All things bright and beautiful, all creatures great and small

It has been over a year since the amendments to the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) were first introduced. Many large entities caught by the operation of the Privacy Act and the APPs – including government agencies, major international and national companies and prominent not-for-profit organisations – have taken steps to implement appropriate internal systems and policies to ensure they comply with the requirements of the Privacy Act and the APPs.

Although most of the news headlines about privacy breaches concern large scale entities behaving badly, such as Avid Life Media and the Ashley Madison data breach scandal, those entities which are taking the longest to catch up with their privacy obligations are local mum and dad style operators and small businesses. It is important for you to understand whether your small business is caught by the operation of the Privacy Act and, if it is, to take steps to get your business Privacy Act-compliant.

Does my small business need to comply with the Privacy Act?

The Privacy Act defines a small business as a business which does not have an annual turnover greater than $3 million.  Although many small businesses will be exempt from the operation of the Privacy Act and the APPs, some small businesses which handle personal information will not be. 

In short, whether your particular small business is captured by the Privacy Act will turn on a number of factors.  If you can answer “yes” to any of the questions below, your small business may be subject to the operation of the Privacy Act.

  • Has your small business had an annual turnover of more than $3 million in any financial year since 2002? If your business has not operated for a full financial year yet, in order to determine if it has an annual turnover of more than $3 million you will need to estimate your business’s likely full year annual turnover based on the income earned by it to date.

  • Does your small business “trade” in personal information? A small business will be deemed to “trade” in personal information if it provides a benefit, service or advantage to collect personal information or if it discloses personal information for a benefit, service or advantage.  Plainly speaking, a business will “benefit” or have an “advantage” where it receives payment, a discount or some other commercial benefit as a result of sharing or disclosing personal information.
  • Does your small business only trade in personal information without the consent of the individual and without being required or authorised by law? 
  • Is your small business a health service provider? You need to think about whether your business is concerned with providing services relating to physical, psychological, emotional and mental health. For example, health service providers can include, but are not limited to, private hospitals, day surgeries, your local GP, pharmacists, child care centres, private schools and private tertiary educational institutions.
  • Is your small business related to a larger body corporate that is subject to the Privacy Act? Your small business or company may be related to a larger body corporate if it is a holding company or a subsidiary of another body corporate.
  • Is your business a Commonwealth contracted service provider?  Your small business may be captured by this qualifier if it provides services to or on behalf of a Commonwealth Australian government agency under a Commonwealth contract or subcontract. 
  • Does your small business operate a residential tenancy database?  This will be likely to concern all of the real estate and property managers out there.  A residential tenancy database is a database which contains personal information about individuals occupying residential premises as tenants and which is accessible by a person other than the operator of the database or a person acting for the operator.
  • Does your small business carry on a credit reporting business?
  • Is your small business an employee association registered under the Fair Work (Registered Organisations) Act 2009?
  • Has your small business opted into the Privacy Act? Entities such as small businesses, which are not normally caught by the Privacy Act, have the option to “opt in” to being covered by the Privacy Act.

What happens if my small business breaches the APPs?

If you operate a small business which is captured by the Privacy Act and a member of the public lodges a complaint about the management of their personal information by your business with the Office of the Australian Information Commissioner (OAIC), the OAIC may investigate the complaint, seek to conciliate between the parties, make a determination about the complaint and, in extreme circumstances, may issue your business with a penalty up to $1.7 million.  The OAIC can also elect to investigate a matter of its own volition.

My small business isn’t caught by the Privacy Act and the APPs – do I still need to worry about privacy issues?

Although your small business will not be at risk of being investigated or penalised by the OAIC if it fails to comply with the Privacy Act or the APPs, that does not mean that it can simply forget about privacy related matters. 

Small business owners need to bear in mind that if their small business mismanages an individual’s personal information, their small business may face other commercial consequences such as poor reviews (online or in person), unwanted media attention and/or legal action depending on the given circumstances. 

Lavan Legal comment

A year on from the original amendments to the Privacy Act, there are no longer any excuses for entities failing to ensure that they are operating in a privacy compliant manner.  If you think that your small business may be covered by the Privacy Act and you need assistance in making your small business privacy compliant or if you are having difficulty determining whether you or your small business is covered by the Privacy Act, please contact Iain Freeman or Mathea McCubbing.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.