Changes to Small Business Privacy Obligations Are Coming

Authors: Gianluca Pecora & Megan Adams, Progressive Legal

Until now, and with few exceptions, small businesses with aggregated turnovers of less than $3 million have not been covered by the Privacy Act 1998 (the Act) – meaning that Privacy Policies are optional in most cases. In 2024, all businesses may need a Privacy Policy and to adhere to the other requirements of the Act. Read on to future-proof your business.

The federal government just revealed that the Act will be receiving big changes in 2024 to bring Australia into “the digital age”. Many of these changes affect small businesses – especially the 2.3 million who have been unaffected by privacy laws until now. 

Privacy Act Changes

The reforms are based on the Attorney-General’s Department’s Privacy Act Review Report. The report made 116 suggested reforms – 38 of which the government has agreed to implement. A further 68 have been agreed to in principle by the government.

For the full list of reforms accepted by the government, read the Government Response to the Privacy Act Review Report.

Small Business Exemption

The most significant reform is the government’s in-principle agreement to the removal of the small business exemption.

If implemented, all small businesses would need to adhere to the Privacy Act, which would include treating customer information securely, notifying of any breaches and having a privacy policy per Australian Privacy Principle 1.

Other obligations created by the Privacy Act are covered by complying with the other Australian Privacy Principles.

Small businesses will have to comply with the Australian Privacy Principles.

Plan Ahead

Before implementing this proposal, the government will conduct an impact analysis to better understand the extent to which small businesses will need to change their privacy practices to adhere to privacy law. This, along with consulting small businesses, will inform what support will be needed to put small businesses in a position where they can comply with any new privacy obligations.

Although the shadow attorney-general has voiced resistance – and more can be anticipated from the Australian Chamber of Commerce and Industry and lobby groups – small businesses should prepare for the likely outcome that they will need a privacy policy.

Consider getting in early before the influx of businesses scrambling to adhere to privacy reform in 2024. Progressive Legal’s Privacy Lawyers have significant experience in tailoring privacy policies to specific small business needs. Contact us on 1800 820 083 or request our advice below.

Transition Period 

There will be an appropriate transition period for small businesses to comply with new Privacy Act obligations. However, the length of this transition period will depend on how at risk each business is of a data breach of sensitive information.

Warning for Startups

Early-stage startups often collect vast amounts of individual data – including biometric (facial recognition) data. Businesses that are actively trading in personal information will be classified as “high-risk” and be given less time to transition to Privacy Act adherence.

Other Changes That May Affect Small Businesses

Aside from removing the small business exemption, the Privacy Act may undergo other reform that could affect small businesses.

Employee Data

Up until now, the Privacy Act has refrained from regulating employee data protection. This is likely to change. The government has agreed in-principle that employer and employee representatives should be consulted on how enhanced privacy protections for private sector employees may be implemented in privacy legislation.  

Small businesses should take note of any reform in this area.

Small Business Privacy Leader

Small businesses may need to appoint a senior employee to become the responsible person for privacy within the organisation. Duties would revolve around ensuring the business’s compliance with the Privacy Act and Australian Privacy Principles.

Greater Privacy Rights for Customers 

Many recommendations for Privacy Act reform revolved around “greater transparency and control” for individuals. Small businesses should expect customers to receive new privacy rights. The following measures are being considered by the government: 

  • Improvement to information access processes by enabling customers to request explanations of how personal information is being held and how it is being used. 
  • Enabling customers to contest a business’s information handling practices. 
  • Enabling customers to request that their sensitive information be deleted or de-identified. 
  • Requirements that businesses explain how they are adhering to the Privacy Act. 
  • Enabling customers to request correction of personal information in online publications and databases. 

Data Breach

To minimise the harm of data breaches, the government is considering setting minimum and maximum data retention periods.  

The reporting requirements for data breaches may also be tightened. The government is considering the following reform: 

  • Requirements for businesses to alert the Information Commissioner within 72 hours of an eligible data breach. 
  • Requirements for businesses to take reasonable steps – in the form of systems, procedures and operating practices – to mitigate the likelihood of, and damage from, data breaches.
  • Requirements to notify individuals affected by any data breach as soon as practicable. When details of a data breach are not immediately clear, businesses may need to segment release of information about the data breach to adhere to this obligation.

Key Takeaways

It is likely that small businesses will need to adhere to the Privacy Act and supporting Australian Privacy Principles in 2024 – in this case, small businesses will need dedicated privacy policies. 

Although there will be a transition period for small businesses adopting the Privacy Act, small businesses collecting large amounts of data will need to transition at a faster rate. This will likely affect startups. 

Other changes to privacy law that may affect small businesses include greater privacy rights for employees and customers, requirements for a privacy leader appointed within small businesses and stricter regulation of data breaches.

Significant privacy reform is happening. The impact on small businesses will likely be immense, so to future-proof your business, consider implementing a privacy policy.

At Progressive Legal, our privacy lawyers offer forward-thinking guidance and tailored privacy policies to ensure your business achieves privacy compliance and protection – which can be difficult during privacy reform. Our services start from $550 + GST for a fully customised privacy policy. Contact us today on 1800 820 083 or request our expert advice below.

*NB// The contents of this article are information only and should not be relied on as legal advice. Please seek specialist legal advice in relation to your particular situation.

(c) Progressive Legal Pty Ltd – All legal rights reserved (2023)
