AU Privacy & Data Protection Program — Small Business

NZ$495.00

Ready-to-implement privacy compliance program for Australian small businesses — aligned to the Privacy Act 1988, all 13 Australian Privacy Principles, and the 2024 reforms.

✅ Built for Australian small business use

✅ Privacy Act 1988 (Cth) — all 13 APPs — aligned

✅ Privacy and Other Legislation Amendment Act 2024 compliant

✅ NDB scheme breach response included

✅ Instant digital download

✅ AUD $395 = NZD $495

01 — WHAT

What is it?

The Privacy & Data Protection Program — AU Small is a ready-to-implement privacy compliance program designed for Australian small businesses. It gives business owners and privacy officers a structured way to collect, store, use, and disclose personal information lawfully — in full compliance with the Privacy Act 1988 (Cth), all 13 Australian Privacy Principles (APPs), and the significant reforms introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth).
It provides the policies, procedures, registers, forms, and training needed to manage personal information responsibly, meet the Notifiable Data Breaches (NDB) scheme obligations, and prepare for upcoming changes including the removal of the small business exemption.
________________________________________

02 — WHO

Who is it for?

• Business owners and managers responsible for privacy compliance in Australia
• Australian small businesses (1–15 staff) collecting personal information from customers or staff
• Businesses using AI tools, cloud platforms, or overseas third-party services
• Companies rolling out new systems that will store or process personal information
• Any Australian business that wants to manage personal information lawfully — now and when the small business exemption is removed
________________________________________

03 — WHY

Why does it matter?

Australian privacy law has undergone its most significant transformation since 1988. The Privacy and Other Legislation Amendment Act 2024 (Cth), in force since December 2024, introduced substantially higher penalties, new OAIC enforcement powers, and a statutory tort, in force since 10 June 2025, that allows individuals to sue your business directly in court for serious invasions of privacy. Even if your business is currently below the $3 million turnover threshold, the small business exemption is being removed in the next tranche of reforms.

Relevant legislation includes:
• Privacy Act 1988 (Cth) — 13 Australian Privacy Principles (APPs 1–13)
• Privacy and Other Legislation Amendment Act 2024 (Cth) — in force 11 December 2024
• Notifiable Data Breaches scheme (Part IIIC Privacy Act 1988) — 30-day assessment window
• Racial Discrimination Act 1975 (Cth)
• Sex Discrimination Act 1984 (Cth)
• Disability Discrimination Act 1992 (Cth)
• Age Discrimination Act 2004 (Cth)

Without a privacy program, businesses risk:
• OAIC investigation and infringement notices of up to AU$66,000 per contravention
• Civil penalty proceedings for serious or repeated breaches — up to AU$50 million for companies
• Direct court proceedings from individuals under the statutory tort (in force June 2025)
• NDB scheme penalties for failing to assess and notify eligible data breaches within 30 days
• Reputational damage from publicly named OAIC compliance actions
________________________________________

04 — WHEN

When do you need it?

• Before collecting personal information from customers or staff in any new system or process
• When adopting AI tools, cloud platforms, or third-party services that process data on overseas servers
• When a data breach occurs and you need a documented NDB scheme response process
• Before the 10 December 2026 automated decision-making disclosure deadline (APP 1.4)
• Before the small business exemption is removed — expected 2026–2027
• Whenever you want to demonstrate to customers, regulators, and partners that data is managed lawfully
________________________________________

05 — WHERE

Where does it apply?

• Customer data collection — forms, websites, phone intake, and in-person collection
• Staff and contractor records management
• AI tools and cloud platforms — including those with overseas servers (APP 8)
• Third-party service providers who receive or process personal information
• Direct marketing and customer communications (APP 7)
• Notifiable data breach identification, assessment, and OAIC notification
• Individual APP 12 access and APP 13 correction requests
________________________________________

06 — HOW

How does it work?

• Appoint a Privacy Officer and document the appointment
• Map every category of personal information the business collects — including the APP 3 basis and any sensitive information requiring consent
• Customise and approve the Privacy & Data Protection Policy
• Confirm APP 5-compliant collection notices are in place at every collection point
• Assess all third-party relationships for APP 6 and APP 8 compliance — including cloud platforms and AI tools
• Train all staff before they manage personal information
• Establish NDB scheme breach response procedures — including the 30-day assessment and OAIC notification process
• Review annually and update for OAIC guidance and legislative changes
________________________________________

07 — INCLUDED

What is included?

  • 1.0 Product Document Index
  • 1.1 Welcome Pack
  • 1.2 Quick Start Guide
  • 1.3 30-Day Implementation Roadmap
  • 1.4 Programme Navigation Guide
  • 2.1 Executive Summary
  • 3.1 Privacy & Data Protection Policy
  • 3.2 Privacy Acceptable Use Policy
  • 3.3 Privacy Data Handling Procedure
  • 3.4 Privacy Risk Management Policy
  • 3.5 Privacy Breach Response Policy
  • 3.6 Privacy Document Review & Update Policy
  • 4.1 Privacy Breach Response Procedure
  • 4.2 Third-Party Data Sharing Procedure
  • 5.1 Privacy Impact Assessment Template
  • 5.2 Staff Privacy Acknowledgement Form
  • 5.3 Individual Access Request Form
  • 6.1 Privacy Register
  • 6.2 Privacy Breach Register
  • 6.3 Privacy Action Plan Register
  • 6.4 Training Register
  • 6.5 Version Control Register
  • 6.6 Legislative Update Log
  • 7.1 Privacy Monthly Review Checklist
  • 7.2 Third-Party Assessment Checklist
  • 7.3 Annual Privacy Review Guide
  • 8.1 Staff Privacy Training Guide
  • 8.2 Manager Privacy Briefing Guide