Small business exemption from the Privacy Act will end

Person not wishing to be identified.

Use this guide to understand how privacy law reforms will affect your small business

We’re hearing a lot more about incidents of cyber attacks and there’s a good chance your small business will suffer a privacy breach in the future. Why? Social and technological developments are posing threats to data protection and major data breaches are exposing millions of Australians to identity fraud and scams. And cyber attackers are focusing their attention on smaller firms as easier targets. In 2021‑22, small businesses suffered an average cost of $39,000 per cybercrime report.[1]

People are becoming increasingly concerned about the handling of their personal information. A 2023 survey conducted by the Office of the Australian Information Commissioner (OAIC) found:

  • Three in five Australians see the protection of their personal information as a major concern in their life;
  • 84% want more control and choice over the collection and use of their personal information;
  • 89% would like the Government to provide more legislation in this area.

And so the Government Response to the Privacy Act Review Report confirms that major reforms to the Privacy Act 1988 (Cth) (Privacy Act) are coming in 2024.

Small business compliance with the Privacy Act

Currently, the majority of small businesses with an annual turnover of $3M or less are not required to comply with the Privacy Act[2]. That will change.

The Government has agreed in principle to bring small businesses within the scope of the Privacy Act, which means that approximately 95% of actively trading small businesses in Australia will be required to comply with the Privacy Act.

The 13 Australian Privacy Principles (APPs) under the Privacy Act largely regulate:

  • the collection, use and disclosure of personal information;
  • an organisation’s governance and accountability;
  • integrity and correction of personal information;
  • the rights of individuals to access their personal information.

Government will consult with small businesses on the impact of Privacy Act compliance. Some obligations may need to be modified to ease the regulatory burden for small businesses.

But be warned. Start now, because your business will need to get ready for these changes and it will take some time and effort.

If you want to get ready for Privacy Act compliance, conduct an audit. Ask yourself:

  • What personal information does our business hold?
  • Where and how is it stored?
  • Is it secure?
  • Who has access to that information and what are the associated risks?
  • Do our employees or subcontractors have access to customers’ personal information? Are they aware of their obligations regarding the protection of that personal information? How will that be managed?

Then establish and maintain a register. It will give you clarity on what steps to take to mitigate the risk of personal information security breaches.

And it's very important to nominate a senior person within your business to take responsibility for privacy.

First cab off the rank - small businesses conducting high privacy risk activities

If your small business conducts activities with high privacy risks, for example your business:

  • collects and uses biometric data for automated verification or identification such as facial recognition technology;
  • actively trades in personal information (for example, buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for commercial gain);

you will need to comply with the Privacy Act sooner than other smaller firms.

Other high privacy risk activities include the collection, use or disclosure of sensitive information or children’s personal information on a large scale, in which case, you may also be required to comply sooner than other firms.

You will be required to conduct a privacy impact assessment (PIA) and publish it on a register. A PIA examines your current systems and the kinds of personal information they hold, analyses the impact your project or activity might have on the privacy of individuals, and sets out the actions required to manage, minimise or eliminate the risk of a privacy breach. Check out the OAIC guide on how to conduct a PIA.

Your privacy collection notice will need to specify if personal information is collected, used or disclosed for high privacy risk activities.

Collection, storage and security of personal information

The Privacy Act already requires that businesses collect only what is reasonably necessary and destroy information when it is no longer required. However, it's often the case that businesses hold personal information for longer than is necessary. These ‘honey pots’ of valuable data make the entity’s information systems a more attractive target, and a greater number of individuals will be impacted in the event of a data breach.

To reduce the risk of a data breach, your business will be required to prescribe minimum and maximum retention periods for the storage of personal information. You will need to conduct periodic reviews of these retention periods. Your privacy policy will be required to specify these retention periods.

When determining retention periods, you will need to take into account the type, sensitivity and purpose of the information being retained, and understand your business needs and your obligations under other legal frameworks (for example, record-keeping rules that require some documents to be kept for a minimum period).
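The register described in the audit section above and the minimum/maximum retention periods described here are easiest to keep honest with a periodic, automated review. The following is an added example, not code from the article or from the OAIC: it holds a small personal-information register (one rule per category, with the purpose, sensitivity flag and retention window), checks the register itself for inconsistencies, and classifies each held record as overdue for destruction, still inside a mandatory minimum period, or retainable. The category names, period lengths and sample records are constructed assumptions for illustration, not legal guidance.

```python
"""Retention review over a personal-information register.

Added example (not from the article): the register and records are
constructed sample data; the category names and period lengths are
assumptions, not legal guidance.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    """One row of the register: what is held, why, and for how long."""
    category: str
    sensitive: bool          # e.g. health or biometric data: stricter handling
    purpose: str
    min_days: int            # must be kept at least this long (other legal duty)
    max_days: int            # must be destroyed or de-identified after this


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected: date


def validate_register(rules):
    """Return a list of problems with the register itself (empty if clean)."""
    problems = []
    seen = set()
    for r in rules:
        if r.category in seen:
            problems.append(f"{r.category}: duplicate rule")
        seen.add(r.category)
        if r.min_days < 0 or r.max_days <= 0:
            problems.append(f"{r.category}: periods must be positive")
        if r.max_days < r.min_days:
            problems.append(f"{r.category}: max {r.max_days}d < min {r.min_days}d")
    return problems


def review_retention(rules, records, today):
    """Classify every record against the rule for its category.

    Returns a dict with four lists of record ids:
      overdue       past max retention: destroy or de-identify now
      protected     still inside min retention: must not be deleted yet
      retainable    between min and max: keep only while still needed
      unregistered  category missing from the register: a gap in the audit
    """
    by_category = {r.category: r for r in rules}
    result = {"overdue": [], "protected": [], "retainable": [], "unregistered": []}
    for rec in records:
        rule = by_category.get(rec.category)
        if rule is None:
            result["unregistered"].append(rec.record_id)
            continue
        age = (today - rec.collected).days
        if age > rule.max_days:
            result["overdue"].append(rec.record_id)
        elif age < rule.min_days:
            result["protected"].append(rec.record_id)
        else:
            result["retainable"].append(rec.record_id)
    return result


# Constructed sample register and records (assumed values, not advice).
SAMPLE_RULES = [
    RetentionRule("customer_contact", False, "order fulfilment", 0, 730),
    RetentionRule("tax_invoice", False, "record keeping", 1825, 2555),
    RetentionRule("health_note", True, "service delivery", 0, 365),
]

TODAY = date(2024, 6, 30)
SAMPLE_RECORDS = [
    Record("c-1", "customer_contact", TODAY - timedelta(days=100)),   # retainable
    Record("c-2", "customer_contact", TODAY - timedelta(days=800)),   # overdue
    Record("t-1", "tax_invoice", TODAY - timedelta(days=400)),        # protected
    Record("h-1", "health_note", TODAY - timedelta(days=400)),        # overdue
    Record("x-1", "mailing_list", TODAY - timedelta(days=10)),        # unregistered
]


def run_sample():
    """Run the review on the constructed data and return the findings."""
    assert not validate_register(SAMPLE_RULES), "fix the register first"
    return review_retention(SAMPLE_RULES, SAMPLE_RECORDS, TODAY)


if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket:12s} {', '.join(ids) or '-'}")
```

The "unregistered" bucket is the one to watch: a record whose category is not in the register means the audit missed a data store, so no retention period applies to it at all. Running this on a schedule, and treating a non-empty "overdue" or "unregistered" list as a ticket for the person nominated as responsible for privacy, is one way to turn the register into the periodic review the reforms call for.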

Additional rights of individuals in relation to personal information

The Australian Government proposes to introduce new rights into the Privacy Act. An individual will be able to:

  • request an explanation of what personal information is held and what is being done with it;
  • challenge the information-handling practices of a business and require the business to justify how its information handling practices comply with the Privacy Act;
  • require a business to delete, or de-identify, personal information (the right to be forgotten);
  • request correction of online publications over which a business has control, and
  • require search engines to de-index certain online search results.

These rights will be subject to a public interest or legal exception, or where it may be technically impossible or unreasonable to comply with such a request.

Automated decisions using personal information

The Government agreed to more transparency for automated decisions that use personal information and have a legal or similarly significant effect on individuals.

Your privacy policy will need to set out the types of personal information collected and how it will be used in substantially automated decisions which affect an individual’s rights.

Examples include:

  • A person makes an online application for a loan and the business website uses pre-programmed algorithms and automated credit searching to provide an immediate yes/no decision.
  • A person applies for a job. The online application includes an online aptitude or personality test with the recruiting business using pre-programmed algorithms and criteria to make an immediate yes/no decision on whether the person gets an interview.

Individuals will be able to request meaningful information about how substantially automated decisions are made.

Customer personal information processed by an overseas entity

Many small businesses use overseas entities, for example PayPal, Stripe, eWay to process customer payments. There is a concern about how these overseas entities handle this personal information.

The Government agreed in principle with the recommendation of Privacy Act Review Report:

Pending removal of the small business exemption, an [overseas] entity that processes information on behalf of a [small business] controller would be brought into the scope of the Act in relation to its handling of personal information for the [small business] controller.

Let me give you an example. If your small business (the controller) is using an online payment platform, for example, Stripe (the processor) to process your customers’ personal data in the United States of America, Stripe will be brought within the scope of the Privacy Act.

The Government has agreed to introduce a mechanism for prescribing overseas countries’ laws and binding schemes that provide protection substantially similar to the APPs. The OAIC will also develop standard contractual clauses for inclusion in any contract with an overseas party under which personal information is transferred overseas.

Privacy Policy and Collection Notice

Feedback from the Privacy Act review noted privacy policies and collection notices are often “complex, lengthy, legalistic and vague.”

As a result, the law reforms will place greater emphasis on privacy policies and collection notices being up to date, easy to understand and easily accessible.

Currently under the Privacy Act:

  • APP1 mandates open and transparent management of personal information by way of a privacy policy. The privacy policy must be available in an appropriate form (usually on the website);
  • APP5 requires businesses to take reasonable steps to notify the individual about certain matters (i.e. a privacy collection notice).

The privacy collection notice must already tell individuals about the circumstances and purpose of collection and any disclosures you might make, including disclosures to overseas recipients (see APP5 for more information). In addition, your small business privacy policy and collection notice will also need to:

  • identify the types and use of personal information in substantially automated decisions which have a legal or similarly significant effect on an individual’s rights;
  • specify personal information minimum and maximum retention periods;
  • if your business collects, uses or discloses personal information for a high privacy risk activity, the circumstances of that collection, use and/or disclosure;
  • include details about an individual’s rights and how to obtain further information on their rights including how to exercise them;
  • identify the types of personal information that may be disclosed to overseas recipients.

Key takeaways

In 2024, small businesses will be brought within the scope and application of the Privacy Act, so start getting ready now.

Privacy Act reforms:

  • mandatory for businesses engaging in high privacy risk activities to conduct a PIA and publish that PIA on a register;
  • minimum and maximum retention periods for personal information;
  • additional rights for individuals so they get a better understanding of how their personal information is held and what is being done with it (including the right to be forgotten);
  • Privacy policy and collection notice must be up to date, easy to understand and easily accessible. It must include additional information:
    • retention periods;
    • identify personal information that will be used in automated decisions;
    • identify personal information to be collected, used and/or disclosed to a third party for high privacy risk activities;
    • inform individuals about their rights and how they can be exercised; and
    • identify the types of personal information disclosed to any overseas recipients.

[1] Australian Cyber Security Centre, Annual Cyber Threat Report July 2021 to June 2022 (Report, November 2022) 24. Note this figure is not limited to cyber incidents where personal information is exposed.

[2] Regardless of turnover, some small businesses must still comply with the Privacy Act. They include a business that holds health information, provides a health service, trades in personal information, a contractor that provides services under a Commonwealth contract, an operator of a residential tenancy database, a credit reporting body. For a full list of small businesses that must comply with the Privacy Act, see the OAIC small business guide.

DISCLAIMER: This article is general information only. It is not legal advice. You must seek independent legal advice for your particular circumstances.