From the CEO: Privacy Act changes likely to be on the table in 2024

Privacy Act, NatRoad, small businesses, cybersecurity, customer information,
The  Government released its response to a review of the Privacy Act late last year.

Read time: 2 mins

By Warren Clark

Originally Published in Deals on Wheels – February 2024

How safe is your stored customer information?

That’s a question you’ll probably need to ask yourself if you’re part of a small road transport operation in Australia in 2024.

The  Government released its response to a review of the Privacy Act late last year. The review had proposed changes like removing many current exemptions and upping the ante in the penalties for its enforcement.  The Government agrees in principle on both those points, so it looks like we will see the biggest changes to privacy legislation since the Privacy Act was first introduced in 1988.

Small businesses with an annual turnover of $3 million or less have been exempt from the Privacy Act since it was introduced in 1988. The reasoning was that they posed a low risk to privacy and making them comply would impose an unreasonable burden on them. Times have changed and the rapidly rising tide of cybersecurity breaches in businesses of all types have raised community expectations. The possibility is small business may be subject to elements of the Privacy Act in the future.

It wouldn’t happen overnight because it would involve amending legislation. One legal opinion I have seen suggests we won’t see any re-drafted law until 2025 at the earliest. A certainty is that the Government will have to consult first with small business before changing anything.

NatRoad will formulate its own position after consulting its members, but my own view is that small road transport operators could have room to move. Most don’t collect biometric information or retain large amounts of personal information from their customers.

The Government accepted various other proposals aimed at improving protections for individuals. This include giving The Information Commissioner additional powers to enforce the Privacy Act and introducing a tiered system of civil penalties.

Law changes can carry unintended consequences if not thoroughly discussed first with stakeholders. At the very least, small businesses will need considerable assistance and time to make any changes. That could mean the government providing e-learning tools or even tax breaks for appropriate software purchases.

The Federal Government had to move on privacy issues following the massive data breaches involving Medicare and Optus in 2023. They resulted in the introduction of penalties in upwards of $50 million for big businesses not taking sufficient care to protect customer information. Nobody is suggesting small businesses will be subject to penalties anywhere near that severe.

There’s a lot to be said for being proactive when it comes to storing customer data anyway. Auditing your business’s data collection and storage makes sense – and that includes hard copy information. Paying for decent cybersecurity software and educating employees in good password practice are simple things we can all do to make our businesses more secure.