Is your business ready for a new era of privacy regulation: Removing the Small Business Exemption (Part 2) – Data Protection

To read part 1 of our “Is your business ready for a new
era of privacy regulation” article series, click here.

If you are a small business (that is, if you have an annual turnover
of $3 million or less), then you should be proactive in preparing your
business for a new era of privacy regulation.

Review of the Small Business Exemption in the Privacy Act

Small businesses, with an annual turnover of $3 million or less,
are mostly exempt from complying with the Privacy Act 1988
(Cth) (the Act). According to the Australian Small
Business and Family Enterprise Ombudsman, this accounts for about
92% of all Australian businesses, which works out to be about 2.3
million businesses 1.

The Government agrees in principle with the proposal to remove
the small business exemption from the Act. This means that the
Government is looking to conduct further review and consultation
with focus groups to understand the needs and implications of
amending or removing the small business exemption.

Be proactive in understanding how your business handles
personal information

Whilst the proposed reforms are presently unknown, that
doesn’t stop you from proactively addressing privacy concerns
and taking a privacy-by-design approach to your business.

The first step is to understand what personal information is
held by your business. This could be in your customer relationship
management database, a pile of unfiled documents, or the metadata
that your system has collected through its operations. Personal
information is everywhere. For example, if you have an email address
for enquiries, you could be receiving personal information through the
emails, especially if the sender’s email address is that user’s full
name or if the email contains an email signature.

Throughout this process, you should consider your purpose for
collecting the personal information, whether or not you can achieve
the same purpose in a way that promotes privacy, and the
consequences if the personal information were not collected.

Another proactive step that you can take is to conduct a privacy
impact assessment before you launch a new project that involves
personal information. Doing this at the beginning of the
project will help to embed positive privacy practices and avoid
risks and traps in the future.

Illustrative Example

Let’s take a large restaurant as an example. This restaurant
takes customer reservations in a physical book. Its employees would
ask the customer for their full name and their mobile number to
confirm the booking. The reservation book is kept at the counter
next to the telephone. The restaurant has been using the book for
3 years now. The restaurant also uses a paper queuing system that
is stuck on the window next to the entrance. Their customers write
down their name and mobile number to reserve a spot. The restaurant
is considering a digital solution to allow for online booking and
digital queuing to replace their current system.

This restaurant can start to proactively review its privacy
practices by considering what personal information it needs,
how to take a data minimisation approach by removing or
de-identifying data that it no longer needs to have, and how to
protect the data.

Starting with the three-year-old customer reservation book, the
restaurant should consider whether they need to retain all the
information or whether they can securely destroy information that
they don’t need. Going forward, rather than asking for the full
name, perhaps just the first name or the initials may be enough
with the mobile number to secure a reservation. In relation to the
paper queuing system, rather than asking the patrons to write down
their name and mobile number, the customer should be able to just
write down their initials and mobile number, which is optional.
Further, that paper queuing system may be better protected by an
employee holding onto the paper form rather than it being exposed
to the public. Additionally, the paper form should be shredded
after usage. Finally, when it comes to reviewing a digital
solution, the restaurant can go through a privacy impact assessment
to embed privacy protections from the beginning of the project.

Time to take stock

Privacy reform is coming. While the exact changes and their impact on
small businesses are yet to be revealed, the status quo is unlikely
to remain. It may be worthwhile to be on the front foot
to future-proof your business.


1 Australian Small Business and Family Enterprise
Ombudsman – Number of small businesses in

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
