The government sought feedback on matters raised in the Privacy Act Review Report that had not been previously raised in consultations. In providing feedback, we reiterate our key areas of concern and addressed new areas raised in the report.

Small business exemption

We acknowledged the benefits of expanding the application of the Privacy Act to better secure its objectives and supported the proposal that further extensive consultation be undertaken with small businesses prior to removing the small business exemption.

We raised that our members in practice (typically partnerships or incorporated practices) are entitled to the small business exemption if their annual turnover is $3 million or less. Though the Privacy Act may not apply to them, such small businesses are bound by a range of professional standards and legislative requirements pertaining to the confidentiality of client information. We noted that all our members must comply with national Accounting Professional and Ethical Standards, which include standards relating to the confidentiality of client information.

Ultimately, any consideration of the removal of the exemption for small businesses should not progress until small businesses themselves have the opportunity to engage in consultation to determine the best way for them to meet any new obligations under the Privacy Act.

Employee records

We supported the existing employee records exemption. If the employer exemption should be wound back, we considered it critical that any obligations on employers will not limit their ability to collect the necessary information to manage the employee-employer relationship.

We recommended that all employers should have an employee personal information policy to inform employees on how their personal information is collected, used and disclosed and how access to employee records will be provided (or refused, if for example providing access would infringe the privacy rights of others or compromise an investigation of workplace misconduct). 

Further, to ensure employees only need to raise a complaint once, we suggest that the right for regulators to transfer complaints to the most appropriate body is embedded in legislation.

Direct marketing, targeting and trading

We supported the proposals to introduce definitions and clarify obligations when using personal data in marketing activities. We noted that embedding and clarifying individuals' opt-out rights is consistent with Australia's anti-spam laws, and preferable to the alternative approach adopted in other jurisdictions, which requires individuals to opt-in to receive direct marketing communications.

We supported the proposal that would require targeting to be fair and reasonable and prohibits targeting based on sensitive information. Recognising that individuals mistakenly believe that personalised targeted marketing is sent with their best interests in mind by a party that ‘knows’ them, placing the obligation on APP entities to act in a fair and reasonable way will better protect consumers.

We supported the proposal that an individual’s consent must be obtained to trade their personal information if implied consent in certain circumstances was considered valid consent. For example, where the sale of a business involves the transfer of intellectual property and business records, including client lists and files, from one APP entity to another, the client’s consent to the sale of their personal information should be implied from the contractual relationship between an APP entity and their client. APP entities should be free to rely on such implied consent. 

Closing comments

We welcomed further discussion on the matters raised and offered to convene a roundtable of members in small practices to enliven how small accounting practices currently meet statutory requirements and the potential impact of additional requirements if captured under the Privacy Act.