Depending on your business’ annual turnover and how it deals with ‘personal information’, your business may be covered by the Privacy Act 1988 (Cth) (“the Act”) and need to also comply with the 13 Australian Privacy Principles.
The Act also covers some specific types of business with turnover below $3 million, including:
- Private sector health service providers (this applies to a broad range of businesses, including hospitals, gyms, and schools).
- Employee associations, as defined in the Fair Work Act 2009.
- Contracted service providers for a Commonwealth contract.
- Businesses that sell or purchase personal information.
- Credit reporting bodies.
- Businesses related to a business that is covered by the Act (such as a subsidiary of a company covered by the Act).
- Other types of business prescribed by regulations.
What are the Penalties for Breaches of the Privacy Law?
The penalties for the misuse of personal information by entities covered by the Act are severe. Infringement notices of up to $63,000 for companies or $12,600 for individuals may be issued.
The maximum penalties for serious or repeated breaches range from $2.1 million up to the greatest of:
- $10 million,
- Three times the value of any benefit obtained through the misuse of information, or
- 10% of a company’s annual domestic turnover.