On the 12th of March 2014, changes to the Australian Privacy Act 1988 commenced. This was part of the privacy law reform process that began in 2004, and it has led many small Australian businesses to consider how the changes to the privacy laws will affect them.
A small business is defined as a business with an annual turnover of $3 million or less. The recent changes will not affect most small businesses as they are not required to comply with the Privacy Act 1988. However, there are a small number of businesses that must comply with the Act. These include:
- a health service provider; or
- a business that trades in personal information; or
- a contractor that provides services under a Commonwealth contract; or
- a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act); or
- an operator of a residential tenancy database; or
- a credit reporting body
While most of these are self-explanatory, what it means for a business to trade in personal information needs to be explained in more detail. According to the Australian Government, “Trading in personal information generally means buying, selling or bartering personal information. For example, buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for some commercial gain.
A business is not trading in personal information if it gives or receives personal information for a benefit, service or advantage and it:
- has the consent of all the individuals concerned; or
- only does so when authorised or required by law
If you are unsure whether your business may be affected, the Australian Government has released a helpful checklist for small businesses.
Should your business meet one of the criteria above, it must comply with the Privacy Act 1988. Therefore, the recent changes must be followed. The changes include a set of 13 privacy principles that manage how personal information is handled. These principles are known as the Australian Privacy Principles (APPs).
One principle that can affect businesses is principle number 8. Businesses, or other entities, can only disclose personal information overseas or move personal information offshore if the destination's jurisdiction adheres to similar privacy principles as Australia. Alternatively, an entity may receive consent from the individual to move personal information offshore. Therefore, if a business wants to store or move personal information offshore, it is crucial that the business receives the consent allowing it to do so. Otherwise, the business will be in breach of the changes to the privacy laws.
With regard to cloud computing or hosting business applications in the cloud, this Privacy Principle may have implications for your company. This means that if you collect client information in Australia and then store that information on internal servers outside of Australia, you must have terms and conditions for customer consent to the transfer of data.
In general, if you store your data in Australia it is bound to the Australian jurisdiction; data stored elsewhere is bound to the jurisdiction of the respective country.
If your business is affected, the Australian Government provides a guide to privacy for small businesses.