Privacy Law changes for Small Business

Sarah Gee

You might remember that in February 2023, the Attorney-General released a report recommending data and personal information in Australia should be more tightly regulated.

Some of the recommendations said small businesses should comply with privacy law. As it stands, many small businesses with a turnover of less than $3 million are currently exempt from complying with the Privacy Act.

The government says this is no longer aligned with community expectations. It says that the community expects that if they provide their personal information to a small business, it will be kept safe and not used in harmful ways.

Here is what your small business needs to know about the proposed changes.

1. The privacy law hasn’t changed yet for small business

Whilst it would be a good idea for small businesses to start getting ready, the privacy law hasn’t changed yet. The government is also going to give support packages to assist small businesses to become compliant.

The next step is for consultation to happen with small businesses. Then resources will be developed to help small businesses get themselves up to speed before the new privacy laws come into force. Resources are likely to include tailored guidance, e-learning modules and other tools.

Something you can do now to start getting ready is to make sure you understand what data you collect, why you collect it, where you hold it, and how long you hold it for.

Even though the privacy law hasn’t changed yet, Scamwatch says that small businesses with fewer than 20 staff were most likely to be targeted by scammers. Small businesses accounted for more than 75% of reports to the ACCC. Businesses were most likely to be targeted with false billing scams (1819 reports). Investment, hacking and phishing scams also caused significant losses.

Make sure you’re not an easy target and that, if you do end up affected, the fallout is limited. You can do this by making sure you don’t collect and hold unnecessary data. What you do hold should be put behind strong access controls (like multi-factor authentication).

Remember that privacy law is not the only source of legal obligations that you might have. If you are a company director, you will have obligations to manage this risk. Even sole traders will have obligations under negligence law to manage reasonably foreseeable risks where harm may be caused as a result of something they do or don’t do.

2. Small business customers expect you to be doing more

After 2 years of consultation, there were some clear expectations that emerged:

  • 62% of Australians surveyed see the protection of their personal information as a major concern in their life.
  • 75% consider that data breaches are one of the biggest privacy risks they face today (increasing by 13% since 2020).
  • 84% want more control and choice over the collection and use of their personal information.
  • 89% would like the Government to provide more legislation in this area.
  • Only 32% feel in control of their data privacy.

This area is changing quickly but it is clear that your customers are interested in knowing what you are doing to protect their data.

3. Some small businesses will be covered sooner than others

Small businesses that create greater privacy risk will likely be covered by the Privacy Act sooner.

This includes small businesses and startups that buy and sell personal information, or collect and use biometric data, such as that associated with facial recognition technology.

4. Privacy policies

Privacy policies are set to be reformed with a focus on getting rid of “complex, lengthy, legalistic and vague” privacy notices which leave users unable to understand exactly what they’re signing up for.

To help small businesses that might struggle putting these together, the government has recommended standardised templates be developed. These could then be tailored to an organisation’s needs.

We could also see standardised icons, layouts and phrases to better support individuals to make quick and informed decisions.

5. Consent notices

Presently, businesses can do a lot with data and personal information so long as they provide notice in their privacy policy. This is likely to be changed to require that collection, use and disclosure of personal information is “fair and reasonable in the circumstances.”

The law is likely to be changed to confirm there is a “public interest in protecting privacy” that must be carefully weighed.

This will apply regardless of whether a business has told someone they’re going to use data or personal information, and regardless of whether that person has consented. Individuals will also be entitled to withdraw consent. This will open up a whole host of potential complaints and claims against businesses.

6. Right to be forgotten

90% of respondents in the consultation process said that they wanted the right to ask a business to delete their personal information. Whilst the government is not going that far, they are suggesting new individual rights will be created allowing them to:

  • request an explanation of what personal information is held and what is being done with it, through an enhanced right to access
  • challenge the information-handling practices of an entity and require the entity to justify how its information-handling practices comply with the Act
  • require an entity to delete (or de-identify) personal information, through a right to erasure
  • request correction of online publications over which an entity has control
  • require search engines to de-index certain online search results

7. Data breaches

When data breaches do occur, the government is recommending that businesses be required to notify the Information Commissioner as soon as possible, and in any case within 72 hours of a breach occurring. They will also need to notify affected individuals as soon as possible and take reasonable steps to implement practices, procedures and systems to respond to a data breach, including steps to reduce adverse impacts.

Whilst the current law focuses on reporting the breach, the changes will focus on what is being done to respond to the breach.

8. What small businesses should do now

Small businesses can start preparing for the anticipated changes in privacy law today.

As above, it is critical that you understand what data you collect, why you collect it, where you hold it, and how long you hold it for.

One helpful recommendation from the government report is for businesses to nominate a senior employee as “having specific responsibility for privacy within the organisation”. When your business is very small, this is just one more thing to add to your plate.

If you would like some guidance on how strong your policies and procedures are and what you might do to strengthen them now, in the medium term, and in readiness for the new law, get in touch with us.

You can check how cyber secure your business is using this free assessment tool by

You can find a copy of the government response to the Privacy Report here