Secure data collection, storage and management is not just for large corporations – it’s essential for all businesses. 

Here’s a summary of key privacy and data security considerations, along with practical actions you can take to protect your business, your employees and your customers’ data.

Your obligations under the Privacy Act

Keeping personal information secure is always important, but only some small businesses are covered by the Privacy Act 1988: in general, businesses with an annual turnover above $3 million, plus some smaller businesses such as health service providers and businesses that buy or sell personal information. If your business is not required to comply, you can still opt in to be covered by the Privacy Act, which shows your customers how seriously you take their privacy.

Depending on your business, industry and structure, you may also need to comply with:

Action to take

Check if your business needs to comply with the Privacy Act. Use the Office of the Australian Information Commissioner (OAIC) Privacy Checklist for Small Business or check with a legal adviser.

Know what information you can and can’t collect

It’s important to only collect personal information that you actually need for your business.

The data you collect could include personal information such as your customers’ and staff members’ names and contact details. Depending on your business, you might also need to collect details that fall under the category of ‘sensitive information’. According to the OAIC, sensitive information is a specific set of details that might relate to ‘an individual’s racial or ethnic origin, religious beliefs or affiliations and sexual orientation or practices. It also includes information about health, genetics and biometrics’.

These details might be necessary for your business, for example if you run a healthcare practice. You can only collect sensitive information with the person’s consent, and only where it is reasonably necessary for your business activities.

Read more data management tips from the OAIC.

How to store and use data safely

Data leaks and privacy breaches can be extremely stressful – so it’s important to do what you can to store your data as securely as possible.

If you collect and store personal information from your customers, you must proactively protect that information from unauthorised access, modification or disclosure. You also need to protect that data against misuse, interference and loss.

Once you no longer need personal information for the purpose for which it was collected under the Privacy Act, and unless you are required by law to keep it, you must take reasonable steps to destroy or de-identify that information.

Learn about storing data securely in the OAIC Guide to securing personal information.

Common data breaches and how to avoid them

  • Don’t use the ‘To’ or ‘CC’ fields when emailing multiple customers, as this exposes every recipient’s email address to all the others and constitutes a type of data breach. Use the ‘BCC’ field instead, or send individual emails.
  • Double check that you’re sending emails and attachments to the correct person, particularly if personal details are in the email or attachment. Sharing someone’s personal information with someone else is another type of data breach.
  • Be careful with email chains. Sometimes you might send a series of emails back and forth with a client, staff member or supplier. If this kind of email contains personal information that is shared, copied or forwarded to someone else, this could be a data breach.

How to protect your data and systems

Keep your devices and software up to date. This is a simple but crucial step in keeping data secure, including information you might store using cloud-based systems.

Where you can, turn on automatic updates for your mobile devices, laptops and desktop computers. You’ll still need to check regularly that the updates are actually being installed, because a device that is rarely switched on, or is low on storage, can silently fall behind.

Follow these tips from the Australian Cyber Security Centre to help keep your systems and devices secure.

Tip: Consider MFA for your business

If your customers or staff need to log in to your website, booking portal or other systems, consider multi-factor authentication (MFA) for your business. More secure than logging in with just a username and password, MFA requires your customers or staff to confirm their identity in more than one way. For example, as part of your login process, your system might send a single-use code to their mobile phone, which they then enter to finish logging in to their account. A code generated by an authenticator app, or a hardware security key, is stronger than a code sent by SMS, which an attacker can intercept by taking over the person’s phone number (SIM swapping). Whichever method you use, each code should work once only, expire after a few minutes, and be discarded after a handful of wrong guesses. Learn more about MFA.
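The following is an added example, not code from the original page: a small server-side verifier for the single-use login codes described above, showing the properties a practitioner expects from such a code (random, hashed at rest, time-limited, single use, capped attempts, constant-time comparison). The delivery channel (SMS, authenticator app) is out of scope, the in-memory dictionary stands in for a database table, and the digit count, lifetime and attempt limit are assumed values chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters for this example (not from the original page).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # a code is only valid for five minutes
MAX_ATTEMPTS = 5            # after this many wrong guesses the code is discarded

# In-memory stand-in for a database table: user_id -> pending code record.
_pending = {}


def _hash_code(user_id, code):
    # Store only a hash bound to the user id, so a leaked table does not hand
    # an attacker a usable code and a hash cannot be replayed for another account.
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


def issue_code(user_id, now=None):
    """Create a single-use code for user_id and return it for delivery.
    Only its hash, expiry and attempt counter are kept server-side."""
    now = time.time() if now is None else now
    # secrets, not random: the code must be unpredictable.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _pending[user_id] = {
        "code_hash": _hash_code(user_id, code),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user_id, submitted, now=None):
    """Return True exactly once for the correct, unexpired code; False otherwise.
    The code is consumed on success and discarded on expiry or after MAX_ATTEMPTS."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry["expires_at"]:
        del _pending[user_id]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        # Too many guesses: a 6-digit space is small enough to brute-force
        # if attempts are unlimited, so throw the code away.
        del _pending[user_id]
        return False
    # Constant-time comparison so response timing does not leak partial matches.
    ok = hmac.compare_digest(entry["code_hash"], _hash_code(user_id, submitted))
    if ok:
        del _pending[user_id]   # single use: the same code cannot log in twice
    return ok


if __name__ == "__main__":
    code = issue_code("alice")
    print("deliver to alice's phone:", code)
    print(verify_code("alice", code))   # True
    print(verify_code("alice", code))   # False, already used
```

In a real deployment the record would live in the same database as the user account, the code would be delivered out of band, and the attempt counter would also feed into rate limiting on the login endpoint itself.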

Emergency planning: In the event of a data breach

Just as you should have an emergency evacuation plan for your business, it’s important to plan ahead for a digital emergency.

Under the Notifiable Data Breaches scheme in Australian privacy law, if you experience a data breach that is likely to result in serious harm to the people whose data is involved, you must notify those customers or staff and the OAIC as soon as practicable.

The faster you act in the event of a cybercrime against your business, the more you can limit the harm to you, your staff and the customers involved.

Tip: Have a digital emergency plan

Learn how to help prevent a data breach then use the OAIC’s Data breach preparation and response guide to help you to prepare your own data breach response plan.

Stay informed

The Australian Cyber Security Centre and the OAIC provide a lot of valuable information and tools to help you manage data and privacy risks in your business.

Learn more about protecting your business online and explore the OAIC’s range of training resources which could help you and your staff members manage your privacy obligations within your business.

More information

Action to take

Download and complete our data collection and privacy self assessment checklist to help you identify potential areas for improvement in your business.