The Privacy Act 1988 (Cth) (Act) regulates the way personal information about individuals is handled. As an initial threshold, the Act applies to government agencies and to organisations (corporations, partnerships, individuals carrying on a business, unincorporated associations and trusts) that are not small business operators, subject to certain other exceptions. Some small businesses are nevertheless bound by the Act, for example those that provide health services or that sell or purchase personal information; leaving those aside, a business with an annual turnover of $3 million or less is generally not required to comply with the Act, including the Australian Privacy Principles (APPs) it prescribes and any mandatory code that may apply under it.
However, section 6EA of the Act provides a mechanism that allows organisations otherwise outside the scope of the Act to voluntarily elect to be bound by the Act and its requirements. The rationale is to let such businesses make a public commitment to good privacy practices, with potential reputational benefits (such as trust) and increased consumer confidence in the activities of the business.
When an otherwise-exempt small business opts into the Act of its own volition, it becomes subject to the Act as a whole: it can be the subject of complaints to the OAIC, it is exposed to the OAIC's investigative powers, and it faces sanctions in the event of a breach of the Act. As the Act requires, it will also be listed on the public Opt-In Register, which can be viewed on the OAIC's website. There are currently almost 650 organisations listed on the Opt-In Register.
Once it has opted in, a small business can opt out at any time by notifying the OAIC in writing, and its details will be removed from the public Register. So long as its annual turnover remains at or below the $3 million threshold, it will no longer be subject to the Act. However, any acts or practices that occurred while the business was listed on the Opt-In Register can still be the subject of an OAIC complaint even after the business has opted out. On request, the OAIC will provide details of businesses that have been listed on, and then removed from, the Opt-In Register.
This article was written by Luke Dale, Partner and Niomi Abeywardena, Special Counsel.