The Commonwealth Privacy Act only applies to companies that have a turnover of more than $3 million, and all these data breaches we’re seeing in the news involve the likes of Facebook or Uber. So, my small businesses or start-up doesn’t really need to care about privacy or data security, right?
Well, maybe not. There are several exceptions to that small business exemption, which I will discuss below. But even if you’re not caught by one of the exemptions, good privacy and data security practices are worthwhile because they can add value to your brand and lower your risk profile.
So why should you care about privacy?
The simple answer is that customers care about privacy. In the Office of the Australian Information Commissioner’s (OAIC) community attitudes survey, 69% of respondents said they were more concerned about privacy now than five years ago and 58% said they had decided not to deal with a business because of privacy concerns.
In 2017-18, OAIC answered 14 928 calls related to privacy and responded to 4452 written privacy enquiries, along with an increase of privacy complaints by 18%. There was also a 24% increase in media enquiries, from mainstream, business and digital publications.
Significant reputational and commercial benefits flow from good privacy practice. If your clients or customers trust how you handle their personal information, they are more likely to trust your business or start-up. Good cyber hygiene also shows investors that you’re serious and will assure them that they’re not buying into latent legal liabilities.
It’s also important to remember that the Privacy Act is not necessarily your only source of liability. Privacy breaches can also constitute breaches of contract and if the information is valuable enough, you might find yourself in court. And we’re starting to see some serious class actions being bought in the US and Europe for data breaches.
Exceptions to the Small Business Exemption
Are you a health service provider?
This doesn’t just mean doctors and hospitals. The term ‘health services’ is broadly defined – if you undertake any of the following activities, your business will not be exempt from the Privacy Act.
Does your business:
- Assess, maintain, improve or manage anyone’s physical or psychological health?
- Diagnose or treat an illness, disability or injury?
- Record a person’s physical or psychological health?
- Dispense a prescription drug or medicinal preparation by a pharmacist?
The OAIC includes in this allied health professionals, gyms, weight loss services and even child care centres. If any of these activities are undertaken by your business, even if you’re below the threshold, you still need to comply with the Privacy Act.
Do you trade in personal information?
The Privacy Act is all about protecting personal information, and so unsurprisingly it applies to transactions that involve this kind of data. If you collect data from your customers to sell, or even just plan to buy or sell a mailing list, then you will need to comply with the Privacy Act.
However, if you are doing your own data analysis which you will then sell, then this exception won’t apply – provided that the analysis you sell does not include anything that could identify individual customers.
Are you a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)?
As defined by the AML/CTF Act, a reporting entity means “a person who provides a designated service,” in other words financial services (including virtual currency exchanges), bullion-related activities, or gambling activities.
And it’s important to remember that even if your business is a reporting entity AML/CTF Act but you’re later exempted from reporting obligations due to rules issued by AUSTRAC under the AML/CTF Act, your business is still a reporting entity within the meaning of the Privacy Act.
If your business or start-up falls under this category, you need to comply with the APPs in respect to their personal information handling activities in relation to the ALM/CTF Act, regulations or the rules. Other obligations in relation to providing individuals with access to information collected for AML/CTF purposes include providing individuals with access to their information as required by the Privacy Act.
Are you a credit reporting body?
Your business will have privacy obligations in relation to consumer credit reporting if you are a credit reporting body or a credit provider under the Privacy Act. You will also have obligations if your business involves handling individuals’ credit reports (for example: because you process applications for credit on behalf of a credit provider)
How do you know if you are a credit reporting body (CRB)?
A credit reporting body is an organisation whose business involves handling personal information in order to provide another entity with information about the creditworthiness of an individual – it doesn’t matter whether or not the entity provides the information for a profit, reward or for the purpose of assessing an application for credit.
If you want to provide services to the Commonwealth, you’ll need to comply with the Privacy Act. Also, most state governments make compliance with state privacy laws a requirement of their contracts.
Planning for the future – “Privacy by Design”
Even if you’re under the threshold and not caught by an exception, it’s still wise to think about privacy and data security now. Most companies plan to one day surpass $3 million turnover. By adopting good privacy and data security practices early, when you’re developing and architecting your systems you won’t have to retrofit your business in order to comply. This doesn’t mean taking on the full requirements of the Act but thinking now about how you can design your business so that as it grows you don’t find yourself playing catch-up later.
“Privacy by Design” is the idea of embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructures. This refers to building in privacy up front, into the design specifications and architecture of new systems and processes.
Practising Privacy by Design is the best way to “future proof” yourself from additional costs and redevelopment work that will be necessary once your business attracts these legal obligations. So that the business can build privacy in, and in order to understand the privacy impacts, privacy impact assessments (PIAs) can be conducted – a systematic assessment of a project identifying the impact the project might have on the privacy of individuals.