Businesses under $3m will need to protect customer data, under proposed changes to Privacy Act
Small businesses with an annual turnover of $3 million or less, which are currently exempt from having to protect personal information, may have to comply with the Privacy Act if proposed changes to the Privacy Act are implemented.
A review of the Privacy Act by the Attorney-General’s Department, which began in 2020, has proposed scrapping the exemption, which was introduced prior to businesses’ take-up of online platforms.
Australian Information and Privacy Commissioner Angelene Falk said the risk of small businesses falling victim to cybercrime was growing.
“While small businesses might be using their best efforts to protect personal information, there is no legal requirement to do so and therefore no recourse for individuals if their personal information is compromised,” Ms Falk said.
“If they were to be brought into the act then they would need to tell their customers how they’re handling personal information.
HotlineIT CEO Jason LeGuier summarises the review.
An overhaul of the Privacy Act, which was written in 1988, has been a political football at various times over the past 10 years. There have been a number of amendments to it, but it is 45-year-old legislation. (For context, Microsoft released MS-DOS 4.0 in July of that year. Windows 3.0, the very early white screen some of us recall, wasn’t even released until 1990.) A review was commenced in 2020 and in February this year, the Attorney General released the Privacy Act Review Report to the public.
In responding to the Optus and Medibank breaches, legislation was introduced in Dec 2022 to significantly increase penalties, which we’ve talked about before.
So what does all this mean for members?
- Small businesses of less than $3m turnover, will probably have to comply with the Privacy Act in the future.
- Minimum standards are likely to be introduced to clarify “reasonable steps” in order to keep information safe. Many industry groups (including us at Hotline) are strongly advocating for clear standards around data collection and protection. There are currently some vague guidelines, but this is not backed up at all with any legislation.
- Members will have to consider the impact cyber security is having on the supply chain. Larger businesses, financial institutions, investors and the like are beginning to require that all partners meet minimum standards of cyber security if they are to do business with them. A de facto way of assessing risks and standards is to simply ask “do you have cyber insurance?”. There has been a dramatic shift in risk assessment for cyber security, as insurance companies are now seen as risk assessors. What used to be a simple process to obtain cyber insurance is now a lengthy and detailed assessment. These will be the near-term impacts on business:
  - Getting/keeping finance will require cyber insurance.
  - Becoming an approved supplier to larger corporations, construction companies, councils and government agencies will require cyber insurance and/or compliance with the ACSC Essential 8 Maturity Model (at least level 1).
  - Obtaining cyber insurance will require minimum standards, including training, access control, patching, documented policies, multi-factor authentication and data breach response plans.
  - Tenders will explicitly exclude responses that don’t meet cyber security expectations.
  - Boards, directors and investors are all going to become much more concerned about cyber risk and will require businesses to adopt minimum standards and demonstrate how they are managing that risk.
With the market already adapting and revised legislation coming, members would do well to get assessed now, improve their compliance with the Privacy Act and ensure they meet minimum standards for cyber security. Starting early keeps the work manageable in terms of both cost and disruption.
History of the Privacy Act:
Review of the Privacy Act (AG’s Office page):