
Does the Privacy Act Apply to My Tutoring Business? (2026 Guide)

Most tutoring businesses are currently exempt from the Privacy Act 1988 — but that's changing. Here's what the $3M turnover threshold means for tutors, and what you need to do now.

The Short Answer

Most tutoring businesses are currently exempt from the Privacy Act 1988. The small business exemption applies to businesses with annual turnover under $3 million — and most tutors, coaching services, and tutoring centres are well under that threshold.

But this is changing. The Tranche 2 privacy reforms, expected in 2026-2027, will remove the small business exemption entirely. And there are important carve-outs that catch some tutoring businesses by surprise right now.

This guide answers the question definitively and tells you what to do.




The $3M Threshold

Under the Privacy Act 1988, businesses with annual turnover of $3 million or less are generally exempt. You're not legally required to have a privacy policy, follow the 13 Australian Privacy Principles, or notify the OAIC of data breaches.

"Annual turnover" means gross income — not profit. A sole trader earning $80,000 per year, or even a tutoring centre with several staff doing $800K revenue, is well under the threshold.

You're currently exempt if:

  • Your annual turnover is $3 million or less
  • You don't fall into one of the carve-outs below
  • You're not part of a larger company that must comply

The Carve-Outs — When the Exemption Doesn't Apply

Some tutoring businesses are already covered by the Privacy Act regardless of their turnover. These catch people off guard.

1. Health Services — The Most Common Surprise

If your tutoring or coaching business provides health services, you're covered regardless of turnover. "Health services" is broader than most people expect — it includes:

  • Disability support — NDIS-related tutoring or support work
  • Therapeutic services — counselling, psychology, occupational therapy
  • Allied health — speech pathology, educational psychology assessments

If you provide tutoring as part of an NDIS plan, or work alongside health professionals, you may already be covered. The OAIC takes a broad view of this.

2. Commonwealth Government Contracts

If you have a contract with a Commonwealth government entity to provide tutoring or education services — federal agencies, Commonwealth-funded programs, federal universities — you're covered for information handled under that contract.

3. Related to a Larger Business

If your tutoring business is a subsidiary or franchise of a larger education group with turnover over $3 million, you may already be covered even if your own turnover is under the threshold.


What Personal Information You're Collecting

Even if you're currently exempt, understanding what you collect matters — because this is exactly what you'll need to manage when the exemption is removed.

Tutoring businesses typically collect:

  • Student details — names, ages, year levels, school
  • Parent/guardian contact details
  • Payment information
  • Academic records — assessments, progress reports, learning goals
  • Health and disability information — learning difficulties, ADHD diagnoses, support needs

The important one: Health and disability information is sensitive information under the Privacy Act, which attracts higher levels of protection. Most tutors collect this — and when the exemption is removed, you'll need to be especially careful about how you handle it.


What's Changing — Tranche 2 Reforms (2026-2027)

The Tranche 2 privacy reforms are expected to be legislated in 2026-2027. The key change for tutoring businesses is the removal of the small business exemption.

When this happens, every tutoring business regardless of turnover will need to:

  • Have a privacy policy covering all 13 Australian Privacy Principles
  • Follow the Notifiable Data Breaches scheme
  • Handle access and correction requests from students and parents
  • Face the same penalties as large corporations — up to $50 million for serious breaches

A transition period is expected — likely 12-24 months from when legislation passes, meaning the compliance deadline could be as early as 2028.

Two things that have already changed — regardless of your exemption status:

  • December 2024: Penalties for Privacy Act breaches increased to up to $50 million. OAIC now has on-the-spot fine powers.
  • June 2025: A new statutory tort allows individuals to sue directly for serious privacy invasions without proving financial damage. This civil litigation risk exists outside the Privacy Act framework.

What to Do Now

Step 1 — Check the carve-outs

Work through the carve-outs above. If you provide NDIS services, disability support, or any health-related tutoring, you may already be subject to the Privacy Act — meaning you need a compliant privacy policy now, not when Tranche 2 passes.

Step 2 — Get a privacy policy

Even if you're currently exempt, having a privacy policy builds trust with parents and means you're ahead of the game when Tranche 2 passes. The cost is the same whether you get it now or under deadline pressure in 2027.

The policy needs to cover Australian law specifically — all 13 APPs and the NDB scheme. A US-generated template won't cover these requirements.

Step 3 — Implement basic data security

  • Store student records securely (password-protected devices, secure cloud storage)
  • Don't share student information in group emails or unsecured messages
  • Use strong passwords on all accounts holding student data
  • Dispose of physical records securely when no longer needed

Frequently Asked Questions

I'm a sole trader tutor earning $60,000 a year. Do I need a privacy policy right now?

If you don't fall into any of the carve-outs, you're currently exempt. But you'll need one when Tranche 2 passes — and getting one now costs the same as getting one under deadline pressure later.

I tutor students with learning disabilities. Does that affect my obligations?

Potentially. If your services cross into therapeutic or health services territory — NDIS support, working alongside health professionals — you may already be covered. If you're purely providing academic tuition, you're likely still exempt. If you're unsure, get legal advice specific to your situation.

I already have a privacy policy. Is it good enough?

Check whether it mentions the Privacy Act 1988, all 13 Australian Privacy Principles, and the Notifiable Data Breaches scheme. If it doesn't — or if it was generated by a US-based tool — it almost certainly doesn't meet Australian requirements.


Summary

Most tutoring businesses are currently exempt from the Privacy Act 1988 — but Tranche 2 reforms expected in 2026-2027 will change that. Check the carve-outs, understand what personal information you hold, and get a compliant privacy policy in place before the deadline hits.


Last updated: April 26, 2026

This guide provides general information about Australian privacy law as it applies to tutoring businesses. It is not legal advice. For specific advice about your situation — particularly if you provide disability support, NDIS services, or health-related tutoring — consult a qualified privacy lawyer or contact the OAIC on 1300 363 992.

Ready to Get Compliant?

ComplianceKit generates privacy policies built for Australian law — covering all 13 APPs, the NDB scheme, and sensitive information handling relevant to education businesses.

