The Federal Attorney-General has released its Privacy Act Review Report (Report), which proposes major changes to the Privacy Act 1988 (Cth), the legislation that governs the privacy practices of businesses and organisations.
The Office of the Australian Information Commissioner (OAIC) is the regulator that enforces the Privacy Act.
We have put together some of the key proposed changes and what they will mean for your business.
Broader definition of ‘personal information’
The definition of personal information will be broadened from information ‘about’ an individual to information that ‘relates to’ an individual.
This provides more flexibility for the OAIC to apply the Privacy Act to situations where there is some connection between a person and the information, even if it is not ‘about’ that person.
This could mean that businesses that collect certain information may be required to comply with the Privacy Act, when they weren’t previously covered.
Removal of the ‘small business’ exemption
A ‘small business’ under the Privacy Act is one with an annual turnover of $3 million or less. The Report proposes to remove the small business exemption after further analysis, but in the short term it proposes to remove it for those businesses collecting biometric information for facial recognition technology.
Broader reaching civil penalties under the Privacy Act
Currently, the Privacy Act allows for penalties of $2,500,000 for individuals or more than $50,000,000 for companies for ‘serious or repeated’ interference with privacy.
The Report proposes to introduce new mid-tier penalties, which cover privacy interferences without a ‘serious’ element, and low-tier penalties covering specific administrative breaches.
Focus on privacy for businesses working with or targeted to children
If your business works with or is targeted to children, such as schools, tutors, educational content, videos and games, note that the Report has a strong focus on more stringent privacy obligations for children, including the introduction of a Children’s Online Privacy Code and clearer language and formatting for policies addressed to children.
What you should do next
The Report makes thirty proposals for changes to the Privacy Act. We suggest reading the full report.
Even if you are a small business, it is worth updating your privacy practices, having a compliant privacy policy in place, or having your existing privacy policy reviewed.
✅ If you collect information from customers or leads, it’s important to have a compliant privacy policy. Especially if you are collecting information for marketing purposes, not just to fulfil orders!
✅ There are specific terms that need to be covered in a privacy policy under Australian Privacy Principles. There are SO many non-compliant templates floating around that don’t meet these requirements.
✅ Privacy Policies are not a cut and paste job. They need to be completed properly, depending on what your business does and what your privacy practices are.
A compliant privacy policy doesn’t have to be expensive. We offer reasonable fixed fees for tailored privacy policies so that compliance is accessible for all businesses. Get legal advice so that it is drafted properly – don’t put your hard work at risk of penalties or complaints!