Does the Privacy Act 1988 (Cth) apply to your business?

The Privacy Act applies to businesses with an annual turnover of more than $3 million, as well as some other specified businesses. Your annual turnover includes all income from all sources, such as the sale of goods and/or services, lease or hiring income, rental income, interest and other operating income.

Even if your business has an annual turnover of $3 million or less, your business may still need to comply with the Privacy Act if you are a: 

• health service provider, including gyms, weight loss clinics, and child care centres;
• trade in personal information;
• contractor providing services under a contract with the Commonwealth;
• credit reporting body;
• operator of a residential tenancy database;
• business that conducts Protection Action Ballots;
• business that has opted in to be covered by the Act

Obligations under the Privacy Act

If the Privacy Act applies to your business, you must comply with the Australian Privacy Principles (‘APP’) on how to handle, use and manage personal information. ‘Personal information’ is information or an opinion about an identified individual, or an individual who is reasonably identifiable, regardless of whether or not the opinion is true, and regardless of whether the information or opinion is recorded.  

The Bill does not propose to make any changes to the APP, however, your business should ensure it complies with these principles. We have discussed some below. 

Privacy policy

Under the APP, your business must have a clear and up-to-date privacy policy. This policy should explain how your business handles personal information and should include things such as a name and contact details, what personal information is collected and stored, and where and how the personal information is stored. This policy must be updated and publicised whenever information handling practices change in your business.  

Security of personal information

Under the APP, your business must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification, or disclosure. What is considered ‘reasonable steps’ depends on the circumstances, such as the nature of your entity, the amount and sensitivity of the personal information held, and the potential consequences for an individual if the data was breached.   

Changes to the Notifiable Data Breaches scheme

If the Privacy Act applies to your business, you must comply with the Notifiable Data Breaches scheme (‘NDB scheme’), which deals with notification requirements in the event of data breaches. A data breach occurs when personal information is lost or subjected to unauthorised access or disclosure.  

Under the NDB scheme, when a data breach is likely to result in serious harm to the affected individuals, your business must take reasonable steps to notify affected individuals and the  

Changes to the kind of information to be reported

Under the current NDB scheme, you must prepare a statement for the Office of the Australian Information Commissioner (‘OAIC’) out the ‘kind or kinds of information concerned’ in the data breach. The Bill proposes to amend the content of the statement to include the ‘particular kind or kinds or kinds of information concerned’. This means that instead of reporting that ‘contact information’ was involved in a data breach, you would specify the kind of contact information involved, such as the phone number of email address. 

Conclusion 

We advise businesses to determine if the Privacy Act applies to their business. If applicable, you should review and confirm that your privacy policy is up to date and ensure that your business is meeting their obligations under the APP, NDB scheme and Privacy Act generally. 

The CCIWA Commercial Law Team can advise you on how to meet your obligations under the privacy laws or how the Bill may impact your business. Please contact the CCIWA Commercial Law Team at [email protected] or call (08) 9365 7560 to discuss further.