In the digital world we live in, managing people’s personal information and data has never been more important. Almost half of all cyber-attacks target small-to-medium sized businesses, and half of all data breaches result from cyber-security incidents, so knowing what your legal obligations as a small business are is critical. With the Privacy Legislation Amendment Bill 2022 passed late last year, maximum penalties that can be applied for non-compliance, serious, or repeated breaches of the Privacy Act have increased. The Bill also provides the Office of Australian Information Commissioner (OAIC) with enhanced enforcement powers and strengthens the Australian Notifiable Data Breaches scheme.
Do Privacy Act obligations affect your small business?
While most small businesses are not covered by the Privacy Act 1988, some are.
A small business is one with an annual turnover of $3 million or less. Annual turnover for the purpose of the Privacy Act includes all income from all sources – it does not included assets held, capital gains or proceeds of capital sales.
However, regardless of turnover, the Privacy Act covers any business that is:
- A health service provider
- Trading in personal information
- A contractor that provides services under a Commonwealth contract
- An operator of a residential tenancy database
- A credit reporting body
- A reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act
- Employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009
- A business that conducts protection action ballots
- A business accredited under the Consumer Data Right system
- Businesses related to a business the Privacy Act covers
- A business prescribed by the Privacy Regulation 2013
- A business that has opted in to be covered by the Privacy Act
If the Privacy Act covers your small business, you will have to comply with the Australian Privacy Principles (APPs). As well as the APPs, the Privacy Act includes specific matters that some small businesses may be required to comply with.
Ten tips for protecting customers’ personal information
- Familiarise yourself with internal privacy policies, processes and procedures
- Know who is responsible for privacy
- Consider privacy during project planning
- Only collect the personal information you need
- Use and disclosure – think about it!
- Overseas disclosure – prepare for it!
- Take care when handling sensitive information
- Access personal information on a need-to-know basis
- Keep personal information secure
- Familiarise yourself with your data breach response plan – you should have one
Need more help?
Still unsure whether the Privacy Act applies to your small business, or need help ensuring you have appropriate systems and processes in place to comply?
A Synectic adviser can review your needs and provide advice on what you need to do to meet your obligations.
About the author
Claire is a senior executive and accountant with almost 20 years’ experience across the private and public sectors. She is an Associate Member of the Institute of Internal Auditors, an Internal Quality Auditor, and an independent member of the Department of Treasury and Finance Audit & Risk Management Committee. Claire is passionate about business performance and has an extensive background in risk management. Contact us today and ask to speak with Claire.