Small business privacy laws in parliamentary crosshairs

Powered by SC Magazine

Parliamentary Committee calls for abolition of Privacy Act exemptions.

The Australian Parliamentary Cyber-Safety Committee has called for the scrapping of an exemption that exempted small businesses from Australia’s Privacy Act.

In a report tabled yesterday, the committee said it was concerned that small businesses with annual turnovers of $3 million or less were exempt from the Privacy Act 1988.

It recommended that the Government consider dropping small business exemptions and undertake a review of categories of businesses with “significant personal data holdings”.

“A large proportion of the Australian private sector is not subject to any privacy laws,” the committee wrote.

“Such legislation may be insufficient to protect young people from cyber-safety risks occurring as a result of individuals acting in private capacities.”

According to the Office of the Information Commissioner, businesses subject to the Privacy Act are required to:

  • Inform users about the collection of personal information and how the information will be used;
  • Not share personal information without notifying users, and only use personal information in ways users might expect;
  • Allow users to see any information that the business holds about them, if they ask;
  • Keep personal information safe; and
  • Inform users, if they ask, about how the business handles personal information.

Internet Industry Association CEO Peter Coroneos expected a majority of online businesses to comply with most of those requirements – whether or not they were legally obliged to.

“To the end user, the size of a business is not the critical determinant of their propensity to interact with the business; the critical determinant is whether they feel safe,” he said.

“Certainly in the internet space, small businesses have as much to gain from complying, because it speaks to the issue of trust.”

Outside of the online environment, however, the cost of complying with the Privacy Act may be less attractive to small businesses.

Robert Mallett, general manager of the Council of Small Businesses of Australia (COSBOA), said many small businesses lacked both knowledge of privacy regulations and the skills required to comply.

“Added compliance is just making it burdensome for small businesses,” he told iTnews.

Compared to large organisations like Telstra, Apple and Woolworths, small businesses had a “far smaller capacity” to harvest personal information, and thus posed less risk, Mallett said.

Instead of introducing new laws, he urged the Government to focus on “high-risk” areas and policing, noting that existing, unenforced laws made it “grossly uncompetitive” for businesses that chose to comply.

Additionally, Mallett said there was “no empirical evidence” to support the introduction of privacy laws for small businesses.

“I’ve not heard of any complaints of a small business using customer data for the wrong reasons,” he said.

The Office of the Information Commissioner told iTnews that it was unable to provide data about privacy breaches by small businesses, as that did not come under its jurisdiction.

Mandatory or voluntary compliance?

Yesterday’s small business recommendations by the 12-person Joint Select Committee on Cyber-Safety echoed those in an April 2011 report on online privacy by a separate committee that shared two of its members.

The Australian Law Reform Commission (ALRC) also raised the issue in 2008, which found the exemptions “neither necessary nor justifiable” despite the burden compliance would place on businesses.

The Government has not yet formulated a response to that ALRC recommendation.

Although he welcomed parliamentary debate on small business privacy practices, the IIA’s Coroneos said black letter law might not be the solution.

Instead of introducing new legislation, Coroneos recommended that the Government get behind more flexible industry codes of practice.

In 2003, the IIA approached the Privacy Commissioner to register a voluntary Privacy Code of Practice (pdf), designed to target personal information protection and spam.

Those efforts were discontinued due to technical, legal hurdles within the Privacy Act, as well as the introduction of the Spam Act 2003.

“In the internet industry in particular, the environment is always changing. Legislation is not very good at adapting to technological changes,” Coroneos told iTnews.

“I wouldn’t necessarily be arguing for new laws for small businesses; where we need to look is changing the Act to permit the registration of the kind of codes that we were trying to introduce.

“Maybe there’s a middle ground where you might incorporate some of those elements [of the Privacy Act] and not others, and take a granular approach.”

Copyright © . All rights reserved.

Small business privacy laws in parliamentary crosshairs
Top Stories
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
The CISO’s dilemma: Do you trust your partner’s partner?
[Blog post] How far down the chain do you check?
Sign up to receive iTnews email bulletins
Latest articles on BIT Latest Articles from BIT
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Optus expands 4G coverage
Oct 10, 2014
If you rely on an Optus phone for work you might be interested to know that there are now 200 ...
Microsoft Office is now free for some charities
Oct 10, 2014
Microsoft has announced that eligible Australian non-profit organisations and charities can now ...
Vodafone lights up 4G in Adelaide
Oct 9, 2014
Live and work in Adelaide? Vodafone has switched on its 4G network in the city and suburbs.
Next year tradies will be able to take payments using ingogo
Oct 3, 2014
Ingogo is going to provide a card payment service for Xero users.
Latest Comments
In which area is your IT shop hiring the most staff?

   |   View results
IT security and risk
Sourcing and strategy
IT infrastructure (servers, storage, networking)
End user computing (desktops, mobiles, apps)
Software development

Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results