data breach, personal information, Privacy Week, Working From Home, Myths V Facts, Data Breach, Personal information

Myth v Fact – Small Business and the Privacy Act

06 May 2020

We’re a small business. The Privacy Act and Notifiable Data Breach Scheme don’t apply to us.

Generally, businesses do not need to comply with the Privacy Act until their annual turnover reaches $3 million. However, some businesses are required to comply regardless of their size.

This includes businesses that:

  • provide a health service (this captures almost all businesses in the health, well-being and medical space);
  • provide services to the Commonwealth government; or
  • are related to another organisation that has an annual turnover of more than $3 million.

Where compliance is not mandatory, a properly implemented privacy policy is a helpful tool to allow you to use personal information to help your business (including by carrying out direct marketing). In addition, consumers now also expect businesses to handle their personal information in accordance with the Privacy Act and to be transparent in relation to their personal information handling practices.

If you are required to comply with the Privacy Act, you must also comply with the Notifiable Data Breach Scheme. This requires mandatory reporting of data breaches to the Privacy Commissioner and affected individuals.

Talk to our Privacy and Data Protection team to properly understand your obligations.

Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon as, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.

Liability limited by a scheme approved under Professional Standards Legislation.

©2020 Rigby Cooke Lawyers