The Office of the Australian Information Commissioner (OAIC) has recently issued its Privacy Business Resource 10: Does my small business need to comply with the Privacy Act?[1] This is a reminder that a small business with an annual turnover of $3 million or less may nevertheless be bound by the requirements of the Privacy Act[2].
If a small business is caught by the provisions of the Privacy Act then it must, among other things:
The requirements of the Privacy Act and the APPs relate to personal information which is:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
A small business will be an APP entity, and subject to the requirements of the Privacy Act and the APPs if the business:
These are only a summary of some of the main activities that can lead to a small business becoming an APP entity. It would be wise for all small businesses that handle personal information to review the checklist on the OAIC Website to ascertain whether or not the business is an APP entity.
The definition of health services in the Privacy Act is very wide and reads:
health service means:
Obvious examples of businesses which provide health services include health care providers such as doctors, specialists, clinics, private hospitals and day surgeries. The definition also includes other forms of health providers such as physiotherapists, chiropractors and naturopaths. More widely, it can in some circumstances include other businesses such as schools, child care centres, weight loss clinics, gyms and fitness services. These are only a few examples.
Information held by a business providing a health service will most likely include health information, which will be personal information if the individual concerned is identifiable, and this will be sensitive information. Sensitive information is subject to higher standards of care and control in accordance with the APPs.
The provisions of the Privacy Act which apply to credit reporting are separate from the requirements relating to personal information. The requirements in relation to credit reporting are stricter than provisions relating to personal information.
A small business can be a credit provider. This will be the case even if the business does not make loans or extend credit in a manner similar to a bank or financial institution.
A small business (or other business) will be a credit provider if:
As well as other specific requirements for the management of credit information, a credit provider must have a policy about the management of credit information and credit eligibility information.
The issue by the OAIC of its Privacy Business Resource 10 may be a wake‑up call to small businesses and an indication that the Privacy Commissioner will look more closely at the operations of small businesses and the application of the Privacy Act to them.
Small businesses should consider their activities and, if necessary, get advice to determine whether they are an APP entity required to comply with the APPs in relation to personal information, whether they are subject to the provisions of the Privacy Act in relation to credit reporting, or both. If the business is required to comply, it should put in place the necessary policies and procedures.
[1] See http://www.oaic.gov.au/privacy/privacy-resources/privacy-business-resources/privacy-business-resource-10
[2] Privacy Act 1988 (Commonwealth)
Sandy Donaldson
Consultant
p. +61 8 8124 1954
This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this report, or what it means for you, your business or your clients' businesses, please feel free to contact us.