1. Know the laws around customer information

As a business owner, you may be required under the Privacy Act 1988 (Privacy Act) to protect your customers’ personal information from:

  • theft
  • misuse
  • interference
  • loss
  • unauthorised access
  • modification
  • disclosure.

When you no longer need your customers’ personal information, and you are not required by law to keep it, you must take reasonable steps to destroy or de-identify it. For paper records this means shredding; for digital records it means securely erasing all copies, including backups. Locking records in a secure area is a way of protecting information you still need, not a substitute for destroying it.

2. Check if your business needs to comply

If your business has an annual turnover of more than $3 million, you must comply with the Privacy Act.

If your business has an annual turnover of $3 million or less, you may still need to comply with the Privacy Act depending on what your business does. For example, you need to comply with the Act if you’re a:

  • private sector health service provider. This includes complementary therapists, gyms, weight loss clinics, child care centres and private education providers
  • business that sells or buys personal information
  • contractor providing services under a contract with the Australian Government
  • credit provider or credit reporting body
  • residential tenancy database operator.

3. Decide what information is personal

Personal information is any information or opinion about an identified individual, or an individual who is reasonably identifiable. It doesn’t matter whether the information is true, or whether it is recorded on paper, electronically or in some other form.

Personal information might include your customers’:

  • name
  • signature
  • address, email, telephone number and date of birth
  • medical records
  • bank details
  • photos and videos
  • IP address
  • opinions which could be used to identify them.

4. Find out how to protect personal information

If the Privacy Act covers your business, you need to comply with the Australian Privacy Principles (APPs). These outline how you must handle, use and manage personal information. It’s a good idea to check the APPs and the APP guidelines to understand your responsibilities.

Even if the Privacy Act doesn’t cover your business, it’s important to handle your customers’ personal information appropriately.

5. Prepare your privacy policy

You need to have a clear and up-to-date privacy policy. This outlines the information you collect, what you use it for and how you protect it. It's a good idea to make your privacy policy available on your website.

You may wish to seek legal advice when drafting your privacy policy or for any other privacy issues.

6. Report notifiable breaches

If your business is covered by the Privacy Act, you need to comply with the Notifiable Data Breaches scheme. A notifiable breach is one where personal information is lost, accessed or disclosed without authorisation, and this is likely to result in serious harm to any of the individuals the information is about. If you only suspect a breach, you have 30 days to assess whether it is notifiable. If it is, you need to notify, as soon as practicable, both the:

  • individuals at risk of serious harm
  • Office of the Australian Information Commissioner (OAIC).
