
Does my business need to comply with the Privacy Act?

The collection of clients’ personal information is an everyday task for many businesses.

Personal information helps businesses give their clients the best possible service. However, many business owners are not aware of the strict privacy rules that operate within Australia. These rules restrict the ways in which they may use the personal information that they collect.

This article will give you some guidance as to whether your business must comply with Australian privacy law, what happens if it does not comply, and how your business can collect and use personal information.

Who needs to comply with the law?
The rules governing privacy are set out in the Privacy Act 1988 (Cth) and the Australian Privacy Principles, which are in Schedule 1 to the Privacy Act (together, the Privacy Rules). Without getting too technical, these rules ensure that, for certain types of businesses, the collection and management of personal information is done in an open and transparent way.

The Australian Privacy Principles must be followed by a wide range of institutions, businesses and people. The organisations that must abide by the Privacy Rules in Australia are outlined below, along with an explanation of how to identify whether your business is one of them.

Any entity which carries on a business with an annual turnover of more than $3 million
The Privacy Rules must be followed by any individual, body corporate, partnership, unincorporated association or trust (an organisation) that carries on a business with an ‘annual turnover’ of more than three million dollars.

This may seem straightforward, but as with almost all legal standards, it is not. The ‘annual turnover’ of a business is defined as the total of:
(a)  the proceeds of sales of goods and/or services;
(b)  commission income;
(c)  repair and service income;
(d)  rent, leasing and hiring income;
(e)  government bounties and subsidies;
(f)   interest, royalties and dividends; and
(g)  other operating income.

If the entity carries on only one business, this amount will usually be close to the turnover figure that the entity reports in its tax return.

If a business has been carried on for only part of the financial year, its annual turnover for that year is calculated on a pro rata basis using the formula set out in the Privacy Act.

Any entity which provides a health service
Entities providing health services to individuals and holding any health information (except employee records) must follow the Privacy Rules.

A health service is an activity performed in relation to an individual that is intended or claimed to:

  • assess, record, maintain or improve an individual’s health;
  • diagnose an individual’s illness or disability;
  • treat an individual’s illness or disability or suspected illness or disability; or
  • dispense on prescription a drug or medicinal preparation by a pharmacist.

The Office of the Australian Information Commissioner (OAIC) gives an overview of the types of organisations that are generally accepted to provide health services. These are:

  • traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals;
  • complementary therapists, such as naturopaths and chiropractors;
  • gyms and weight loss clinics; and
  • child care centres, private schools and private tertiary educational institutions.

As health information is a particularly sensitive category of personal information, any person or organisation that collects health information must abide by strict rules when dealing with it. The types of health information that a health service provider will hold are:

  • information or opinions about:
    • the health or disability of an individual;
    • an individual’s expressed wishes about the future provision of health services to him or her; or
    • a health service provided, or to be provided, to an individual;
  • other personal information collected in the course of providing a health service;
  • personal information collected in connection with a person’s intention to donate organs; and
  • genetic information about a person.

Any entity which discloses personal information about another individual to anyone else for a benefit or provides a benefit in order to collect personal information about another individual
This category covers people and organisations that trade in personal information. For example, marketing and advertising agencies may buy such information to target particular audiences when selling and marketing different products or services. Therefore, traders that use personal information for a purpose other than the one for which it was originally handed over must operate according to the Privacy Rules.

Contracted services providers for a Commonwealth contract
Organisations that fit into the following categories must also comply with the Privacy Rules:
(a)  Parties to a contract with the Commonwealth (or a Commonwealth agency) that are responsible for providing services to the Commonwealth under that contract; and
(b)  Subcontractors under such a Commonwealth contract.

Credit reporting bodies
Lastly, the Privacy Rules apply to any business that involves collecting, holding, using or disclosing personal information about individuals for the purpose of providing other entities with information about the credit worthiness of an individual.

A helpful way to check whether the Privacy Rules apply to your business is to go through the OAIC checklist, which can be found at

What is personal information?
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion is true, and whether or not it is recorded in a material form.

This is a wide category of information, encompassing a person’s name, address, email address, telephone number, date of birth, medical records, bank account details, and opinions about the person.

What are the penalties for non-compliance?
If your business is required to comply with the Privacy Rules and fails to do so, it may be investigated by the OAIC. An OAIC investigation can be instigated either by a complaint from an individual or by the Commissioner on his or her own initiative.

If the Commissioner finds your business to be in breach, he or she has broad powers, including:

  • ordering your business to develop a Privacy Policy, and to take any other steps necessary for it to comply with the Privacy Rules;
  • conciliating any dispute between your business and a complainant; and/or
  • exercising other enforcement powers, including seeking civil penalty orders.

How can I ensure that my business is operating within the law?
While common sense goes a long way in managing the personal information of your clients, common sense alone is not enough. The best option is to make a small investment in having a proper Privacy Policy prepared for your business, and then to follow it closely. This will ensure that your business is conducted in accordance with best practice and complies with Australian law.

Pod Legal can assist you by preparing a Privacy Policy to suit your business and by advising you on a suitable privacy strategy for your business. Contact us to order a Privacy Policy for your business.