Does the Australia Privacy Act of 1988 apply to small businesses?

The Australia Privacy Act 1988 is unique in that it only applies to Australian organizations with an annual turnover of more than AUD $3,000,000. However, this article will explain the various exceptions that require certain small businesses to comply with the Australia Privacy Act as well as the opt-in provision that allows small businesses to subject themselves to the Australian Privacy Principles (APPs) enumerated in the Privacy Act. This means certain businesses that make AUD $3,000,000 or less will need to have a Privacy Policy on their website that makes very specific disclosures on how the business collects, uses, and shares personal information. 

Small businesses that are covered under the Australia Privacy Act

To reiterate, a small business under the Australia Privacy Act 1988 is one with an annual turnover of $3 million or less. However, there are exceptions to this general rule. The Privacy Act covers certain small business operators including: 

  • A private sector health service provider- an organization that provides a health service includes: 
    • A traditional health service provider, such as a private hospital, a day surgery, a medical practitioner, a pharmacist and an allied health professional
    • A complementary therapist, such as a naturopath and a chiropractor
    • A gym or weight loss clinic
    • A childcare center, a private school and a private tertiary educational institution
  • A business that sells or purchases personal information
  • A credit reporting body
  • A contracted service provider for an Australian Government contract
  • An employee association registered or recognized under the Fair Work (Registered Organizations) Act 2009
  • A business that has opted-in to the Privacy Act
  • A business that is related to a business that is covered by the Privacy Act
  • A business that collects, maintains, uses or discloses personal information for the purpose of either establishing, maintaining, or storing that information on a residential tenancy database as prescribed by the Privacy Regulation 2013 

Opting in to the Privacy Act

Small businesses and not-for-profit organizations that would otherwise not be covered by the Privacy Act have the choice to be treated as an organization for the purposes of the Privacy Act. Small businesses and not-for-profit companies that choose to opt in are thus subject to the Australian Privacy Principles (AAPs) and are thus making a public commitment to good privacy practice. This, in turn, will foster more trust for consumers who can count on such businesses to protect their privacy and be transparent about how they use individual information. Companies that choose to opt-in to being subjected to the Australia Privacy Act will yield a competitive advantage when it comes to their reputation and leveraging consumer trust. 

In order to opt-in, a small business or a not-for-profit organization must complete an Opt-in application. The OAIC will decline an application if it does not have a Privacy Policy. The first Australian Privacy Principle (APP) requires all entities to have a clearly expressed and up-to-date APP Privacy Policy that describes how it manages personal information. Without such a Privacy Policy, it would be impossible for entities to meet the requirement that they manage personal information in an open and transparent way under APP 1.1. The OAIC provides guidance on the requirements for an APP Privacy Policy which are in: 

  • APP 1.4, which sets out the topics an APP Privacy Policy must cover
  • APP 1.5, which requires an APP entity to take reasonable steps to make the Privacy Policy available free of charge and in an appropriate format, and 
  • APP 1.6, which requires an APP entity to take reasonable steps to give its Privacy Policy to an individual in the form the individuals asks for, and 
  • The Privacy Policy should be informative and manageable. 

It is important for entities that want to opt-in to the Privacy Act take time to look at the resources the OAIC provides, including the APP Privacy Policy checklist they have on their website which explains how to incorporate all of the APPs into a comprehensive Privacy Policy. 

Acts and practices that may subject a business to the Privacy Act

The Australia Privacy Act also specifies three acts or activities of some small businesses that are covered by the Act. First, as stated earlier, a business that collects, maintains, uses or discloses personal information for the purpose of either establishing, maintaining, or storing that information on a residential tenancy database as prescribed by the Privacy Regulation 2013 is subject to the Privacy Act. A residential tenancy database holds personal information about an individual’s defaults or alleged defaults on any tenancy agreement, including damage or failure to pay rent. A real estate agency can access a residential tenancy database operator to check this information when accessing a tenant’s application. The Privacy Act covers any organization that runs a residential tenancy database, regardless of the annual turnover they earn. 

Second, activities of a reporting entity or authorized agent relating to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and its applicable regulations are subject to the Privacy Act. 

And third, activities related to the conduct of a protected action ballot are covered by the Privacy Act. Under the provisions of the Fair Work Act 2009, a bargaining representative for an enterprise agreement can make an application to the Fair Work Commission seeking a ballot order for the conduct of a protected action ballet. This allows employees, by way of a fair and democratic secret ballot, to choose whether to support the taking of industrial action by organizations of employees or by employees. The ballot agent or independent adviser to the protected action ballot has a duty to not disclose information that would identify an employee as a member or non-member of a union under the Privacy Act. 

The Privacy Act also covers specified individual’s handing another individuals: 

  • Consumer credit reporting information, including a credit reporting body, a credit provider, and certain other third parties
  • Tax file numbers under the Tax File Number Guidelines
  • Personal information contained on the Personal Property Securities Register
  • Old conviction information under the Commonwealth Spent Convictions Scheme 
  • My health information under the My Health Records Act 2012 and individual healthcare identifiers under the Healthcare Identifiers Act 2010. 

Complying with the Privacy Act

If any of the above acts or activities applies to your business, than your business needs to comply with the Australian Privacy Principles outlined in the Australia Privacy Act. Your business is responsible for protecting your customers’ personal information from theft, misuse, interference, loss, unauthorized access, modification, and disclosure. 

Once your business has determined if it is subject to the Privacy Act, you must determine what information is personal. Personal information is any information where you can identify or reasonably identify the person. It can include the name, signature, address, email, telephone number ,date of birth, medical records, bank account details, place of work, photos, videos, and information about the person’s opinions. 

Then, you need to determine how your business will protect that personal information. This necessitates the creation of a clear and up-to-date Privacy Policy that outlines the information your business collects, what you use it for, and how you protect it. It must be readily available on your website. Termageddon is a Privacy Policy generator that you can easily use to craft a Privacy Policy that complies with the Privacy Act.