The Privacy Act - is your business compliant?

Customer data is an asset in the world of commerce. Protecting customer information with a robust Privacy Policy can protect not only your customers, but also your business. Associate Principal Caroline Callegari explains.


With consumers sharing ever more information online, and businesses using new methods to collect information about their customers, it is becoming more and more important to ensure that, as a business, you have an up-to-date and enforceable Privacy Policy. It is also important that you have steps in place to ensure the protection of the personal information you collect, given the growing risk that personal data may be compromised by third parties.

For any business, and individuals, too, it is more important than ever to understand how privacy law operates in Australia, what you need to do to ensure you don’t fall foul of the Privacy Act 1988 (Cth) (“The Privacy Act”) and how a breach may affect your business. Penalties for non-compliance are increasing.

What is the purpose of the Privacy Act?

The purpose of the Privacy Act is to protect the personal information collected, utilised and stored by businesses.

It restricts a business to using the information only for the purposes disclosed, and only with the consent of the person who provided the personal information.

Who does it apply to?

The Privacy Act applies to large businesses automatically, but it also applies to many smaller businesses. So it is important to check whether you need to be compliant. Even if you are not captured by the coverage of the Privacy Act, it is still good practice to have a Privacy Policy and to be careful in how you collect, use and store personal information.

Under the Privacy Act, a “large business” is defined as an entity with a turnover greater than $3 million per annum. Importantly, the Privacy Act also applies to not-for-profit operators where the turnover is greater than $3 million.

The Privacy Act also applies to health service providers, such as hospitals, irrespective of their size and annual turnover.

In addition, the Act may also apply to a "small business", if it has an annual turnover of less than $3 million and it does any of the following:

  • trades in personal information (e.g. selling customer databases);
  • provides services under a Commonwealth contract;
  • holds a residential tenancy database;
  • is related to a larger business (e.g. a subsidiary business); or
  • is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act.

The Australian Privacy Principles

Under the Privacy Act, there are 13 Australian Privacy Principles which set out:

  • how personal information can be collected and managed;
  • the manner in which personal information can be used for direct marketing;
  • in what circumstances personal information is able to be disclosed and to whom; and
  • whether or not personal information can be disclosed to parties located overseas.

The most up-to-date version of the Principles can be found on the website of the Office of the Australian Information Commissioner.

How do you make sure you are complying with the Privacy Act?

The first step is to have a properly drafted, easy to understand and comprehensive Privacy Policy, and to ensure that it is communicated to all your customers and understood by your employees.

You should also regularly review it to make sure you have captured all the different ways you might wish to use the information and the ways you share it.

How is the Privacy Act enforced?

Compliance with the Privacy Act is overseen by the Office of the Australian Information Commissioner.

The Commissioner has the following powers:

  • To investigate serious breaches (including the right to impose significant penalties on businesses);
  • To assess the privacy performance of businesses; and
  • To require Federal government agencies to conduct privacy impact assessments.

What about data breaches?

There are also obligations on businesses where the information they hold may have been the subject of a serious data breach and the personal information they hold compromised. Please see our article, "Failure to adequately manage cyber-security risks in the financial services industry", on what those obligations are and the consequences of not complying with notification requirements.

What are the penalties for breaching the Privacy Act?

Civil penalties may be imposed on businesses that fail to comply with their responsibilities under the Privacy Act.

For a serious or repeated breach, the penalty is substantial - $2,500,000 for a person, and for a company or other entity covered by the Act, an amount not exceeding the greater of:

  • $50,000,000; or
  • three times the value of the benefit derived by the business (including any related businesses), whether directly or indirectly.

If the court cannot determine the value of the benefit, the fine imposed will be 30% of the business’s adjusted turnover during the breach.

Depending on the nature of the breach and the organisation at fault, civil penalties can also be applied under the My Health Records Act 2012 and the Competition and Consumer Act 2010. For a very serious breach, it is possible that a criminal order may be imposed.

Further, being the subject of a Privacy Act complaint is not only potentially costly, but could also hurt your reputation.

Compliance tips!

The first step is to familiarise yourself with the Privacy Act, or seek legal assistance, to determine whether the Privacy Act applies to your business or not-for-profit enterprise.

Secondly, business owners and managers should take practical legal steps to ensure that the entity complies with each of the 13 Australian Privacy Principles. If in doubt, contact the Office of the Australian Information Commissioner or, again, seek legal advice.

How can Sharrock Pitman Legal help?

For assistance with drafting a Privacy Policy or for a review of your current policy, please contact our Commercial Law Team on 1300 205506 or by email

If you want to know in what circumstances you are protected where you are asked to disclose personal information to a third party (and not for the purpose it was collected), or are the subject of an investigation or complaint that there has been a breach of the Privacy Act, please contact Caroline Callegari of our Disputes & Litigation Department on (03) 8561 3324 or by email at

The information contained in this article is intended to be of a general nature only and should not be relied upon as legal advice. Any legal matters should be discussed specifically with one of our lawyers.

Liability limited by a scheme approved under Professional Standards Legislation.

For further information contact Caroline Callegari.

Caroline Callegari is an Associate Principal and leads our Disputes & Litigation team. She has an advisory and advocacy practice in the following areas: commercial litigation, corporate and personal disputes, debt recovery, and insolvency and bankruptcy matters. Caroline can be contacted on (03) 8561 3324 or by emailing

