Privacy reform is coming – this time it’s personal (information)
Privacy reform is on the horizon. After years of consultation, the government has “agreed” or “agreed in-principle” to many of the 116 recommendations in the Privacy Act Review Report. Its response sets Australia on a path toward the gold standard set by the EU’s Global Data Protection Regulations.
A wider net
One big-ticket item is the removal of the “small business exemption”. Currently, only businesses with an annual turnover of over $3 million are subject to the Privacy Act. But the proposed change abolishes this threshold, meaning that all the requirements of the Privacy Act and Australian Privacy Principles will, in time, apply to all entities carrying on business in Australia.
If you’re a small business owner, don’t panic yet. The government has clarified that it will undertake further “impact analysis” and develop appropriate support to ensure small businesses can actually comply with the Privacy Act.
The net isn’t just being cast wider, but deeper too. The government has agreed in-principle to the introduction of a “fair and reasonable test”. This means that businesses will need to ensure that their handling of customers’ personal information is fair and reasonable in the circumstances. This assessment requires you to consider the type, sensitivity and amount of personal information at stake.
Clarifying terms
There is recognition that the Privacy Act should be simpler and more transparent. The government has agreed in-principle that the following definitions should be included or amended:
A regulator with teeth
Following a string of high-profile corporate privacy scandals, the Office of the Australian Information Commissioner (OAIC) is getting shiny new enforcement powers. If the reforms are passed, the OAIC could take action against “serious” privacy breaches (not just “serious and repeated” breaches). It could also impose new mid-tier civil penalties for interferences with privacy, and hand out low-level fines in the form of infringement notices.
What this means for your business
With legislative changes imminent, it’s time to be proactive about ensuring your business has the correct processes and policies in place. A box-checking exercise won’t satisfy your obligations. Instead, think deeply about the ‘why’ behind your handling of personal information – particularly, whether it’s fair, reasonable and protects your customers’ privacy.
Questions? Give us a call.