Australia: Is your business ready for a new era of privacy regulation: Removing the Small Business Exemption (Part 2)

To read part 1 of our "Is your business ready for a new era of privacy regulation" article series, click here.

If you are a small business (if you have an annual turnover of $3 million) then you should be proactive in preparing your business for a new era of privacy regulation.

Review of the Small Business Exemption in the Privacy Act

Small businesses, with an annual turnover of $3 million or less, are mostly exempt from complying with the Privacy Act 1988 (Cth) (the Act). According to the Australian Small Business and Family Enterprise Ombudsman, this accounts for about 92% of total Australian Businesses, which works out to be about 2.3 million businesses ¹.

The Government agrees in principle with the proposal to remove the small business exemption from the Act. This means that the Government is looking to conduct further review and consultation with focus groups to understand the needs and implications of amending or removing the small business exemption.

Be proactive in understanding how your business handles personal information

Whilst the proposed reforms are presently unknown, it doesn't stop you from proactively addressing privacy concerns and take a privacy by design approach to your business.

The first step is to understand what personal information is held by your business. This could be your customer relationship management database or a pile of unfiled documents or the meta data that your system has collected through its operations. Personal information is everywhere. For example, if you have an email for enquiries, you could be receiving personal information through the emails, especially if the email is that user's full name or if the email contains an email signature.

Throughout this process, you should consider your purpose for collecting the personal information, whether or not you can achieve the same purpose in a way that promotes privacy and consider the consequences if the personal information was not collected.

Another proactive step that you can take is to conduct a privacy impact assessment before you launch a new project that involves personal information. By doing this at the beginning of the project, will help to embed positive privacy practices to avoid risks and traps in the future.

Illustrative Example

Let's take a large restaurant as an example. This restaurant takes customer reservations in a physical book. Its employees would ask the customer for their full name and their mobile number to confirm the booking. The reservation book is kept at the counter next to the telephone. The restaurant have been using the book for 3 years now. The restaurant also uses a paper queuing system that is stuck on the window next to the entrance. Their customers write down their name and mobile number to reserve a spot. The restaurant is considering a digital solution to allow for online booking and digital queuing to replace their current system.

This restaurant can start to proactively review their privacy practices by reviewing, what personal information they need, and how to take a data minimisation approach by removing or de-identifying data that they no longer need to have, and how to protect the data.

Starting with the three year old customer reservation book, the restaurant should consider whether they need to retain all the information or whether they can securely destroy information that they don't need. Going forward, rather than asking for the full name, perhaps just the first name or the initials may be enough with the mobile number to secure a reservation. In relation to the paper queuing system, rather than asking the patrons to write down their name and mobile number, the customer should be able to just write down their initials and mobile number, which is optional. Further, that paper queuing system may be better protected by an employee holding onto the paper form rather than it being exposed to the public. Additionally, the paper form should be shredded after usage. Finally, when it comes to reviewing a digital solution, the restaurant can go through a privacy impact assessment to embed privacy protections from the beginning of the project.

Time to take stock

Privacy reform is coming. While the exact change and impact on small businesses are yet to be revealed, it is unlikely for the status quo to remain. It may be worthwhile to be on the front foot to future proof your business.

^Footnote

¹ Australian Small Business and Family Enterprise Ombudsman – Number of small businesses in Australia

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.