10 Oct Changes to Small Business Privacy Obligations Are Coming
Authors: Gianluca Pecora & Megan Adams, Progressive Legal
Until now, and with few exceptions, small businesses with aggregated turnovers of less than $3 million have not been covered by the Privacy Act 1998 (the Act) – meaning that Privacy Policies are optional in most cases. In 2024, all businesses may need a Privacy Policy and to adhere to the other requirements of the Act. Read on to future-proof your business.
The federal government just revealed that the Act will be receiving big changes in 2024 to bring Australia into “the digital age”. Many of these changes affect small businesses – especially the 2.3 million who have been unaffected by privacy laws until now.
Privacy Act Changes
The reforms are based on the Attorney-General’s Department’s Privacy Act Review Report. The report made 116 suggested reforms – 38 of which the government has agreed to implement. A further 68 have been agreed to in principle by the government.
For the full list of reforms accepted by the government, read the Government Response to the Privacy Act Review Report.
Small Business Exemption
The most significant reform is the government’s in-principle agreement to the removal of the small business exemption.
If implemented, all small businesses would need to adhere to the Privacy Act, which would include treating customer information securely, notifying of any breaches and having a privacy policy per Australian Privacy Principle 1.
Other obligations created by the Privacy Act are covered by complying with the other Australian Privacy Principles.
Small businesses will have to comply with the Australian Privacy Principles.
Plan Ahead
Before implementing this proposal, the government will conduct an impact analysis to better understand the extent to which small businesses will need to change their privacy practices to adhere to privacy law. This, along with consulting small businesses, will inform what support will be needed to elevate small businesses into a position where they can comply with any new privacy obligations.
Although resistance has come from the shadow attorney-general – and can be anticipated from the Australian Chamber of Commerce and Industry and lobby groups – small businesses should prepare for the likely outcome that they will need a privacy policy.
Consider getting in early before the influx of businesses scrambling to adhere to privacy reform in 2024. Progressive Legal’s Privacy Lawyers have significant experience in tailoring privacy policies to specific small business needs. Contact us on 1800 820 083 or request our advice below.
Transition Period
There will be an appropriate transition period for small businesses to comply with new Privacy Act obligations. However, this transition period will depend on how at risk each business is of a data breach of sensitive information.
Warning for Startups
Early-stage startups often collect vast amounts of individual data – including biometric (facial recognition) data. Businesses that are actively trading in personal information will be classified as “high-risk” and be given less time to transition to Privacy Act adherence.
Other Changes That May Affect Small Businesses
Aside from removing the small business exemption, the Privacy Act may undergo other reform that could affect small businesses.
Employee Data
Up until now, the Privacy Act has refrained from regulating employee data protection. This is likely to change. The government has agreed in-principle that employer and employee representatives should be consulted on how enhanced privacy protections for private sector employees may be implemented in privacy legislation.
Small businesses should take note of any reform in this area.
Small Business Privacy Leader
Small businesses may need to appoint a senior employee to become the responsible person for privacy within the organisation. Duties would revolve around ensuring the business’s compliance with the Privacy Act and Australian Privacy Principles.
Greater Privacy Rights for Customers
Many recommendations for Privacy Act reform revolved around “greater transparency and control” for individuals. Small businesses should expect customers to receive new privacy rights. The following measures are being considered by the government:
- Improvement to information access processes by enabling customers to request explanations of how personal information is being held and how it is being used.
- Enabling customers to contest a business’s information handling practices.
- Enabling customers to request that their sensitive information be deleted or de-identified.
- Requirements that businesses explain how they are adhering to the Privacy Act.
- Enabling customers to request correction of personal information in online publications and databases.
Data Breach
To minimise the harm of data breaches, the government is considering setting minimum and maximum data retention periods.
The reporting requirements for data breaches may also be tightened. The government is considering the following reform:
- Requirements for businesses to alert the Information Commissioner within 72 hours of an eligible data breach.
- Requirements for businesses to take reasonable steps – in the form of systems, procedures and operating practices – to mitigate the likelihood and damage of data breaches.
- Requirements to notify individuals affected by any data breach as soon as practicable. When details of a data breach are not immediately clear, businesses may need to segment the release of information about the data breach to adhere to this obligation.
Key Takeaways
It is likely that small businesses will need to adhere to the Privacy Act and supporting Australian Privacy Principles in 2024 – in this case, small businesses will need dedicated privacy policies.
Although there will be a transition period for small businesses adopting the Privacy Act, small businesses collecting large amounts of data will need to transition at a faster rate. This will likely affect startups.
Other changes to privacy law that may affect small businesses include greater privacy rights for employees and customers, requirements for a privacy leader appointed within small businesses and stricter regulation of data breaches.
Significant privacy reform is happening. The impact on small businesses will likely be immense, so to future-proof your business, consider implementing a privacy policy.
At Progressive Legal, our privacy lawyers offer forward-thinking guidance and tailored privacy policies to ensure your business achieves privacy compliance and protection – which can be difficult during privacy reform. Our services start from $550 + GST for a fully customised privacy policy. Contact us today on 1800 820 083 or request our expert advice below.
- 10 October, 2023