Protecting Your Customers' Data: A Privacy Law Primer for Aussie SMBs
Many Australian small business owners assume privacy law is something big corporations worry about. But the truth is more nuanced — and the consequences of getting it wrong can be significant. Here's a practical overview of what you need to know.
The Australian Privacy Act:
The Privacy Act 1988 and the Australian Privacy Principles (APPs) regulate how personal information is collected, used, stored, and disclosed.
Who does it apply to?
The Privacy Act applies to:
- Businesses with annual turnover over $3 million
- All businesses that provide health services
- Businesses that trade in personal information
- Businesses that are related to larger covered organisations
- Businesses that hold tax file numbers or other specific data types
However, even if you're technically exempt, it's worth following best practice — especially because:
- State-based privacy laws may apply
- Breach notification requirements can still apply in some circumstances
- Consumer expectations around data privacy are growing
The Notifiable Data Breaches (NDB) scheme:
If you're covered by the Privacy Act and experience a data breach likely to cause "serious harm," you must:
- Notify the Office of the Australian Information Commissioner (OAIC)
- Notify the individuals affected
Failure to comply can result in significant penalties — up to $50 million for serious or repeated breaches under amendments passed in 2022.
What "personal information" means:
Any information that identifies or could reasonably identify an individual:
- Name, address, phone number, email
- Tax file number, Medicare number
- Financial account details
- Health information
- IP addresses and browsing data (in some contexts)
Practical compliance basics for SMBs:
- Collect only what you need. Don't collect personal information you don't have a clear, legitimate need for.
- Store it securely. Encryption, access controls, and secure disposal are all part of this.
- Tell people what you're collecting and why. Your privacy policy needs to be accurate and accessible.
- Don't share it without consent (with exceptions for law enforcement and legal requirements).
- Have a breach response plan. Know what to do if your customer data is compromised.
The phishing connection:
Many data breaches that trigger Privacy Act obligations start with a phishing attack. Stolen credentials lead to unauthorised access to systems holding customer data, so your obligation to protect that data extends to preventing phishing attacks from compromising it.
Think you can spot a phish?
Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.