
New obligations to be brought in for small-business owners

by Josh Needs, 13 minute read

The government has agreed, in principle, that small businesses with an annual turnover of $3 million or less should no longer be exempt from the Privacy Act.

The Albanese government has agreed, in principle, to remove the small business exemption from the Privacy Act.

Currently, small businesses with an annual turnover of $3 million or less do not have to meet the Act’s requirements for the collection, use and storage of personal information.

However, a recent review of the Privacy Act recommended that this be removed to ensure personal information is protected across all business sizes, which was agreed to in principle by the government on Thursday (28 September).


This would bring approximately 95 per cent of actively trading Australian businesses into the scope of the Privacy Act, requiring them to meet compliance obligations.

In its response to the review, the government stated that the exemption should be removed as “the community expects that if they provide their personal information to a small business it will be kept safe and not used in harmful ways”.

This morning (28 September), Attorney-General Mark Dreyfus MP said the government agrees, or agrees in principle, with the majority of the Privacy Act review’s proposals, including:

  • Giving individuals greater control over their privacy by requiring entities to seek informed consent about the handling of personal information.
  • Making entities accountable for handling individuals’ information and enhancing requirements to keep information secure, including destroying data when it is no longer needed.
  • Providing entities with greater clarity on how to protect individuals’ privacy and simplifying their obligations when handling personal information on behalf of another entity.
  • Establishing stronger protections for children, including the introduction of a Children’s Online Privacy Code.

However, despite agreeing in principle, the government has said that the exemption removal “should not occur until further consultation has been undertaken with small businesses and their representatives on the impact that removing the small-business exemption would have.”

While the government agreed that further consultation is needed before the exemption for small businesses is removed, it excluded one group from that delay: small businesses that engage in activities that “pose a significant privacy risk” (such as those that collect biometric information to be used for the purposes of automated biometric verification or biometric identification).

These businesses should “no longer be able to rely on the small business exemption”, according to the government.

Mr Dreyfus commented: “The government will also work with the small-business sector, as well as employer and employee representatives, on enhanced privacy protections for private sector employees and for small businesses.

“These next steps build on legislation passed last year which significantly increased penalties for repeated or serious privacy breaches, and provided the Australian Information Commissioner with greater powers to address privacy breaches.”

He also stated that the Attorney-General’s Department would conduct an impact analysis and work with the community, businesses, media organisations, and government agencies to inform the development of legislation and guidance material in this term of Parliament.

Mr Dreyfus added: “Australians increasingly rely on digital technologies for work, education, healthcare and daily commercial transactions and to connect with loved ones. But when they are asked to hand over their personal data they rightly expect it will be protected.”

What does the exemption removal mean?

Businesses that are covered by the Privacy Act are required to comply with the Australian Privacy Principles (APPs).

There are 13 APPs. They govern standards, rights and obligations regarding the collection, use and disclosure of personal information; an organisation’s or agency’s governance and accountability; the integrity and correction of personal information; and the rights of individuals to access their personal information. They are:

  • Open and transparent management of personal information
  • Anonymity and pseudonymity
  • Collection of solicited personal information
  • Dealing with unsolicited personal information
  • Notification of the collection of personal information
  • Use or disclosure of personal information
  • Direct marketing
  • Cross-border disclosure of personal information
  • Adoption, use or disclosure of government-related identifiers
  • Quality of personal information
  • Security of personal information
  • Access to personal information
  • Correction of personal information.

Speaking to The Adviser following the announcement, Tim Redhead, director at cyber security provider DotSec, said now was the time for small businesses to prepare for the Privacy Act’s obligations being extended to them.

Mr Redhead stated: “The gate is closing, but there’s still time to make plans on your own terms. As the Privacy Act Review Report notes, nearly nine out of 10 respondents would like the government to provide more legislation to help protect their personal information.”

He suggested that small businesses should prepare for the changes by:

  • Understanding the APPs (Australian Privacy Principles) and planning for how their business may comply with them. "Consider things like how and when you collect personal and private information, how and why you store that information and for how long, and how your organisation securely destroys that information when it is no longer required," he said.
  • Considering how the organisation would detect and respond to a notifiable data breach (NDB). "Consider things like how your organisation monitors its computing systems, how it detects and responds to threatening and anomalous events, and the concept of NDBs and NDB reporting," he said.
  • Starting to consider how their business will contend with a legislative shift from the current emphasis, where individuals are primarily responsible for self-managing their privacy, to an emphasis on organisational accountability. "The government will consult with small business interest groups and will probably request submissions before coming up with the final changes to the legislation, but changes are almost certain to occur and those changes are likely to result in an increase in business responsibility and accountability, so now is the time to start understanding fundamentals such as those outlined above," he added.

You can find out more about security obligations and data protections in the October edition of The Adviser magazine.

[Related: Consultation opens on new Digital ID Bill]
