That will depend on several factors. These factors include the type of entity you operate, the kind of industry you are in, your business’s gross annual turnover, the location of your customers, the kind of information you collect, and how you propose to manage and use that information.
NSW privacy laws only apply to the NSW Government, local governments, healthcare providers, and universities. They protect personal information held by those agencies from inappropriate disclosure.
Commonwealth laws about privacy and protection of personal information are not particularly burdensome for most businesses with less than $3 million annual turnover, which do not fall into the other reasonably restricted categories subject to the Commonwealth Privacy Act 1988.
Nevertheless, businesses not strictly required to comply with the Australian Privacy Principles appended to the Privacy Act should consider using at least some of them as a guideline for handling personal information, mainly if they provide goods and services to many different customers. At the very least, businesses should look at Principle 11, covering the security of information from hacking or leaking, and Principle 7, surrounding the use of personal data for direct marketing. (See the Australian Privacy Principles summarised below). Nothing upsets customers like their personal information being stolen, sold or given to other businesses, so there is a distinct business benefit in being careful with personal information.
Does your small business need to comply with the Australian Privacy Principles?
The Commonwealth Privacy Act 1988 only applies to businesses which:
- Have an annual turnover of more than $3 million, or
- Trade in personal information, or
- Provide healthcare, or
- Create or hold health or healthcare records other than employee records, or
- Perform service contracts for the Commonwealth Government, or
- Provide credit reports, or
- Provide telecommunications, or
- Maintain tenancy databases, or
- cover them.
Small business activities covered by the money laundering laws of the Anti-Money Laundering And Counter-Terrorism Financing Act 2006 (Cth) include:
- The carrying on of a finance leasing business;
- Operating a bank or credit union or supplying bank services,
- Providing remittance services facilitating payments made from one party to another,
- Issuing a money order or postal order,
- Issuing shares or derivatives in the course of carrying on a business of issuing or selling securities or derivatives,
- An insurer under a life policy or sinking fund policy,
- The holder of an Australian financial services licence makes arrangements for a person to receive a ‘designated service’ per the Act.
Any businesses engaged in one or several activities above must comply with the Australian Privacy Principles mandated by the Commonwealth Privacy Act 1988, irrespective of business or turnover size.
What is the Australian law on privacy?
Businesses covered by the Act must comply with the thirteen Australian Privacy Principles. In summary, these are:
- Allowing people to use a pseudonym or remain anonymous,
- Collecting solicited personal information following procedures outlined,
- Collecting unsolicited personal information under procedures outlined,
- Notifying people in certain transactions that their information will be collected and held,
- Using or disclosing personal information only following policies outlined,
- Using personal data for direct marketing only following procedures outlined,
- Disclosing personal information overseas only in accordance with procedures outlined,
- Recording, using, and disclosing government-issued identifiers (e.g., driver’s licence numbers) only where necessary and per procedures outlined,
- Ensuring personal information held is accurate, complete, and up to date,
- Securing personal information against hacking or leaking, and destroying or de-identifying it following procedures outlined,
- Rectifying inaccurate personal information where necessary.
In NSW, health service providers are also subject to the Health Records Information Privacy Act 2002 NSW (HRIP Act) requirements.
Metadata retention obligations for some providers of Internet or telephone services
The Australian Telecommunications Act 1997 and the Telecommunications Interception and Access Act 1979 (TIA) apply additional privacy obligations on suppliers of telecommunications services. Certain exceptions under the TIA allow government agencies to access the customer’s telecommunications metadata. Metadata is the activity log of the who, when, how and where someone accessed the telecommunications service. The TIA also requires some telecommunications service providers to oversee metadata retention for two years.
The Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022 (Cth) enables an Internet or phone service provider to disclose specific customer data to financial services entities. When handling such information, financial services entities must comply with the requirements in the Telecommunications Regulations 2021 and their existing obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Is an Australian-based business offering goods or services to people in Europe required to have a data protection policy?