Small business clients in Privacy Act crosshairs
This article was current at the time of publication.
Amendments to the Privacy Act mean Australia is poised to have one of the world’s most robust data breach penalty regimes. It has never been more important for companies and accountants to abide by the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) and overseen by the Office of the Australian Information Commissioner.
Separately, registered tax practitioners have obligations to maintain the confidentiality of client information under the Code of Professional Conduct in the Tax Agent Services Act 2009, which the Tax Practitioners Board administers.
Notably, the new privacy law amendments strengthen the powers of the Office of the Australian Information Commissioner (OAIC) by making it easier for the regulator to obtain information about an entity’s practices and its compliance with the Act, and in particular with the Notifiable Data Breaches (NDB) scheme.
They also give the OAIC and the Australian Communications and Media Authority (ACMA) greater information-sharing powers, and enhance the OAIC’s ability to investigate and resolve privacy breaches by directing an entity on what it must do to meet its compliance obligations.
According to Australian Information Commissioner and Privacy Commissioner Angelene Falk: “This is an important milestone as we move toward further reform of Australia’s privacy framework.”
Fewer overseas businesses will be able to evade regulatory scrutiny, because the requirement that an organisation collect or hold personal information in Australia for the Act to apply has been removed.
This means that an organisation carrying on business in Australia from outside Australia, with no Australian subsidiary, will be captured by the Act.
A real reckoning is coming
If even some of the tabled proposals are enacted, leading law firm Hall & Wilcox warns, they will have substantial impacts on all Australian businesses.
One of the changes that could impact millions of Australian businesses, according to Hall & Wilcox Partner and Head of Cyber, Eden Winokur, is the removal of the small business operator rule in the Act.
“The small business operator rule has the effect that companies with a turnover of less than A$3 million are generally not caught by the Privacy Act,” Winokur explains.
“Importantly, that rule does not apply to tax file numbers [TFNs], so accountants who are small business operators will have obligations in relation to the collection and use of TFNs in the course of their business.
“The removal of the small business operator rule could have a significant impact on accounting practices and their clients – there will likely be additional compliance costs and regulatory risks, including responding to notifiable data breaches.”
Winokur emphasises that while the proposed amendments are being considered, there are many things that businesses can be proactively doing now.
“Businesses should be carefully assessing their data retention policies,” he says.
“It is critical for businesses to understand that generally there is an obligation to delete or de-identify personal information when it is no longer needed for the reason it is collected and used, so long as there is no legal obligation to retain it.
“There is a lot of work that needs to be done when it comes to data retention.”
TFNs and data breach notification
TFNs are given special treatment under the Privacy Act. Accountants who suffer data breaches involving TFNs will most likely be required to notify the affected individuals and the OAIC.
At present, an organisation that suspects it may have suffered an eligible data breach must carry out a reasonable and expeditious assessment of whether the breach is notifiable, and that assessment must be completed within 30 days.
Under the proposed changes, that window could be cut to 72 hours.
Winokur says that “the Privacy Commissioner expects organisations to notify breaches in a timely manner so that individuals can take steps to reduce the risk of harm”.
Right to privacy
“Currently, there is no direct right to privacy under Australian law, so what that means is that if there’s a data breach it can be difficult to sue someone for a breach of privacy,” Winokur continues.
“There is a proposal that would create a way for companies to be sued directly for breach of privacy, so accountants – given the information they hold about their clients – that suffer a breach, may be at a higher risk of being sued by their clients.
“There is also the potential of introducing low-tier and medium-tier monetary penalties that the Privacy Commissioner can seek to impose.”
Given the potentially sweeping changes, practitioners should warn their clients that any new regime will not go unnoticed by cyber insurers. For small-to-medium enterprises the consequences could be far reaching, although, as Winokur notes, the cost of cyber insurance is beginning to settle.
“Cyber insurance is a helpful risk mitigation tool and one that I recommend all companies consider and discuss with their insurance brokers,” he says.
“More generally, accountants should make their smaller business clients aware that there are potentially substantial changes coming from a privacy perspective and that those businesses should familiarise themselves with what those changes might be.
“Perhaps, most importantly, accountants should be helping their clients [to fully] understand the personal information they hold and whether there’s a reasonable obligation to hold all of that information.”
What’s changed?
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 received Royal Assent in December 2022 and amends the long-standing Privacy Act 1988 (Cth); a further tranche of substantive reforms is expected.
The most significant change so far is the increase in the maximum penalty for serious or repeated interferences with privacy. A body corporate now faces a penalty of the greater of A$50 million, three times the value of the benefit obtained from the conduct, or, if the court cannot determine that benefit, 30 per cent of the entity’s adjusted turnover in the relevant period.
For a person other than a body corporate, the Act increases the maximum civil penalty for serious or repeated interference with privacy to A$2.5 million.