New Privacy Obligations are Coming – What You Need to Know
As most small businesses are not currently subject to the Privacy Act, it is important that retailers understand and start preparing for these key changes.
End of Small Business Exemption
Previously, businesses with an annual turnover of less than $3 million were exempt from the Privacy Act. The government believes this exemption should be removed because there is now a community expectation that individuals' personal information will be kept safe, even when it is provided to small businesses. This would bring approximately 95 per cent of actively trading Australian businesses into the scope of the Privacy Act, requiring them to meet compliance obligations. The government acknowledges that small businesses will face challenges in adapting to these new compliance measures. It is proposing a transition period and further consultation with the small business sector on the likely impact of removing the small business exemption.
Employee Data to be Covered
There are also proposed reforms to the Act that would impact small businesses. One of the main ones is bringing current and former employee data, which is currently excluded, under the Privacy Act.
Enforced Data Retention Periods
There was concern about the storage of personal information by businesses for periods that extend beyond what is justifiable for business purposes. The government sees this unnecessary data retention as creating a “honey pot” for cybercriminals. It is considering rules that would force businesses to have set minimum and maximum data retention periods that would have to be stated in their privacy policies.
Strengthening Informed Consent
The government aims to give individuals greater control over their privacy by requiring entities to seek informed consent about the handling of personal information.
Reforming Privacy Notices
The government criticised the current use of “complex, lengthy, legalistic and vague” privacy notices. It is recommending that privacy notices should be “clear, up-to-date, concise, and understandable.”
New Rights of the Individual
A range of new rights are proposed, allowing individuals greater control over how their data is being used.