Small businesses may soon be forced to comply with the Privacy Act, with the Government considering scrapping a 20-year-old exemption for businesses with a turnover of $3 million or less.

With the Optus and Medibank hacking scandals bringing the issue of cyber security to the media once again, the Attorney-General’s Department is conducting a review of the Privacy Act. One of its focuses is the small business exemption, which was introduced well before small businesses moved online.

A majority of the submitters to the review support the reform; however, the Federal Government has not made a decision on the proposal.

The proposed changes to the Privacy Act could mean that small businesses will be required by law to take steps to protect their customers’ personal information. This information could include anything from names and addresses, to email addresses and phone numbers.

Under the Privacy Act, small businesses would need to create a Privacy Policy to inform customers of how their personal information is collected, used and stored. This information would then need to be deleted or de-identified when it is no longer in use.

Small businesses would also be required to ensure the security of their customers’ personal information. As part of the Privacy Act, businesses can only store data about Australian citizens within Australia. This means if you are using a cloud-based server or platform to store your customers’ information, you would need to ensure the server is physically located within Australia – or move to another provider that is compliant.

If you were to experience a data breach or other security incident that could compromise your customers’ personal information, you would need to notify them as soon as possible. This is known as a data breach notification and is a legal requirement under the Privacy Act. Currently, individuals have no recourse if their personal information is compromised in a hack on a small business. If these new proposed changes come into effect, small businesses would not only need to inform their customers – they may also be liable.

Cyber security is a growing issue for small business owners, with one in five SMEs in Australia having experienced a cyber-attack. Yet many small business owners think it will never happen to them and take no steps to prevent cyber-attacks. It is this sort of thinking that makes small businesses one of the easiest targets for hackers, with 47% of cyber-attacks directed towards SMEs.

Now is a good time to start thinking about how you can protect your customers’ personal information. Business Foundations is running a Cyber Security – Data and Information Classification workshop on Thursday the 30th of March 2023 to help businesses implement new tools and strategies to secure their business.

Being ahead of the curve in cyber security will not only ensure you comply with the proposed changes, it will also help you gain the trust of your customers, and that’s good for business.
