What are your current obligations under the Privacy Act?

After almost 10 million Optus customers and around four million Medibank members were potentially affected by recent data hacks, there is talk of class actions being launched, either for negligence or breach of privacy.

The government has also announced changes to the Privacy Act including significantly higher fines for serious privacy breaches, and additional powers for the information commissioner.

This may have you wondering – what obligations does my business have under the Privacy Act right now, to protect customers’ privacy?

Privacy Act

The Privacy Act 1988 is federal legislation that governs how personal information should be collected, used, stored and disclosed in Australia.

If a business’s annual turnover is more than $3 million it must comply with the Privacy Act. If a business has an annual turnover of $3 million or less, it is classified as a small business. Only some small businesses are covered by the Privacy Act, including those that ‘trade in personal information’, health service providers and credit reporting agencies.

The Office of the Australian Information Commissioner has a helpful checklist for small businesses to help them work out if they are covered by the Privacy Act. It is important to know if your business is covered by the Privacy Act because if it is, your business has some obligations in relation to protecting the privacy of its customers.

Privacy principles

At the end of the Privacy Act is a schedule of 13 Australian Privacy Principles that all businesses covered by the Privacy Act must comply with.

One key thing to know is that if your business is covered by the Privacy Act, you must have a privacy policy that complies with the requirements of the Privacy Act.

There are some other obligations on businesses in relation to their customers’ personal information, including but not limited to:

  • notifying a person when their personal information has been collected;
  • only using a person’s personal information for the purpose specified;
  • not using a person’s personal information for direct marketing;
  • allowing a person access to their personal information; and
  • updating a person’s personal information if it is out of date or inaccurate.

Destroying personal information

One of the issues that has arisen in the Optus breach is that it appears that Optus may have been holding personal information of customers that they no longer needed to hold.

Some of the Privacy Principles require businesses to destroy personal information in certain circumstances. For example, Privacy Principle #4 says that if a business receives unsolicited personal information about a person, they must either destroy or de-identify the information.

Likewise, Privacy Principle #11 says that if a business holds personal information that it no longer needs for any purpose that is allowed under the Privacy Principles, it must destroy or de-identify the information.

Data breach reporting obligations

After Optus found out about their data breach, they notified relevant agencies and individuals of the breach. This was because of a scheme called the Notifiable Data Breach Scheme that requires businesses to notify the Office of the Australian Information Commissioner and affected individuals if:

  • there is unauthorised access to personal information; or
  • there is unauthorised disclosure of personal information; or
  • personal information is lost;

and

  • the above event(s) is likely to result in serious harm to one or more individuals; and
  • the business has not been able to prevent the likely risk of serious harm with remedial action.

If you’re unsure about your obligations under the Privacy Act, now would be a good time to seek legal advice to ensure you are compliant. At the same time, have an IT expert review your data and cyber security protocols, as hackers are increasingly targeting small businesses.