In late September, the Attorney-General released its response to the Privacy Act Review Report. The National Retail Association contributed to the Privacy Act Review consultation on behalf of industry and recognises that the changes, if implemented, will significantly impact Australian businesses.

As most small businesses are not currently subject to the Privacy Act, it is important that retailers understand and start preparing for these key changes.

End of Small Business Exemption
Previously, businesses with an annual turnover of less than $3 million were exempt from the Privacy Act. The government believes this exemption should be removed because there is now a community expectation that individuals' personal information will be kept safe, even when it is provided to small businesses. This would bring approximately 95 per cent of actively trading Australian businesses into the scope of the Privacy Act, requiring them to meet compliance obligations. The government acknowledges that small businesses will face challenges in adapting to these new compliance measures. It is proposing a transition period and further consultation with the small business sector on the likely impact of removing the small business exemption.

Employee Data to be Covered
There are also proposed reforms to the Act that would impact small businesses. One of the main ones is bringing current and former employee data, which is currently excluded, under the Privacy Act. The government intends to consult with employer and employee representatives to determine how enhanced privacy protections for employees would be implemented in legislation.

Enforced Data Retention Periods
There was concern about the storage of personal information by businesses for periods that extend beyond what is justifiable for business purposes. The government sees this unnecessary data retention as creating a “honey pot” for cybercriminals. It is considering rules that would force businesses to have set minimum and maximum data retention periods that would have to be stated in their privacy policies.

Strengthening Informed Consent
The government aims to give individuals greater control over their privacy by requiring entities to seek informed consent about the handling of personal information. The objective is to give users a clearer understanding of how their data will be used. The intention is for customers to have sufficient information to enable meaningful informed consent about the use of their personal information.

Reforming Privacy Notices
The government criticised the current use of “complex, lengthy, legalistic and vague” privacy notices. It is recommending that privacy notices should be “clear, up-to-date, concise, and understandable.” The government is proposing to develop standardised templates to assist small businesses in creating effective privacy notices.

New Rights of the Individual
A range of new rights are proposed, allowing individuals greater control over how their data is being used. Measures under consideration include reinforced rights to request an explanation of data handling practices, to request the deletion of personal information, and a right to object to the collection, use or disclosure of personal information.

Drafted by National Retail Association and Ignite Systems, Cyber Security Specialists

Contact the Policy Team at