BUSINESSES turning over less than $3 million a year will be drawn into the Privacy Act from December 21. The businesses affected are those trading in personal information that are related to a larger business or contract to Commonwealth agencies.
However, other small businesses not covered by the Privacy Act can elect to opt into the legislation.
Indeed, the Office of the Federal Privacy Commissioner’s website recommends that small businesses opt in.
Businesses that turn over more than $3 million or businesses operating as health services providers have been required to comply with the Privacy Act since December 21 last year.
Privacy loomed as a huge problem for larger businesses and resulted in a Y2K-like scramble as they tried to get their systems in order to cope with it.
Jackson McDonald partner Stephen Doyle said the legislation had been drafted with the idea that entities drawn into it would have a ‘sunrise’ clause, with time to get their systems in place.
“However, there is a risk some will get caught short because it could be a big job for them to get their systems in place by December 21,” he said.
“The last time around a lot of people left it until the last minute.”
To comply with the Privacy Act, small businesses will need to conduct an audit of their information handling procedures. That includes a review of the personal information the firm handles, how that information is collected and how the information is used or disclosed.
Any information handling practices that do not comply with the National Privacy Principles enshrined in the act will need to be modified or abandoned.
Businesses will also need to establish a privacy policy and procedure and set up a privacy compliance program.
This program should include training for all staff that handle personal information.
A complaints system will also need to be developed and implemented.
Under the act, people who are affected by a breach of privacy need to first complain to the organisation responsible for that breach. If the matter cannot be solved at that level it is then referred to the Federal Privacy Commissioner.
Mr Doyle said he was unaware of any businesses that had been prosecuted for Privacy Act breaches.
“The commissioner has been more focused on compliance with the act than prosecutions. Generally, when new legislation comes in, there is a bit of a lag time before people start getting prosecuted,” he said.
Small Business Development Corporation managing director George Etrelezis said small business operators should not just consider privacy as a compliance issue but also as a way of enhancing good relationships with their clients and customers.