Following the major data breach at Optus earlier this month as well as the rise in scams and cyber-attacks against businesses, it is now more important than ever to ensure you understand exactly how businesses are required to handle your personal information. Also, how you are obligated under Australian law to protect your consumers’ personal information should it be something you regularly acquire in the course of business.

Under the current circumstances, it is crucial to consider the importance of a privacy policy, and whether you, as a business might need one.

The Privacy Act 1988 (Privacy Act) sets out the regulations imposed on business’ concerning the way an individual’s personal information is stored and shared. Therefore, your business must meet the obligation of having a privacy policy in place. A privacy policy is simply a statement that outlines exactly how an organisation or business handles your personal information.

Rights of Individuals Under the Privacy Act

The rights of individuals under the Privacy Act are outlined by the Office of the Australian Information Commissioner (OAIC), the national regulator for privacy and freedom of information.

These rights include:
– know why your personal information is being collected, how it will be used and who it will be disclosed to;
– have the option of not identifying yourself or of using a pseudonym in certain circumstances;
– ask for access to your personal information (including your health information);
– stop receiving unwanted direct marketing;
– ask for your personal information that is incorrect to be corrected; and
– make a complaint about an organisation or agency the Privacy Act covers, if you think they have mishandled your personal information.

Does My Business Need a Privacy Policy?

Businesses with an annual turnover of 3 million dollars must have a privacy policy. Additionally, certain small businesses and other organisations are required to have a privacy policy and have responsibilities under the Privacy Act if they collect and store personal or sensitive information about individuals. Other organisations may include an individual (including sole traders), a body corporate, a partnership or a trust.

The Privacy Act also covers specified persons handling certain information. This information may include but is not limited to:
– Tax file numbers;
– Consumer credit reporting information;
– Personal information contained on the Personal Property Securities Register;
– Sensitive information.

Australian Privacy Principles

In accordance with the Privacy Act, the Office of the Australian Information Commissioner may set out guidelines to help businesses avoid ‘acts or practices that may or might be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals’ These guidelines are referred to as the Australian Privacy Principles (APPs). Bodies covered by the APPs are referred to as APP entities, which include agencies and organisations (defined above).

The 13 APPs are set out by the Office of the Australian Information Commissioner which concern:
– The collection, use and disclosure of personal information;
– An organisation or agency’s governance and accountability;
– Integrity and correction of personal information; and
– The rights of individuals to access their personal information.

What goes into a Privacy Policy?

In addition, the APPs outline that a ‘collection statement’ must be provided to an individual when a business is to collect their personal information. This statement will outline the information a business will collect, what the information will be used for and whom it will be shared with. This collection of personal information is referred to as a ‘collection event’. A collection statement must be provided to an individual before, during or shortly after a collection event and a copy of the business’ privacy policy should be provided upon request.

Therefore, it is in the interests of best practice to have a privacy policy if an entity collects any information about individuals, as anyone can be the victim of unauthorised access by a third party.

Consequences of Not Having a Privacy Policy

If you or your entity engages in business without a privacy policy or adequate protections in place and you are subject to a breach, you will potentially be exposed to extremely serious civil penalties.

Individuals who are found to have contravened the APPs may face fines of up to $340,000 per breach, while businesses and corporations may be fined up to 2.22 million dollars per breach (including for serious or repeated breaches of privacy). The maximum penalty amount varies depending on whether the entity is subject to penalty provisions for breaches under the Health Records Act 2001, My Health Records Act 2012 and the Competition and Consumer Act 2010. Regardless, it is vital that you consider whether your business needs to implement a privacy policy and if so, ensure that it is done right.

Benefits of Having a Privacy Policy

Having a modern and up to date Privacy Policy shows individuals and the public engaging with your business (or who may wish to engage with your business) that you have the right procedures in place to handle their personal and sensitive information with care. This is a significant factor in improving the credibility and reputation of your business.

Who Should I Contact For Assistance With Privacy Policies?

At Lord Commercial Lawyers, we have the skill and expertise to walk you through all elements of privacy policies. For information on privacy policies, including whether you are required to have one, help drafting one or assistance if you believe your personal information has been unlawfully handled, please contact Patrick Iafrate at or phone (03) 9600 0162.


About us

Lord Commercial Lawyers is a commercial and business-focused law firm based in the Melbourne CBD. We work with businesses and individuals to help them achieve their legal and commercial goals.

Share Article


What our clients say

We had a great experience with Sue handling our conveyancing. She always got back to us straight away with any questions. Very efficient. Everything ran smoothly. I would not hesitate to deal with her again. Thanks Lord Commercial Lawyers

Jennifer Thompson

I had the pleasure of working with Andrew and Patrick from Lord Lawyers on a share-sale deal, and I must say, their expertise and efficiency truly impressed me. They handled the transaction with precision and delivered results promptly. If you're in need of top-notch legal services, especially in the realm of commercial law, I highly recommend Andrew and Patrick at Lord Lawyers. They certainly have my vote of confidence.

Anthony Maluccio

    Make an Enquiry

    contact Lord Commercial Lawyers using the handy contact form


    By submitting this form, you agree to receive legal updates from Lord Commercial Lawyers. You can unsubscribe at any time.