Privacy

September 7, 2015 / Winter Report 2015

A Reminder for Small Business

The Office of the Australian Information Commissioner (OAIC) has recently issued its Privacy Business Resource 10: Does my small business need to comply with the Privacy Act?[1] This is a reminder that a business which is a small business with an annual turnover of $3 million or less may nevertheless be bound by the requirements of the Privacy Act[2].

If a small business is caught by the provisions of the Privacy Act then it must, among other things:

• comply with the Australian Privacy Principles (APPs);
• have a Privacy Policy;
• have internal policies, procedures and resources to ensure compliance with the Privacy Act and the APPs.

The requirements of the Privacy Act and the APPs relate to personal information which is:

Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

• whether the information or opinion is true or not;
• whether the information or opinion is recorded in material form or not.

What Small Businesses are APP Entities?

A small business will be an APP entity, and subject to the requirements of the Privacy Act and the APPs if the business:

• provides a health service or holds any health information, except employee records (this is a very wide field – see below);
• discloses personal information about individuals for a benefit, service or advantage (an example given by OAIC is a small business that sells its customer list to a marketing company or gives its own list in return for another list);
• is a related body corporate to an entity that is an APP entity;
• is a service provider to a Commonwealth entity;
• operates a residential tenancy database;
• carries on a credit reporting business.

These are only a summary of some of the main activities that can lead to a small business becoming an APP entity.  It would be wise for all small businesses that handle personal information to review the checklist on the OAIC Website to ascertain whether or not the business is an APP entity.

Health Services

The definition of health services in the Privacy Act is very wide and reads:

health service means:

• an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
• to assess, record, maintain or improve the individual’s health; or
• to diagnosis the individual’s illness or disability; or
• to treat the individual’s illness or disability or suspected illness or disability; or
• the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

Obvious examples of businesses which provide health services include health care providers such as doctors, specialists, clinics, private hospitals and day surgeries.  The definition also includes other forms of health providers such as physiotherapists, chiropractors and naturopaths.  More widely, it can in circumstances include other businesses such as schools, child care centres, weight loss clinics, gyms and fitness services.  These are only a few examples.

Information held by a business providing a health service will most likely include health information, which will be personal information if the individual concerned is identifiable, and this will be sensitive information.  Sensitive information is subject to higher standards of care and control in accordance with the APPs.

Credit Reporting

The provisions of the Privacy Act which apply to credit reporting are separate from the requirements relating to personal information.  The requirements in relation to credit reporting are stricter than provisions relating to personal information.

A small business can be a credit provider.  This will be the case even if the business does not make loans or extend credit in a manner similar to a bank or financial institution.

A small business (or other business) will be a credit provider if:

• a substantial part of the business is the provision of credit;
• it carries on a retail business and issues credit cards;
• it allows credit for the sale of goods or supply of services or hiring, leasing or renting of goods, for at least 7 days (it will be a credit provider only in relation to the credit that is provided).

As well as other specific requirements for management of credit information, a credit provider must have a policy about the management and credit information and credit eligibility information.

Warning to Small Businesses

The issue by the OAIC of its Privacy Business Resource team may be a wake‑up call to small businesses and an indication that the Privacy Commissioner will look more closely at the operations of small businesses and the application of the Privacy Act.

Small businesses should consider their activities and if necessary get advice, to determine whether they are either an APP entity that is required to comply with the APPs in relation to personal information, or the provisions of the Privacy Act in relation to credit reporting, or both.  If the business is required to comply, it should put in place the necessary policies and procedures.

[1] See http://www.oaic.gov.au/privacy/privacy-resources/privacy-business-resources/privacy-business-resource-10

[2] Privacy Act 1988 (Commonwealth)

For more information, please contact:

Sandy Donaldson
Director
p.  +61 8 8124 1954
e.  Email me

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this report, or what it means for you, your business or your clients' businesses, please feel free to contact us.