Currently, most small businesses (with some exceptions) are not covered by the Privacy Act. The threshold that defines a small business is an annual turnover of $3 million or less. However, the Attorney-General’s Department recognises that Australians want their privacy protected and that small businesses shouldn’t be exempt from this.
In the long term, proposal 6.1 seeks to remove the small business exemption but only after:
- an impact analysis has been undertaken
- appropriate support is developed
- in consultation with small businesses, the most appropriate way for small businesses to meet their obligations is determined (proportionate to the risk), e.g. through a code, and
- small businesses are in a position to comply with these obligations.
In the shorter term, proposal 6.2 seeks to ensure that small businesses comply with the Privacy Act in relation to the collection of biometric information, and to remove the exemption from the Privacy Act for small businesses that obtain consent to trade in personal information (trading in personal information will mean the Privacy Act applies).
What does this mean for my organisation?
Small businesses will need to understand the Privacy Act and how to build it into their business activities and processes, including through privacy policies and collection statements. Although much of this proposal is for the long term, it’s never too early to start getting your organisation ready with simple measures such as reviewing your information holdings and embedding a privacy culture throughout your organisation.
Where to next?
For proposal 6.1, it is expected that further extensive consultation will need to occur with small businesses to determine the best way for them to meet their obligations under the Act, proportionate to the privacy risks they typically face. However, proposal 6.2, if passed, could come into force a lot sooner.