Small businesses should no longer be exempt from the Privacy Act, says the federal government, which has used its response to the Attorney-General’s Department’s review of the Act, overseen by Attorney-General Mark Dreyfus, to advocate for tighter regulation of how personal information is collected, used and stored.
Months after the Attorney-General’s Department called for an end to the small business exemption and recommended a suite of reforms to the cornerstone privacy legislation, the federal government has agreed to 38 of the report’s 116 proposals outright and agreed in-principle to most of the remainder, subject to further consultation.
Its response to the report, released Thursday, could have major implications for the 2.3 million small businesses currently exempt from the Act.
Here is what your business needs to know about the proposed changes.
1. The small business exemption will end
Small businesses with annual turnover of $3 million or less are currently exempt from the Privacy Act, and therefore from many of the penalties levelled against bigger businesses when they mishandle personal information.
That is set to change.
The government believes small businesses are now capable of collecting and handling personal information at a scale previously reached only by bigger businesses.
This means even the smallest enterprises are capable of harming customers, clients, and employees by misusing or exposing their personal information.
“At the time the Privacy Act was extended to the private sector, it was considered that most small businesses posed a low risk to privacy and that compliance costs would disproportionately and unreasonably burden small businesses,” the government said in its response.
“However, feedback provided to the review is very clear – the community expects that if they provide their personal information to a small business it will be kept safe and not used in harmful ways.”
2. Small businesses will be given time and guidance to adjust
The government says it won’t throw small businesses into new Privacy Act compliance measures without giving them time and support to adjust.
“The government agrees in-principle that the small business exemption should be removed in light of the privacy risks applicable in the digital environment,” the response says.
“However, this should not occur until further consultation has been undertaken with small businesses and their representatives on the impact that removing the small business exemption would have.”
That consultation will examine the gap between current small business practice and Privacy Act compliance, and kick-start the creation of educational materials designed to get all businesses on the same page.
“The removal of the small business exemption should also be subject to an appropriate transition period to ensure small businesses are in a position to comply with new obligations,” the response adds.
3. High-risk small businesses will need to fast-track their compliance
However, not every small business faces the same data risk profile.
Recognising that even early-stage startups may already collect vast amounts of user data, the government says some small businesses will face coverage under the Privacy Act sooner than others.
This includes small businesses and startups that collect and use biometric data, like those involved with facial recognition technology.
Businesses that actively trade in personal information should also face Privacy Act coverage sooner than ‘low risk’ enterprises, says the government.
The Tech Council of Australia, a peak industry body, has welcomed the government’s report — but argues businesses facing those compliance rules for the first time also deserve help to adjust.
“Good data practice is vital from both a privacy and cybersecurity perspective,” the organisation said.
However, those reforms, including those affecting ‘high-risk’ enterprises, must be “designed in consultation with small businesses and should include support measures for them”.
4. New rules to cover employee data
The changes don’t just mean small businesses will be exposed to the Privacy Act – the legislation itself is likely to face significant reform.
One key change for small businesses brought under the Privacy Act will be new rules around current and former employee data, which the Act currently does not cover because of a separate employee records exemption.
“The original rationale for this exemption was that employee privacy was better regulated through workplace relations laws,” the report says.
“The government agrees in-principle that further consultation should be undertaken with employer and employee representatives on how enhanced privacy protections for private sector employees may be implemented in legislation.”
That change should take account of how privacy rules overlap with existing workplace relations laws, the response adds.
Like the other moves exposing small businesses to major changes, that tweak will come only after consultation with employer and employee representatives.
5. In-house data security leaders
Organisational accountability is a key element of the government’s report.
One significant recommendation is that businesses should nominate a senior employee as “having specific responsibility for privacy within the organisation”.
While medium and large businesses with a dedicated technical or legal team may already have a de facto privacy officer in place, the requirement could see small business operators take on another responsibility themselves.
6. Establishing data retention periods to avoid a ‘honey pot’ situation
Collecting and using data are both major concerns, but so too is the long-term storage of that information after a business no longer needs it.
Hoarding data can result in what the report calls a “honey pot” scenario, where bad actors target large stores of accumulated information; data a business no longer holds cannot be exposed in a breach.
To reduce those risks, the government is considering rules that would require businesses to set minimum and maximum data retention periods for the personal information they hold.
Those rules should be expressed to users and customers in accessible privacy policies.
The government also agrees the Office of the Australian Information Commissioner should provide additional guidance around how to safely and effectively destroy or de-identify sensitive information.
7. Strengthening ‘informed consent’
The government response makes it clear that set-and-forget consent notices must be improved, in order to give users a clearer understanding of how their data is actually being used.
“An over-reliance on consent can place an unrealistic burden on individuals to understand the risks of information-handling practices and may not result in improved privacy outcomes,” the report notes.
To avoid a kind of consent ‘burnout’, the government says consent notices should be reserved for “high privacy risk situations”.
8. Reforming privacy notices
That doesn’t mean privacy notices, which give an up-front outline of how a user’s data will be handled, escape extra scrutiny.
As it stands, “complex, lengthy, legalistic and vague” privacy notices leave users unable to understand exactly what they’re signing up for, says the government.
Privacy notices should be “clear, up-to-date, concise and understandable”, the report says.
To help small businesses that might struggle to compile a usable privacy notice on their own, the government also recommends standardised templates should be developed, which could then be tailored to an organisation’s needs.
9. Accelerated reporting requirements
Businesses should quickly and clearly alert their customers, employees, and regulators in the event of a data breach, the report says.
The government says organisations covered by the Privacy Act should be required to:
- Alert the Information Commissioner within 72 hours if an eligible data breach takes place;
- Notify affected individuals as soon as practicable, including the phased release of information if the situation is not immediately clear; and
- Take “reasonable steps” to have the systems, procedures, and operating practices in place that allow them to respond to a data breach.
10. Right to request information
Refreshed privacy rules could also give “greater transparency and control” to individuals through the creation of new user rights.
If enacted, small businesses would need to provide in-depth information to users and stakeholders about how their data is being used, if they are asked.
Some measures under consideration include reinforced rights to:
- Request an explanation of how user information is being held, and what is being done with it, through an “enhanced” right to access process;
- Contest the information handling practices of a business;
- Require an entity covered by the Privacy Act to explain how they are complying with it;
- Request the deletion or de-identification of sensitive data;
- Request corrections in online publications and databases; and
- Require search engines to “de-index” some results, making it simpler for individuals to contest the way internet giants surface content about them.