Publication date: December 2017
If you’re establishing a start-up it’s vital to understand how you can benefit from good privacy practice, and the obligations that may apply to your business under the Privacy Act 1988 now, or in the future.
Why is good privacy practice essential for your start-up?
There are significant reputational and commercial benefits that flow from good privacy practice. In fact, it’s increasingly critical to customer trust. When people are confident about how your start-up will handle their personal information, they are more likely to trust the product or service you offer, leading to improved business performance. Similarly, privacy is increasingly acting as a commercial differentiator amongst competitors.
Conversely, there are a number of risks associated with privacy practices that don’t meet customer and community expectations. These risks include:
- reputational damage, which can jeopardise funding and scaling
- the need to redesign products, services and processes to retrofit privacy management down the line, which can increase costs and cause delays
- regulatory scrutiny, which can lead to increased compliance obligations
- public sanctions for breaching the Privacy Act or mandatory data breach notification obligations.
The Privacy Act provides rights to individuals about how their personal information is used and managed. It also places responsibilities on most businesses. If your start-up is a small business (turnover of $3 million or less per annum) the Privacy Act may not apply to you yet. But ask yourself: do you plan for your business to stay small, or to grow?
If you’re planning for growth or acquisition, you need to adopt a ‘privacy by design’ approach to your products and services. This means building the management of privacy risks into the design specifications of technologies, business practices and physical infrastructures from the beginning, rather than bolting it on later.
What does good privacy practice involve?
Privacy is not about secrecy. It is about being transparent about how you handle personal information and giving individuals confidence that it will be managed securely and appropriately.
The Australian Privacy Principles (APPs) in the Privacy Act set out the minimum expectations of the community in relation to how you handle their personal information. When your organisation is covered by the Privacy Act, they are also legally binding.
‘Personal information’ is any information or an opinion about an individual who can be reasonably identified from that information or opinion. Information that might not be personal information by itself can become personal information when it is linked to other available information to identify an individual. This may, depending on context, include a person’s name, date of birth, phone number, bank account details or commentary about a person, and, in the age of big data, may also include information like a person’s web browsing history or online purchases.
The standards in the APPs are generally framed as requiring businesses to do what is ‘reasonable’ in the circumstances. This means they are flexible and can be tailored to your particular business model, products and services.
Start-ups and the Privacy Act
For some start-ups, privacy issues pose the risk of non-compliance with the Privacy Act. Whether a start-up is legally required to comply with the APPs and the Privacy Act will depend on the type and scale of its business.
The Privacy Act will generally apply to a start-up once its annual turnover is greater than $3 million. However, start-ups that undertake the following activities will also need to comply with the Privacy Act:
- collect Know Your Customer information to comply with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
- participate in Australia’s credit reporting system (for example, providing a consumer credit report)
- provide health services (such as a product or service that tracks and holds health data)
- trade in personal information.
For more information about when the Privacy Act applies, see Small Business.
It’s important to remember that whether or not the Privacy Act applies to your start-up can change over time, especially if your business grows. Even if your start-up is not required to comply with the Privacy Act now, it may need to in the future. For example:
- an app developer might not collect personal information as part of the initial version of an app, but builds this capability into an update of the app and then sells the information collected
- your start-up might be acquired by a larger organisation that passes the $3 million annual turnover threshold
- your start-up might scale its business and pass the $3 million annual turnover threshold.
Practising privacy by design is the best way to ‘future proof’ yourself from additional costs and redevelopment work that will be necessary once your business attracts these legal obligations.
The Commissioner has various regulatory powers to ensure compliance with the Privacy Act, including seeking a civil penalty of up to $2.1 million for serious or repeated breaches. Generally, we also make public any regulatory action we’ve taken.
Other laws that may apply
Other privacy-related legal requirements outside the Privacy Act may apply depending on your business practices:
- the Payment Card Industry Data Security Standard, if your start-up accepts, transmits or stores data from your customers’ payment cards
- the Spam Act and the Do Not Call Register Act, if your start-up markets to customers directly (for more information, visit the Australian Communications and Media Authority website)
- the Telecommunications Consumer Protection Code, if your start-up is a telecommunications provider.
If your start-up operates or transacts with customers overseas, then you may also need to comply with laws in those jurisdictions. While some jurisdictions have similar laws, those laws, such as the EU General Data Protection Regulation, may impose additional obligations.