Australia
A small business with less than $3 million turnover mishandled my data. Does the Privacy Act still apply?
Not automatically. A business whose annual turnover is $3 million or less is usually a 'small business operator' and is exempt from the Privacy Act. The exemption is lost only in specific situations, for example if the business provides a health service, trades in personal information, holds tax file numbers, or is part of a larger corporate group. Whether the Act applies to your case turns on which of those situations fits, not simply on the fact that the business handled your data while serving you.
What the Law Says
The Privacy Act 1988 (Cth) applies to Australian Government agencies and to 'organisations'. Under section 6C(1), the definition of 'organisation' excludes a 'small business operator', so a business with an annual turnover of $3 million or less (section 6D(1)) is generally not bound by the Australian Privacy Principles. The test is turnover, not whether the business handles personal information: almost every business collects customers' names, contact details and payment information in the course of providing goods or services, and that alone does not bring it within the Act.
Section 6D(4) then lists entities that are not small business operators, and so are covered, regardless of turnover. A business is covered if it:
provides a health service and holds health information (other than in an employee record);
discloses personal information about an individual to someone else for a benefit, service or advantage, or provides a benefit, service or advantage in order to collect personal information (in other words, trades in personal information), unless the individual consented or the disclosure or collection is required or authorised by law;
is a contracted service provider for a Commonwealth contract; or
is a credit reporting body.
A small business related to a larger body corporate that is covered by the Act is also covered, as is a small business that chooses to opt in under section 6E. Separately, any entity that holds tax file numbers is bound by the Privacy (Tax File Number) Rule regardless of its size.
Statutory Text
A business is a small business at a time (the test time) in a financial year (the current year) if its annual turnover for the previous financial year is $3,000,000 or less.
— Privacy Act 1988 (Cth), s. 6D(1) — What is a small business?
Statutory Text
However, a small business operator does not include an individual, body corporate, partnership, unincorporated association or trust that: ... (b) provides a health service to another individual and holds any health information except in an employee record; or (c) discloses personal information about another individual to anyone else for a benefit, service or advantage; or (d) provides a benefit, service or advantage to collect personal information about another individual from anyone else; or (e) is a contracted service provider for a Commonwealth contract ...; or (f) is a credit reporting body.
— Privacy Act 1988 (Cth), s. 6D(4) — Exceptions to the small business exemption
What to Do
Check whether the business falls within one of the exceptions above: does it provide a health service, sell or buy personal information, hold a Commonwealth contract, act as a credit reporting body, hold tax file numbers, or belong to a larger corporate group? Its privacy policy, if it has one, may also state that it has opted in to the Act. If none of these applies, the Australian Privacy Principles probably do not bind it.
If the Act does apply, review the 13 Australian Privacy Principles (APPs) — especially APP 1 (open and transparent management of personal information), APP 5 (notification of collection), and APP 11 (security of personal information).
If a breach occurred and the business is covered, it must assess whether the incident is an 'eligible data breach' under Part IIIC (the Notifiable Data Breaches scheme): unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to you and that remedial action has not prevented. If it is, the business must notify you and the OAIC.
You can make a privacy complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. Complain to the business in writing first; the OAIC generally expects you to have done so and may decline to investigate if you have not.
Keep records of what personal information was handled, how it was mishandled, and any communications with the business.
Sources
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.