The Privacy Act 1988 (Cth) is the federal statute that governs how Australian organisations handle personal information. It applies to a much larger universe of small businesses than most operators realise, and the obligations have materially broadened over the last 18 months.
This guide walks through the Australian Privacy Principles in plain English, sets out the small-business exemption (and the statutory exceptions that override it), and explains what a current Privacy Management Plan actually contains.
The small-business exemption — and why it probably doesn't apply
Section 6D of the Privacy Act provides a small-business operator exemption. A small-business operator is a business with annual turnover of $3 million or less. Prima facie, the Act doesn't apply.
Then come the exceptions. Under s 6D(4) and the related provisions, the exemption does not apply to:
- A business that provides a health service and holds health information (other than in employee records).
- A business that trades in personal information: one that discloses personal information about an individual to someone else for a benefit, service or advantage, or collects it in return for one, without the individual's consent or a legal requirement.
- A business that is a contracted service provider for a Commonwealth contract.
- A business that is a credit reporting body.
- A business that operates a residential tenancy database.
- A business that is related to a body corporate that is not a small business operator.
- A business that has chosen to opt in to the Act under s 6EA.
Two further points trip up operators who assume they are exempt. Tax file numbers are governed by the Privacy (Tax File Number) Rule 2015, which binds every TFN recipient regardless of turnover, so any business with employees has TFN-handling obligations even if it sits outside the APPs. And running a website with a contact form, cookies or analytics does not, on its own, take a business outside the exemption; the 2024 amendments left the small-business exemption in place, although the Attorney-General's Department review recommended its removal, so do not build a compliance position on the exemption surviving.
If any of the exceptions apply, the Privacy Act applies in full. If you run an allied health practice, a dental clinic or a physiotherapist's rooms, you are categorically captured. If you subcontract on a Commonwealth contract, you are captured. If you sell, rent or swap customer lists, you are captured.
Fewer Australian small businesses sit wholly outside the Privacy Act than their operators assume: the health and trading exceptions catch many, the TFN Rule catches every employer, and the consequence of being wrong has materially increased since the 2024 Privacy Act reforms (we'll come back to this).
The thirteen Australian Privacy Principles
The Act sets out thirteen Australian Privacy Principles. Each one is a discrete obligation. A compliant Privacy Management Plan addresses each one, even if briefly. Here they are, in plain English.
APP 1 — Open and transparent management of personal information
You must have a clearly expressed and up-to-date privacy policy. It must be available, free of charge, in an appropriate form (typically a website page). The policy must describe the kinds of personal information you collect, how you collect it, why you collect it, how you handle it, how an individual can access or correct their information, how they can complain, and whether you disclose information overseas.
This is the public-facing privacy policy. Every Australian APP entity with a website needs one. The OAIC has issued guidance on what a "clearly expressed" policy looks like — short, plain English, no legal disclaimers buried in fine print.
APP 2 — Anonymity and pseudonymity
Where lawful and practicable, you must give individuals the option to deal with you anonymously or under a pseudonym. The exception is where the law requires identification (you can't open a bank account anonymously) or where dealing anonymously isn't practicable (you can't deliver a parcel to "Anonymous").
For a small business, this means: if a customer wants to make an enquiry without giving their name, you should accommodate them where you can. Most of the time, you can.
APP 3 — Collection of solicited personal information
You may only collect personal information that is reasonably necessary for one or more of your functions or activities. You must collect it by lawful and fair means. For sensitive information — health, religion, political opinion, sexual orientation, biometric data — you generally need consent.
The practical test: every time you collect a piece of personal information, ask whether you actually need it. A signup form that asks for the user's date of birth when there's no business reason to know it fails APP 3.
APP 4 — Dealing with unsolicited personal information
If you receive personal information you didn't ask for, you must determine whether you could have collected it under APP 3 if you had asked. If yes, you can keep it under the same rules. If no, you must destroy or de-identify it as soon as reasonably practicable.
APP 5 — Notification of collection
When you collect personal information, you must take reasonable steps to notify the individual (or ensure they are aware) of certain matters: who you are, why you are collecting, who you'll disclose to, the consequences if they don't provide the information, how to access the privacy policy, and whether you'll send it overseas.
This is your collection notice. It is distinct from your privacy policy. The collection notice sits at the point of collection (the form, the call script, the in-store signage). The privacy policy sits on your website and provides the full picture.
APP 6 — Use or disclosure of personal information
You can only use or disclose personal information for the purpose you collected it (the primary purpose). You can use it for a related secondary purpose only if the individual would reasonably expect it, or if you have consent.
The practical test: if you collected an email address to deliver a service, you can't add it to a marketing list unless the individual gave consent or would reasonably expect that use.
APP 7 — Direct marketing
You may use personal information for direct marketing only in limited circumstances. The individual must be able to easily opt out at any time. Sensitive information may not be used for direct marketing without consent.
This APP works alongside the Spam Act 2003 for electronic marketing and the Do Not Call Register Act 2006 for telemarketing.
APP 8 — Cross-border disclosure
Before you disclose personal information to an overseas recipient, you must take reasonable steps to ensure the recipient does not breach the APPs in relation to the information. There are exceptions (the recipient is in a jurisdiction with substantially similar laws, the individual consents after being told the protections won't apply, and so on).
This APP is the one to check for every Australian business using overseas cloud infrastructure — AWS regions outside Australia, Microsoft 365 tenants hosted offshore, any SaaS that processes data outside Australia. One caveat from the OAIC's APP Guidelines: where a cloud provider merely stores the information under a contract that bars it from using or disclosing the data for its own purposes, and you retain effective control, the OAIC treats that as a "use" by you rather than a "disclosure" to the provider, so APP 8 is not triggered, but APP 11 still makes you responsible for securing it. Where it is a disclosure, the compliance pathway is usually a contract clause requiring the overseas recipient to handle the information in accordance with the APPs, recorded in your cross-border disclosure register.
APP 9 — Adoption, use, or disclosure of government-related identifiers
You generally cannot adopt a government-issued identifier (Medicare number, TFN, passport number) as your own customer ID. You cannot use or disclose it except in narrow circumstances.
APP 10 — Quality of personal information
You must take reasonable steps to ensure the personal information you hold is accurate, up-to-date, and complete. This is an active obligation. A customer database that hasn't been touched in three years is, by definition, drifting toward inaccuracy.
APP 11 — Security of personal information
You must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. You must destroy or de-identify personal information that is no longer needed for any authorised purpose.
The OAIC has issued Guide to securing personal information which sets out the security expectations in detail. For a small business, the floor is: encryption in transit and at rest, role-based access, multi-factor authentication on administrative accounts, a documented incident response plan, and a data retention schedule.
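The retention obligation in APP 11.2 is the part of this floor most small businesses handle worst, because it needs a disposal rule per data category and a periodic job that actually applies it. The following is an added example of that job, written for this guide; it is not OAIC or PolicyPack code, and the categories, retention periods, field names and sample records are constructed assumptions.

```python
"""
Retention-schedule enforcement for APP 11.2: destroy or de-identify personal
information once it is no longer needed. Added illustration, not OAIC or
PolicyPack code. The schedule periods, record layout and sample records are
constructed assumptions, not legal advice.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Category -> (days retained after last activity, disposal action).
# Periods are illustrative; a real schedule cites the legal basis for each one.
SCHEDULE = {
    "enquiry": (365, "deidentify"),
    "customer": (7 * 365, "deidentify"),
    "health": (7 * 365, "destroy"),     # sensitive information: no partial retention
    "marketing": (2 * 365, "destroy"),
}

# Fields removed on de-identification. Date of birth is included because, combined
# with a postcode, it is a quasi-identifier that re-identifies most individuals.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address", "date_of_birth"}


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date
    fields: dict
    legal_hold: bool = False  # subject of a complaint, dispute or investigation


def is_expired(record: Record, schedule: dict, today: date) -> bool:
    """A record expires once its retention period has run from last activity."""
    days, _ = schedule[record.category]
    return record.last_activity + timedelta(days=days) < today


def deidentify(record: Record) -> Record:
    """Drop direct identifiers and keep the rest. Whether the remainder is truly
    de-identified depends on which fields remain; review that per category."""
    kept = {k: v for k, v in record.fields.items() if k not in DIRECT_IDENTIFIERS}
    return Record(record.record_id, record.category, record.last_activity, kept, record.legal_hold)


def apply_retention(records, schedule, today):
    """Return (records still held, disposal log). Fails closed on an unknown
    category rather than silently keeping the record forever."""
    held, log = [], []
    for r in records:
        if r.category not in schedule:
            raise ValueError(f"{r.record_id}: category {r.category!r} has no retention rule")
        if r.legal_hold or not is_expired(r, schedule, today):
            held.append(r)
            continue
        _, action = schedule[r.category]
        if action == "destroy":
            log.append((r.record_id, "destroyed"))  # caller deletes from storage and backups
        else:
            held.append(deidentify(r))
            log.append((r.record_id, "deidentified"))
    return held, log


# Constructed sample data set, run against a fixed "today" so the result is stable.
SAMPLE = [
    Record("r1", "enquiry", date(2024, 1, 15),
           {"name": "A. Person", "email": "a@example.com", "message": "Do you open Saturdays?"}),
    Record("r2", "customer", date(2025, 6, 1),
           {"name": "B. Person", "email": "b@example.com", "orders": 3}),
    Record("r3", "health", date(2018, 2, 1),
           {"name": "C. Person", "notes": "consult note"}, legal_hold=True),
    Record("r4", "marketing", date(2023, 9, 1), {"email": "d@example.com"}),
    Record("r5", "health", date(2017, 1, 1), {"name": "E. Person", "notes": "consult note"}),
]


def run_example(today: date = date(2026, 3, 1)):
    return apply_retention(SAMPLE, SCHEDULE, today)


if __name__ == "__main__":
    held, log = run_example()
    for record_id, action in log:
        print(record_id, action)
    print("still held:", [r.record_id for r in held])
```

Two design choices matter more than the code. A record under legal hold is never disposed of, whatever the schedule says, and an unknown category raises rather than defaulting to "keep", because a silent default is exactly how a customer table goes untouched for three years. The log is what you show the OAIC; keep it, and make sure the "destroyed" action reaches backups as well as the live database.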
APP 12 — Access to personal information
If an individual requests access to the personal information you hold about them, you must give it to them within a reasonable period (typically 30 days). There are limited exceptions (commercially confidential information, information that would prejudice an investigation).
APP 13 — Correction of personal information
If an individual requests correction, you must take reasonable steps to correct the information. If you decline, you must give written reasons and tell the individual how they can complain.
The 2024 reforms
The Privacy and Other Legislation Amendment Act 2024 made the most significant changes to the Privacy Act since its enactment. The reforms were tabled in response to a comprehensive review by the Attorney-General's Department concluded in 2023, and several tranches of reform are still being implemented.
The headline changes that have already commenced:
- A statutory tort for serious invasions of privacy. Individuals can now bring a civil action for a serious invasion of privacy, with damages for non-economic loss capped at $478,550.
- Expanded enforcement powers for the OAIC, including a new mid-tier civil penalty (currently $3.3m) and new infringement notice powers for low-level breaches.
- A specific protection for children's personal information, including a Children's Online Privacy Code under development by the OAIC.
- Increased transparency obligations on automated decision-making — businesses using AI to make decisions affecting individuals will need to disclose this in privacy policies (commencing late 2026).
The practical effect for a small business is that the cost of a privacy breach has increased materially. The 2024 amendments did not change the "likely to result in serious harm" threshold of the Notifiable Data Breaches scheme, but they added a power for the Minister to make an eligible data breach declaration that lets information about a breach be shared to mitigate harm, which is one more reason the breach response procedure below needs to be written down before an incident rather than during one.
What a current Privacy Management Plan contains
A Privacy Management Plan is the internal operating document. It is distinct from the public-facing privacy policy that satisfies APP 1. The plan sets out, for each APP, how your business actually meets the obligation.
The structure that holds up looks like this:
- Scope — the business entities covered, the categories of personal information held, the data flows.
- APP-by-APP control register — for each APP, the specific procedure or document that demonstrates compliance.
- Collection notices — the actual collection notice text used at each point of collection (web form, contact form, customer signup, EDM signup).
- Public privacy policy — the website-facing document that satisfies APP 1.
- Data retention schedule — what you keep, how long, and when you destroy or de-identify.
- Data breach response procedure — the process for containing a suspected breach, completing the assessment within the 30 days the Notifiable Data Breaches scheme allows, and notifying the OAIC and affected individuals as soon as practicable once the breach is confirmed as eligible.
- Access and correction procedure — how an individual makes a request and how you respond.
- Cross-border disclosure register — every overseas recipient, the country, and the contractual basis for the disclosure.
- Training — how staff are inducted on privacy obligations and how the training is recorded.
- Review schedule — when the plan is reviewed and by whom.
PolicyPack generates each of these components by default for any pack that includes the Privacy Management Plan document. The plan is generated against your specific industry — a clinic plan emphasises health information handling under the Health Records Acts, a professional services plan emphasises confidentiality and APP 8 cross-border issues — rather than a one-size-fits-all template.
What to do next
If you don't have a Privacy Management Plan: generate one. The pack ships with a public privacy policy and the internal management plan as default documents.
If you have an old privacy policy from before 2024: read it against the APP 1 requirements above. A post-reform policy should address automated decision-making (where applicable, ahead of the 2026 commencement), the updated cross-border disclosure provisions, and the children's-information protections as the Children's Online Privacy Code is settled. Pre-reform templates almost universally don't.
If you handle health information, hold tax file numbers, contract to the Commonwealth, or run a website with a contact form: the small-business exemption does not apply. The Privacy Act applies in full, and you need a Privacy Management Plan in writing.
The OAIC's enforcement posture in 2025 and 2026 has shifted notably. Reviews that used to be paper-only now include interviews with staff about how they handle access and correction requests in practice. A plan that exists on paper but isn't operationalised is a plan that fails the new enforcement standard. The remedy is the same as for WHS: a current, structured, operational compliance system rather than a folder of documents.
Build your pack
Stop reading. Generate the pack.
PolicyPack writes the documents this guide describes — for your specific industry, jurisdiction, and operational scope. Twenty minutes. $199.