The Impact of the Australian Privacy Act Review on Small and Medium-Sized Enterprises
In today’s digital age, data privacy is a growing concern for individuals and businesses alike. Recognising the importance of protecting individuals’ personal information, the Australian government is undertaking a review of the Privacy Act 1988 to modernise it and ensure it meets today’s needs. However, the potential impact of this review on small and medium-sized enterprises (SMEs) is a cause for concern.
In this blog post we consider the Privacy Act Review and its impact on SMEs, including a brief example case study to better understand the possible implications on a small business.
We expect the coming changes to the Privacy Act will catch many SMEs off-guard – our hope is that this post helps you consider how your business may be impacted and what you can do to prepare.
What is the Australian Privacy Act Review?
The Australian government commenced a comprehensive review of the Privacy Act in 2019 to ensure that the data protection regime is effective in empowering consumers, protecting their data, and serving the Australian economy. The review involved several rounds of public consultation, and the publication of an issues paper in October 2020 and a discussion paper in October 2021.
More recently, in February 2023, the Privacy Act Review Report was released detailing 116 proposals at a principles level. These proposals steer the Privacy Act towards individual protections similar to the General Data Protection Regulation (GDPR) in Europe.
Although the report does not include an exposure draft of any reform legislation, it is becoming clearer that upcoming Privacy Act reforms will drive significant change to the way businesses interact with individuals and handle personal information.
Proposed change to consent and definition of personal information
The Privacy Act Review Report contains several proposals that could significantly impact how a business handles and uses personal information.
One of the key proposals relates to consent: the collection, use, and disclosure of personal information must be conducted fairly and reasonably, irrespective of whether consent has been obtained.
The report also recommends amending the definition of consent, which must be voluntary, informed, current, specific, and unambiguous.
Combined with a broader definition of personal information to capture a more extensive range of data, these proposed changes will substantially impact how a business collects and treats data.
Direct right of action to remedy loss or damage
The Privacy Act Review Report also proposes a direct right of action for individuals who have suffered loss or damage due to interference with their privacy, and tighter timeframes for Notifiable Data Breaches. Furthermore, certain obligations will be extended to private sector employees, including transparency of collection and use of employee information, protection against unauthorised access or interference, and eligible data breach reporting.
Impact on Small and Medium-Sized Enterprises
Small and medium-sized enterprises (SMEs) may be particularly affected by the proposed Privacy Act reforms.
The current Privacy Act does not apply to businesses with an annual turnover of up to $3m, except for some specific cases such as health service providers or credit reporting bodies. The proposed changes would require small businesses to have a privacy policy, ensure that they keep personal information secure, and delete or de-identify it when no longer required.
Some small business groups are concerned about the cost of compliance, which may impact up to 2.5 million small businesses that have already had a difficult recent run during the pandemic.
Why such a focus on Small and Medium-Sized Enterprises?
There is no doubting the importance of SMEs improving their privacy and data protection practices.
Recent evidence suggests that small businesses are increasingly at risk of falling victim to cybercrime. The Australian Cyber Security Centre found that, in 2021-2022, small businesses faced an average cost of $39,000 per cybercrime reported, and medium businesses faced an average cost of $88,000. The same evidence points to cyber attacks shifting towards mid-sized firms (see Figure 2), which are exposed as easier targets and generally carry a lower risk of repercussions for the cyber criminals.
Example to illustrate the potential impact of Privacy Act changes on a Small Business:
Let’s consider a fictional small business We Are Health, a healthcare company that operates multiple medical clinics and collects sensitive patient data through channels including online forms, phone calls, and in-person consultations. With an annual turnover of AUD 2.8 million, the company has never been required to comply with the Privacy Act due to its size.
However, if the Privacy Act Review proposals are adopted, We Are Health must comply with privacy regulations for the first time, impacting its business operations:
- We Are Health will need to create or review its privacy policy to align with the new definition of consent, ensuring transparency and lawfulness. They must outline how the company collects, uses, and discloses personal information, making it easily accessible to patients on request, and managing the information effectively. The business must then align its operations and training to this policy.
- We Are Health must implement data protection measures to secure the personal information it collects. This includes de-identifying data, ensuring secure storage, access controls, data backups, a disaster recovery plan, and staff training. Additionally, We Are Health must conduct a privacy impact assessment to identify areas of non-compliance and create a privacy management plan to ensure that all data handling practices align with the proposed reforms. This will minimise the risk of data breaches and protect patient data.
- The proposed changes to the Notifiable Data Breaches scheme will require We Are Health to report data breaches within a tighter timeframe. The company must establish clear procedures for detecting, assessing, and reporting data breaches and ensure that all staff are aware of their obligations and responsibilities. This will enable the company to respond quickly and effectively to any data breaches, minimising the impact on patients and the business.
Overall, the Privacy Act Review proposals will create a substantial amount of change for We Are Health, including additional overheads, to achieve compliance and build a reputation for data privacy and security.
What are the next steps for the Privacy Act Review?
With the community consultation having been completed in March 2023, the government will now seek to amend the scope and application of the Privacy Act with a range of recommendations that may include:
- Developing a framework of privacy practices for personal data.
- Establishing a private right of action for individuals harmed by an organisation’s data practices.
- Updating the notifiable data breach scheme.
- Updating enforcement powers in consideration of how the privacy regulatory scheme aligns with other regulatory frameworks.
- Imposing an independent certification scheme for privacy compliance.
- Establishing a statutory tort for serious invasions of privacy.
Experts predict that this phase will be completed in the first half of 2023.
With the benefit of having observed the implementation of the GDPR in Europe, we could assume a similar process here: businesses may have a limited window (for example, 12 or 24 months) to become fully compliant with the new requirements before being fined for non-compliance.
Those SMEs who start preparations now will be in a much stronger position than those who do not.
Final Thoughts
Synergy Compliance understands that navigating data privacy, individual protections and information security is complex and daunting.
We have built a team of specialists who advise our SME clients on these topics, and bring tools and resources to support our clients on their journey to achieving and maintaining compliance.
Synergy Compliance offers a range of compliance and governance services including:
- Privacy gap assessments to identify areas of risk and vulnerability
- Privacy policies, including policy management to ensure your policy set is always up to date
- GDPR alignment and implementation
- Awareness training that covers a breadth of privacy and cyber security topics
- Certification implementation and support
Reach out to us to discuss how we can support your privacy, cyber security, compliance and governance needs.