Small business exemption

71.74 The Privacy Act generally does not apply to businesses with an annual turnover of $3 million or less.[83] Telecommunications service providers in this category, however, are obliged to comply with Part 13 of the Telecommunications Act. As discussed above, Part 13 only regulates the use and disclosure of information. It does not regulate other aspects of the information-handling cycle, such as the collection and storage of personal information.[84]

71.75 In addition, some organisations that are closely associated with the telecommunications industry may not fall under Part 13 of the Telecommunications Act or the Privacy Act. For example, directory assistance providers that are not carriage service providers, and some voice over internet protocol service providers may not be subject to Part 13 of the Telecommunications Act, an industry code, or the Privacy Act.

71.76 In DP 72, the ALRC noted that the development of communications technologies and e-commerce has resulted in more businesses, particularly small to medium businesses, handling large amounts of personal information.[85] A number of stakeholders submitted that, given the high proportion of small businesses in the telecommunications industry, it was not appropriate to treat them differently from medium and large businesses.[86]

71.77 The OPC submitted that there are certain activities that should be regulated because of the nature of the activity, rather than the size of the organisation. The OPC suggested that carriage service providers and internet service providers (ISPs) fall into this category because of the amount of personal information they hold, and the potential adverse impact on individuals if that information is not protected appropriately.[87]

71.78 Communications Alliance recommended, however, that education and awareness raising and incentives to industry for voluntary adoption of the NPPs would solve the problem. The organisation did not support additional codes which would increase the regulatory burden on small businesses.[88]

71.79 In DP 72, the ALRC proposed that before the removal of the small business exemption from the Privacy Act comes into effect, the Australian Government should make regulations under s 6E of the Privacy Act to ensure that the Act applies to all small businesses in the telecommunications industry, including internet service providers and public number directory producers.[89] A number of stakeholders supported this proposal.[90]

ALRC’s view

71.80 The risks to privacy posed by small businesses are determined by the amount and nature of personal information held, the nature of the business and the way personal information is handled by the business, rather than by their size alone. The ALRC notes that the telecommunications industry is increasingly handling large amounts of personal information. It is appropriate that the handling of personal information by these organisations is regulated by the Privacy Act.

71.81 In Chapter 39, the ALRC recommends the removal of the small business exemption.[91] The implementation of this recommendation would solve the problem of some small businesses in the telecommunications industry not being subject to any privacy rules. It is therefore unnecessary for the Australian Government to make regulations under s 6E of the Privacy Act to ensure that the Act applies to all small businesses in the telecommunications industry. The recommended review, however, should consider whether these organisations should be regulated under telecommunications-specific laws, such as Part 13 of the Telecommunications Act or the Privacy Act.

71.82 Education has an important role to play in securing compliance with privacy standards. The ALRC acknowledges concerns about the additional compliance burden for small businesses if they are required to comply with the Privacy Act. In Chapter 39, the ALRC discusses ways to reduce the compliance burden on small businesses, including: the establishment of a national helpline for small businesses; the development and publication of guidelines and other educational material by the OPC to assist small businesses; and the provision of templates for Privacy Policies free of charge.

[83] Privacy Act 1988 (Cth) ss 6C, 6D. Businesses with an annual turnover of $3 million or less, however, are bound by the NPPs in certain circumstances such as when the business discloses personal information about another individual for a benefit, service or advantage: see Privacy Act 1988 (Cth) s 6D(4).

[84] Many of these providers were formerly subject to obligations similar to those imposed by the NPPs under the Australian Communications Industry Forum, Industry Code—Protection of Personal Information of Customers of Telecommunications Providers, ACIF C523 (1999). However, this code was repealed when the private sector provisions of the Privacy Act commenced in December 2001: see Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 56.

[85] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [63.151].

[86] Australian Government Department of Communications, Information Technology and the Arts, Submission PR 264, 22 March 2007; Law Society of New South Wales, Submission PR 146, 29 January 2007; Confidential, Submission PR 31, 3 June 2006.

[87] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[88] Communications Alliance Ltd, Submission PR 198, 16 February 2007.

[89] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 63–10.

[90] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Optus, Submission PR 532, 21 December 2007; Australian Communications and Media Authority, Submission PR 522, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; I Graham, Submission PR 427, 9 December 2007; Australian Digital Alliance, Submission PR 422, 7 December 2007; P Youngman, Submission PR 394, 7 December 2007; S Hawkins, Submission PR 382, 6 December 2007.

[91] Rec 39–1.