ABC News
Business
political reporter Nicole Hegarty

Small businesses could be forced to protect customers' personal information, under government changes to Privacy Act

Small businesses are currently exempt from privacy protection requirements. (ABC News: Jack Fisher)

Small businesses with an annual turnover of $3 million or less — which are currently not required to protect your personal information or disclose how it is used — may soon have to comply with the Privacy Act.

A wide-ranging review of the Privacy Act by the Attorney-General's Department has laid out the case for scrapping the 20-year-old exemption, which was introduced before businesses' take-up of online platforms.

Australian Information and Privacy Commissioner Angelene Falk said the risk of small businesses falling victim to cybercrime was growing.

"While small businesses might be using their best efforts to protect personal information, there is no legal requirement to do so and therefore no recourse for individuals if their personal information is compromised," Ms Falk said.

"If they were to be brought into the act then they would need to tell their customers how they're handling personal information.

"They would have to have a privacy policy, they'd need to ensure that they kept personal information secure and delete it or de-identify it when it was no longer required for their purposes."

A majority of submitters to the review supported the reform, with business groups citing concerns the cost of compliance would severely damage the 2.5 million small businesses which had already suffered through the pandemic.

Change could be the end of some small businesses

Sydney travel agent Donna Meads-Barlow, who has 40 years of industry experience, said she might be forced to close her business if the exemption was removed.

"Pre-COVID, we were a very large business that was turning over in excess of $25 million," Ms Meads-Barlow said.

"Post-COVID, we are now a business that fits into that less than $3 million. We would be lucky if we have a gross revenue of $150,000.

"I understand cybersecurity and the Privacy Act, and I think it's very important, but for us to be able to report like big business does, that's a substantial cost that's required to a small business with very little income.

"If the exemption's scrapped, then there is an additional cost at my point. Having spent 40 years in the industry, that might be the end of me."

Deputy chair of the Council of Small Business Organisations Australia Elizabeth Skirving agreed the cost burden of removing the exemption was too high.

"We understand the concern people have with regard to privacy and data security, but we really believe there should be a scaled response as dealing with small businesses, they are resource and time poor," Ms Skirving said.

"Those businesses that are under $3 million that are currently exempt are made up of mum and dad families, are probably not the ones that are not going to be targeted for cyber acts, but also don't have the ability to buy really sophisticated software to cover off on that concern.

"The cost to business of putting that in place rather than having an impact from a cyber attack would certainly be best, but it's about a measured way of doing that so that it is a scaled response."

Small businesses no longer low risk

The Actuaries Institute has compiled evidence that hackers view smaller businesses as easier targets.

The Australian Cyber Security Centre last year found small businesses faced an average cost of $39,000 per cybercrime report.

RMIT cyber security expert Matt Warren said limited budgets left small businesses vulnerable.

"The government, from a cybersecurity perspective, sees small businesses as very much a weak link," Professor Warren said.

"They don't necessarily have the expertise or the systems in place to protect the information they hold, but yet they can hold credit card details, passport details — anything a cyber attacker would be interested in.

"With the Privacy Act, data about Australian citizens has to reside within Australia but, because small businesses have been exempt, if they use a cloud service provider to store their data and they've picked the cheapest system, there was never a requirement for them to ask the question."

The federal government has not made a decision on the proposal. Consultation is closing at the end of the month.
