If the suggested 116 proposed changes or even just the agreed and already committed to 38 proposals for reform go through as updates to the current Privacy Act, every Australian business, no matter its size, will be impacted by these changes.
As the landscape of Privacy Law undergoes significant changes, it’s crucial for businesses to stay ahead of the curve. With impending reforms likely impacting small businesses, including the potential removal of the small business threshold exemption and mandatory reporting obligations, proactive compliance is paramount.
Now is the time to think about the impact of the predicted changes
Whilst there are several proposed changes that will require industry engagement, small to medium businesses should prioritise understanding and staying informed about these updates and the mandatory reporting rules.
A good starting point is the Privacy Checklist for Small Business offered by the Office of the Australian Information Commissioner (OAIC) to see if your business needs to comply with the Privacy Act.
Here are five key areas for SMB’s to consider
- Removal of Small Business Threshold Exemption
One significant change on the horizon is the potential removal of the small business threshold exemption. Currently, businesses with an annual turnover of less than $3 million are exempt from certain Privacy Act obligations.
If this recommendation of threshold exemption proceeds it will require all small businesses to implement policies, controls and processes to comply with the Privacy Act.
For example, a business maintaining a rewards program and customer database would likely need to implement a Privacy Policy, train staff, and ensure that the personal information they collect, use and store is handled in a secure manner.
- Consent Changes
Potential consent changes may require organisations to review how people have consented to the use of their information and whether that consent is appropriate for the way in which the organisation wants to further use the information.
For example, if a marketing business has obtained consent to provide a particular service, and subsequently introduces a new product or service, it may need to obtain a new customer consent to allow for the individuals information to be used in a different way.
The changes propose that the quality of privacy collection notices and consents obtained from individuals should be improved, and this may include amending the definition of consent to provide that it must be voluntary, informed, current, specific, and unambiguous.
The OAIC have indicated they may develop guidance on how online services should design consent requests. This may address how particular layouts, wording or icons could be used when obtaining consent, and how the elements of valid consent should be interpreted in the online context.
- 72-Hour Mandatory Reporting
Reporting of breaches within the 72 hours will likely require organisations to move at an accelerated pace.
For example, a small business who has previously been exempt from the Privacy Act under the “Threshold Exemption”, will likely require development of a Data Breach Response Plan. This would ensure appropriate processes for detection, containment, eradication, and recovery from incidents that includes when and who needs to be notified.
Failure to report within this timeframe may result in penalties. IBM recently released a report offering insights into the potential high cost of a breach.
“The average cost of a data breach in Australia has grown 32% in the last 5 years, reaching AUD $4.03 million” – IBM, Cost of Data Breach Report 2023
The OAIC offers guidance on their website, on reporting data breaches and expects the statement to contain enough information for affected individuals to assess the potential consequences and take protective measures.
- Expanded Information Types
Broadly, the potential changes are seeking to extend the definition of what is considered personal information. This means that other types of information may be considered personal about an individual that currently are not.
For example, many small businesses hold a range of information about people beyond Names, Dates of Birth and Contact details.
The proposed changes address information that is not just directly “about” the individual but also includes information “related” to an individual, which can culminate to identify them. Such as IP addresses, IP identifiers and location data and any other online identifiers which can be used to identify an individual.
It is recommended organisations undertake a Privacy Impact Assessment (PIA) to determine what information they hold so that they may decide what controls may be required (e.g., Policy, Process, Technical requirements) to ensure information protection.
- Privacy Impact Assessment (PIA)
The inclusion of a PIA as part of the Privacy Act will require organisations to perform an assessment of the risks associated with individuals’ privacy where a high-risk activity is being undertaken.
For example, the launch of a new product or service offered where personal information is used or changed or where migration of an IT system relating to personal information would likely trigger a PIA to be conducted.
“A guide to undertaking privacy impact assessments (PIA Guide) has been prepared by the Office of the Australian Information Commissioner (OAIC) to describe a process for undertaking a privacy impact assessment (PIA). The PIA Guide is intended to provide guidance to all Australian Privacy Principle (APP) entities. – OAIC
Start preparing for the potential changes now
As SMBs brace and adapt for the potential regulatory changes, proactive compliance measures and a commitment to data privacy are paramount for maintaining trust with stakeholders and avoiding potential legal consequences.
Stay informed, implement best practices, and leverage available resources to safeguard your business in the evolving data privacy landscape.
Here are three areas businesses can explore to stay informed:
- Follow the OAIC and other Government websites,
- Consider seeking legal counsel for privacy guidance,
- Undertake a Privacy Impact Assessment.