On 28 September 2023, the Australian Government released its response to the Privacy Act Review Report (the Report) from February this year. The Australian Government has agreed to 38 of the recommendations outlined in the Report, with a further 68 recommendations from the Report being agreed to in principle.

Some of the key recommendations coming out of the Government’s response addressed the removal of the small business exemption, the increased requirements of businesses to understand the data they hold, and the increased need for clarity for individuals on the information they provide and have provided to businesses.

 

Small Business Exemption Removal

From a small business perspective, one of the key outcomes of the Report was the recommendation for the small business exemption to be removed. Currently, businesses with annual turnovers of less than $3 million dollars are exempt from complying with the Privacy Act. The feedback from the Report was clear that irrespective of size, individuals expect that their personal information is securely stored and not used in harmful ways.

This recommendation is agreed to in principle by the Government in their response, however it was acknowledged that more consultation was required with small businesses before removing this exemption. This could include modifications to the Privacy Act for small business to ease the regulatory burden. From a charity perspective, this impacts at least two-thirds, approximately 40,000, of ACNC-registered charities whose turnover is less than $1m.

Small businesses should remain alert to the updates pertaining to the recommended removal of the exemption and start forward planning for such a scenario.

 

Business Obligations

Some key recommendations for businesses pertained to keeping organisations accountable and the security, retention and destruction of sensitive information.

Businesses will likely need to appoint/designate a senior employee to be responsible for the privacy within an entity. This could be an existing employee where feasible, however, in smaller organisations this will need to be thought out carefully.

Although only agreed to in principle, there was a recommendation of having Business’s determine and record the purpose for which they will collect and use personal information, and this must be established prior to or at the time of collection. In addition, the Government agreed in principle that collecting and using personal information should be fair and reasonable. Businesses should consider what an individual would expect as necessary personal information to provide to a business to assist in the operations and activities of the business.

Further to this, the Government has also agreed in principle to establish maximum and minimum retention periods in relation to the personal information that is stored by businesses. It will further be expected that business’s privacy policies outline their retention periods.

As a result of the above recommendations, it is imperative that businesses understand the personal information they are collecting and understand the implications of collecting such personal information. Businesses will need to ensure their privacy policies are updated and reviewed periodically to ensure all data is being considered and appropriately stored and destroyed.

 

Individuals’ Rights

Some key recommendations for individuals aim to improve individuals understanding of what information is being collected, why it is being collected, and what rights they have pertaining to their personal information.

One of the recommendations agreed to in principle outlined the need for businesses to ensure the privacy notices provided to individuals were clear, concise, up to date and understandable.

Likewise, recommendations pertaining to an individual’s ability to request information that has been collected upon request by an individual were agreed to in principle. A recommendation, agreed to in principle, plans to introduce a data erasure measure for individuals seeking to remove their personal information from a business.

Businesses should consider the above recommendations for individuals, and whether or not updates to their privacy policies, and collection notices are warranted ahead of the establishment of any of the recommendations.

 

Overall, the Government’s response to the Report has been supportive. The Government will now need to start drafting legislation provision and will undertake targeted consultation with entities prior finalisation.

This is a timely reminder for all Charities and Businesses to:

• Consider how the Privacy Act applies to them and how the proposed changes might impact them,
• Review your privacy policies and ensure they are compliant,
• Ensure you are following your privacy policy and procedures in the collection, storage and retention of personal information,
• Review your process around data breach plan and reporting to ensure they are appropriate in the event of a data breach. 

 

If you have any questions, please don’t hesitate to contact us.