Your business should take privacy compliance seriously. Australian privacy law applies to personal information: any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in a material form.
Examples of personal information include:
- name;
- address;
- email;
- telephone number;
- photographs of people;
- preferences; and
- opinions.
There are many reasons why your business should care about privacy. Whether your business has a legal obligation to comply or not, it is beneficial to take some practical steps to implement good privacy practices and avoid the mistakes seen in the Optus and Medibank data breaches. This article will outline why it is important to comply with privacy laws and how your business can do so.
Why Should You Care About Privacy?
You should ensure your business has sound privacy practices for two core reasons. These are:
- because you have a legal obligation to do so; and
- to establish trust in your business.
Legal Obligation
Firstly, your business may have a legal obligation to meet privacy requirements. While overseas privacy laws such as the European Union's General Data Protection Regulation (GDPR) are well known, Australian privacy laws are less well publicised and less well understood.
However, being unaware of your privacy obligations is not a defence to non-compliance. You must determine which obligations apply to your business and take practical steps to comply with them.
These obligations also continue to change: penalties under the Privacy Act have been increased and further reform is expected, so compliance is not a one-off exercise but something to revisit as the law moves.
Trust and Expectation
In the digital age, privacy has become a focus for individuals and businesses worldwide. With the introduction of prominent overseas privacy laws such as the GDPR and the California Consumer Privacy Act (CCPA), individuals have received a multitude of notices about changes to privacy practices and their enhanced privacy rights, and attention to privacy protections has risen with them.
In addition, the media attention Optus and Medibank have received following their respective data breaches should be a significant deterrent. The lost trust and damage to reputation are hard to quantify and may remain a problem for these businesses for some time.
While not all businesses must comply with Australian privacy laws, trust is the cornerstone of many business relationships, and good privacy management builds trust with customers. Maintaining customer trust where others have failed is paramount and will set your business in good stead.
Further, the public expects that a business will only use their personal information in ways they would reasonably expect. Customers also expect businesses to secure personal information from:
- unauthorised access;
- unauthorised use; or
- loss.
It is, therefore, important to meet these expectations to retain the trust of your customers. This is particularly true if your business handles a lot of personal information, for example if you:
- provide a customer relationship management (CRM) software solution;
- manage people's health information; or
- run a recruitment business.
Which Privacy Laws are Relevant?
The Privacy Act
While overseas laws such as the GDPR and CCPA may be relevant for some Australian businesses, this article focuses on Australian privacy law. The key privacy legislation you should be aware of is the Privacy Act.
The Privacy Act will apply to your business if you have an annual turnover of over $3 million.
If you have a lower turnover, you may still need to comply if you:
- provide a health service and hold health information;
- are a contractor that provides services under a Commonwealth contract;
- are a credit reporting body, meaning you provide personal information to other businesses so that they can judge the creditworthiness of an individual;
- trade in personal information, that is, buy or sell it; or
- fall within certain other specific circumstances.
Within the Privacy Act, there are 13 Australian Privacy Principles (APPs) that set out how your business may:
- collect;
- use;
- disclose; and
- store personal information.
The APPs also set out access and correction rights for individuals and a requirement for regulated businesses to:
- have a privacy policy; and
- include specific details in that policy.
Marketing Laws
You will also need to be aware of the Spam Act if you send electronic marketing, such as email or SMS marketing. The Spam Act prohibits sending commercial electronic messages unless:
- the recipient has consented (expressly, or by inference from an existing business relationship);
- the message identifies you as the sender and includes your contact details; and
- the message contains an unsubscribe facility that remains functional for at least 30 days after the message is sent.
Unsubscribe requests must be honoured within five working days. If you also market by telephone call, you must consider the Do Not Call Register Act.
Health Privacy Laws
If your business handles health information, you may also have obligations under state and territory-based health legislation. Locations that have health record laws that apply to private sector organisations include:
- New South Wales;
- Victoria; and
- the Australian Capital Territory.
Surveillance Device Laws
Surveillance device laws are state- and territory-based laws that must be considered. These apply to activities such as:
- call recording;
- data surveillance; and
- CCTV.
These laws vary across Australia and must be considered carefully if you engage in any form of surveillance. Recording customer calls "for training purposes" is a common surveillance activity, and whether you must notify the other parties or obtain their consent depends on the state or territory.
Navigating Privacy Challenges of Emerging Technologies
New technologies such as AI and facial recognition create new privacy risks for businesses. Automated decision-making can be biased and, when it is not transparent, can deny individuals the ability to understand or challenge decisions made about them. Facial recognition raises issues of consent, of securing biometric data (which is sensitive information under the Privacy Act), and of enabling invasive surveillance. As these technologies grow, the law often lags behind, and businesses cannot wait for updated regulations.
To stay ahead, assess privacy impacts early (for example through a privacy impact assessment), design with privacy in mind, and put strong oversight in place for high-risk AI and facial recognition uses. Failing to address these risks could severely damage customer trust in your business.
6 Practical Tips to Comply With the Privacy Act
As the Privacy Act is the core source of privacy law in Australia, it is useful to take practical steps to comply with this Act, whatever your reason for doing so.
Some practical tips for startups and small businesses to comply with the Privacy Act are:
- if you collect personal information, tell the person that you are collecting it, why, and what you will do with it. A privacy policy and a collection notice shown at the point of collection are the usual ways to do this;
- collect de-identified information where possible, and collect only what you need. If you must collect personal information but want to keep it for longer than strictly necessary, de-identify or destroy it once it is no longer needed for the purpose it was collected for (removing direct identifiers such as names and contact details and generalising the rest so that individuals are no longer reasonably identifiable);
- only use personal information for the purpose it was collected for, or for related purposes the person would reasonably expect. If the information is sensitive (for example health or biometric information), obtain consent to collect, use and disclose it;
- review the third parties you disclose personal information to, confirm that they are reputable and have processes in place to protect the information, and put those expectations in writing in your contracts with them;
- keep personal information safe with technical and organisational security measures (access controls, encryption, logging, staff training) that match the sensitivity of the data, and prepare a data breach response plan that covers how you will contain, assess and, where required under the Notifiable Data Breaches scheme, notify affected individuals and the OAIC; and
- review your privacy procedures from time to time to ensure that you are still complying with your legal obligations.
Key Takeaways
Your business’ compliance with privacy laws is crucial in avoiding investigation by privacy regulators and meeting your customers’ expectations regarding privacy management. You should ensure you understand whether you have legal obligations under privacy laws and, if so, that you are meeting these. Regardless of whether you have a legal obligation to comply, taking practical steps to implement good privacy practices is beneficial.
If you have any questions about implementing this sound privacy practice, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Not only are there changes to the penalties available under the Privacy Act, but the Office of the Australian Information Commissioner (OAIC), the regulator responsible for enforcing the Act, is expected to have new, broader powers to request information, investigate breaches and issue infringement notices.
The main indicator is the location of the people about whom you collect personal information. If they are in California, the CCPA may apply to you; if they are in the UK or the European Union, the GDPR (or the UK GDPR) may apply. However, each of these laws has its own specific tests for when it applies, and you will need specialist advice on whether you must comply.