Most businesses and not-for-profit organisations with an annual turnover greater than $3 million will be subject to the Privacy Act. The Privacy Act also covers some specific types of businesses and not-for-profits with less than $3 million annual turnover, including:
- Private sector health service providers. (This includes a very broad range of businesses, including hospitals, doctors’ clinics, and similar traditional health service providers, but also gyms, weight loss clinics, childcare centres, and private schools.)
- Employee associations under the Fair Work (Registered Organisations) Act 2009.
- Contracted service providers for a Commonwealth contract.
- Businesses that sell or purchase personal information.
- Credit reporting bodies.
- Businesses related to a business that is covered by the Privacy Act (e.g. a subsidiary of a company covered by the Privacy Act).
- Other types of businesses prescribed by regulations.
If the Privacy Act does apply to your business or not-for-profit, then you need to comply with the Australian Privacy Principles. The Australian Privacy Principles only took effect in March 2014.*
- the kinds of personal information that your business collects and holds;
- how you collect and hold personal information;
- the purposes for which you collect, hold, use and disclose personal information;
- how an individual may access personal information about that individual that is held by your business and seek the correction of such information;
- how an individual may complain about a breach of the Australian Privacy Principles and how your business will deal with such a complaint;
- whether your business is likely to disclose personal information to overseas recipients; and
- if your business is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
We can also provide advice about broader privacy issues, such as advice as to whether your business practices in relation to your customers’ personal information are fully compliant with privacy laws.
* Note: If you are doing your own research about the Australian Privacy Principles, be careful not to confuse them with the “National Privacy Principles”. The National Privacy Principles applied to businesses before March 2014, and they are quite different to the Australian Privacy Principles. The National Privacy Principles have now been repealed, but there is still a lot of information about them on the Internet, which could be misleading.