Small business privacy laws in parliamentary crosshairs

Powered by SC Magazine
 

Parliamentary Committee calls for abolition of Privacy Act exemptions.

The Australian Parliamentary Cyber-Safety Committee has called for the scrapping of an exemption that exempted small businesses from Australia’s Privacy Act.

In a report tabled yesterday, the committee said it was concerned that small businesses with annual turnovers of $3 million or less were exempt from the Privacy Act 1988.

It recommended that the Government consider dropping small business exemptions and undertake a review of categories of businesses with “significant personal data holdings”.

“A large proportion of the Australian private sector is not subject to any privacy laws,” the committee wrote.

“Such legislation may be insufficient to protect young people from cyber-safety risks occurring as a result of individuals acting in private capacities.”

According to the Office of the Information Commissioner, businesses subject to the Privacy Act are required to:

  • Inform users about the collection of personal information and how the information will be used;
  • Not share personal information without notifying users, and only use personal information in ways users might expect;
  • Allow users to see any information that the business holds about them, if they ask;
  • Keep personal information safe; and
  • Inform users, if they ask, about how the business handles personal information.

Internet Industry Association CEO Peter Coroneos expected a majority of online businesses to comply with most of those requirements – whether or not they were legally obliged to.

“To the end user, the size of a business is not the critical determinant of their propensity to interact with the business; the critical determinant is whether they feel safe,” he said.

“Certainly in the internet space, small businesses have as much to gain from complying, because it speaks to the issue of trust.”

Outside of the online environment, however, the cost of complying with the Privacy Act may be less attractive to small businesses.

Robert Mallett, general manager of the Council of Small Businesses of Australia (COSBOA), said many small businesses lacked both knowledge of privacy regulations and the skills required to comply.

“Added compliance is just making it burdensome for small businesses,” he told iTnews.

Compared to large organisations like Telstra, Apple and Woolworths, small businesses had a “far smaller capacity” to harvest personal information, and thus posed less risk, Mallett said.

Instead of introducing new laws, he urged the Government to focus on “high-risk” areas and policing, noting that existing, unenforced laws made it “grossly uncompetitive” for businesses that chose to comply.

Additionally, Mallett said there was “no empirical evidence” to support the introduction of privacy laws for small businesses.

“I’ve not heard of any complaints of a small business using customer data for the wrong reasons,” he said.

The Office of the Information Commissioner told iTnews that it was unable to provide data about privacy breaches by small businesses, as that did not come under its jurisdiction.

Mandatory or voluntary compliance?

Yesterday’s small business recommendations by the 12-person Joint Select Committee on Cyber-Safety echoed those in an April 2011 report on online privacy by a separate committee that shared two of its members.

The Australian Law Reform Commission (ALRC) also raised the issue in 2008, which found the exemptions “neither necessary nor justifiable” despite the burden compliance would place on businesses.

The Government has not yet formulated a response to that ALRC recommendation.

Although he welcomed parliamentary debate on small business privacy practices, the IIA’s Coroneos said black letter law might not be the solution.

Instead of introducing new legislation, Coroneos recommended that the Government get behind more flexible industry codes of practice.

In 2003, the IIA approached the Privacy Commissioner to register a voluntary Privacy Code of Practice (pdf), designed to target personal information protection and spam.

Those efforts were discontinued due to technical, legal hurdles within the Privacy Act, as well as the introduction of the Spam Act 2003.

“In the internet industry in particular, the environment is always changing. Legislation is not very good at adapting to technological changes,” Coroneos told iTnews.

“I wouldn’t necessarily be arguing for new laws for small businesses; where we need to look is changing the Act to permit the registration of the kind of codes that we were trying to introduce.

“Maybe there’s a middle ground where you might incorporate some of those elements [of the Privacy Act] and not others, and take a granular approach.”

Copyright © iTnews.com.au . All rights reserved.


Small business privacy laws in parliamentary crosshairs
Tags
 
 
 
Top Stories
Making a case for collaboration
[Blog post] Tap into your company’s people power.
 
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
 
Tracking the year of CIO churn
[Blog post] Who shone through in 12 months of disruption?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
This 4G smartphone costs $219
Sep 3, 2014
It's possible to spend a lot less on a smartphone if you're prepared to go with a brand you ...
Looking for storage? Seagate has five new small business NAS devices
Aug 22, 2014
Seagate has announced a new portfolio of Networked Attached Storage (NAS) solutions specifically ...
Run a small business in western Sydney?
Aug 15, 2014
This event might be of interest if you're looking to meet other people with a similar interest ...
Buying a tablet? Microsoft's Surface Pro 3 goes on sale this month
Aug 8, 2014
Microsoft has announced its Surface Pro 3 will go on sale in Australia on 28 August from ...
Apple's top MacBook Pro with Retina is now cheaper
Aug 1, 2014
Apple has updated its MacBook Pro range with faster processors and new pricing, including ...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  68%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1048

Vote