The Future of Privacy and Compliance for Small Businesses

The future of privacy and compliance for small businesses is a growing concern among small business owners, and complying with the Privacy Act 1988 (Cth) as a small business is an important part of ensuring long-term success. The Australian government has previously proposed changes to privacy laws that included removing the small business exemption from the Privacy Act (Cth). Under that change, all businesses would be required to comply with the Australian Privacy Principles (APPs), which set standards for handling personal information.


In conjunction with these changes, the government also released a consultation paper that includes proposal 6.1 and proposal 6.2. These proposals concern how personal information is handled and how data breaches are notified, and they aim to bring small businesses within these privacy and compliance measures.


These proposals are intended to strengthen privacy protections and increase transparency around data breaches. It is important to note that they are still under consideration and are subject to change.


Proposal 6.1 in relation to Small Businesses

Proposal 6.1 is a proposed amendment to the Privacy Act 1988 (Cth). It would make Privacy Impact Assessments (PIAs) mandatory for high-risk projects that involve personal information. A PIA assesses the potential privacy impacts of a project and identifies ways to mitigate them.


Small businesses with an annual turnover of $3 million or less are currently exempt from certain obligations under the Privacy Act (Cth), including the requirement to conduct PIAs. Under the proposed amendment, however, small businesses would also be required to conduct a PIA when engaging in high-risk projects involving personal information.


Businesses would be required to conduct a PIA before commencing certain activities that involve personal information, including:


  • Collecting or using sensitive information, such as health or biometric information or information about racial or ethnic origin
  • Conducting data matching or data linking activities, which combine personal information from different sources
  • Developing new technologies or systems that involve personal information, such as facial recognition or artificial intelligence algorithms
 

The PIA would be a systematic assessment of the privacy risks associated with the project, used to determine the steps that can be taken to mitigate those risks. If a business determines that the privacy risks of a project are high, it would be required to consult the Office of the Australian Information Commissioner (OAIC) before proceeding.


The proposed amendment aims to improve privacy protections for individuals and to ensure that businesses take a proactive approach to privacy. For small businesses, however, there are concerns about the cost and burden of conducting PIAs. Regardless of the current exemptions under the Privacy Act (Cth), small businesses need to be aware of their privacy obligations and take appropriate steps to protect the personal information they hold.


Proposal 6.2 in relation to Small Businesses

Proposal 6.2 aims to give individuals more transparency over, and control of, the personal information that businesses hold about them. It would require businesses to give individuals the ability to have their personal information deleted. It would also require businesses to provide information about how they use individuals' information and who it is shared with. This gives individuals control over their information and holds businesses accountable for upholding their privacy practices.

Small businesses are currently exempt from certain privacy and compliance obligations. Under this proposed amendment, however, they would be required to comply with the Australian Privacy Principles (APPs) that relate to transparency and control over personal information. This includes:


  1. Providing individuals with access to their personal information upon request and allowing them to correct inaccuracies in it
  2. Providing information about how their personal information is used and shared, and publishing a privacy policy that details how personal information is collected, stored and disclosed
  3. Providing individuals with the ability to have their personal information deleted upon request
 

Regardless of the current exemptions, small businesses would be required to comply with these changes if they are adopted, and should put processes in place now so that they can meet these requirements.


What does this mean for Small Businesses?

While these proposals have not yet been implemented in the current Privacy Act (Cth), small businesses are encouraged to take the necessary steps to protect the personal information they handle. Small businesses should be aware of their privacy and compliance obligations even where they are currently exempt from some of them. Some easily implemented measures that small businesses could adopt include:


  1. Developing a privacy policy that outlines the collection, use, storage and disclosure of personal information
  2. Ensuring secure storage of personal information
  3. Providing easy access to personal information upon request from the individual
  4. Obtaining express and informed consent before collecting personal information
  5. Reporting data breaches when they occur
 

Compliance with privacy regulations helps build trust with customers and protects the reputation of the business. It is in the interest of every business to be proactive about privacy in order to ensure long-term success.


It is important to note that, if adopted, the removal of the small business exemption would occur only after a period of consultation and guidance. The employee records exemption is proposed to be narrowed rather than removed entirely, with new transparency requirements that would inform employees about how their information is handled, secured and destroyed, and how data breaches are reported.
