A business’s obligations in relation to the collection and storage of personal data are covered under the Privacy Act and the Australian Privacy Principles (APPs) that it contains.

There are 13 principles, and they govern the way in which businesses communicate, request, collect and hold people’s personal information in any type of database your organisation manages.

Australian privacy principles

The principles also affect how businesses can:

  • Handle and process personal information (such as collecting personal data via forms)
  • Use that personal information for direct marketing
  • Disclose personal information to people overseas

If your business has previously been collecting personal data for the purposes of sending electronic direct mail, maintaining customer accounts, running loyalty programs, etc., then it’s likely that you’re already applying the APPs to some extent. But it doesn’t hurt to review your processes and make sure that you comply.

While many small businesses are exempt under the Privacy Act, it is beneficial to take some practical steps to implement good privacy practice whether or not your business has a legal obligation to comply.

The first of the 13 APPs covers the requirements around a privacy policy. There’s a list of things you need to make sure you’re doing, including having a privacy policy which discloses how you collect information, what you are collecting it for and how someone can make a complaint.

If you’re collecting data from people but don’t have a clear reason for collecting it, you could be in breach of the Act. Make sure you’re only asking for what you need to be able to communicate and provide your products and services.

If you are communicating via Electronic Direct Marketing (EDM), SMS or MMS, principle seven covers the minimum requirements that should be included in those communications, including how a recipient can unsubscribe.

As the Privacy Act is the core privacy legislation in Australia, it is useful to take practical steps to comply with this Act, whatever your reason for doing so. However, there are other possibly relevant laws, which may or may not apply based on the location of your business:

  • Marketing Laws
  • Health Privacy Act
  • Surveillance Device Laws

When working with third-party software vendors, you must also ensure that they are compliant in the regions where your staff are located. Collection of personally identifiable information in areas such as Europe is controlled under measures such as the GDPR. These responsibilities will fall on the third-party vendors and should be handled at a supplier level.

What you should be doing

  • Assess whether the Privacy Act applies to your small business
  • Review your data collection processes to ensure they are compliant
  • Review the third parties you disclose personal information to and confirm that they are reputable
  • Put in place security controls for access to personal data
  • Keep in mind that this extends to employee information and personnel files
  • Review your privacy procedures from time to time to ensure that you are complying with your legal obligations

Final Statement:

You should ensure you understand whether you have legal obligations under privacy laws and, if so, that you are meeting these. Regardless of whether you have a legal obligation to comply, it is beneficial to take practical steps to implement good privacy practice.

  • The Office of the Australian Information Commissioner (OAIC) has a great fact sheet that will help you determine if you need to comply