The small business exemption is up for the axe and that means previously exempt health and medical practices could face huge penalties if not properly prepared.
Upcoming reforms to the Privacy Act will have repercussions for small health and medical businesses, including non-corporate general practices, with the prospect of huge penalties for non-compliance.
The current Privacy Act 1988 underwent two years of consultation and review after the ACCC recommended such a review in a 2019 report.
Following the release of an issues paper, and then a discussion paper in 2021, the review’s final report was released by the Attorney-General’s Department in February of 2023.
The small business exemption means the Act does not apply to businesses with an annual turnover of $3 million or less, unless that small business trades in personal information. However, section 6D allows a small business that trades in personal information to remain exempt from the Act if it obtains the consent of the individuals concerned to collect or disclose their personal information.
Submitters to the review, the final report said, noted that “increased risks posed by small businesses relating to personal information, even by those businesses not engaging in complex information handling, stem from the increasing prevalence of businesses receiving orders via the internet, having a web presence and using cloud computing services”.
“Submitters noted that the exemption does not reflect community expectations that Australians’ privacy should be protected irrespective of the size of an entity,” said the report.
“Submissions also highlighted that annual turnover is not an accurate proxy for potential impact on privacy, or the seriousness of a potential breach.”
Clare Mould from Corrs Chambers Westgarth told HSD that not only will the prospective changes to the Act affect small healthcare businesses, but the proposed new penalties would be prohibitive.
“The proposed changes are quite significant,” said Ms Mould.
“They are going to touch every aspect of the way organisations collect, use and handle personal information.
“Organisations will first of all need to understand the regulatory landscape that they operate in, because it’s not just the Privacy Act that organisations in the health industry will need to comply with.
“Certain organisations, hospitals particularly, need to comply with the Security of Critical Infrastructure Act 2018. That legislation also places obligations on organisations to deal with information in a particular way and protect against unauthorised use and disclosure.
“The reforms [to the Privacy Act] will likely see the removal of the small business exemption that currently exists. It means that GPs will need to comply with the Privacy Act, and the reforms will also likely impact the current employee records exemption that exists.”
The new penalties for breaches of the Privacy Act are already in force, coming in after the Optus breach in September 2022. They are:
- a serious or repeated interference with privacy (s 13G) attracts a maximum penalty of $2,500,000 for a person other than a body corporate, and, for a body corporate, an amount not exceeding the greater of:
  - $50,000,000; or
  - three times the value of the benefit obtained directly or indirectly by the body corporate and any related bodies corporate that is reasonably attributable to the conduct constituting the contravention; or
  - if the court cannot determine the value of the benefit, 30% of the body corporate’s adjusted turnover during the breach turnover period for the contravention.
If the small business exemption is removed when the reforms are enacted, small healthcare businesses will be exposed to penalties far higher than any they have previously been liable for.
The reforms to the Privacy Act were due to be made public this month but speculation is that the Attorney-General’s Department has delayed them because of the need to consult with small business advocates about how best to prepare and protect them.
A spokesperson for the AG’s office said “there has been no change from this answer [AG Mark Dreyfus] gave at the Press Club earlier [on Tuesday 9 July]:
“On privacy … I’m looking forward to bringing that to the Parliament as soon as I can,” said Mr Dreyfus.
“We announced a response to the review of the Privacy Act, which I accelerated at the start of this year and I’m very hopeful that we will bring that to the Parliament later this year.”