The most common thing we hear from small business owners on this topic is some version of “we’re too small to worry about privacy laws.” It’s understandable — the legislation sounds like it’s written for banks and hospitals, not a 12-person professional services firm or a regional trade business.
But “too small” isn’t always accurate, and the consequences of getting it wrong have become considerably more serious since the Privacy Act was amended in 2022 and the Cyber Security Act came into force in 2024.
Here’s a plain-English guide to where you actually stand.
The basic rule — and the exceptions that catch people out
The Privacy Act 1988 (Cth) generally applies to businesses with an annual turnover over $3 million. If you’re under that threshold, you might reasonably conclude it doesn’t apply to you.
But there are exceptions, and several of them are common in small business:
You handle health information. Any business that collects or holds health information about individuals is covered regardless of turnover. This includes allied health practitioners, gyms collecting health questionnaires, pharmacies, and anyone providing health-adjacent services.
You’re a contractor to the federal government. If any of your revenue comes from federal government contracts, you’re covered regardless of size.
You hold Tax File Numbers. If you collect TFNs — as any employer does — the Tax File Number Rule applies to you. This is separate from the Privacy Act but carries similar obligations around data handling.
You’re a credit provider or involved in credit reporting. Covered regardless of turnover.
You’ve opted in voluntarily. Some businesses adopt a privacy policy that commits them to Privacy Act compliance even though they’re not legally required to. Generally good practice — but it does create obligations you then need to meet.
Your state has its own rules. Health records legislation in Victoria, NSW, and other states can apply independently of the federal Privacy Act. If you’re in health or community services, check your state-specific obligations too.
The Notifiable Data Breaches scheme
Even if the Privacy Act’s general provisions don’t apply to you, it’s worth understanding the Notifiable Data Breaches (NDB) scheme — because this is the one with real teeth.
If you’re covered by the Privacy Act and you experience a data breach likely to result in serious harm to any individual, you are legally required to:
- Notify the Office of the Australian Information Commissioner (OAIC)
- Notify the affected individuals
You have 30 days from becoming aware of a suspected breach to assess it, and notification must follow promptly if the threshold is met.
Penalties for failing to notify were increased substantially in 2022. Serious interference with privacy can now attract fines of up to $50 million, or three times the benefit obtained, or 30% of adjusted turnover — whichever is greater.
For most small businesses the risk isn’t the maximum fine. It’s the reputational damage, the mandatory disclosure to customers, and the OAIC investigation process.
What “serious harm” actually means
Not every breach triggers a notification obligation. The threshold is whether a reasonable person would conclude the breach is likely to result in serious harm — which includes:
- Financial loss through fraud
- Physical harm
- Serious psychological harm
- Serious reputational damage
- Discrimination or harassment enabled by the exposed data
A breach of names and email addresses is unlikely to meet the threshold. A breach of financial account details, health records, identity documents, or passwords very likely does.
The practical question: what data do you actually hold?
Most small businesses hold more sensitive data than they realise:
- Customer records — contact details, purchase history, sometimes payment information
- Employee records — tax file numbers, bank account details, health information for leave purposes, performance records
- Health or identity information — if relevant to your service
- Supplier and contractor details — including individual sole traders whose data counts as personal information
Running a quick data audit — just listing what you collect, where it lives, who has access, and how long you keep it — is the most useful first step. It almost always surfaces something that needs attention.
What you should have in place
If you’re covered by the Privacy Act, or if you hold sensitive data even outside the formal coverage threshold, the baseline is:
A privacy policy. Must be publicly available and accurately describe how you collect, use, store, and disclose personal information. A generic template isn’t enough if it doesn’t reflect what you actually do.
A data breach response plan. Knowing what to do in the first 24–48 hours of a breach — who gets notified internally, who assesses the severity, who contacts the OAIC — is much easier to figure out before something goes wrong than during it.
Basic access controls. Limiting who in your business can access sensitive data is both a legal obligation and a practical risk reduction.
A retention and deletion policy. You should only hold personal information as long as you need it for the purpose it was collected. Keeping customer records indefinitely “just in case” is both a privacy risk and a legal exposure.
The honest answer to the question
If your turnover is under $3 million and none of the exceptions above apply, the Privacy Act’s general obligations probably don’t apply to you — yet. The $3 million threshold has been under review and may change.
If you’re over $3 million, or any exception applies, you have legal obligations and they’re worth taking seriously.
Either way, the more useful frame isn’t “does the law apply to me?” It’s “what happens to my business and my customers if the data I hold gets exposed?” That question usually leads to the same practical outcomes regardless of the legal threshold.
If you’re not sure where you stand, get in touch. We’ll give you a straight read on your obligations and what’s actually worth doing about them — without the legal bill.
This article provides general information only and is not legal advice. For advice specific to your circumstances, consult a qualified privacy lawyer or the OAIC’s guidance at oaic.gov.au.