Privacy for Small Business

Protecting your business online

This module covers privacy law relevant to your business. Protect yourself and your business by ensuring you adhere to privacy law.

Key learning outcomes:

  • Overview of privacy law in Australia & around the World
  • Understanding what is personal information
  • Privacy and social media
  • Mandatory data reporting
  • Penalties attached to privacy breaches

Please note that the information presented in this section is general information only and is not to be acted on. If you have a particular problem relating to your circumstances, please seek professional advice.

Video Presentation: Privacy for Small Business

Privacy for Small Business

Hello. My name is Jeanette Jifkins from Onyx Legal. We're a local commercial law firm based in North Lakes, looking after people doing business online. We aim to be plain English, easy to understand, and easy to work with. And our whole objective is to make doing legal stuff easier for you.

We are a small team. All of our senior people have owned their own businesses in the past. So they understand what it's like for you running a small business, and the challenges that you will face. We've all got lots of letters after our names, and I've actually written a book to help you out as well called, Cover Your Arse Online. We're practical, and we want to help you out if we can. But today we're going to be talking about privacy for your business. And why it's really important.

What we're covering. We're going to look at privacy law in Australia and overseas. What personal information is. So privacy protection is all around personal information. So it's good for you to understand what that is. We'll have a look at privacy and social media, mandatory data reporting, and some of the penalties that are attached.

Now, this is just general information. So don't go using this information to do whatever you need to do in your business. If you need specific advice relevant to your circumstances, you really do need to see a lawyer, and please don't base advice to other people on this presentation. They need specific advice to their circumstances as well. This is just information to help you better understand the whole privacy law thing.

Australian Privacy Law

So privacy law in Australia: we have the Privacy Act, which was legislated in 1988, and it was updated much more recently, so we now have 13 Australian Privacy Principles. I'll take you through those in a minute.

The privacy law applies to governments and it applies to businesses. In terms of businesses, what it's looking at is organisations, and organisations can be anything from sole traders to companies, to listed companies on the ASX, to semi-government organisations, not-for-profits; everything is covered. However, if you're a small business operator, you may be exempt. Now a small business operator is somebody with a turnover of less than $3 million per year. However, again, there are caveats. You might have less than $3 million a year in turnover, but if you work in the health space and you collect health information, you must comply with the Privacy Act.

There are other areas as well. For example, organisations that collect information that they're going to on-sell. So when you do, or if you do, the Australia Post survey every year, that data is on-sold, so that has to be done in compliance with the Privacy Act.

Must know privacy principles

The privacy principles: there are 13 of them, and I'll go through them. Remember, your privacy policy has to be open and transparent, or rather, the way in which you deal with personal information has to be open and transparent.

You must give people the option of remaining anonymous, if it's possible. Obviously if you're selling them products or services, they can't remain anonymous, but they should have the ability to, for example, check out your website anonymously.

In terms of gaining personal information, there are rules around how you gain that personal information. And there are also rules around collecting information, or receiving information that you haven't specifically requested from the individual. So that's called solicited information and unsolicited information.

You must notify people of collections. So if you're getting information sent to you from another source, you actually need to, or you're obliged to, notify people that you now hold their personal information.

There are rules around the use and disclosure of personal information. There are rules around allowing people to not have their information used for direct marketing.

There are rules around cross-border disclosure. So many people are not aware that once you put information on the internet, it can go all over the world. If you're a small business here in Australia, it can still go all over the world, because of the systems you're using. A lot of people use MailChimp, for example. With MailChimp, I'm not aware whether they allow you to specify that you want to use servers here in Australia. I do know that if you don't specify that, their default servers are not Australian based. So that means if you're using MailChimp, your data is probably going overseas.

There are rules around security of information, access to information and the correction of information, and by access I mean by the individual.

Privacy laws outside Australia

In terms of privacy around the world, you may have heard of GDPR. That is the General Data Protection Regulation, which was enacted in Europe back in 2018. That regulation is the strongest regulation around privacy protection in the world. And if you are collecting information about citizens of the European Union, now excluding the UK, then you have to comply with GDPR. Now, is that a risk? In terms of being prosecuted, the risk is that the penalties they're giving for non-compliance are up to 4% of global revenue, which could obviously be quite significant, particularly in a bigger business. However, the risk of you being prosecuted as a small business here in Australia is probably very small. The greater area of risk for you in not being GDPR compliant is if you are using an overseas business and they need you to be compliant, and they otherwise say they can't either supply goods or services to you, or use your goods and services, unless you're compliant.

So your risk is more in the commercial space at the moment. In the regulatory space, I'm sure that'll catch up at some point in the future, but right now they're much more focused on prosecuting businesses within the EU. GDPR also involves some cookie monitoring. So you might've noticed that a lot more websites now have more details about the cookies they use, not just a notification that they use cookies with an I agree, or I accept button.

The CCPA is the Californian legislation for protection of privacy of Californian residents. And the main thing in that piece of legislation is that you're supposed to notify people whether or not you pay attention to their ‘do not follow’ instructions. So, if you use a browser, for example, I use Chrome. If you go into the privacy settings, there are settings that allow you to tick, ‘do not follow’, which means that when you visit a website, people are not supposed to apply pixels to your browser settings and follow you around and see where you go. And then send you targeted advertising, for example.

The Californian legislation says you need to tell people whether or not you pay attention to those signals. It doesn't say you have to comply with them, just that you have to tell people whether or not you do. Most people say, Oh, we don't because we don't monitor it or something like that.

In the US you also have the COPPA, which is for the protection of privacy of children, and that allows parental control of data about children under the age of 13. It's only relevant if you are doing business in the US, or have a large US purchasing base, and your information is targeted at children under the age of 13. So for example, Disney site. Obviously they have a large audience under the age of 13. They've got to comply with that legislation. As a small business in Australia it's unlikely to be a big issue for you.

What is personal information?

So what's personal information? It's not just your name, your address, your phone number and your email. It is information or opinion, and it need not be true. So when the Privacy Act first came in, there was this big thing about doctors' notes on the side of patient files, and whether or not that was personal information. And it was deemed to be personal information. So the doctor's opinion might be that you're a hypochondriac, and they've written that on the doctor's file. That is personal information that you are entitled to access. Previously nobody liked to give you access to that, because it's embarrassing for the doctors. And I understand that medical professionals are a bit more careful about some of the notations they make now. Keep in mind that the Privacy Act came in back in 1988.

Personal information need not be recorded in tangible form. So, a conversation with somebody just verbally communicating information could potentially be a big breach of personal information. Personal information must be about a natural person. So not somebody who is deceased. And it is information that either specifically identifies that person, or could be used together with other publicly available information to identify that person.

And it doesn't apply to any entity that's not an actual person. So your business, if you're a company or other registered entity, that entity does not have personal information, only individuals do.

In terms of it being personal information as well, photographs can be personal information. So when you join a gym and they take a photo for your ID, so that your gym pass goes through every time, or they can check your ID, you know, your image when you scan your gym pass, that is a collection of your personal information.

What are your privacy obligations as a small business?

So your privacy obligations as a small business: not to interfere with the privacy of a natural person, and to comply with the Australian Privacy Principles. That's the basics, but that means you need to understand the privacy principles and how they apply to your business. There's lots and lots of information on the government website.

What I'd like to do now is move on to privacy and social media, because social media obviously is a whole different beast. As soon as you input information into social media, part of the purpose of social media is to share that information with every other user associated with that particular platform. So for example, with Facebook. If you put information in Facebook, you can set your privacy settings to limit who actually sees that publicly available information. But as soon as you input data, you're giving permission to Facebook to share it with everyone else on that platform, unless you trigger those privacy settings. And this is a trick for new players. A lot of younger people coming through, setting up their first Facebook account and not putting privacy settings on it, may be quite surprised that it is reviewed by potential employers. There's no prohibition on potential employers doing that, and you should expect that it's going to happen. So if you have a publicly available profile, you might want to ensure that you've checked it before you go and apply for a job.

Social media privacy for your business

In terms of privacy on social media, as soon as you share something with others, it's shared. So when you talk about personal information: "I had a great birthday today", and everybody knows your birthday, because they can find out on social media. "I saw this on the street today", and somewhere in that shot is a street sign, so they're going to know where you live. Things like that. Taking photos of the car: "Oh, look, I got a new car", and I'm putting it on social media. There's obviously going to be your rego on there, your number plate, and people are going to know what your number plate is. That's the casual sharing of personal information that people don't really think about. And if you're a business, you've got to consider your employees in doing that.

So if you take photographs in the work environment, how many people are in the background and are you sharing their personal information, and do you have permission to do that? That kind of thing. And that happens, people take photos for social events, you know, work events, that kind of thing, and it ends up on the work page. That's what I'm talking about.

In terms of how you protect that for yourself, make sure you've got privacy settings in place for the business. What you need to do is think about how you use social media for your business, and what policies or what conditions you might put around that in terms of sharing information about the business and the people involved in that business.

So, for example, I know our local marketing business. They're happy to share the events that they participate in and photos of the whole team on the website on a fairly frequent basis, because that's part of their business. If you're in the security space, you might not want to do that. So it's thinking about what policies you need in your business to ensure that you are protecting the privacy of both the employees in your business and also the people you're working with.

If you link with your clients on social media and then start sharing comments with them about the business on social media, people are going to know they're your clients. As a lawyer, that's something we have to be careful of, because we have an obligation under the conduct rules not to disclose confidential information, and personal information is obviously confidential information.

Read and understand permissions

Okay. I have some great slides. So here's an example that I would like you to look at, in terms of, well, it's stretching social media a bit. You get a lot of ads for apps, and people don't check privacy settings in apps. On this slide, you can see a simple scan app, which is a business app. If you have a look in the additional information about it, you'll see that there's a heading called permissions.

Now a lot of people don't ever bother to check on that. But if you look at it, the next slide shows you identity, photos, media, files, and storage, and what the app owner can do with that. So for example, with your identity, they can add or remove accounts. So what does that mean? As a business, if you set up a business app and you have a number of people within your business using it, that app can actually delete those accounts. You're giving them permission to delete those accounts. And it makes sense if you've got an administrator in the business whose responsibility is to do that. But if you don't, then why have you got that permission? Why is that an app you want to use with that level of permission?

Other apps can access your entire contact list now. As a business, how many of your employees have your entire business contact list in their phones? And they download an app and that contact list can be accessed. So as a business, you need to look more closely at the kind of software and apps and social media, and how you're using everything, and what potential risk there is to personal information about your clients or suppliers that you've collected.

The risk of that is if there is a breach, for any reason, and you're required to comply with the Privacy Act. So, not a small business operator, but if you are a small business operator that collects health information, or collects lists of information to sell, then you do have to comply. If you're in that bracket of people, then you have an obligation to report any data loss, and data loss can be not just hacking of your systems, but, for example, NASA leaving a laptop in the back of a taxi. They left a laptop that had security codes for the International Space Station in the back of a taxi. They got it back fairly quickly, but that's more of a security breach than having someone hack your systems; it's not just about having your systems hacked.

You have a member of staff who comes back from a client meeting and they leave a laptop, or they leave an iPad, or they leave a phone in the back of a cab, or an Uber. Uber is harder to track, you know. What are you going to do? That's a whole lot of information. Do you have the ability to automatically erase it or anything like that? This is the kind of security you need to think about in terms of personal information.

Your obligations for a breach in data

Your data notification obligations are to report to the Privacy Commissioner and to give a notice to anybody who is potentially affected. So if it involves their personal information, they're potentially affected. You need to let them know if the data has been accessed, or disclosed, or lost, or has the potential to be disclosed or accessed. So for example, even a USB key in the back of a vehicle.

You've got to let them know if there is a likely risk of serious harm. Serious harm is not defined, and it is not just, you know, it could be physical harm, it could be financial harm, it could be psychological harm. So for example, just before the mandatory data reporting obligations came in in Australia, there was a website, a singles website, or an adulterous website, I think it was, and that website got hacked, and all of that data was threatened to be released into the public domain. So that's a fairly substantial psychological and emotional, potentially domestic violence, risk for all of those people who are listed on that website. So that's a risk of serious harm that is not necessarily financial, but one of the other areas.

If you do get a data breach, again, your obligation is to advise the Privacy Commissioner. Notify those affected. Publish a notification on your website. Carry out remedial action as soon as possible. And let people know what that remedial action is. So it might also be letting people know that they need to update their passwords, or make some sort of changes in their systems to help protect themselves.

Okay, potential penalties for breaching privacy. The Privacy Commissioner's powers were increased in the last few years. So now the Privacy Commissioner can actually issue fines. The Privacy Commissioner can seek compensation for financial or non-financial loss. So if you're very distressed by the misuse of your personal information, you can potentially seek compensation for that. The Privacy Commissioner can require an apology from the company making the error. They can apply to the court for that organisation to be fined. They can make an application to the court for an emergency stop of that behaviour, which is called an injunction. It's an urgent application. And they can require an organisation to enter into undertakings, to carry out training within the organisation, to change their practices and procedures.

So it can be quite significant. Woolworths recently, although that was a spam issue, were fined a hundred thousand dollars. No, it was more than that. And that was because they had a non-functioning unsubscribe facility. So that's in the spam space, but the Privacy Commissioner has a similar ability to say, well, you're doing something wrong in the privacy space. You need to protect these people's privacy. And we will impose penalties if you don't comply.

So those are the kinds of things that can happen. In terms of how we can help: if you do not understand your privacy policy, if you copied and pasted it from someone else, if you don't understand what your privacy obligations are as a business, we can help you out.

In all of those areas. You can visit our website, or just give us a quick call to find out how we can help you best. Thank you for today.
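The CCPA point above, that a site must state whether it responds to a browser's "do not track" setting, is easy to demonstrate in code. The following is an added example, not part of the presentation or Onyx Legal's material: a framework-free Node.js handler for a tracking pixel that reads the browser's Do Not Track request header (`DNT: 1`, which is what the Chrome setting the presenter describes actually sends) and, going one step beyond the text, the newer Global Privacy Control header (`Sec-GPC: 1`), then generates the one-sentence disclosure a privacy notice needs. The header names are real; the `POLICY` object, the function names and the sample requests are this example's own assumptions.

```javascript
// Added example (not from the presentation): honouring, or at least
// disclosing, browser opt-out signals for a tracking pixel.
// Real headers: DNT (Do Not Track), Sec-GPC (Global Privacy Control),
// Tk (W3C Tracking Preference Expression status, "N" = not tracking,
// "T" = tracking). POLICY and the function names are this example's own.

// Site policy: whether we act on each signal. Whatever you choose here,
// the CCPA point is that the privacy notice must *say* what you do.
const POLICY = Object.freeze({ honourDnt: true, honourGpc: true });

// Case-insensitive header lookup. Values may arrive as arrays when a
// header is repeated; the first value wins.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  let value = key === undefined ? "" : headers[key];
  if (Array.isArray(value)) value = value[0];
  return typeof value === "string" ? value.trim() : "";
}

// Decide whether this request may be tracked. The blocking signal is
// returned so the decision can be logged for an audit trail.
function trackingDecision(headers, policy = POLICY) {
  if (policy.honourGpc && headerValue(headers, "sec-gpc") === "1") {
    return { track: false, signal: "Sec-GPC" };
  }
  if (policy.honourDnt && headerValue(headers, "dnt") === "1") {
    return { track: false, signal: "DNT" };
  }
  return { track: true, signal: "none" };
}

// 1x1 transparent GIF, the classic tracking pixel (constructed constant, 42 bytes).
const PIXEL_GIF_BASE64 =
  "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7";

// Handler for GET /pixel.gif. Returns a plain {status, headers, body}
// description so it can be wired into http.createServer or any framework.
// When tracking is refused we send 204 with Tk: N and no pixel at all, so
// nothing is logged against the visitor.
function handlePixelRequest(requestHeaders, policy = POLICY) {
  const decision = trackingDecision(requestHeaders, policy);
  if (!decision.track) {
    return { status: 204, headers: { Tk: "N" }, body: null, decision };
  }
  return {
    status: 200,
    headers: { "Content-Type": "image/gif", Tk: "T" },
    body: Buffer.from(PIXEL_GIF_BASE64, "base64"),
    decision,
  };
}

// The one sentence the CCPA asks for: do you respond to these signals or not?
function optOutDisclosure(policy = POLICY) {
  const honoured = [];
  if (policy.honourDnt) honoured.push("Do Not Track");
  if (policy.honourGpc) honoured.push("Global Privacy Control");
  if (honoured.length === 0) {
    return "This site does not respond to browser Do Not Track or Global Privacy Control signals.";
  }
  return `This site honours the following browser opt-out signals: ${honoured.join(", ")}.`;
}

// Constructed sample requests: a Chrome user with Do Not Track on, a
// browser sending Global Privacy Control, and a browser sending neither.
const SAMPLE_REQUESTS = [
  { label: "dnt-on", headers: { "user-agent": "Chrome", DNT: "1" } },
  { label: "gpc-on", headers: { "user-agent": "Firefox", "Sec-GPC": "1", dnt: "0" } },
  { label: "no-signal", headers: { "user-agent": "curl/8.0" } },
];

// Runs the samples through the handler; returns label -> HTTP status.
function demoStatuses(policy = POLICY) {
  const out = {};
  for (const req of SAMPLE_REQUESTS) {
    out[req.label] = handlePixelRequest(req.headers, policy).status;
  }
  return out;
}

console.log(demoStatuses());
console.log(optOutDisclosure());
```

If your policy is to ignore the signals (set both flags to `false`), the handler keeps serving the pixel and `optOutDisclosure()` produces the "does not respond" wording, which is the disclosure the presenter says most businesses end up making; either way the notice and the server behaviour come from the same `POLICY` object, so they cannot drift apart.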

