Protecting your customers' information

Privacy laws govern how you collect, store and use your customers' personal information.

As a business owner, you have the responsibility to:

  • Protect personal information from:
    • theft
    • misuse
    • interference
    • loss
    • unauthorised access
    • modification
    • disclosure.
  • Take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose permitted under the Privacy Act 1988. For paper records this might mean shredding them; for electronic records it might mean securely erasing them or removing the details that identify the individual.

What is the Privacy Act?

The Privacy Act 1988 (Privacy Act) is an Australian law which regulates the handling, storage, access and correction of personal information about individuals. The Privacy Act includes thirteen Australian Privacy Principles (APPs) that businesses covered by the Privacy Act must comply with.

Defining customers' personal information

Customers' personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable. It doesn't matter whether the information or opinion is true, or what form it is recorded in.

Personal information might include your customers’:

  • name
  • signature
  • address
  • email
  • telephone number
  • date of birth
  • medical records
  • bank account details
  • where they work
  • photos
  • videos
  • information about their opinions.

Does your business need to comply with the Privacy Act 1988?

Businesses with an annual turnover of more than $3 million must comply with the Privacy Act 1988. Some small businesses with an annual turnover of $3 million or less also have responsibilities under the Privacy Act if they are:

  • private sector health service providers
  • businesses that sell or purchase personal information
  • contractors providing services under a contract with the Australian Government
  • credit providers and credit reporting bodies
  • operators of a residential tenancy database.

Australian Privacy Principles (APPs)

The Australian Privacy Principles (APPs) are the legally binding principles that businesses covered by the Privacy Act must comply with. It's a good idea to consult the APPs and the APP guidelines published by the Office of the Australian Information Commissioner to help you understand your responsibilities, such as:

  • You must implement practices, procedures and systems to ensure compliance with the APPs and to handle complaints.
  • You must make available an up-to-date and clear privacy policy, setting out certain information on how you will manage personal information.
  • You must take reasonable steps to protect the personal information collected or held.
  • You must take reasonable steps to ensure that personal information collected is accurate, complete and up to date.
  • You must give individuals access to their personal information on request.
  • You must correct personal information where you become aware that it is:
    • inaccurate
    • incomplete
    • out of date
    • irrelevant
    • misleading
  • You must also correct personal information where the individual requests it.
  • You can only collect personal information if it is necessary for the function or activity of your business.
  • You must de-identify or delete unsolicited personal information as soon as is practical, if it is not necessary for the function or activity of your business.
  • You should not use or disclose personal information for a purpose different from the original purpose of collection, except in limited circumstances.
  • Although you can collect and use personal information, you generally need the individual's consent first, in particular for sensitive information such as health records.
  • You must not use or disclose personal information for a direct marketing purpose, except in limited circumstances.

Even if the Privacy Act doesn't cover your business, it's important to handle your customers' personal information appropriately.

Drafting your privacy policy

You need to have a clear and up to date privacy policy that outlines:

  • what personal information you collect
  • what you use it for
  • how you protect it.

It's a good idea to make this available on your website.

You may wish to seek specific legal advice in relation to the drafting of your privacy policy or any other privacy issues you may encounter.

If you would like more information on what you should include in your privacy policy, the Office of the Australian Information Commissioner is a good place to start.
