16.52 The APPs under the Privacy Act regulate the handling of personal information by APP entities: government agencies and organisations. Notably, small businesses with an annual turnover of less than $3 million are exempt from the definition of ‘organisation’ and hence from the ambit of the APPs unless, for instance:
the small business trades in personal information;
the small business handles health information; or
the small business operator notifies the OAIC in writing of its desire to be treated as an organisation.
16.53 In its 2008 report, For Your Information, the ALRC recommended that the small business exemption be removed from the Privacy Act. Several stakeholders, in submissions to the ALRC’s current Inquiry, noted that the exemption remains in the Privacy Act, and that the removal of the exemption would have substantial benefits for the protection of privacy.
16.54 Ensuring that small businesses handle personal information in an appropriate way may be particularly important in the digital era. A small business in the digital era can readily collect personal information through, for example, software on mobile phones or websites.
16.55 The ALRC considers that the small business exemption should be given further consideration, particularly given the growth of digital communications and the digital economy since 2008. The ALRC acknowledges that simply removing the small business exemption would increase compliance costs for small businesses. However, options other than simply removing the exemption are available.
16.56 The Productivity Commission may be well-placed to investigate the likely impacts on small businesses if the small business exemption were removed, or if other options for protecting personal information held by small businesses were introduced. Such an investigation could give detailed consideration to the application of data protection laws to small businesses in other jurisdictions as well as other options for improving the protection of personal information held by small business. These options might include, for example, the introduction of an accreditation scheme to encourage small businesses to opt in to the Privacy Act in order to demonstrate a commitment to good privacy practices, or a limitation of the small business exemption so that small businesses handling sensitive information or financial information would not be exempt from the Act.
Privacy Act 1988 (Cth) s 6(1) (definition of ‘APP entity’).
Ibid ss 6C, 6D.
Ibid ss 6D, 6E, 6EA.
Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report 108 (2008) Rec 39–1.
‘Mobile Apps’ (Occasional paper 1, Australian Communications and Media Authority, May 2013); ‘The Cloud—services, Computing and Digital Data’ (Occasional paper 3, Australian Communications and Media Authority, June 2013); ‘Mobile Privacy: A Better Practice Guide for Mobile App Developers’ (Office of the Australian Information Commissioner, September 2013).
For example, small businesses are bound by the Data Protection Act 1998 (UK).
Small businesses may elect to be treated as organisations under s 6EA of the Privacy Act 1988 (Cth).
Sensitive information includes personal information about an individual’s racial or ethnic origin, political opinions, membership of political associations, religious beliefs or affiliations, philosophical beliefs, professional or union membership, sexual orientation or practices, or criminal record, as well as health information, genetic information and certain types of biometric information: ibid s 6(1) (definition of ‘sensitive information’).