The Privacy Act 1988 (Cth) (Act) regulates the way personal information of individuals is handled. As an initial threshold, the Act applies only to organisations (being corporations, partnerships, individuals undertaking business, unincorporated associations, trusts) which are not small business operators (there are certain other exceptions) as well as government agencies. Exceptionally, some small businesses (e.g. those which provide health services or sell or purchase personal information) are bound by the Privacy Act, but leaving those aside, if a business has an annual turnover of $3 million or less it is generally not required to comply with the Act’s requirements, including the Australian Privacy Principles (APPs) it prescribes and any mandatory code which may apply under the Act.
However, the Act in section 6EA includes a mechanism to allow organisations that are otherwise not within the scope of the Act, to voluntarily elect to be bound by the Act and its requirements. The rationale for this is to allow such businesses to make a public commitment to good privacy practices, and generate potential reputational benefits (such as trust) and increased consumer confidence in the activities of the business.
To voluntarily opt-in to the Act and its requirements, an application form and a copy of the applicant’s privacy policy need to be filed with the Office of the Australian Information Commissioner (OAIC). If no privacy policy is provided, the application will be declined. This reflects the fact that APP1 requires entities that are bound by the Act to have a current, clearly expressed privacy policy describing how it handles personal information which is easily available (most commonly, placed on its website).
When an otherwise-exempt small business opts into the Act of its own volition, it will be subject to the Act as a whole, including being the subject of complaints to the OAIC, the OAIC’s investigative powers and sanctions in the event of a breach of the Act. It will also be listed on the public Opt-In Register that is available for viewing on the OAIC’s website, which is a requirement of the Act. There are currently almost 650 organisations listed on the Opt-In Register.
Once it has opted into the Act regime, a small business can opt-out at any time by notifying the OAIC in writing, and its details will be removed from the public Register. So long as its annual turnover remains below the threshold of $3 million, it will no longer be subject to the Act. However, any acts or practices that occurred while the business was listed on the Opt-In Register can continue to be the subject of an OAIC complaint even once the business has opted out. The OAIC will provide details of businesses who have listed and then been removed from the Opt-In Register if requested.
Operating a business in compliance with the APPs (including having in place an appropriate privacy policy) is recommended for all small businesses, regardless of whether or not the Act applies to them. For those entities that are not strictly bound by the Act, whether or not to formally opt-in is a strategic commercial decision. When a small business is confident that it is fully compliant with the Act and APPs, it may form the view that formalising its voluntary commitment to adhere to the Act’s requirements will act as a public statement regarding its good corporate citizenship, lead to benefits for the business, and enhance its reputation. Not-for-profit organisations in particular may consider that a voluntary opt-in is consistent with its general public benefit aims and objects.
Our privacy practitioners are experienced in assisting businesses with their privacy requirements. Please do not hesitate to contact a member of our team if we can assist your business with preparing a new privacy policy, reviewing an existing policy, or advising on the merits of voluntarily opting in to the Act if you are a small business.
This article was written by Luke Dale, Partner and Niomi Abeywardena, Special Counsel.
