Review of the small business exemption

16.52 The APPs under the Privacy Act regulate the handling of personal information by APP entities: government agencies and organisations.[69] Notably, small businesses with an annual turnover of less than $3 million[70] are exempt from the definition of ‘organisation’ and hence from the ambit of the APPs unless, for instance:

  • the small business trades in personal information;

  • the small business handles health information; or

  • the small business operator notifies the OAIC in writing of its desire to be treated as an organisation.[71]

16.53 In its 2008 report, For Your Information, the ALRC recommended that the small business exemption be removed from the Privacy Act. Several stakeholders, in submissions to the ALRC’s current Inquiry, noted that the exemption remains in the Privacy Act, and that the removal of the exemption would have substantial benefits for the protection of privacy.[72]

16.54 Ensuring that small businesses handle personal information in an appropriate way may be particularly important in the digital era. A small business in the digital era can readily collect personal information through, for example, software on mobile phones or websites.[73]

16.55 The ALRC considers that the small business exemption should be given further consideration, particularly given the growth of digital communications and the digital economy since 2008. The ALRC acknowledges that simply removing the small business exemption would increase compliance costs for small businesses. However, options other than simply removing the exemption are available.

16.56 The Productivity Commission may be well-placed to investigate the likely impacts on small businesses if the small business exemption were removed, or if other options for protecting personal information held by small businesses were introduced. Such an investigation could give detailed consideration to the application of data protection laws to small businesses in other jurisdictions[74] as well as other options for improving the protection of personal information held by small business. These options might include, for example, the introduction of an accreditation scheme to encourage small businesses to opt in[75] to the Privacy Act in order to demonstrate a commitment to good privacy practices, or a limitation of the small business exemption so that small businesses handling sensitive information[76] or financial information would not be exempt from the Act.