Small businesses that are covered under the Australia Privacy Act
To reiterate, a small business under the Australia Privacy Act 1988 is one with an annual turnover of $3 million or less. However, there are exceptions to this general rule. The Privacy Act covers certain small business operators including:
- A private sector health service provider. An organization that provides a health service includes:
  - A traditional health service provider, such as a private hospital, a day surgery, a medical practitioner, a pharmacist and an allied health professional
  - A complementary therapist, such as a naturopath and a chiropractor
  - A gym or weight loss clinic
  - A childcare center, a private school and a private tertiary educational institution
- A business that sells or purchases personal information
- A credit reporting body
- A contracted service provider for an Australian Government contract
- An employee association registered or recognized under the Fair Work (Registered Organizations) Act 2009
- A business that has opted-in to the Privacy Act
- A business that is related to a business that is covered by the Privacy Act
- A business that collects, maintains, uses or discloses personal information for the purpose of either establishing, maintaining, or storing that information on a residential tenancy database as prescribed by the Privacy Regulation 2013
Opting in to the Privacy Act
Small businesses and not-for-profit organizations that would otherwise not be covered by the Privacy Act have the choice to be treated as an organization for the purposes of the Privacy Act. Small businesses and not-for-profit companies that choose to opt in are subject to the Australian Privacy Principles (APPs) and are making a public commitment to good privacy practice. This, in turn, fosters more trust among consumers, who can count on such businesses to protect their privacy and be transparent about how they use individual information. Companies that choose to opt in to the Australia Privacy Act gain a competitive advantage in reputation and consumer trust.
Acts and practices that may subject a business to the Privacy Act
The Australia Privacy Act also specifies three acts or activities of some small businesses that are covered by the Act. First, as stated earlier, a business that collects, maintains, uses or discloses personal information for the purpose of either establishing, maintaining, or storing that information on a residential tenancy database as prescribed by the Privacy Regulation 2013 is subject to the Privacy Act. A residential tenancy database holds personal information about an individual’s defaults or alleged defaults on any tenancy agreement, including damage or failure to pay rent. A real estate agency can access a residential tenancy database operator to check this information when assessing a tenant’s application. The Privacy Act covers any organization that runs a residential tenancy database, regardless of its annual turnover.
Second, activities of a reporting entity or authorized agent relating to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and its applicable regulations are subject to the Privacy Act.
And third, activities related to the conduct of a protected action ballot are covered by the Privacy Act. Under the provisions of the Fair Work Act 2009, a bargaining representative for an enterprise agreement can make an application to the Fair Work Commission seeking a ballot order for the conduct of a protected action ballot. This allows employees, by way of a fair and democratic secret ballot, to choose whether to support the taking of industrial action by organizations of employees or by employees. The ballot agent or independent adviser to the protected action ballot has a duty to not disclose information that would identify an employee as a member or non-member of a union under the Privacy Act.
The Privacy Act also covers specified individuals handling another individual’s:
- Consumer credit reporting information, including a credit reporting body, a credit provider, and certain other third parties
- Tax file numbers under the Tax File Number Guidelines
- Personal information contained on the Personal Property Securities Register
- Old conviction information under the Commonwealth Spent Convictions Scheme
- My health information under the My Health Records Act 2012 and individual healthcare identifiers under the Healthcare Identifiers Act 2010.
Complying with the Privacy Act
If any of the above acts or activities applies to your business, then your business needs to comply with the Australian Privacy Principles outlined in the Australia Privacy Act. Your business is responsible for protecting your customers’ personal information from theft, misuse, interference, loss, unauthorized access, modification, and disclosure.
Once your business has determined if it is subject to the Privacy Act, you must determine what information is personal. Personal information is any information where you can identify or reasonably identify the person. It can include the name, signature, address, email, telephone number, date of birth, medical records, bank account details, place of work, photos, videos, and information about the person’s opinions.
I am a third year at UIC John Marshall Law School in Chicago. After my first year of law school, I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE, and during my second year of law school I worked for Chicago Daily Law Bulletin as a content specialist. I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association’s Cyber Law and Data Privacy Committee.