Changes to the Privacy Act and the impact on SMB organisations

Changes to the Privacy Act and the impact on SMB organisations

If the suggested 116 proposed changes or even just the agreed and already committed to 38 proposals for reform go through as updates to the current Privacy Act, every Australian business, no matter its size, will be impacted by these changes.

As the landscape of Privacy Law undergoes significant changes, it’s crucial for businesses to stay ahead of the curve. With impending reforms likely impacting small businesses, including the potential removal of the small business threshold exemption and mandatory reporting obligations, proactive compliance is paramount.

Now is the time to think about the impact of the predicted changes

Whilst there are several proposed changes that will require industry engagement, small to medium businesses should prioritise understanding and staying informed about these updates and the mandatory reporting rules.

A good starting point is the Privacy Checklist for Small Business offered by the Office of the Australian Information Commissioner (OAIC) to see if your business needs to comply with the Privacy Act.

Here are five key areas for SMB’s to consider 
  1. Removal of Small Business Threshold Exemption

One significant change on the horizon is the potential removal of the small business threshold exemption. Currently, businesses with an annual turnover of less than $3 million are exempt from certain Privacy Act obligations. 

If this recommendation of threshold exemption proceeds it will require all small businesses to implement policies, controls and processes to comply with the Privacy Act.

For example, a business maintaining a rewards program and customer database would likely need to implement a Privacy Policy, train staff, and ensure that the personal information they collect, use and store is handled in a secure manner.

  1. Consent Changes

Potential consent changes may require organisations to review how people have consented to the use of their information and whether that consent is appropriate for the way in which the organisation wants to further use the information. 

For example, if a marketing business has obtained consent to provide a particular service, and subsequently introduces a new product or service, it may need to obtain a new customer consent to allow for the individuals information to be used in a different way.

The changes propose that the quality of privacy collection notices and consents obtained from individuals should be improved, and this may include amending the definition of consent to provide that it must be voluntary, informed, current, specific, and unambiguous. 

The OAIC have indicated they may develop guidance on how online services should design consent requests. This may address how particular layouts, wording or icons could be used when obtaining consent, and how the elements of valid consent should be interpreted in the online context.

  1. 72-Hour Mandatory Reporting

Reporting of breaches within the 72 hours will likely require organisations to move at an accelerated pace.  

For example, a small business who has previously been exempt from the Privacy Act under the “Threshold Exemption”, will likely require development of a Data Breach Response Plan. This would ensure appropriate processes for detection, containment, eradication, and recovery from incidents that includes when and who needs to be notified.

Failure to report within this timeframe may result in penalties. IBM recently released a report offering insights into the potential high cost of a breach.

“The average cost of a data breach in Australia has grown 32% in the last 5 years, reaching AUD $4.03 million” – IBM, Cost of Data Breach Report 2023  

The OAIC offers guidance on their website, on reporting data breaches and expects the statement to contain enough information for affected individuals to assess the potential consequences and take protective measures.

  1. Expanded Information Types

Broadly, the potential changes are seeking to extend the definition of what is considered personal information. This means that other types of information may be considered personal about an individual that currently are not. 

For example, many small businesses hold a range of information about people beyond Names, Dates of Birth and Contact details.

The proposed changes address information that is not just directly “about” the individual but also includes information “related” to an individual, which can culminate to identify them. Such as IP addresses, IP identifiers and location data and any other online identifiers which can be used to identify an individual.

It is recommended organisations undertake a Privacy Impact Assessment (PIA) to determine what information they hold so that they may decide what controls may be required (e.g., Policy, Process, Technical requirements) to ensure information protection.

  1. Privacy Impact Assessment (PIA)

The inclusion of a PIA as part of the Privacy Act will require organisations to perform an assessment of the risks associated with individuals’ privacy where a high-risk activity is being undertaken. 

For example, the launch of a new product or service offered where personal information is used or changed or where migration of an IT system relating to personal information would likely trigger a PIA to be conducted. 

“A guide to undertaking privacy impact assessments (PIA Guide) has been prepared by the Office of the Australian Information Commissioner (OAIC) to describe a process for undertaking a privacy impact assessment (PIA). The PIA Guide is intended to provide guidance to all Australian Privacy Principle (APP) entities. – OAIC

Start preparing for the potential changes now

As SMBs brace and adapt for the potential regulatory changes, proactive compliance measures and a commitment to data privacy are paramount for maintaining trust with stakeholders and avoiding potential legal consequences. 

Stay informed, implement best practices, and leverage available resources to safeguard your business in the evolving data privacy landscape. 

Here are three areas businesses can explore to stay informed: 

  • Follow the OAIC and other Government websites, 
  • Consider seeking legal counsel for privacy guidance, 
  • Undertake a Privacy Impact Assessment.

Diamond IT

Diamond IT is a leading technology provider supporting businesses to run smoothly, reliably and productively. Its diverse range of offerings includes managed IT services, infrastructure solutions, software development, telecommunications and technology consultancy.

Trending Articles

Advertise with us

Affordable and engaging advertising to a business community

Submit an article

Tell your story to the Hunter business community

Does your legal business need a little help with its marketing?

Marketing strategies

This website uses cookies
We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.