After a thorough review of the Privacy Act 1988, the Australian Government has signalled major reforms that will expand privacy obligations for businesses across the country. One of the most significant changes is the proposed removal of the small business exemption, which currently excludes companies with an annual turnover of $3 million or less from certain Privacy Act requirements.
If implemented, this reform will bring millions of Australian SMEs under formal obligations to protect personal information, notify individuals of data breaches, and comply with broader Privacy Act standards. For businesses previously exempt, these changes represent a critical shift in compliance responsibilities and operational risk.
Key Proposals and Reforms
The government’s approval of, or tentative agreement to, most of the 116 proposals suggests that a significant range of changes is on the horizon. One of the critical alterations is the removal of the Privacy Act exemption for small businesses, impacting approximately 2.3 million SMEs. With this change, these businesses will need to revisit their data privacy policies, particularly how they treat and store personal information.
The government is also contemplating an expanded definition of the term “personal information”. This extension would include IP addresses, cookies, and device identifiers, as well as situations where an individual may be “reasonably identifiable” even if their identity is unknown. The proposed reforms also include the requirement for businesses to seek informed consent, enhanced protections for children, and increased accountability for handling individuals’ information.
Risk Considerations for Businesses
In light of the imminent reforms to the Privacy Act, businesses face heightened risk considerations and privacy obligations, particularly in ensuring the secure storage of personal data. With the proposed removal of the Privacy Act exemption, there is a pressing need for entities to re-evaluate their data management practices. The safe storage of personal information is essential to comply with these potential future obligations, but first and foremost, sensitive data must be safeguarded against unauthorised access. As cyber-attacks become more sophisticated and relentless, the risk of data breaches is very real.
In this context, the significance of cyber insurance cannot be overstated. With the removal of the Privacy Act exemption, businesses must recognise the critical role of cyber insurance in mitigating damages associated with data breaches. With the proposed update requiring businesses to notify all affected parties of a data breach, the potential ramifications for the business are significant. Cyber insurance provides a safety net, covering aspects such as business interruption and reputation or brand damage in the event of a security incident. Depending on the severity of the data breach, a business may be left dealing with an extended period of interruption, mandatory notification of impacted parties, and significant brand damage to repair.
Act Now: Strengthen Your Privacy Obligations
Regardless of the government’s endorsement of reforms and the proposed removal of the Privacy Act exemption, businesses should take action to review and strengthen their privacy obligations. Conducting a comprehensive reassessment of data privacy policies and practices is essential, both to comply with potential legal requirements and to manage risk in an environment of increasingly sophisticated cyber threats.
With the heightened risk of business interruption and reputational damage following a data breach, integrating cyber insurance into your risk management strategy can help mitigate financial and operational impacts.
By proactively addressing evolving privacy obligations, businesses can reinforce their defences against cyber threats, update their data handling practices, and navigate the changing landscape of data protection with confidence.
If you need guidance on meeting privacy obligations and implementing cyber risk strategies, the team at Barrack Broking is ready to assist.