If you run a small business, you’re probably collecting more private information than you realise.
It might be as simple as customer names and emails for bookings, invoices and newsletters. Or it could be more sensitive details like health information, identity documents, payment data, CCTV footage, or staff records.
The reality is that private information is valuable. It’s valuable to you (because it helps you operate and grow), but it’s also valuable to scammers and cybercriminals. That’s why privacy and data security aren’t just “big business problems” anymore.
Below, we’ll walk you through what “private information” usually means in an Australian business context, when the Privacy Act 1988 (Cth) may apply to you, and the practical steps you can take to reduce legal risk while building trust with customers.
In Australia, the law often talks about personal information rather than “private information”. In practice, when people search “private information”, they’re usually talking about information that identifies someone (or could reasonably identify them) and should be handled carefully.
Depending on your business, you might collect private information such as:
- Basic identity details: name, address, email, phone number, date of birth.
- Account and login details: usernames, passwords (or password hashes), security questions.
- Financial details: bank account details, payment history, invoices, billing addresses.
- Customer interactions: support tickets, call recordings, chat transcripts, complaints.
- Marketing data: newsletter subscriptions, consent records, customer preferences.
- Employee and contractor details: TFN declarations, superannuation details, emergency contacts.
- Images and video: CCTV footage, photos of clients, event recordings.
Some private information is treated as more sensitive under Australian privacy laws. For example, information about someone’s:
- health
- biometrics (like facial recognition data)
- racial or ethnic origin
- political opinions
- religious beliefs
- sexual orientation or practices
If your business deals with any of these categories (even occasionally), you should be especially careful about what you collect, how you store it, and who you share it with.
Do Australian Privacy Laws Apply To Your Business?
This is one of the biggest questions small businesses ask: “Do we actually have to comply with the Privacy Act?”
The answer depends on factors like your size, what you do, and what kind of private information you handle.
The “Small Business” Privacy Act Exemption (And Why It’s Not Always A Free Pass)
Generally, the Privacy Act 1988 (Cth) applies to organisations with an annual turnover of more than $3 million.
However, many smaller businesses can still be covered if they fall into certain categories or choose to be covered. For example, a business may be covered if it:
- provides health services and handles health information (even if turnover is under $3 million)
- trades in personal information (for example, buying/selling mailing lists)
- opts in to being regulated under the Privacy Act (for example, to meet customer or supplier requirements)
- is related to a larger business (in some corporate group structures)
- is a credit reporting body or otherwise involved in credit reporting in a regulated way
- is an operator of a residential tenancy database
- handles government-related identifiers (for example, Medicare numbers, driver licence numbers, passport details) in a way that triggers additional restrictions on how you collect, use and disclose them
Even where the Privacy Act does not strictly apply, customers and business partners often still expect privacy compliance. In practice, putting good systems in place early can save you time, money and reputational damage later.
Employee Records Are A Common “Grey Area”
Many business owners assume all employee data is covered by privacy law in the same way customer data is. Australia has an “employee records” exemption in certain contexts, but it’s not a blanket excuse to ignore confidentiality or data security.
From a risk perspective, you still want to handle staff private information carefully, because data breaches can create serious operational and reputational issues (and may trigger other legal obligations even if the Privacy Act doesn’t apply in full).
If your business is covered by the Privacy Act, you’ll generally need to comply with the Australian Privacy Principles (APPs).
Even if you’re not technically covered, these principles are still a helpful best-practice framework for handling private information in a way that customers expect.
Collect Only What You Need (And Be Clear About Why)
A practical rule: don’t collect private information “just in case”. Collect only what you need to deliver your product or service.
When you collect information, you should be able to answer:
- What is the purpose of collecting this?
- Is this information necessary for that purpose?
- How long do we need to keep it?
This is also where a clear Privacy Collection Notice can help, especially at the point of collection (for example, website forms, onboarding documents, or booking systems).
Have A Privacy Policy That Matches What You Actually Do
Many businesses post a Privacy Policy and never revisit it. That’s risky, because your systems change over time (new software, new marketing tools, new payment providers, new staff access).
A good Privacy Policy should explain, in plain English:
- what private information you collect and hold
- how and why you collect it
- who you may share it with (including overseas providers)
- how a person can access or correct their information
- how they can make a privacy complaint
From a business perspective, this is also about trust. Customers are more likely to buy from you when they feel confident you won’t misuse their private information.
Privacy law often focuses on whether you took reasonable steps to protect private information from misuse, interference, loss, unauthorised access, modification, or disclosure.
What’s “reasonable” depends on your business size, the type of information you hold, and the harm that could result if it was leaked.
For many small businesses, “reasonable steps” usually includes:
- strong password policies and multi-factor authentication (MFA)
- restricting staff access to “need to know”
- keeping systems updated (applying security patches and software updates promptly)
- staff training (especially on phishing and payment scams)
- secure storage and disposal practices (including shredding physical files)
- vendor due diligence (choosing reputable software providers)
It can be helpful to formalise these expectations in an Information Security Policy, particularly if you have staff, contractors, remote work arrangements, or multiple systems handling private information.
Small businesses often rely on third parties to operate efficiently, such as:
- cloud accounting and invoicing providers
- booking and practice management software
- email marketing platforms
- IT support providers
- virtual assistants
- payment processors
If those providers can access your customers’ private information, your risk increases.
At a minimum, you should know:
- what data they can access
- where the data is stored (including whether it’s stored overseas)
- what security controls they have in place
- what happens if there’s a data breach
It’s also worth thinking about confidentiality in your commercial relationships. If you’re sharing internal customer lists, business processes, pricing, or product plans, a Non-Disclosure Agreement can help set clear boundaries and reduce the risk of misuse.
Even if you do everything right, incidents can still happen. A staff member might click a phishing link, a laptop might be stolen, or a system might be misconfigured.
When private information is involved, the key is to act quickly and methodically.
Step 1: Contain The Breach
As soon as you suspect a breach, focus on stopping further access or loss. Depending on the situation, that might include:
- resetting passwords and revoking compromised logins
- disabling affected accounts
- isolating affected devices from your network
- contacting your IT provider immediately
Step 2: Assess The Breach
Try to identify:
- what data was accessed or lost
- how many individuals are affected
- whether the information was encrypted or otherwise protected
- the likely harm (for example, identity theft, financial fraud, or distress)
This assessment matters because some data breaches may trigger notification obligations under Australia’s Notifiable Data Breaches (NDB) scheme (where applicable).
Step 3: Notify Where Required (And Communicate Clearly)
If you need to notify affected individuals and/or a regulator, you’ll want to make sure your message is accurate, timely, and contains the right details.
A tailored Data Breach Notification approach can help you communicate with customers in a way that is clear and minimises confusion (while still meeting legal requirements).
Step 4: Document, Fix And Improve
After the immediate crisis is managed, the next step is reducing the chance of a repeat incident.
This is where having a Data Breach Response Plan can be extremely valuable. It helps you map out roles, responsibilities, communication steps, and decision-making before an incident happens (so you’re not trying to build a process under pressure).
Practical Data Security Tips For Small Businesses (That Also Reduce Legal Risk)
Privacy compliance can feel abstract until you translate it into everyday business habits. The good news is that you don’t need a huge budget to improve how you handle private information.
Build Privacy And Security Into Your Day-To-Day Processes
Try to “design” your workflows so that protecting private information is the default.
- Limit access: not every team member needs access to every system.
- Use role-based permissions: for example, admin access for managers only.
- Review access regularly: especially when staff leave or change roles.
- Set retention periods: decide how long you keep documents before deleting or securely disposing of them.
Pay Special Attention To Payment Data
If you take payments online or store card details for subscriptions, your risk profile changes quickly.
Beyond privacy considerations, payment data can involve additional obligations and security standards. If you’re unsure what’s allowed, it’s worth reviewing your approach to storing credit card details so you don’t accidentally create compliance issues or expose customers to unnecessary risk.
Train Your Team (And Make It Part Of Onboarding)
One of the most effective ways to protect private information is to make sure your people understand what good handling looks like.
Your training doesn’t need to be complicated. It just needs to be consistent and practical. For example:
- how to spot phishing emails
- how to verify bank account change requests
- when it’s okay (and not okay) to share client details internally
- how to report suspicious activity quickly
Make Sure Your Website And Marketing Practices Match Your Privacy Promises
If you collect private information through your website (contact forms, cookies, online bookings), make sure your public-facing statements match reality.
Common problem areas include:
- forms that collect more information than necessary
- marketing emails without clear consent records
- unclear disclosures about third-party analytics tools
- not having a clear process to handle access or correction requests
When your actual practices line up with what you say, you reduce legal risk and improve customer confidence at the same time.
Key Takeaways
- “Private information” for small businesses usually means personal information that can identify an individual (and it can include sensitive information that needs extra care).
- Even if you’re under the $3 million turnover threshold, privacy obligations can still apply depending on what you do, including if you provide health services, trade in personal information, opt in to coverage, or operate in regulated areas like credit reporting or residential tenancy databases.
- Strong privacy practices usually start with collecting only what you need, being transparent about why you collect it, and keeping your records secure.
- A clear Privacy Policy and point-of-collection messaging (like a collection notice) help set expectations and build trust.
- Data breaches are a business risk as well as a legal risk, so it’s worth having a response plan and a clear notification process ready before anything happens.
- Practical steps like staff training, limiting system access, and improving payment data handling can significantly reduce your exposure if something goes wrong.
If you’d like help getting your privacy and data security documents in place (or reviewing what you already have), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.