We live in a digital age. Now more than ever, it’s easy for businesses to capture individuals’ personal information in digital form. This collected information can then be stored and accessed quickly, easily and cheaply. Collection of personal information for marketing purposes in Australia is now protected pursuant to the Privacy Act 1988 (Cth).


Personal information is any information about an individual that would lead to that person being identified by the public. This could include the person’s name, their address, employment information (such as tax file or earnings information) and potentially even an email address.


Current privacy legislation in Australia applies to all business organisations that are not termed ‘small businesses’ under the Act.

A ‘small business’ is defined under the Privacy Act 1988 (Cth) as a business with an annual turnover of less than $3 million that does not deal in the collection, use and disclosure of personal information for business purposes.

Therefore, even if a business has an annual turnover of less than $3 million per annum, it will be necessary to have a privacy policy where the business:

  • discloses personal information for a benefit, service or advantage (such as marketing); or
  • provides a benefit, service or advantage to collect personal information.

In cases where a drafted privacy policy is already in place, it’s important to conduct regular reviews to ensure that it is accurate, up-to-date and reflective of the business’s privacy practices.


In order to be deemed compliant, a privacy policy must address each of the Australian Privacy Principles. For example, the policy must address the kind of personal information the business collects and holds and the security measures it has implemented to protect that information.

A privacy policy should be easily accessible to the public (usually available from the front page of a business’s website) and written in plain English.


A well-worded privacy policy conveys to the public that a business engages in good information management practices and is interested in protecting its customers.

A compliant privacy policy also affords the business protection from prosecution by the Office of the Australian Information Commissioner.

Under the Act, an interested party can lodge a complaint against a business with the Office of the Australian Information Commissioner for breaches of the Australian Privacy Principles. The Commissioner can then conduct an investigation into those allegations.

The matter will often then proceed to a compulsory conference and if it is not capable of resolution, the interested party can request a hearing. The Commissioner can make a determination at this hearing requiring the business to remedy a complaint, provide access to information or even pay a fine.

The Privacy Act allows, in the most serious cases, monetary fines of up to $340,000.00 for individuals and up to $1.7 million for corporations for repeated and extremely detrimental privacy practices.

In addition to these fines, it’s also worthwhile considering the possible adverse consequences for customers when their personal information is not adequately secured. Unsecured personal information can lead to identity theft or fraud.

An example of the legislation in action can be found in the case of Ben Grubb v Telstra Corporation Limited [2015] AICmr 35. In this case, Fairfax journalist Ben Grubb requested a copy of all the metadata Telstra had stored regarding his mobile phone service.

In response, Telstra advised Mr Grubb that he could access outbound mobile call details and the length of data usage sessions via online billing. Telstra then stated that it would be unable to provide information regarding locations and details of numbers that had called or sent messages to his mobile due to the current privacy laws.

Mr Grubb subsequently lodged a complaint with the Office of the Australian Information Commissioner.

The Commissioner had to consider whether Mr Grubb’s metadata as held by Telstra constituted ‘personal information’ within the meaning of the Act and if so, whether it had been improperly withheld from him in breach of the National Privacy Principle 6.1 (as it then existed).

The Commissioner held that the information held by Telstra was in fact personal information that had been withheld in breach of the Privacy Principles.

Mr Grubb did not request compensation and therefore the Commissioner declined to make a declaration for compensation.

Telstra was ordered to:

  • within 30 business days after the making of this declaration, provide the complainant with access to his personal information held by Telstra in accordance with his request dated 15 June 2013, save that Telstra is not obliged to provide access to inbound call numbers; and
  • provide the complainant with access to the above information free of charge.

In short, the current privacy principles should be strictly adhered to when dealing with customers’ personal information. The Australian Privacy Principles, if properly utilised, serve to protect both businesses and their greatest asset, their customers.