Small businesses should no longer be exempt from the Privacy Act, says the federal government, which has used its response to a major report from Attorney-General Mark Dreyfus to advocate for tighter regulation around the use of data and personal information.
Months after the Attorney-General's department called to end the small business exemption and recommended a suite of reforms to the cornerstone privacy legislation, the federal government has agreed to 38 of 116 potential areas of reform.
Its response to the report, released Thursday, could have major implications for the 2.3 million small businesses currently exempt from the Act.
Here is what your business needs to know about the proposed changes.
1. The small business exemption will end
Small businesses with annual turnover of $3 million or less are currently exempt from the Privacy Act, and many of the penalties levelled against bigger businesses when they mishandle sensitive data.
That is set to change.
The government believes small businesses are now capable of handling sensitive data at a scale previously achieved by bigger businesses.
This means even the smallest enterprises are capable of harming customers, clients, and employees by misusing or exposing their personal information.
"At the time the Privacy Act was extended to the private sector, it was considered that most small businesses posed a low risk to privacy and that compliance costs would disproportionately and unreasonably burden small businesses," the government said in its response.
"However, feedback provided to the review is very clear – the community expects that if they provide their personal information to a small business it will be kept safe and not used in harmful ways."
2. Small businesses will be given time and guidance to adjust
The government says it won't throw small businesses into new Privacy Act compliance measures without giving them time and support to adjust.
"The government agrees in-principle that the small business exemption should be removed in light of the privacy risks applicable in the digital environment," the report says.
"However, this should not occur until further consultation has been undertaken with small businesses and their representatives on the impact that removing the small business exemption would have."
That consultation will examine the gaps between small businesses' current practices and Privacy Act compliance, and kick-start the creation of educational materials designed to get all businesses on the same page.
"The removal of the small business exemption should also be subject to an appropriate transition period to ensure small businesses are in a position to comply with new obligations," the report adds.
3. High-risk small businesses will need to fast-track their compliance
However, not every small business faces the same data risk profile.
Recognising that early-stage startups may already collect vast troves of user data, the government says some small businesses will face coverage under the Privacy Act sooner than others.
This includes small businesses and startups that collect and use biometric data, like those involved with facial recognition technology.
Businesses that actively trade in personal information should also face Privacy Act coverage sooner than "low risk" enterprises, says the government.
The Tech Council of Australia, a peak industry body, has welcomed the government's report – but argues businesses facing those compliance rules for the first time also deserve help to adjust.
"Good data practice is vital from both a privacy and cybersecurity perspective," the organisation said.
However, those reforms, including those affecting "high-risk" enterprises, must be "designed in consultation with small businesses and should include support measures for them".
4. New rules to cover employee data
The changes don't just mean small businesses will be exposed to the Privacy Act – the legislation itself is likely to face significant reform.
One key change for small businesses exposed to the Privacy Act will be new rules around current and former employee data, which is currently excluded from the rulebook.
"The original rationale for this exemption was that employee privacy was better regulated through workplace relations laws," the report says.
"The government agrees in-principle that further consultation should be undertaken with employer and employee representatives on how enhanced privacy protections for private sector employees may be implemented in legislation."
That change should take note of how privacy rules overlap with existing workplace relations laws, the report adds.
Like the other moves exposing small businesses to major changes, that tweak will come after consultation with employers.
5. In-house data security leaders
Organisational accountability is a key element of the government's report.
One significant recommendation is that businesses should nominate a senior employee as "having specific responsibility for privacy within the organisation".
While medium and large businesses with a dedicated technical team may already have de facto data safety officers in place, the requirement could see small business operators take on another responsibility.
6. Establishing data retention periods to avoid a "honey pot" situation
Collecting and using data are both major concerns, but so too is the long-term storage of that information, even after it is no longer needed by a business.
Hoarding data can result in what the report calls a "honey pot" scenario, where bad actors target major stores of pent-up information.
To reduce those risks, the government is considering rules that would force businesses to set minimum and maximum data retention periods.
Those rules should be expressed to users and customers in accessible privacy policies.
The government also agrees the Office of the Australian Information Commissioner should provide additional guidance around how to safely and effectively destroy or de-identify sensitive information.
7. Strengthening "informed consent"
The government response makes it clear that set-and-forget consent notices must be improved, in order to give users a clearer understanding of how their data is actually being used.
"An over-reliance on consent can place an unrealistic burden on individuals to understand the risks of information-handling practices and may not result in improved privacy outcomes," the report notes.
To avoid a kind of consent "burnout", the government says consent notices should be reserved for "high privacy risk situations".
8. Reforming privacy notices
That doesn't mean privacy notices, which provide an up-front outline of how a user's data will be handled, shouldn't face extra reinforcement.
As it stands, "complex, lengthy, legalistic and vague" privacy notices leave users unable to understand exactly what they're signing up for, says the government.
Privacy notices should be "clear, up-to-date, concise and understandable", the report says.
To help small businesses that might struggle to compile a usable privacy notice on their own, the government also recommends that standardised templates be developed, which could then be tailored to an organisation's needs.
9. Accelerated reporting requirements
Businesses should quickly and clearly alert their customers, employees, and regulators in the event of a data breach, the report says.
The government says organisations covered by the Privacy Act should be required to:
- Alert the Information Commissioner within 72 hours if an eligible data breach takes place;
- Notify affected individuals as soon as practicable, including the phased release of information if the situation is not immediately clear; and
- Take "reasonable steps" to have systems, procedures, and operating practices in place in response to a data breach.
10. Right to request information
Refreshed privacy rules could also give "greater transparency and control" to individuals through the creation of new user rights.
If enacted, small businesses would need to provide in-depth information to users and stakeholders about how their data is being used, if they are asked.
Some measures under consideration include reinforced rights to:
- Request an explanation of how user information is being held, and what is being done with it, through an "enhanced" right to access process;
- Contest the information handling practices of a business;
- Require an entity covered by the Privacy Act to explain how they are complying with it;
- Request the deletion or de-identification of sensitive data;
- Request corrections in online publications and databases; and
- Force search engines to "de-index" some results, making it simpler for individuals to contest the way internet giants highlight content related to the individual.