In March last year, several amendments to the federal Privacy Act 1988 came into effect, enforcing much tighter compliance surrounding the collection and use of your clients’ personal information.
Since then, many small businesses have taken the time to review their internal privacy policies to ensure they are compliant; however, there is still quite a large number of businesses who are not even sure whether they are required to comply under the Privacy Act.
If you find you are in the same boat and are unsure whether you are required to comply with the Act, it’s now more important than ever to determine your obligations. As cybercrime is increasingly prevalent, your risk of being targeted is high.
Remind Me – What is the Privacy Act?
According to the Office of the Australian Information Commissioner (OAIC), “the Australian Privacy Principles (APPs) in the Privacy Act outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses must handle, use and manage personal information”.
Under the Privacy Act, personal information is considered any information or opinion that “identifies or could reasonably identify an individual”.
That type of information may include:
- Phone number
- Bank account details
- Date of birth
- Medical records/information
The Privacy Act and Small Businesses
Whilst the Privacy Act states that small businesses with an annual turnover of less than $3 million are not required to comply with the Privacy Act, there are several instances where, even as a small business, you must comply with the Act.
The general rule of thumb is that if you collect and manage the personal information of your clients, you will need to comply with the APPs.
Does My Business Have to Comply?
In order to determine whether your business falls under the Privacy Act, OAIC have developed a ‘small business checklist’.
The checklist is a relatively easy way to determine if your business is required to comply with the Privacy Act by answering a series of ‘yes’ and ‘no’ questions.
As mentioned earlier, if your business handles the personal information of your clients, you will be required to comply with the Privacy Act; however, there are some other qualifying factors that your business may fall under without you even realising.
For example, if your business is a holding company or a subsidiary of another body corporate that is required to comply under the Privacy Act, you may also be required to comply by association.
If after working through the checklist you’re still unsure of your obligations, it may be worthwhile consulting with your lawyer or other advisers to determine if you need to comply.
If you determine that you are not required to comply, it is possible to opt in to the Privacy Act anyway. In doing so, you can operate with the confidence that your business has the correct procedures in place to ensure your information is handled diligently.
My Business Is Required to Comply – What Is Our Next Step?
Again, OAIC have a database of very valuable information and resources which will assist you in ensuring your business is compliant under the Privacy Act.
This includes summaries of the APPs, the Commissioner’s regulatory powers, frameworks to ensure your ongoing compliance under the Act and tips for your staff on how to comply, such as the handling of customers’ personal information.
It is recommended that, as a business owner, you take the time to determine whether or not the Act applies to you, and what actions you are required to take if it is confirmed that you must comply.
Being on the front foot with privacy is now more important than ever as the cost of breaching the Privacy Act could be extremely damaging for a small business.
You can find more information about the small business checklist and further resources here.