The Privacy Act 1988 and Australian Privacy Principles: A Plain-English Guide for SMBs
Most small business owners think of privacy compliance as something that happens once — you grab a privacy policy template, paste it on your website, and move on. That view is both understandable and increasingly costly to maintain. The Privacy Act 1988 (Cth) is a substantive piece of legislation with specific, operational obligations. It tells you what information you can collect, why you can collect it, how you must store it, and what you owe the people whose information you hold. It is not satisfied by a two-paragraph footer statement.
This guide is written for Australian SMB owners and operations managers who want to understand what the law actually requires — not a legal opinion, but a plain-English account of the obligations you are likely to face. Given the significant amendments that received Royal Assent in December 2024, there is also no better time to revisit what you know.
Who Does the Privacy Act Apply To?
The Privacy Act 1988 applies to what the legislation calls "APP entities" — Australian Government agencies and certain private sector organisations. For private sector businesses, the default coverage threshold is an annual turnover of more than $3 million, calculated on a rolling 12-month basis. If your business falls under that threshold, you are not automatically covered — but the threshold is not the whole story.
Several categories of business are covered by the Act regardless of their turnover:
- Health service providers. GPs, dentists, physiotherapists, allied health practitioners, gyms that collect health information about members, and other providers of health services are covered regardless of size. "Health information" is a form of sensitive information under the Act and attracts the highest level of protection.
- Tax file number recipients. If your business receives, stores, or uses employee tax file numbers, the TFN Rules (which operate under the Act) apply to you.
- Credit reporting bodies and credit providers. Businesses that participate in the consumer credit reporting system are covered by specific provisions in the Act regardless of turnover.
- Commonwealth contractors. Businesses that handle personal information under a contract with a Commonwealth agency are covered for that information.
- Voluntary opt-in. Small businesses can elect to be covered by the Act — some do so because their enterprise clients require it contractually.
The 2024 amendments to the Act have expanded its reach in a number of respects, and further reforms remain under consideration following the Privacy Act Review Report (2023). It is worth checking the Office of the Australian Information Commissioner (OAIC) website for the latest guidance on coverage if you are in any doubt.
A practical note for businesses that fall below the threshold: even if you are technically exempt, APP-consistent practices are increasingly expected. Larger clients, particularly ASX-listed companies and government agencies, regularly include data-handling requirements in their procurement contracts. If your business supplies services to enterprise customers, review those contracts carefully — you may be bound by APP-equivalent obligations regardless of your turnover.
What Is Personal Information?
The Act defines personal information as "information or an opinion about an identified individual, or an individual who is reasonably identifiable" — whether the information is true or not, and whether it is recorded in a material form or not. This definition is deliberately wide.
In practice, personal information includes:
- Names, email addresses, phone numbers, and physical addresses
- Employment history and financial information
- Photos, voice recordings, and video footage
- IP addresses and device identifiers, where they can be linked to an identifiable person
- Location data captured by applications or devices
- Cookie-based tracking data that can be associated with a specific individual
- Health information (which is also "sensitive information" — discussed below)
The "reasonably identifiable" standard is important. You do not need to hold a person's name for the information to qualify as personal information. If you hold an email address, an IP address, or a customer ID that — alone or in combination with other information you hold — would allow you to identify the person, that is personal information.
Sensitive information is a subset of personal information with additional protections. It includes racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal records, health information, genetic information, biometric information, and biometric templates. Sensitive information generally requires explicit consent before collection, and its use for direct marketing purposes is prohibited without that consent. If your business collects any of this type of information — even incidentally — you need to apply heightened care.
The key practical point: if you collect email addresses, phone numbers, or names from customers, staff, or website visitors, you are handling personal information under the Act.
The 13 Australian Privacy Principles — Explained Simply
The core obligations of the Privacy Act 1988 for private sector organisations are set out in the 13 Australian Privacy Principles (APPs). The OAIC groups these into five functional categories. Here is a plain-English summary of what each APP requires.
Consideration of privacy (APPs 1–2)
APP 1 — Open and transparent management of personal information. You must manage personal information in an open and transparent way. This means having a clearly expressed, up-to-date privacy policy that is freely available (typically published on your website) and that explains, at minimum, what personal information you collect, how you collect it, why you collect it, and what you do with it. It also requires that you have internal practices and procedures in place to make sure you actually comply with the APPs — not just a policy that sits in a drawer.
APP 2 — Anonymity and pseudonymity. Where it is lawful and practicable to do so, you must give individuals the option to interact with your business without identifying themselves or by using a pseudonym. This is most relevant for enquiry forms and basic information requests. You cannot insist on knowing who someone is unless you genuinely need that information for what they are asking of you.
Collection (APPs 3–5)
APP 3 — Collection of solicited personal information. You may only collect personal information that is "reasonably necessary" for one or more of your functions or activities. For sensitive information, you may only collect it if the individual has consented and the collection is reasonably necessary for your functions. This principle establishes data minimisation at the collection point — only collect what you actually need.
APP 4 — Dealing with unsolicited personal information. If personal information arrives in your hands without you having sought it — an unsolicited email containing someone's details, a form submitted with information you did not request — you must assess whether you could have collected it under APP 3. If not, you must destroy or de-identify it as soon as practicable. You cannot simply retain unsolicited personal information on the basis that it might be useful later.
APP 5 — Notification of collection. At or before the time you collect personal information (or as soon as practicable afterwards if that is not possible), you must take reasonable steps to notify the individual of certain matters: who you are, your contact details, the fact and circumstances of collection, the purpose for which you are collecting the information, and who you might disclose it to. A well-drafted privacy policy, consistently linked from your collection points, typically satisfies APP 5 for standard web and email collection.
Dealing with personal information (APPs 6–8)
APP 6 — Use and disclosure of personal information. Once you have collected personal information for a particular purpose, you may only use or disclose it for that primary purpose, or for a secondary purpose where the individual would reasonably expect you to use it in that way and it is directly related to the primary purpose, or where you have obtained the individual's consent. This is one of the APPs that catches businesses out most frequently. Collecting an email address for a transaction and then adding that person to a marketing list without consent is a breach of APP 6 (and APP 7).
APP 7 — Direct marketing. If you use or disclose personal information for direct marketing, you must provide a simple mechanism by which the individual can opt out of receiving further direct marketing, and you must act on that opt-out promptly. You must not use sensitive information for direct marketing purposes without explicit consent. If you did not collect the information directly from the individual, you must tell them the source on request.
APP 8 — Cross-border disclosure of personal information. If you disclose personal information to an overseas recipient, you remain accountable under Australian law for how that recipient handles it. Before you disclose, you must take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to that information. This has significant implications for cloud services — if your customer data is stored on servers in the United States or the European Union, or processed by a software vendor based overseas, APP 8 applies. See the supply chain cybersecurity considerations that go alongside this obligation.
Integrity (APPs 10–11)
APP 10 — Quality of personal information. You must take reasonable steps to ensure that the personal information you collect, use, or disclose is accurate, up-to-date, complete, and relevant having regard to the purpose for which it is to be used or disclosed. This means periodically reviewing your records and not perpetuating errors you become aware of.
APP 11 — Security of personal information. This is the APP with the most direct operational implications for most SMBs. You must take reasonable steps to protect personal information you hold from misuse, interference, and loss, and from unauthorised access, modification, or disclosure. When personal information is no longer needed for any purpose for which it may be used or disclosed, and you are not required by law to retain it, you must take reasonable steps to destroy it or de-identify it. More detail on what "reasonable steps" looks like in practice is covered in the section below.
Access and correction (APPs 12–13)
APP 12 — Access to personal information. If an individual asks you for access to the personal information you hold about them, you must give them access unless an exception applies. You have 30 days to respond to an access request. Exceptions include where giving access would pose a serious threat to another person's safety, where the information relates to anticipated legal proceedings, or where access would unreasonably impact on the privacy of another individual. You cannot charge for access unless the cost of providing it is genuinely reasonable.
APP 13 — Correction of personal information. If an individual asks you to correct personal information you hold about them because it is inaccurate, out-of-date, incomplete, irrelevant, or misleading, you must take reasonable steps to correct it. If you do not agree that the information requires correction, you must take reasonable steps to associate a notation with the information setting out what correction was sought. Again, you have 30 days to respond.
The 2024 Privacy Act Amendments — What Changed
The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024. It represents the most significant set of changes to Australian privacy law in years, and several of the amendments have direct relevance to SMBs.
Statutory tort for serious invasion of privacy. For the first time, Australian individuals can bring a civil action for damages against an entity or person who has seriously invaded their privacy — without needing to demonstrate economic loss. The tort applies where a person in similar circumstances would have had a reasonable expectation of privacy and the invasion was serious. This significantly raises the stakes of privacy breaches. Previously, enforcement was primarily regulatory (through the OAIC). Now, individuals have a private right of action.
Enhanced OAIC enforcement powers. The OAIC now has greater authority to investigate, take compliance action, and impose penalties. For serious or repeated interference with privacy, the maximum civil penalty for corporations has been increased to $50 million. This is no longer a regulatory environment where non-compliance carries only modest risk.
Children's online privacy protections. The 2024 amendments introduced additional protections for the personal information of children in online environments. Businesses operating services that are likely to be accessed by children are subject to heightened obligations.
Automated decision-making transparency. Organisations that use automated systems to make decisions that have a significant effect on individuals are now required to be transparent about this in their privacy policies. If your business uses algorithmic scoring, automated approval or rejection processes, or AI-driven decision tools that affect customers or employees, this obligation applies.
The Privacy Act Review Report (2023) recommended further significant changes that have not yet been legislated. The reform process is ongoing, and it is worth monitoring OAIC guidance and legislative announcements over the coming years.
What APP 11 (Security) Means in Practice for SMBs
APP 11 is the most operationally significant APP for most businesses handling customer or employee data. The Act requires "reasonable steps" — which is a contextual standard, not a fixed checklist. What is reasonable for a small professional services firm will differ from what is reasonable for a healthcare provider or a business holding sensitive financial data. That said, there are practical measures that OAIC guidance and general IT security practice consistently point to.
Access controls. Only staff who genuinely need access to personal information to perform their role should have it. Admin access to your CRM, accounting system, or HR platform should not be granted by default to everyone in the business. Role-based access controls ensure that personal information is compartmentalised appropriately.
Encryption. Personal information stored digitally should be encrypted at rest and in transit. This means using HTTPS for your website and web applications, encrypting stored files and databases that contain personal data, and avoiding the transmission of personal information in plain-text email without appropriate protections.
Multi-factor authentication. Multi-factor authentication on any system that stores or processes personal information is a baseline expectation. If a staff member's credentials are compromised, MFA is the control that prevents an attacker from accessing the personal information those credentials would otherwise reach. The Essential Eight framework, published by the Australian Signals Directorate, identifies MFA as one of the eight most effective mitigations against cyber intrusion — and it maps directly to APP 11 compliance.
Staff training. Staff who handle personal information must understand what counts as personal information, what their obligations are, and how to recognise situations where a privacy breach may be occurring. An untrained employee forwarding customer records to a personal email account, or responding to a phishing email, is a compliance risk as much as a cybersecurity risk.
Vendor and supplier agreements. If you share personal information with third parties — your accounting software provider, CRM vendor, cloud storage provider, IT support team, or any other supplier — you are responsible for ensuring they handle that information appropriately. APP 8 reinforces this for overseas recipients, but the general security obligation under APP 11 extends to any third party. Your agreements with these suppliers should include specific provisions about how they handle the personal information they access. This connects directly to supply chain cybersecurity practices.
Data minimisation. Do not collect personal information you do not need, and do not retain it longer than necessary. The more personal information you hold, the larger your compliance obligations and the greater your exposure in the event of a breach.
Secure disposal. Personal information you no longer need must not simply be deleted in the ordinary sense — it must be destroyed. Paper documents should be cross-cut shredded. Digital files should be securely wiped (not moved to the recycle bin and emptied). Storage media that is being decommissioned should be physically destroyed or professionally wiped to an appropriate standard.
Breach preparedness. A security breach that exposes personal information may trigger the Notifiable Data Breaches scheme under Part IIIC of the Act. If an eligible data breach occurs — one that is likely to result in serious harm to any of the affected individuals — you have an obligation to notify both the OAIC and the affected individuals. Having a documented response plan in place before a breach occurs is part of what "reasonable steps" looks like. See notifiable data breaches for a detailed account of your obligations under the scheme.
Building a Privacy-Compliant Culture for Your Business
Technical controls matter, but privacy compliance is as much about culture and process as it is about technology. The following steps give you a practical foundation.
Write and publish a plain-English privacy policy. Your privacy policy needs to cover what personal information you collect, how you collect it, why you collect it, how you use and disclose it, whether you disclose it to overseas recipients, how individuals can access or correct their information, and how they can make a complaint. It must be freely available — typically via a link in your website footer and in any collection form. A policy written in clear, readable language is both a legal requirement (APP 1 requires that it be "clearly expressed") and a signal to your customers that you take their privacy seriously.
Conduct a data mapping exercise. You cannot manage what you cannot see. A data mapping exercise involves documenting, systematically, every category of personal information your business collects, where that information is stored, who has access to it, with whom it is shared, and how long it is retained. This does not need to be a complex exercise for most SMBs — a structured spreadsheet is sufficient. But it is essential for understanding your actual compliance posture and identifying gaps.
Review your contracts with cloud providers and third parties. Your CRM, your accounting software, your email platform, your cloud storage — if any of these handle personal information you hold, review the contractual terms. What data processing terms do they include? Where are the servers located? Do they allow sub-processors to access your data? Do they notify you in the event of a breach? These questions are directly relevant to your APP 8 and APP 11 obligations.
Appoint clear responsibility for privacy compliance. Privacy compliance without an owner tends not to happen. Designate someone — a partner, a senior operations manager, or a person in an equivalent role — who is responsible for keeping your privacy policy current, reviewing your data mapping, ensuring staff are trained, and responding to any access or correction requests. In a small business, this person may have many other responsibilities, but privacy compliance needs to be explicitly theirs.
Train your staff. This does not need to be a full-day seminar. A structured briefing on what personal information is, why it matters, what staff can and cannot do with it, and how to handle a suspected breach is sufficient for most SMBs. Refresh the training when there are significant changes to your processes or to the law.
Set a data retention and destruction schedule. Decide how long you retain different categories of personal information — customer records, job applications, employee files, marketing lists — and build a process for reviewing and destroying records that have passed their retention period. Retaining personal information indefinitely is both a compliance risk and an unnecessary security exposure.
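The data-mapping and retention-schedule steps above are easier to keep honest when the review is scripted rather than done by eye. The following Python script is an added example, not code from this article or from Pickle: it takes a small data inventory of the kind a data-mapping spreadsheet holds, applies an assumed per-category retention schedule, and flags records that are past their retention period, sensitive records held without a recorded consent, marketing-list records for people who have opted out, and records whose category has no retention rule at all. The category names, retention periods, record dates and the `consent` and `marketing_opt_out` fields are all constructed for the example and are not terms from the Act; a business would substitute its own categories and periods.

```python
"""Retention and consent review over a small data inventory.

Added illustration for the data-mapping and retention-schedule steps in the
guide. It is not code from the original article or from any vendor named on
the page. The inventory, retention periods and record dates are constructed
sample data; the category names and the consent fields are assumptions for
this example, not terms drawn from the Privacy Act.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule (in days) per inventory category. A business would
# set these from its own legal and operational requirements; these are examples.
RETENTION_DAYS = {
    "customer_record": 7 * 365,
    "job_application": 365,
    "marketing_list": 2 * 365,
    "health_record": 7 * 365,
}

# Categories treated as sensitive information for the purposes of this check.
SENSITIVE_CATEGORIES = {"health_record"}


@dataclass(frozen=True)
class InventoryEntry:
    record_id: str
    category: str
    system: str           # where the data is stored
    owner: str            # who is accountable for it
    collected_on: date
    last_needed_on: date  # last date the record served a live business purpose
    consent: bool         # explicit consent recorded (matters for sensitive data)
    marketing_opt_out: bool = False


def review_inventory(entries, today):
    """Return (record_id, finding) pairs that need action.

    past_retention            older than the category's retention period
                              and no longer needed: destroy or de-identify
    unknown_category          no retention rule, so it cannot be reviewed
                              until the inventory is fixed
    sensitive_without_consent sensitive information held with no recorded
                              explicit consent
    marketing_after_opt_out   marketing-list record still held for someone
                              who has opted out
    """
    findings = []
    for e in entries:
        if e.category not in RETENTION_DAYS:
            findings.append((e.record_id, "unknown_category"))
            continue
        if e.category in SENSITIVE_CATEGORIES and not e.consent:
            findings.append((e.record_id, "sensitive_without_consent"))
        if e.category == "marketing_list" and e.marketing_opt_out:
            findings.append((e.record_id, "marketing_after_opt_out"))
        expiry = e.last_needed_on + timedelta(days=RETENTION_DAYS[e.category])
        if today > expiry:
            findings.append((e.record_id, "past_retention"))
    return findings


# Constructed sample inventory: rows of the kind a data-mapping spreadsheet holds.
SAMPLE_INVENTORY = [
    InventoryEntry("C-001", "customer_record", "CRM", "ops manager",
                   date(2015, 3, 1), date(2016, 6, 30), consent=True),
    InventoryEntry("J-042", "job_application", "HR drive", "office manager",
                   date(2024, 2, 10), date(2024, 3, 1), consent=True),
    InventoryEntry("M-777", "marketing_list", "email platform", "marketing lead",
                   date(2024, 9, 1), date(2025, 9, 1), consent=True,
                   marketing_opt_out=True),
    InventoryEntry("H-003", "health_record", "practice system", "principal",
                   date(2025, 1, 5), date(2025, 1, 5), consent=False),
    InventoryEntry("X-999", "survey_export", "shared drive", "unknown",
                   date(2023, 5, 5), date(2023, 5, 5), consent=False),
]


def sample_findings(today=date(2025, 6, 1)):
    """Run the review over the constructed inventory as at a fixed date."""
    return review_inventory(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for record_id, finding in sample_findings():
        print(f"{record_id}: {finding}")
```

The `unknown_category` finding is deliberate: a record that has no retention rule is a gap in the data map, and the script refuses to pass it silently. Running the review on a schedule, and treating every finding as a ticket for the person who owns privacy compliance, turns the retention schedule from a document into a process.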
How Pickle Supports Privacy Compliance for Australian SMBs
Privacy compliance is not purely a legal or policy exercise. The technical controls that protect personal information — the access management, encryption, authentication, backup, and monitoring that together constitute APP 11 compliance — are the domain of IT. And for most SMBs, maintaining those controls without dedicated IT staff is genuinely difficult.
Pickle's managed IT services are built around the technical layer of compliance. Pickle manages access controls so that personal information is accessible only to the staff who need it. Pickle configures and enforces MFA across business systems. Pickle implements and monitors encryption for data at rest and in transit. Pickle maintains backup and recovery capabilities so that personal information is not lost due to hardware failure or a ransomware incident. And where a security incident does occur, Pickle provides the monitoring and response capability to identify it quickly and limit the damage.
For SMBs operating in the current regulatory environment — where civil penalties reach $50 million for serious breaches, where individuals now have a right of private action, and where the OAIC has broader enforcement powers than ever before — getting the technical foundations right is not optional.
To discuss how Pickle can support your business's privacy compliance posture, call 1300 688 588 or email [email protected].
Frequently Asked Questions
Q: Does the Privacy Act apply to my business if our annual turnover is under $3 million?
A: Not automatically. The $3 million threshold is the default for private sector coverage, but there are significant exceptions. Health service providers of any size are covered. If your business receives employee tax file numbers, the TFN Rules apply. If you handle personal information under a contract with a Commonwealth agency, you are covered for that information. Even if you are technically exempt, your contracts with clients or suppliers may require APP-equivalent practices, and the 2024 amendments have expanded coverage in some respects. Check the OAIC website or seek legal advice if you are unsure.
Q: What is the difference between personal information and sensitive information?
A: Personal information is the broader category — any information or opinion about an identified or reasonably identifiable individual. Sensitive information is a specific subset with higher legal protections. It includes health information, genetic and biometric data, racial or ethnic origin, political opinions, religious beliefs, and sexual orientation. Sensitive information generally requires the individual's explicit consent before you collect it, cannot be used for direct marketing without explicit consent, and must be treated with a higher standard of care throughout its lifecycle.
Q: Can I keep customer data indefinitely for marketing purposes?
A: No. Under APP 11, you must take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose for which it may lawfully be used or disclosed. Retaining customer data indefinitely "just in case" is not compliant. You should establish a data retention schedule that specifies how long different categories of personal information are kept and ensure records are destroyed securely when that period expires. Additionally, APP 7 requires that individuals can opt out of direct marketing at any time — if someone has opted out, you cannot continue to hold their information for marketing purposes.
Q: What are the penalties for a Privacy Act breach in Australia?
A: Following the 2024 amendments, the maximum civil penalty for a corporation for serious or repeated interference with privacy is $50 million. For individuals, the maximum is $2.5 million. Beyond regulatory penalties, the 2024 amendments introduced a statutory tort for serious invasions of privacy — individuals can now sue for damages in their own right, without needing to show economic loss. The OAIC also has the power to make determinations requiring compensation and to accept enforceable undertakings. Penalties at the lower end apply to more minor or isolated breaches; the maximum figures apply to serious or systemic failures.
Q: Do I need a privacy policy if I only collect email addresses for a newsletter?
A: Yes. An email address is personal information under the Act. If your business is covered by the Privacy Act (because your turnover exceeds $3 million, or you fall into a category covered regardless of turnover), APP 1 requires you to have a clearly expressed privacy policy that is freely available to the public. APP 5 requires you to notify individuals at or before collection of the key matters relating to that collection — including what you are collecting, why, and what you will do with it. A linked privacy policy at your signup form satisfies both requirements. If you are a small business below the threshold and technically exempt, publishing a privacy policy is still best practice — particularly because email marketing in Australia is also regulated by the Spam Act 2003 (Cth), which carries its own consent and identification requirements.