Potential privacy reforms may significantly shift how Australian small businesses handle and manage personal information
Following a comprehensive review in September 2023, the Australian Government announced its commitment to Australian Privacy Act reforms that may dramatically change the legal obligations imposed on small businesses. Find out what to expect and how to prepare.
Why was it necessary to review the Privacy Act?
The Privacy Act has regulated the collection and handling of personal information since major reforms came into force in 2000. These reforms mainly applied to large private sector organisations. Later, the reforms of 2014 created the Australian Privacy Principles (APPs).
But despite these changes, the Privacy Act hasn’t kept pace with other social and technological developments. For example, vast amounts of personal information are collected, analysed, aggregated, shared and traded in the digital economy. New technologies pose threats to data protection. Hacks and scams are common. And recent high-profile data breaches are reminders of the need for robust legislation to provide adequate protection.
In 2020, the Federal Government initiated a review of the Privacy Act. After more than two years of consultation and consideration of the issues, the findings were published in early 2023. It recommended significant reforms.
Then, in late September 2023, the Government published its response. It agreed, or agreed in principle, to most of the 116 proposed reforms. The Government considered the issues in the context of five focus areas:
- Updating the Privacy Act for the digital age.
- Improving protections such as information security, cyber safety and data destruction.
- Improving clarity and simplicity for protecting and handling personal information.
- Improving control and transparency with better notice and consent practices.
- Improving enforcement powers.
Some of the proposed reforms will specifically affect Australian small businesses.
Removing the Small Business Exemption
The Privacy Act defines small businesses as having an annual turnover of $3 million or less. Because small businesses have never been subject to the Act’s personal information requirements, they fall under an exemption known as the small business exemption.
In 2000, the exemption was implemented as part of the private sector reforms because, at the time:
- Small businesses weren’t considered a risk to privacy, and
- The costs of complying with the new laws were considered an unreasonable burden for most small businesses.
However, community expectations have changed due to technological developments, high-profile data breaches and increased scamming activity. There was a clear need to modernise the Privacy Act.
The Government has agreed in principle to remove the exemption. Potentially, small businesses will be subject to the same personal information requirements as larger organisations. The Government hasn’t fully committed to this reform because it wishes to consult with the small business sector. It will also consider whether any privacy obligations should be modified and what support will be needed to help small businesses make the change, for example:
- tailored guidance
- e-learning modules
- resources and tools
- a transition period.
Activities that pose a greater privacy risk
The Government has also acknowledged that the activities of some small businesses pose a greater risk to personal privacy, for example:
- use of facial recognition technology
- collection of other biometric information
- trading in personal information.
It has agreed in principle that such businesses should be prevented from relying on the small business exemption in the shorter term. However, the Government hasn’t defined shorter term. Nor does it identify how the in principle agreement would become a firm commitment (for example, through consultation with the small business community). However, the language may indicate that the Government will prioritise this change, even without stakeholder consultation.
What do the Australian Privacy Act reforms mean for my small business?
Removing the exemption will create new legal obligations for small businesses.
As a small business operator, you’ll be required to comply with the APPs, which:
are the cornerstone of the privacy protection framework in the Privacy Act. … They apply to any organisation or agency the Privacy Act covers.
The APPs cover various areas, including:
- Notifying customers or clients about the collection of their personal information.
- Getting consent for collecting sensitive information.
- Restricting use and disclosure of personal information.
- Ensuring appropriate storage and security of personal information.
- Allowing customers or clients to access and correct their information.
Since 2018, the European General Data Protection Regulations (GDPR) have been in force. Many Australian small businesses with international markets have already implemented privacy and data protection measures to comply with the GDPR. So, the prospect of Australian Privacy Act reforms may not be a significant concern for these businesses.
However, other small businesses are yet to adopt privacy measures, so the Government’s planned consultation and transition period may be critical for many, especially micro businesses.
What should I know about the definition of personal information?
The Privacy Act’s current definition of personal information is:
… information or an opinion about an identified individual, or an individual who is reasonably identifiable…
The central theme is identification. However, modern technologies can use technical and digital metadata to recognise an individual without needing direct identifying information such as the person’s name. It means the personal information definition needs to change to cover these developments.
Accordingly, the Government has agreed in principle to expand the personal information definition to include technical data such as:
- IP addresses
- location data
- device identifiers.
This amendment would align Australia’s privacy laws with the GDPR and other international standards.
What should I do to prepare my business?
Assessing your business’s data collection activities is a good idea, even though we don’t know whether the proposed reforms will become law. The more you can understand these activities, the easier it will be to comply (if the time comes).
For example, your data collection activities may include:
- Using cookies to track website browsing.
- Using mobile apps to collect location data.
- Using your website contact form to collect personal details such as name, phone number and date of birth.
- Using surveys and social media posts to collect information about gender, interests and hobbies.
- Collecting information from vulnerable people.
We recommend you consider every aspect of your business, from hard copy collection to your website and social media activities. And consider the lifecycle of the information in your business. In particular:
Review data handling practices
Audit how your business collects, stores, uses, discloses and destroys personal information. Identify any gaps between current practices and the proposed changes.
Update privacy policies
Check your privacy policies and decide whether you’ll need to make changes if the proposed Australian Privacy Act reforms become law.
Consider whether you need to refresh customer or client consents for collecting and handling their personal information.
Restrict data access
Consider limiting employee access to personal information on a need-to-know basis.
Secure your systems
Consider whether you have adequate cybersecurity protections for any personal data systems. Protections may include encryption, multi-factor authentication or perimeter defences.
Destroy unnecessary data
Delete any personal information that’s no longer required.
Consider the impact and risks
Assess the privacy impacts and risks before launching new products or services.
Train your staff
Educate your staff about the potential new privacy laws and that protecting customer or client data is critical to your business.
If the laws come into effect, monitor compliance, respond to complaints and fix any privacy risks.
If you’re unsure about any of these activities, note your concerns so you can discuss them with your lawyer if you later seek advice.
What happens next?
Because the Government has only agreed in principle to the proposed reforms, there is not yet a firm commitment. It plans to consult with affected sectors, including the small business sector.
Depending on the feedback and progress of the consultations, the Government may introduce a bill to amend the Privacy Act, which will then go through the parliamentary process. It has indicated its commitment to progress these reforms in 2024, but the likelihood is that it will be at least 2025 before any reforms become law.
This lead time provides an excellent opportunity to consider your business’s privacy practices, identify issues, and implement changes. Even if the proposed reforms never become law, plenty of goodwill will be gained (and retained) in improving and strengthening your data protection practices to benefit your customers or clients.