Reading time: 5 minutes

If you run a business that collects personal information, you may have to comply with the Australian Privacy Principles (APPs). The APPs were updated in 2015, with new obligations and significant fines for non-compliance. Companies that breach them can be fined up to $1.7 million, while sole traders can be fined $340,000. This guide sets out five key steps to help your business achieve privacy compliance.

Businesses that must comply with the APPs include healthcare providers and any business with an annual turnover of more than $3 million. Healthcare providers must comply with the APPs regardless of turnover. Other businesses that deal in personal information, such as operators of residential tenancy databases, may also need to comply.

However, if your business has turnover under $3 million, you can still opt into the APPs. The Office of the Australian Information Commissioner recommends this as best practice for all businesses to maintain good customer relations and reduce complaints.

1. Conduct a Privacy Audit

Audit your business to understand how you deal with personal information, addressing:

  • what personal information your business collects;
  • how your organisation uses, discloses and stores personal information; and
  • how you address complaints.

‘Personal information’ includes any information that allows a person to be identified. For example:

  • names and email addresses;
  • tracking information for Google Analytics; and
  • information collected for your CRM.

You should also be aware of two areas of particular risk. First, when you conduct direct marketing you need to provide an opt-out mechanism, similar to what the Spam Act requires for email and SMS marketing.

Secondly, if your business discloses personal information overseas, it may be responsible for any breach of the APPs by whom it discloses the information to. For example, if you disclose personal information to a US-based marketing agency, and it allows the information to be stolen, then you may be held liable under Australian law. Therefore, before you hire any overseas third party, you should ensure that you have confidence in  their privacy and data security capabilities.

2. Update Your Privacy Policy

If your privacy policy is over two years old, you will likely need to update it to comply with the recent reforms.

First, ensure that you refer to the APPs, not the National Privacy Principles (NPP). The APPs replaced the NPP in 2014.

Secondly, state how your business exchanges information with third parties. For example:

  • Do your customers book through a third party booking agency?
  • Do you provide personal information to a third party marketing agency?
  • Are you likely to disclose personal information overseas, and where are the recipients located?

Thirdly, explain how an individual can correct their information and how they can complain about a breach of the APPs. For example, they may discover that:

  • the address you have on file is incorrect; or
  • you have disclosed their information in a way they did not consent to.

Your privacy policy should also explain how you’ll deal with a complaint.

3. Provide a Privacy Notification

You must provide a privacy notification to individuals when you collect personal information about them (or as soon as practicable after). This can be done by a short notice on each document that collects personal information. The privacy notice needs to include why you collect the personal information and how you will use and disclose it. The privacy notification essentially covers the items set out in your privacy policy.

4. Draft an Internal Privacy Manual

The APPs require organisations to take reasonable steps to put procedures and systems in place to comply with the APPs. Drafting an internal privacy manual is a necessary ‘reasonable step’. It should cover, among other things:

  • an overview of privacy law requirements and why privacy compliance is important;
  • how your organisation collects, stores, uses and discloses personal information;
  • how your organisation will deal with a privacy complaint, a request by an individual for access to their data, or a privacy breach;
  • guidance on receiving personal information from third parties;
  • guidance on providing personal information to third parties, including disclosing personal information overseas; and
  • who is responsible for privacy compliance within your organisation.

5. Train Key Staff and Appoint a Privacy Officer

Finally, your compliance program should train key staff on how to comply with both privacy law and your privacy manual. The Office of the Australian Information Commission supplies basic training materials, or we can assist you to prepare some tailored, practical training for your organisation. As part of this training, it is prudent to appoint a privacy officer. This ensures that someone in your organisation is directly responsible for privacy compliance.

Key Takeaways

If your business collects personal information, it may need to comply with the APPs. Businesses that must comply include healthcare providers, any business with an annual turnover of more than $3 million and small businesses that choose to opt-in. If you do need to comply, you should follow five steps to ensure privacy compliance:

  1. Conduct a privacy audit
  2. Update your privacy policy
  3. Provide a privacy notification
  4. Create an internal privacy manual
  5. Train key staff and appoint a privacy officer

If your business needs assistance on complying with its privacy obligations, call LegalVision’s online lawyers or fill out the form on this page.


Redundancies and Restructuring: Understanding Your Employer Obligations

Thursday 7 July | 11:00 - 11:45am

If you plan on making a role redundant, it is crucial that you understand your employer obligations. Our free webinar will explain.
Register Now

How to Sponsor Foreign Workers For Your Tech Business

Wednesday 13 July | 11:00 - 11:45am

Need web3 talent for your tech business? Consider sponsoring workers from overseas. Join our free webinar to learn more.
Register Now

Advertising 101: Social Media, Influencers and the Law

Thursday 21 July | 11:00 - 11:45am

Learn how to promote your business on social media without breaking the law. Register for our free webinar today.
Register Now

Structuring for Certainty in Uncertain Times

Tuesday 26 July | 12:00 - 12:45pm

Learn how to structure to weather storm and ensure you can take advantage of the “green shoots” opportunities arising on the other side of a recession.
Register Now

Playing for the Prize: How to Run Trade Promotions

Thursday 28 July | 11:00 - 11:45am

Running a promotion with a prize? Your business has specific trade promotion obligations. Join our free webinar to learn more.
Register Now

Web3 Essentials: Understanding SAFT Agreements

Tuesday 2 August | 11:00 - 11:45am

Learn how SAFT Agreements can help your Web3 business when raising capital. Register today for our free webinar.
Register Now

Understanding Your Annual Franchise Update Obligations

Wednesday 3 August | 11:00 - 11:45am

Franchisors must meet annual reporting obligations each October. Understand your legal requirements by registering for our free webinar today.
Register Now

Legal Essentials for Product Manufacturers

Thursday 11 August | 11:00 - 11:45am

As a product manufacturer, do you know your legal obligations if there is a product recall? Join our free webinar to learn more.
Register Now

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2020 Innovation Award 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Award 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Financial Times Award 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year Award 2021 Law Firm of the Year - Australasian Law Awards
  • 2022 Law Firm of the Year Winner 2022 Law Firm of the Year - Australasian Law Awards