It has been over a year since the amendments to the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) were first introduced. Many large entities caught by the operation of the Privacy Act and the APPs – including government agencies, major international and national companies and prominent not-for-profit organisations – have taken steps to implement appropriate internal systems and policies to ensure they comply with the requirements of the Privacy Act and the APPs.
Although most of the news headlines about privacy breaches concern large-scale entities behaving badly, such as Avid Life Media and the Ashley Madison data breach scandal, the entities taking the longest to catch up with their privacy obligations are local mum-and-dad style operators and small businesses. It is important for you to understand whether your small business is caught by the operation of the Privacy Act and, if it is, to take steps to make your business Privacy Act-compliant.
Does my small business need to comply with the Privacy Act?
The Privacy Act defines a small business as a business which does not have an annual turnover greater than $3 million. Although many small businesses will be exempt from the operation of the Privacy Act and the APPs, some small businesses which handle personal information will not be.
In short, whether your particular small business is captured by the Privacy Act will turn on a number of factors. If you can answer “yes” to any of the questions below, your small business may be subject to the operation of the Privacy Act.
Has your small business had an annual turnover of more than $3 million in any financial year since 2002? If your business has not operated for a full financial year yet, in order to determine if it has an annual turnover of more than $3 million you will need to estimate your business’s likely full year annual turnover based on the income earned by it to date.
What happens if my small business breaches the APPs?
If you operate a small business which is captured by the Privacy Act and a member of the public lodges a complaint with the Office of the Australian Information Commissioner (OAIC) about the management of their personal information by your business, the OAIC may investigate the complaint, seek to conciliate between the parties, make a determination about the complaint and, in extreme circumstances, issue your business with a penalty of up to $1.7 million. The OAIC can also elect to investigate a matter of its own volition.
My small business isn’t caught by the Privacy Act and the APPs – do I still need to worry about privacy issues?
Although your small business will not be at risk of being investigated or penalised by the OAIC if it fails to comply with the Privacy Act or the APPs, that does not mean it can simply forget about privacy-related matters.
Small business owners need to bear in mind that if their small business mismanages an individual’s personal information, their small business may face other commercial consequences such as poor reviews (online or in person), unwanted media attention and/or legal action depending on the given circumstances.
Lavan Legal comment
A year on from the original amendments to the Privacy Act, there are no longer any excuses for entities failing to ensure that they are operating in a privacy-compliant manner. If you think that your small business may be covered by the Privacy Act and you need assistance in making it privacy-compliant, or if you are having difficulty determining whether you or your small business is covered by the Privacy Act, please contact Iain Freeman or Mathea McCubbing.