Privacy regulations prioritise the protection of personal information. If you run a business, you'll be collecting personal information from your current and potential clients—and their information is your responsibility. Over the last few months, we've seen the grave implications a security breach can have on customers. This is why it's crucial to understand the life cycle of the data you collect and what you can do to protect it.
What is personal information?
In legal terms, the phrase "personal information" is broad and vague. However, when it comes to data privacy and security, personal information refers to any piece of data that can potentially help identify a person. This could include basic details (like name, email, and address) or information generated by more complex situations, such as a list of addresses that the government intends to buy back due to flood damage. In this example, publishing the name of the suburb or street is permissible, but publishing specific door numbers on a named street is a disclosure of personal information.
All that said, any personal data you collect should be protected, even if it is incorrect information. This means that if you have a contact form on your website and a visitor provides a fake phone number, you're still liable to protect that information. The exception to this regulation is when you're dealing with people who've died. The Privacy Act concerns only the personal information of a "natural person," which excludes deceased people, robotic assistants, and pets—except when such information may be used to identify a living person.
Privacy Act and the Australian Privacy Principles (APPs)
The Privacy Act (1988) outlines 13 principles for businesses and organisations that collect and process personal information. Collectively referred to as the Australian Privacy Principles (APPs), these form the foundations of privacy regulation for Australian businesses. Organisations bound by the Privacy Act and the APPs are called APP entities. These can be either individual businesses or agencies. Have a look at our summary of the APPs to learn what each principle covers.
Should all businesses comply with the Privacy Act?
All organisations that have an annual turnover of more than $3 million, including government agencies, have to abide by the Privacy Act and follow the APPs.
However, there are various exceptions, as outlined by the Office of the Australian Information Commissioner (OAIC). Organisations that meet the following conditions don't have any responsibility under the Privacy Act.
• Sole traders, individual unregistered sellers, small businesses, and non-profits that generate less than $3 million in annual revenue.
• Most public schools and universities (The Act applies to the ANU).
• Registered political parties and representatives.
• State and territory government agencies.
• Most media organisations, when conducting daily journalistic activities.
• Most public hospitals and health care facilities covered under state and territory legislation (The Act still applies to matters of My Health Records and private health care providers).
• Some organisations, specifically when handling records of current and previous employees.
Opting in to the Privacy Act
Benefits of opting in to the Privacy Act
Choosing to comply with the Act makes you accountable for every piece of personal information you collect. That's a lot to manage, especially for a small business. This is why the small business exemption has been helpful. However, as more and more people become digitally dependent, sharing, storing, and processing data is becoming an inevitable part of business operations. As a result, many of us are putting our personal information into the hands of businesses that may not be prepared to battle cyber threats. Although complying with the Act is challenging, blocking ransomware attacks against poorly kept records is impossible. This is why small businesses should consider opting in to the Privacy Act—not just for their sake, but also for the sake of their customers, and the sake of the business's continued existence.
According to the Australian Cyber Security Centre's (ACSC) third annual security threat report released in November 2022, the cost of a cyber security breach for a small business has jumped to $40,000. Cumulatively, Australian businesses lost almost $100 million in the last financial year due to security breaches. To protect your business in the long term, it's important to do all that you can to strengthen the backend systems you trust to store and process your customers' data. Start by ensuring that you only collect data that's necessary for business operations. Then, choose a software vendor who's proven to uphold privacy and security standards. And perhaps, consider opting in to the Privacy Act yourself. The stronger our small businesses' defences are, the less likely Australians are to lose.