Small businesses with an annual turnover of $3 million or less — who are currently not required to protect your personal information, or disclose how it is used — could soon have to comply with the Privacy Act.
Key points:
- Small business groups say scrapping an exemption to the Privacy Act could send them bust
- Businesses with a turnover of less than $3 million currently do not have to comply
- The government is yet to announce what proposals it will adopt
A wide-ranging review of the Privacy Act by the Attorney-General's Department has laid out the case for scrapping the 20-year-old exemption, which was introduced before businesses took up online platforms.
The Australian Information and Privacy Commissioner, Angelene Falk, said the risk of small businesses falling victim to cybercrime was growing.
"While small businesses might be using their best efforts to protect personal information, there is no legal requirement to do so and therefore no recourse for individuals if their personal information is compromised," Commissioner Falk said.
"If they were to be brought into the act then they would need to tell their customers how they're handling personal information.
"They would have to have a privacy policy, they'd need to ensure that they kept personal information secure and delete it or de-identify it when it was no longer required for their purposes."
A majority of submitters to the review supported the reform, with business groups citing concerns that the cost of compliance would severely damage the 2.5 million small businesses which had already suffered through the pandemic.
Change could 'be the end' of some small businesses
Sydney travel agent Donna Meads-Barlow, who has 40 years of industry experience, said she may be forced to close her business if the exemption was removed.
"Pre-COVID we were a very large business that was turning over in excess of $25 million," Ms Meads-Barlow said.
"Post-COVID we are now a business that fits into that less than three million. We would be lucky if we have a gross revenue of $150,000.
"I understand cyber security and the Privacy Act and I think it's very important, but for us to be able to report like big business does, that's a substantial cost that's required of a small business with very little income.
"If the exemption's scrapped then there is an additional cost; at my point, having spent 40 years in the industry, that might be the end of me."
The deputy chair of the Council of Small Business Organisations Australia, Elizabeth Skirving, agreed the cost burden of removing the exemption was too high.
"We understand the concern people have with regard to privacy and data security, but we really believe there should be a scaled response as, dealing with small businesses, they are resource- and time-poor," Ms Skirving said.
"Those businesses that are under 3 million that are currently exempt are made up of mum and dad families, are probably not the ones that are going to be targeted for cyber acts, but also don't have the ability to buy really sophisticated software to cover off on that concern.
"The cost to business of putting that in place rather than having an impact from a cyber-attack would certainly be best, but it's about a measured way of doing that so that it is a scaled response."
Small business no longer low risk
The Actuaries Institute has compiled evidence that hackers viewed smaller businesses as easier targets.
The Australian Cyber Security Centre last year found small businesses faced an average cost of $39,000 per cybercrime report.
RMIT cyber security expert Professor Matt Warren said limited budgets leave small businesses vulnerable.
"The government from a cyber security perspective sees small businesses as very much a weak link," Professor Warren said.
"They don't necessarily have the expertise or the systems in place to protect the information they hold, but yet they can hold credit card details, passport details, anything a cyber attacker would be interested in.
"With the Privacy Act, data about Australian citizens has to reside within Australia, but because small businesses have been exempt, if they use a cloud service provider to store their data and they've picked the cheapest system, there was never a requirement for them to ask the question."
The Federal Government has not made a decision on the proposal, with consultation closing at the end of the month.