
The impact of changes to Australian Privacy Law on Small Businesses

Change is on the way

The Australian Law Reform Commission (ALRC) is reviewing Australia's privacy laws to see whether they are sufficient and relevant in today's world.

They are due to release their report at the end of March 2008, but their preliminary draft report gives us a good idea of the types of changes to expect. One of the major changes anticipated is that the Privacy Act may soon apply to previously exempt small businesses. This paper discusses who will be affected by the change and some of the changes these businesses would need to make to comply with the new law.

Who will the changes apply to?

Under the current privacy law, businesses with an annual turnover of $3 million or less are exempt from complying with large parts of the Privacy Act.

If the ALRC's recommendations are implemented, this exemption will be removed.

What changes will small businesses have to make?

Create a privacy policy

An effective way to meet many of the requirements of the privacy law is to create a privacy policy. It should be made available to anyone whose personal information you may collect; many organisations make it available to the general public.

Only collect personal information that you need

Businesses cannot collect personal information from someone if there is no good reason to do so. For example, the existing practice of some video stores of taking a photocopy of new customers' driving licences as a form of ID check will not be allowed, because the driving licence contains more information than the store needs to verify the customer's identity. Instead, the store might choose to simply note down the driving licence number, or even just record that it has been sighted.

Tell people about their rights

When you collect someone's personal information, there are a few things that you will need to tell them, such as:

  • your company name, and how to contact you
  • the fact that they can gain access to the information, and how to do so
  • the reason you are collecting the information, including whether it is mandated under law
  • the name of any other organisations you may pass the information on to, and
  • what the consequences are to them if they don't provide the information.

Your privacy policy is a good place to address these requirements.

For example, I recently bought a CD from a music store, and they had an in-store competition going where you could win a music DVD. I filled in an entry form with my name, phone number and email address, and they put my entry into the draw. Once the new law is in place, the music store would have to tell me my rights at the time I filled in the entry form. They might achieve this by making a printed copy of their privacy policy available to read at the counter.

Only use information for the purpose you collected it

If you collect personal information for one purpose and then decide to use it for a different purpose, you will need to get the person's permission.

Taking the above example of the music store competition entry, the music store should only use the details I provided for the purpose of selecting and contacting a competition winner. They cannot then add my email address to their mailing list, or start calling me on my mobile to tell me about upcoming promotions, unless they ask me first. They may, in some circumstances, be able to use my details for marketing purposes directly related to the competition, but this should be communicated to me at the time I fill in the entry form.

Keep information accurate

If you collect personal information about someone, you should take care to keep it accurate, complete and up-to-date. You will also need to provide the person with access to the information you hold about them, and to make corrections if any data is wrong.

For example, if a gymnasium records the date of birth of their members, the members should be able to find out what date of birth the gym has recorded for them, and the gym should have a process in place to correct it, in the event that the member tells them it is wrong.

Note that this is all 'within reason': if a person sends you 30 requests a day for a copy of the information you hold about them, you wouldn't be expected to respond to them all!

One way of achieving this is to nominate a contact officer to deal with requests for access to personal information. Alternatively, you could allow people to access and change their details directly through your website.

Don't adopt government-assigned IDs as your own

You will not be able to adopt an identifier assigned by a government agency as your own identifier.

For example, you cannot use a person's driving licence number as your customer number for that person (you can, however, use their driving licence number as a means of identifying them).

Allow people to remain anonymous

Where possible, you should allow people to transact with your organisation without identifying themselves.

For example, a clothing store has no need to identify a customer paying for a pair of trousers in cash, so they must not ask that customer for ID.

Be especially careful with sensitive information

The privacy law is stricter with what you can and cannot do with sensitive information, so you need to be especially careful and diligent when dealing with this type of data.

Sensitive information includes (this list is not exhaustive):

  • health information
  • genetic information, and
  • information about a person's race, ethnicity, political opinions, religious beliefs, sexual practices, and criminal record.

Where do you start?

Achieving compliance with the Privacy Act can seem a daunting task. Following these steps will help you to get there:

Step 1: Review your existing business processes to identify what personal information you deal with.

Step 2: For each piece of information, consider whether you really need to collect it. If so, do you really need to store it, or would just sighting it be sufficient?

Step 3: Create and publish a privacy policy detailing what information you will collect and store, in what circumstances, what you will do with it, and what people can do regarding the information they provide.

Step 4: Define (and test) processes to deal with collection of, access to, and corrections of, personal information.

Summary

If the Australian government implements an ALRC recommendation that the existing small business exemption be removed from the Privacy Act, this will have a substantial impact on small businesses.

Small businesses will need to review the personal information they deal with, and may need to make some changes to the way they collect, store and use personal information to ensure that they are compliant with the new law.


About the author

Debi Brennan is a Principal Security Consultant for Castelain Pty Limited. Castelain provides specialist IT security consulting services in the Asia-Pacific region, particularly transaction security, identity management and risk management services. Castelain's customers include a number of major banks and Government organisations both in Australia and abroad. Castelain is not aligned with any vendor, does not accept commissions, and does not sell products. Their advice is purely in the interests of their clients.

More information on Castelain, including the services they can provide and previous experience, is available from:

www.castelain.com.au

Copyright ©2008 Castelain
