other means of collection that collects personal information. The privacy notice needs to include why you collect personal information and how you will use and disclose it. The privacy notification essentially covers the items set out in your privacy policy.

4. Draft an Internal Privacy Manual

The APPs require organisations to take reasonable steps to implement procedures and systems to comply with the APPs. Drafting an internal privacy manual is a necessary ‘reasonable step’. It should cover, among other things:

  • an overview of privacy law requirements and why privacy compliance is important;
  • how your organisation collects, stores, uses and discloses personal information;
  • how your organisation will deal with a privacy complaint, a request by an individual for access to their data, or a privacy breach;
  • guidance on receiving personal information from third parties;
  • guidance on providing personal information to third parties, including disclosing personal information overseas; and
  • who is responsible for privacy compliance within your organisation.

5. Train Key Staff and Appoint a Privacy Officer

Finally, your compliance program should train key staff on how to comply with both privacy law and your privacy manual. The OAIC supplies basic training materials, or we can assist you in preparing some tailored, practical training for your organisation. As part of this training, it is prudent to appoint a privacy officer. This ensures that someone in your organisation is directly responsible for privacy compliance.

Key Takeaways

If your business collects personal information, it may need to comply with the APPs. Businesses that must comply include healthcare providers, businesses with an annual turnover of more than $3 million and small businesses that choose to opt in. To help comply with your privacy obligations, following these five key steps is beneficial:

  1. conduct a privacy audit;
  2. update your privacy policy;
  3. provide a privacy notification;
  4. create an internal privacy manual; and
  5. train key staff and appoint a privacy officer.

If your business needs assistance with your privacy obligations, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What are my privacy and security obligations when storing data?

In addition to your Privacy Compliance Manual, you may wish to draft an internal Data Security Manual or Data Breach Response Plan. This manual can detail your internal approach to protecting data, how data breaches could occur, who is responsible for managing breaches and key steps to take to resolve any breach.

How can I ensure third parties comply with my business’ privacy obligations?

On a commercial level, ensuring you trust and have a good working knowledge of a third party’s approach to security and privacy is critical. You can also work to ensure their compliance by including a privacy clause in any agreement with that supplier. Likewise, outline the need to comply with the Privacy Act and, subsequently, the APPs.

Register for our free webinars

Ask an Employment Lawyer: Contracts, Performance and Navigating Dismissals

Online
Ask an employment lawyer your contract, performance and dismissal questions in our free webinar. Register today.
Register Now

Stop Chasing Unpaid Invoices: Payment Terms That Actually Work

Online
Stop chasing late payments with stronger terms and protections. Register for our free webinar.
Register Now

Managing Psychosocial Risks: Employer and Legal Counsel Responsibilities

Online
Protect your business by managing workplace psychosocial risks. Register for our free webinar.
Register Now

Franchisor Compliance Update: Code Obligations from November 2025

Online
Stay compliant with the new franchising updates from November 2025. Register for our free webinar.
Register Now
See more webinars >
Stephanie Long

Stephanie Long

Senior Lawyer | View profile

Stephanie is a Senior Lawyer in LegalVision’s Corporate and Commercial team. She specialises in commercial contracts and business structuring to assist clients in achieving their ambitions with their startups and SMEs.

Qualifications: Bachelor of Laws, Bachelor of Social Sciences, Macquarie University.

Read all articles by Stephanie

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards