Attorney-General Mark Dreyfus has moved to remove the privacy exemption for small businesses and is currently working with the Australian Government to ensure that the new regulations are “right-sized and appropriate for small business, easy to implement with clear advice and timelines and will give confidence to customers”.
The decision has generally been welcomed, with the Australian Small Business and Family Enterprise Ombudsman, Bruce Billson, stating that the public rightly expects that any personal information collected and stored by a business, whether large or small, will be protected.
“It is not credible for small business to have a blanket exemption from providing necessary and appropriate protection of the personal information they have about their customers, staff and other businesses they are dealing with,” Billson said. “To make this change work and to provide confidence to the community, we need to have right-sized and appropriate requirements that are readily implementable by a small business.
“While the exemption is no longer tenable, nor is it practical to apply the full suite of privacy principles to a small business – principles that big business and government agencies need to decipher, interpret and apply to their circumstances which a small or family business can never hope to have the resources or staff to navigate and implement,” he added.
The Attorney-General has previously acknowledged the special circumstances and limited time and resources of small business, and that the exemption would only be removed following an impact analysis, once what replaces it has been determined through consultation with the small business community, consideration of a support package and a transition period giving small businesses time to prepare.
“We have been engaging constructively with the Attorney-General and his department and look forward to continuing to do so to establish a right-sized, actionable, fit-for-purpose and efficient approach to privacy protections and personal information management with appropriate support and guidance,” Billson said.
“Small businesses will need clear guidance on the active steps they can take to protect the information of their customers, their staff and themselves and to fulfil their responsibilities,” he added. “This may include procedural templates, information guides and checklists explaining the clear steps required to meet their privacy obligations.”
The Ombudsman added that it would be sensible to join this up with other important reforms around cyber risk management, Digital ID, payment times, deepening the digital engagement of small business and the responsible use of artificial intelligence.
“Small businesses themselves know they can lose business if customers lose confidence in their ability to protect personal information and will benefit from increased certainty around the way information is being managed and protected,” Billson said. “A cyber hack or malicious information release is harmful at many levels, including for the targeted small business as it can irreparably damage the business’s ability to operate and it may never recover or re-earn the confidence of its employees, customers, suppliers and partners.”