Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in Australia, you’re almost certainly handling personal data - whether that’s customer names and emails, employee records, website analytics or payment details.
Getting personal data wrong can damage customer trust and land you in legal hot water. The good news? With a clear plan and the right documents, you can manage data confidently, comply with Australian laws, and turn privacy into a competitive advantage.
In this guide, we’ll unpack what counts as personal data, when the Privacy Act applies to small businesses, and the practical steps to set up your data practices the right way from day one.
What Counts As Personal Data In Australia?
In Australia, “personal information” (often called personal data) is any information or opinion about an identified person, or a reasonably identifiable person. It doesn’t have to include a name to be personal - if it can be tied back to a person, it’s likely covered.
Common examples for small businesses include:
- Customer details: names, emails, phone numbers, postal addresses
- Identifiers and account data: customer numbers, loyalty IDs, device IDs, IP addresses (where reasonably identifiable)
- Marketing and analytics data: browsing behaviour linked to an individual, purchase history, preferences
- Financial details: payment information, invoices, credit applications
- Employee and contractor data: contact details, tax and bank information, performance records, emergency contacts
- Audio and visual data: CCTV or call recordings when linked to a person
Some data is more sensitive than others. Health information, biometric data and some financial information can attract higher expectations and risk. If you handle this kind of data, it’s critical to adopt extra care and security.
Does The Privacy Act Apply To My Small Business?
Many Australian small businesses have heard “the Privacy Act doesn’t apply if you turn over less than $3 million.” That threshold exists, but there are important exceptions.
Your business is generally covered by the Privacy Act 1988 (Cth) if one or more of the following applies:
- Your annual turnover is more than $3 million; or
- You trade in personal information (e.g. buy, sell or rent customer lists); or
- You provide certain services (e.g. health services, private education or credit reporting functions) or operate a residential tenancy database, regardless of turnover; or
- You’re a contractor for a Commonwealth contract handling personal information; or
- You’ve opted in to the Act.
Even if you’re under $3 million and outside the exceptions, two things still matter:
- Customers expect transparency about how you use their data.
- Other Australian laws and industry rules can still apply to aspects of data handling (for example, record-keeping obligations or cybersecurity expectations from partners and platforms).
Bottom line: it’s wise to act as if the Privacy Act applies. That means being open about what you collect and why, limiting collection to what you actually need, keeping data secure, and giving people simple choices.
What Personal Data Should You Collect (And Why)?
As a rule of thumb, collect only what you need to deliver your product or service and meet legal obligations - no more, no less.
Start by mapping your business goals to the minimum data required. For example:
- Fulfilling orders: name, delivery address, contact details, payment confirmation
- Booking or appointment systems: name, contact details, service preferences, necessary health disclosures (if genuinely required)
- Marketing emails: an email address and lawful consent or a clear relationship that allows direct marketing (with an easy opt-out)
- Analytics: aggregated or de-identified data where possible, rather than identifiable profiles
It’s also important to plan how long you’ll keep each type of data and why. Some information must be retained for a set period (for example, tax records), while other data should be deleted once you no longer need it. A clear approach to data retention, informed by the retention laws that apply to you, helps you manage risk and avoid stockpiling information unnecessarily.
How To Handle Personal Data Lawfully: A Step-By-Step Plan
Here’s a practical roadmap you can apply in any small business - whether you run an online store, a clinic, a consultancy, or a hospitality venue.
1) Map Your Data Flows
List every touchpoint where you collect personal data (website forms, point of sale, phone calls, social media messages, third-party integrations). Note what you collect, why you collect it, where it’s stored, who has access, and who you share it with.
This simple audit becomes the foundation for your policies, consents and security measures.
2) Be Clear, Open And Lawful
People should understand what you’re collecting, how you’ll use it, and who you’ll share it with - in plain English. The core tool here is a fit-for-purpose Privacy Policy that reflects your actual practices, not a copy-paste template that doesn’t match your business.
At the point of collection (for example, on a checkout page or lead form), use a short, practical Privacy Collection Notice. This tells people exactly what you’re collecting right now and gives them the right context to make an informed choice.
3) Get Consent Right (And Provide Choice)
Consent should be informed, specific and unambiguous, especially for direct marketing or when collecting sensitive information. Use unticked boxes for optional marketing, avoid bundling consent with unrelated terms, and always offer a clear opt-out.
4) Limit And Secure What You Keep
Only collect what you need. Only keep it for as long as you need it. Store it securely with appropriate technical and organisational measures (for example, strong access controls, encryption in transit and at rest, and staff training).
Document your controls in an Information Security Policy so your team knows what “secure” actually means in daily practice.
5) Manage Third Parties Properly
If you share personal data with suppliers or software platforms (for example, CRM, email marketing, payment gateways, IT support), make sure your contracts cover privacy, security and breach responsibilities. A tailored Data Processing Agreement sets clear rules for vendors handling your customer data.
6) Prepare For Incidents (And Respond Fast)
No security is perfect. Have a playbook to identify, contain, assess and notify if a breach occurs. A practical, tested Data Breach Response Plan helps you meet legal expectations and preserve trust with customers and regulators.
7) Train Your Team And Review Regularly
Most breaches start with human error. Train staff on phishing, safe data handling and your internal processes. Revisit your data map, policies and vendor list at least annually or when you launch a new product, open a new location, or integrate new software.
What Laws And Rules Apply To Personal Data In Australia?
Beyond general good practice, here are key Australian rules a small business should be aware of when working with personal data.
Privacy Act And Australian Privacy Principles (APPs)
If the Privacy Act applies to you, the Australian Privacy Principles set out how you must collect, use, disclose and secure personal information, and how you handle access and correction requests. Even if you’re not strictly covered, aligning with the APPs is a smart way to meet customer expectations and partner requirements.
Spam And Direct Marketing Rules
Sending commercial electronic messages requires consent, accurate sender identification and a functional unsubscribe. Consent can be express or inferred in certain relationships, but if in doubt, build clear opt-ins and make opting out easy.
Payment And Financial Data
If you accept card payments or store cardholder data, follow your gateway’s security requirements and never store sensitive card details in plain text. Our guide to storing credit card details explains the risks and safer alternatives, like tokenisation via trusted payment providers.
Records And Retention
Some records must be kept for specific periods under tax or employment laws, while other data should be deleted when you no longer need it. Build a retention schedule that balances business needs with your obligations under data retention laws.
CCTV, Call Recording And Photography
If you use CCTV in your store, record calls, or take photos of customers for marketing, additional rules can apply depending on the state or territory. Be transparent with clear notices and only capture what you need. If in doubt, get advice and update your notices, policies and scripts accordingly.
What Legal Documents Should You Have In Place?
Putting the right documents in place is the quickest way to embed good privacy practices across your business and reduce risk.
- Privacy Policy: Sets out how your business collects, uses, stores and shares personal information, in line with your actual processes. A tailored Privacy Policy is essential if you collect any personal data (which most businesses do).
- Privacy Collection Notice: A short notice at the point of collection explaining what you’re collecting right now and why, with links to your full policy. Use a Privacy Collection Notice on web forms, checkout pages and account sign-ups.
- Data Processing Agreement: Contract terms with suppliers and platforms that handle personal information on your behalf. A robust Data Processing Agreement sets security, confidentiality, breach and deletion obligations.
- Information Security Policy: Internal rules that tell your team how to protect data day to day - access controls, passwords, storage, portable devices and incident reporting. An Information Security Policy makes expectations clear.
- Data Breach Response Plan: A practical, step-by-step playbook for identifying, containing, assessing and notifying if things go wrong. A tested Data Breach Response Plan saves precious time in an incident.
- Website Or App Terms: If you sell or interact online, set rules for users, IP protection, acceptable use and liability. Pair these with your Privacy Policy so customers have a complete picture of how your platform operates.
- Payment Terms And Policies: If you take recurring payments or direct debits, ensure your contracts and systems reflect banking and consumer requirements, and avoid storing unnecessary card data. Where possible, let secure payment providers handle sensitive details.
If you employ staff, consider training materials and internal guidance (for example, onboarding checklists and role-based access standards) alongside your formal policies. Good paperwork only works when people follow it.
Key Takeaways
- Personal data covers any information that can identify a person, from names and emails to IP addresses, payment details and staff records.
- Even if you’re under the $3m threshold, acting in line with the Privacy Act and the APPs is smart business - customers expect transparency and security.
- Collect only what you need, be clear at the point of collection, and set retention limits so you’re not holding data longer than necessary.
- Secure your systems and your people: document controls in an Information Security Policy, use strong vendors, and train staff regularly.
- Lock down your supply chain with a Data Processing Agreement and prepare for the worst with a Data Breach Response Plan.
- Core documents like a Privacy Policy and a concise Privacy Collection Notice turn your data map into clear, customer-friendly commitments.
If you’d like a consultation on handling personal data in your small business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.