Privacy Act Reform: What Australian Small Businesses Need to Know
The Australian government’s Privacy Act reform, which came into effect in stages throughout 2025 and early 2026, fundamentally changes privacy obligations for small businesses. Until now, only businesses turning over more than $3 million a year were covered; under the reforms, a business below that threshold is subject to the same privacy laws as large corporations.
For years, small businesses with annual turnover of $3 million or less were exempt from the Privacy Act unless they provided health services or otherwise held health information, traded in personal information, or fell into a handful of other carve-outs. That exemption is gone. If you collect personal information from customers, employees, or suppliers (and every business does), you now have legal obligations around how you collect, use, store, and disclose that information.
Most small business owners I speak to are either unaware of the changes or overwhelmed by what compliance actually means. Let me break it down.
What Counts as Personal Information
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is written down. This includes obvious things like names, addresses, email addresses, and phone numbers. But it also includes:
- Financial information (bank account details, payment history)
- Employment information (salary, performance reviews, employment contracts)
- Health information (medical certificates, workers’ compensation claims)
- Location data (if you track deliveries or staff movements)
- Digital identifiers (IP addresses, device IDs, cookies)
- Biometric data (fingerprints, facial recognition data)
If your business has customer records, employee files, or supplier contacts, you’re handling personal information. Note that health and biometric information (along with things like racial or ethnic origin, political opinions, sexual orientation, and criminal record) is classed as sensitive information, which generally requires the person’s consent to collect and attracts stricter rules on use and disclosure.
The Core Obligations
The Privacy Act requires businesses that handle personal information to follow 13 Australian Privacy Principles (APPs). Here are the most practically relevant ones for small businesses:
APP 1: Open and Transparent Management of Personal Information
You must have a privacy policy that explains what personal information you collect, how you use it, who you disclose it to, and how people can access or correct their information. The policy must be publicly available—typically on your website.
This isn’t a 50-page legal document. A clear, plain-English policy of 2-3 pages is fine. Templates are available from the Office of the Australian Information Commissioner (OAIC).
APP 3: Collection of Solicited Personal Information
You can only collect personal information that’s reasonably necessary for your business functions. You can’t collect information “just in case” it’s useful later. And you must collect it lawfully and fairly—no deceptive practices.
Practical example: If you run a plumbing business, you need customer names, contact details, and addresses for service delivery. You don’t need their date of birth, marital status, or social media profiles. Collecting unnecessary information violates APP 3.
APP 5: Notification of Collection
When you collect personal information, you must tell people:
- Your identity and contact details
- Why you’re collecting the information
- Who you’ll disclose it to
- Whether disclosure is required or authorised by law
- Whether they can access and correct the information
- Your privacy policy details
This can be done through a privacy collection statement at the point of collection (e.g., a notice on a form or website, or verbal notification when collecting over the phone).
APP 6: Use or Disclosure of Personal Information
You can only use or disclose personal information for the primary purpose for which it was collected, unless the person consents to another use, they would reasonably expect it and the secondary purpose is related to the primary one (directly related, for sensitive information), or a legal exception applies (such as a requirement under an Australian law or a court order, or certain law enforcement requests).
Practical example: If you collect customer email addresses for sending invoices, you can’t later use those addresses for marketing newsletters without consent. Direct marketing has its own rules under APP 7, and commercial electronic messages are also governed by the Spam Act, so treat marketing as a separate purpose from the outset.
APP 11: Security of Personal Information
You must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.
What’s “reasonable” depends on the sensitivity of the information, the amount held, and the potential harm from a breach. At minimum:
- Password-protect and lock computers and devices, and use multi-factor authentication on any system that holds personal information
- Encrypt sensitive data, both on disk and in transit
- Limit access to personal information to employees who need it for their role, and remove that access when they change roles or leave
- Dispose of information securely when no longer needed (shred paper records, securely erase or physically destroy digital storage)
APP 12: Access and Correction
People have the right to access the personal information your business holds about them and to ask you to correct it if it’s inaccurate, out of date, incomplete, irrelevant, or misleading. The Act requires organisations to respond within a reasonable period; the OAIC’s guidance treats 30 days as the benchmark. If you refuse access or correction, you must give written reasons and explain how the person can complain.
Data Breach Notification
Under the Notifiable Data Breaches (NDB) scheme, if your business experiences a data breach that’s likely to result in serious harm to any of the individuals concerned, and you can’t remediate it in time to prevent that harm, you must:
- Notify the OAIC, using its online notification form
- Notify affected individuals as soon as practicable (directly where possible; otherwise by publishing the statement and taking reasonable steps to publicise it)
- Include specific details: your identity and contact details, what happened, what kinds of information were involved, and recommended steps for affected individuals
If you only suspect that a breach is notifiable, you must assess it quickly: the scheme allows at most 30 days from when you became aware of the grounds for suspicion.
“Serious harm” includes identity theft, financial loss, serious physical or psychological harm, or harm to reputation. A breach where customer credit card details, passwords, or health information is accessed usually meets this threshold. Keep a written record of every breach, notifiable or not; it is how you show the OAIC that you assessed it properly.
Penalties for Non-Compliance
The reformed Privacy Act significantly increased penalties. A serious interference with privacy can attract a civil penalty of up to the greatest of:
- $50 million
- Three times the value of any benefit obtained through the breach
- 30% of the company’s adjusted turnover during the breach period
The reforms also added lower-tier penalties and infringement notices for less serious and administrative contraventions (such as not having a compliant privacy policy), so “serious” is no longer the only trigger. Even so, for small businesses the most likely enforcement outcome for non-compliance isn’t a massive fine; it’s a determination by the OAIC requiring you to take specific actions (like implementing better security measures or compensating affected individuals), plus the reputational damage that follows.
Practical Steps for Compliance
If you’re just starting on privacy compliance, here’s a priority order:
1. Create a privacy policy. Use the OAIC template. Customise it to your business. Put it on your website. This takes 1-2 hours.
2. Audit what personal information you hold. Go through customer databases, employee files, supplier records, and systems (email, CRM, accounting software). Document what you have and why you need it.
3. Review your collection practices. Are you collecting information you don’t actually need? Are you telling people why you’re collecting it? Adjust forms, websites, and processes accordingly.
4. Improve data security. Use strong passwords, enable two-factor authentication on systems that hold personal information, encrypt sensitive data, and limit access to personal information to only employees who need it.
5. Set up access request procedures. Create a process for responding to requests from individuals who want to access or correct their personal information. Assign someone to handle these requests.
6. Understand breach obligations. Make sure you know what constitutes a notifiable breach and who in your business would handle notification if one occurs.
7. Train staff. Your employees need to understand privacy obligations, especially those who handle customer information, answer phones, or manage systems. A 30-minute training session annually is sufficient for most small businesses.
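Step 2, the audit, is easier if you can scan exports from your systems rather than reading every record by hand. The script below is an added example and is not code from the original article or from the OAIC. It runs over a small set of constructed sample records (embedded in the script) and reports which of the categories listed earlier appear: email addresses and Australian phone numbers, plus, going beyond the article’s own list, tax file numbers and payment card numbers. The last two are validated with their check digits so that order and tracking numbers are not miscounted. The regexes, the category names, and the “high risk” set that ties card and TFN data to the breach section are all this example’s own assumptions.

```python
"""Personal-information inventory scan for the 'audit what you hold' step.

Added example, not code from the original article or the OAIC. It scans
constructed sample records for email addresses, Australian phone numbers,
tax file numbers and payment card numbers. Regexes, categories and the
HIGH_RISK set are assumptions made for this example.
"""
import re
from collections import Counter

# Constructed sample export, the kind of text a CRM or spreadsheet dump produces.
SAMPLE_RECORDS = [
    "Jane Citizen, jane@example.com.au, 0412 345 678, invoice #1001",
    "Plumbing job 2024-03-01: 12 Example St, Brisbane QLD 4000, call 07 3000 0000",
    "Payroll note: TFN 123 456 782 on file, DOB 1990-01-01",
    "Card on file: 4111 1111 1111 1111 exp 12/27",
    "Order ref 987654321 shipped; tracking 12345678901234",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Australian mobiles (04xx xxx xxx) and landlines (0x xxxx xxxx); spaces optional.
AU_PHONE_RE = re.compile(r"\b(?:04\d{2}\s?\d{3}\s?\d{3}|0[2378]\s?\d{4}\s?\d{4})\b")
TFN_RE = re.compile(r"\b\d{3}\s?\d{3}\s?\d{3}\b")   # 9 digits, optional spaces
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")    # 13-19 digits, spaces or dashes

# Categories whose exposure the article says usually meets the NDB "serious harm" bar.
HIGH_RISK = {"tfn", "card"}


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_ok(digits: str) -> bool:
    """ATO tax file number check: weighted digit sum divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def scan_record(text: str) -> dict:
    """Return {category: [values]} for the personal information found in one record."""
    found = {
        "email": EMAIL_RE.findall(text),
        "phone": AU_PHONE_RE.findall(text),
        "tfn": [],
        "card": [],
    }
    for m in TFN_RE.findall(text):
        digits = re.sub(r"\D", "", m)
        if tfn_ok(digits):          # drop 9-digit runs that fail the check digit
            found["tfn"].append(digits)
    for m in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", m)
        if luhn_ok(digits):         # drop tracking/order numbers that fail Luhn
            found["card"].append(digits)
    return {k: v for k, v in found.items() if v}


def inventory(records) -> tuple:
    """Count hits per category and list indexes of records holding high-risk data."""
    counts = Counter()
    high_risk_records = []
    for i, rec in enumerate(records):
        hits = scan_record(rec)
        for kind, values in hits.items():
            counts[kind] += len(values)
        if HIGH_RISK.intersection(hits):
            high_risk_records.append(i)
    return dict(counts), high_risk_records


if __name__ == "__main__":
    counts, risky = inventory(SAMPLE_RECORDS)
    for kind, n in sorted(counts.items()):
        print(f"{kind:6s} {n}")
    print("records needing APP 11 protection and a breach plan:", risky)
```

On the sample data the scan counts one email, two phone numbers, one TFN and one card, and flags records 2 and 3 (the payroll note and the card on file) as high risk; the order and tracking numbers in the last record are ignored because they fail their check digits. Pattern matching cannot find names or street addresses reliably, so use a scan like this to locate the obvious identifiers and then review the remaining columns of each export by hand.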
Exemptions and Carve-Outs
While the small business exemption is gone, there are still some categories of information not covered by the Privacy Act:
- Information about deceased individuals (the Act covers living people; in some states, state law applies instead)
- Employee records of current and former employees, where the handling is directly related to the employment relationship (the employee records exemption still applies to private sector employers; it does not cover job applicants or contractors, and workplace law still governs how those records are kept)
- Information held solely for personal, family, or household purposes
But for customer and supplier information, you’re covered by the Privacy Act.
Getting Help
The OAIC provides extensive free guidance including:
- Privacy Policy template
- Guide to securing personal information
- Small business privacy self-assessment tool
If your business has complex data practices or handles sensitive information (health, financial, children’s data), consider getting advice from a privacy specialist or lawyer. For straightforward cases (retail, trades, professional services), the OAIC resources plus a few hours of setup work should get you compliant.
The Bottom Line
Privacy compliance isn’t optional anymore, regardless of turnover. The good news is that for most small businesses, compliance doesn’t require expensive software or consultants. It requires documenting what you do with personal information, tightening security practices, and being transparent with customers and staff.
Do the basics now. Create a privacy policy, secure your data, and understand your breach notification obligations. That covers 90% of the compliance requirement and protects you from the most common risks.