
Small businesses can’t be held to the same privacy standards

Opinion piece by the Ombudsman Bruce Billson.

Originally published in the

The public rightly expects any personal information collected and stored by businesses – whether they are large or small – will be protected and only used for the reasons it was provided.

It is not credible for small business to continue to have a blanket exemption from providing necessary and appropriate protection of the personal information they have about their customers, staff, and other businesses they are dealing with.

The digital world has added so much, creating new opportunities and risks, and the responsibilities that accompany handling personal information need to evolve with the times.

That is why my office has been working with the Australian government to ensure that whatever replaces the current small business privacy exemption, and any new regulations, are right-sized and appropriate for small business, easy to implement with clear advice and timelines, and will give confidence to customers.

While the exemption is no longer tenable, it is also not practical to directly apply to a small business the legalistic privacy principles that larger businesses have to work through.

These are principles big business and government agencies need to decipher, interpret and apply to their circumstances, which most small or family businesses do not have the resources or staff to navigate and implement.

We welcomed the acknowledgement by Attorney-General Mark Dreyfus of the special circumstances and limited time and resources of small business, the need for support and a reasonable transition period, and the need for an impact analysis of what changes would mean.

In the consultation sessions involving ASBFEO, we have worked hard with officials to help them appreciate that small businesses do not already have and will not soon have mastery of the Privacy Act. Nor will many be able to navigate data-handling protocols to develop a privacy statement and data-breach response plan. This understanding is critical to appreciate how small businesses operate and then appropriately design regulations to allow small businesses to be compliant.

Small businesses and their representatives are alarmed the system being contemplated would require a small business to interpret legalistic principles and undertake onerous and unfamiliar activities – exactly what small business consultation participants said was the worst way forward.

It is important now the consultation by officials focuses on readily understandable and practical steps supported by actionable information to ensure small businesses are not drowned in a sea of legal technicality and complexity.

A small business isn’t a shrink-wrap version of a big corporation. There’s no regulatory team or dedicated privacy experts, on-staff lawyers or sophisticated compliance systems. Typically, it’s the owner – at 10pm – grappling with this after they’ve been running their business all day.

Small businesses will need clear guidance on the active steps they can take to protect the information of their customers, their staff, and themselves and to fulfil their responsibilities. This may include procedural templates, information guides and checklists explaining the clear steps required to meet their privacy obligations.

The government needs to translate privacy principles into clear, sequential actions, calibrated to the degree of privacy risk prevalent in the business, that clearly respond to the question every small business will ask: What is it I need to do?

Small business fears about new and unfamiliar compliance obligations would be eased by the government making a clear statement that it will provide concise, relevant and accessible guidance and there will be a suitable transition period.

Small businesses know they can suffer if customers lose confidence in their ability to protect personal information and will benefit from increased certainty around the way information is being managed and protected. There is a compelling business benefit in sound and dependable ‘information management’ in this digital era of opportunities and risks.

A cyber hack or malicious information release is harmful at many levels, including for the targeted small business, where it can irreparably damage the business’s ability to operate. The latest chilling report from the Australian Cyber Security Centre is that a cyberattack happens every six minutes and that when a small business is hit, on average it suffers a financial loss of $46,000.

Sadly, in many cases it ends up being an enterprise-ending event as they never recover or re-earn the confidence of employees, customers, suppliers and partners.

Government should also embed any privacy changes in a nest of information management issues for small and family business including cyber protection, a safe digital presence, managing opportunities and risks presented by digital platforms, eInvoicing, data custodianship and consumer data right participation. Each is being pursued in a siloed way with different (often unknown) lead agencies, bespoke duties and concerns about mounting complexity and compounding compliance obligations.

These all can and should be addressed as an integrated ‘information management’ initiative, highlighting both the business benefits and any new obligations, through a synchronised engagement with small businesses via familiar intermediaries. This is an opportunity for government to progress important policy objectives while assisting small businesses to deepen their digital engagement, bolster vital information management tools and even explore the responsible use of generative artificial intelligence.

Why can’t we explore what requirements can be systematised and routinely actioned by small business in existing ‘natural business systems’ and already familiar digital platforms and software being used for accounting and single-touch-payroll reporting? Rather than sprinkle resources around in the hope it better equips small business, why not work with the likes of MYOB, Xero, Intuit and Hnry (just to name a few) to embed key duties and action steps into the software businesses use daily?

More than nine out of 10 businesses are currently exempt from the privacy laws. Getting this reform right offers a golden opportunity to extend protection for customers, staff and suppliers. But it will not succeed unless the real-world circumstances and limitations of time-poor and resource-constrained small businesses are honestly understood and embraced by policymakers to create a workable, mutually beneficial and secure system for everyone.
