Privacy Exemptions for Small Business
Recent events regarding the abuse of privacy in the UK, namely the News of the World scandal and the newspaper's subsequent closure, have prompted a wider debate about privacy and privacy legislation in Australia. To date, the Privacy Act exempts businesses with an annual turnover of $3 million or less. Telecommunications service providers do, however, have obligations under the Telecommunications Act with regard to the use and disclosure of information, but these do not address issues such as the collection and storage of personal information. In general, small businesses are exempt.
The Australian Law Reform Commission has, for some time, called for the regulation of information handling by telecommunications service providers, stating that:
“The risks to privacy posed by small businesses are determined by the amount and nature of personal information held, the nature of the business and the way personal information is handled by the business, rather than by their size alone. The ALRC notes that the telecommunications industry is increasingly handling large amounts of personal information. It is appropriate that the handling of personal information by these organisations is regulated by the Privacy Act.”
For further information on the ALRC stance, visit http://www.alrc.gov.au/publications
In June 2011, the Joint Select Committee on Cyber-Safety called for an amendment to the Privacy Act 1988 to include small businesses under the requirements of the Act. Many other voices have added their weight to this request, to ensure that small businesses that hold substantial amounts of personal information about clients, and often transfer this information offshore, are held accountable under the Privacy Act. A government review of small businesses with significant information holdings was also demanded, with a view to amending current legislation.
As well as concerns about online information and cyber-safety, there are growing concerns with regard to privacy in the public sector.
Current Exemptions for Small Business
Under the Privacy Act 1988, most small businesses are exempt from compliance with a set of 10 standards known as the National Privacy Principles (NPPs). A small business is defined as a business with an annual turnover of $3m or less. Some categories of business do have obligations, such as those that provide a health service or hold health information, trade in personal information, trade information for a service or benefit, provide a service in order to gain information, are contracted service providers for the Commonwealth government, or are a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
The Act also contains an Employee Records exemption for information directly related to a current or former employment relationship. These records might contain information on health, engagement, training, resignation, terms of employment, personal and emergency details, performance and conduct, and taxation, banking or superannuation affairs.
Contact your solicitor for up-to-date information on your compliance exemptions and obligations under the Privacy Act 1988.