In September 2023, the Australian Government signalled its broad approval of the proposed reforms of the Privacy Act. The reforms are aimed at strengthening the protection of personal information and the control individuals have over their information. Stronger privacy protections are said to support digital innovation and enhance Australia’s reputation as a trusted trading partner.
Although there is no certainty as to the specific changes to be made to the Privacy Act 1988 (Cth), businesses can use this guidance to proactively stay ahead of the anticipated privacy law changes.
What are the key proposed changes that will impact small businesses?
Currently, small businesses with an annual turnover of $3 million or less are exempt from the Privacy Act. The Government agreed in-principle to remove this exemption, but only after an impact analysis and appropriate support is developed in consultation with small businesses.
In relation to privacy policies, the Government agreed in-principle that these policies should be clear, concise and understandable. There are concerns that privacy policies are often complex, lengthy, legalistic and vague, and that many individuals therefore do not understand how their personal information is handled.
Importantly, it was also agreed in-principle that entities should be required to establish minimum and maximum retention periods for holding personal information, as specified in their privacy policies.
The existing framework relies largely on individuals to self-manage their privacy, assuming individuals read and understand privacy policies and collection notices. There is now a shift towards placing greater responsibility onto the entities, as suggested by the Government’s in-principle agreement to require that the collection, use and disclosure of personal information is fair and reasonable in the circumstances.
Best practice tips
Considering the exemption under the Privacy Act, many small businesses do not have privacy policies. It is prudent for businesses to prepare themselves for the impending changes as privacy and data concerns grow. Businesses can stay ahead by obtaining a well-written privacy policy that is understandable and concise, and establishing minimum and maximum retention periods for the different types of personal information held by the business. It is important to recognise that certain types of personal information may have different retention periods, depending on factors such as their sensitivity and the use of the information.
Our Commercial Legal team can assist you in preparing for the proposed changes. We have template privacy policies and data retention toolkits available for purchase. Alternatively, we can draft a bespoke privacy policy tailored to your business and advise on retention of personal information. Please contact us on [email protected] or call (08) 9365 7560 to discuss how we can help you.