SMEs urged to start preparing for Privacy Act changes

Small businesses and law firms should start taking proactive steps to comply with the Privacy Act ahead of slated changes by the government.

Lauren Croft 30 November 2023 SME Law

Editor’s note: This article originally appeared in Lawyers Weekly’s sister brand, Accounting Times.

With the government indicating it will look to adopt a recommendation to remove the Privacy Act exemption for small business, businesses should start preparing for this change as part of their planning for 2024, according to RSM director of risk advisory Ashwin Pal.

In late September, Attorney-General Mark Dreyfus announced the government would adopt a recommendation from the Privacy Act Review Report to remove the exemption that currently excludes small businesses with a turnover of less than $3 million from having to comply with the act.


Mr Pal said this means that any business, regardless of revenue, will have to adhere to privacy and online data protection rules.

“If your business deals with personal identity information or personal health information, soon you’ll have to comply with the Privacy Act no matter how small your revenue. Right now, most small businesses would struggle to comply,” he warned.

Mr Pal also noted that there will be smaller accounting firms that are impacted by this change.

“Accounting firms hold a lot of confidential, private information because they’re lodging tax returns,” he said.

“They’ll have all manner of information about an individual client, including all their tax details. That’s probably as personal and private as it actually gets.”

A good starting point for businesses is the Australian Cyber Security Centre’s website, which has in-depth advice on what small businesses should be doing to secure personal customer data.

Mr Pal said that small businesses first need to think about what data they have and where it’s stored.

They should then start to look at who can access that data and to what degree access controls are actually in place.

“For example, is there multifactor authentication, is the data stored securely? Is it encrypted and secure? Is it backed up? If I have a ransomware-type attack, will I lose all my data?” said Mr Pal.

Businesses should also be asking their IT providers questions about what mechanisms are in place to keep data secure.

Where IT providers are unable to provide satisfactory responses to these questions, Mr Pal said businesses may want to consider changing providers.

Mr Pal said accountants could play an important role in guiding their SME clients through the process of preparing for these changes, particularly where they’ve had to adapt themselves.

“Once the accounting firm has gone through the necessary steps to prepare themselves, they can then use their own business as a case study and give advice to clients. They can turn it into a service offering of sorts,” he said.