DownloadPDF of this ArticleExpertiseCorporate & CommercialExpertiseHealth & Aged Care

The Office of the Australian Information Commissioner (OAIC) has recently issued its Privacy Business Resource 10: Does my small business need to comply with the Privacy Act?[1] This is a reminder that a business which is a small business with an annual turnover of $3 million or less may nevertheless be bound by the requirements of the Privacy Act.[2]

If a small business is caught by the provisions of the Privacy Act then it must, among other things:

  • comply with the Australian Privacy Principles (APPs);
  • have a Privacy Policy;
  • have internal policies, procedures and resources to ensure compliance with the Privacy Act and the APPs.

The requirements of the Privacy Act and the APPs relate to personal information which is:

Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not;
  • whether the information or opinion is recorded in material form or not.

What Small Businesses are APP Entities?

A small business will be an APP entity, and subject to the requirements of the Privacy Act and the APPs if the business:

  • provides a health service or holds any health information, except employee records (this is a very wide field – see below);
  • discloses personal information about individuals for a benefit, service or advantage (an example given by OAIC is a small business that sells its customer list to a marketing company or gives its own list in return for another list);
  • is a related body corporate to an entity that is an APP entity;
  • is a service provider to a Commonwealth entity;
  • operates a residential tenancy database;
  • carries on a credit reporting business.

These are only a summary of some of the main activities that can lead to a small business becoming an APP entity. It would be wise for all small businesses that handle personal information to review the checklist on the OAIC Website to ascertain whether or not the business is an APP entity.

Health Services

The definition of health services in the Privacy Act is very wide and reads:

health service means:

  • an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
  • to assess, record, maintain or improve the individual’s health; or
  • to diagnosis the individual’s illness or disability; or
  • to treat the individual’s illness or disability or suspected illness or disability; or
  • the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

Obvious examples of businesses which provide health services include health care providers such as doctors, specialists, clinics, private hospitals and day surgeries. The definition also includes other forms of health providers such as physiotherapists, chiropractors and naturopaths. More widely, it can in circumstances include other businesses such as schools, child care centres, weight loss clinics, gyms and fitness services. These are only a few examples.

Information held by a business providing a health service will most likely include health information, which will be personal information if the individual concerned is identifiable, and this will be sensitive information. Sensitive information is subject to higher standards of care and control in accordance with the APPs.

Credit Reporting

The provisions of the Privacy Act which apply to credit reporting are separate from the requirements relating to personal information. The requirements in relation to credit reporting are stricter than provisions relating to personal information.

A small business can be a credit provider. This will be the case even if the business does not make loans or extend credit in a manner similar to a bank or financial institution.

A small business (or other business) will be a credit provider if:

  • a substantial part of the business is the provision of credit;
  • it carries on a retail business and issues credit cards;
  • it allows credit for the sale of goods or supply of services or hiring, leasing or renting of goods, for at least 7 days (it will be a credit provider only in relation to the credit that is provided).

As well as other specific requirements for management of credit information, a credit provider must have a policy about the management and credit information and credit eligibility information.

Warning to Small Businesses

The issue by the OAIC of its Privacy Business Resource team may be a wake‑up call to small businesses and an indication that the Privacy Commissioner will look more closely at the operations of small businesses and the application of the Privacy Act.

Small businesses should consider their activities and if necessary get advice, to determine whether they are either an APP entity that is required to comply with the APPs in relation to personal information, or the provisions of the Privacy Act in relation to credit reporting, or both. If the business is required to comply, it should put in place the necessary policies and procedures.

  1. See http://www.oaic.gov.au/privacy/privacy-resources/privacy-business-resources/privacy-business-resource-10

  2. Privacy Act 1988 (Commonwealth)

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this article, or what it means for you, your business or your clients' businesses, please feel free to contact us.

For more information, please contact...

Sandy Donaldson

View Profile →

Related Articles

View All News
June 16, 2025 NDIS and Aged Care sectors on notice from ACCC: NDIS sector online platform gives court enforceable undertaking to ACCC to amend unfair contract terms
Health & Aged Care Corporate & Commercial Dispute Resolution & Insolvency
November 04, 2024 DW Fox Tucker Lawyers welcomes Dr Mark Giancaspro to boost the firm’s commercial team and add a new sports law offering
Firm News Corporate & Commercial Sports Law
October 29, 2024 Disqualifications and Jail Time: ASIC Increasing Pressure on Directors for Mismanagement
Corporate & Commercial Dispute Resolution & Insolvency
June 19, 2024 When Are Goods or Services Acquired by a “Consumer”? When Do Guarantees Under the Australian Consumer Law Apply? Can Suppliers and Manufacturers Liability Be Limited?
Corporate & Commercial
April 18, 2024 2025 Edition of Best Lawyers: Celebrating Our Leaders and a Rising Star
Firm News Corporate & Commercial Employment, Workplace Relations & Safety + 6
December 20, 2023 New Reasons to Keep Your Contract Terms Fair
Corporate & Commercial
December 20, 2023 Deeds vs Agreements
Corporate & Commercial
December 20, 2023 When Can You Send Unsolicited Electronic Messages?
Corporate & Commercial
November 28, 2023 Payroll Tax and Medical Practices: An Update and Warning to Others
Tax Health & Aged Care Employment, Workplace Relations & Safety
September 15, 2023 Payroll Tax and Medical Practices
Tax Employment, Workplace Relations & Safety Health & Aged Care
September 11, 2023 Advertising Health Services
Corporate & Commercial Health & Aged Care
August 28, 2023 Guidelines: Telehealth Consultations With Patients
Insurance & Risk Management Health & Aged Care
October 14, 2022 Lessons From Theranos
Corporate & Commercial
October 12, 2022 Vendor Safety Nets
Corporate & Commercial
October 06, 2022 Bind Games
Corporate & Commercial
May 11, 2022 Health Sector: Preparing for the End of State-Imposed COVID-19 Vaccination Mandates
Employment, Workplace Relations & Safety Health & Aged Care
May 02, 2022 Privacy Week - Top Tips
Corporate & Commercial Intellectual Property (IP)
March 30, 2022 Domain Names and Cyber Security
Corporate & Commercial Intellectual Property (IP)
March 29, 2022 Are You a Director Who Still Needs to Get Your Director ID?
Corporate & Commercial
March 25, 2022 SA Labor to Apply Criminal Law to Workplaces Under its Industrial Relations Policy
Employment, Workplace Relations & Safety Agribusiness Defence + 7