The public rightly expects any personal information collected and stored by businesses – whether they are large or small – will be protected, says the Australian Small Business and Family Enterprise Ombudsman, Bruce Billson.
Mr. Billson supports the decision announced today by Attorney-General Mark Dreyfus to remove the privacy exemption for small business and is working with the Australian Government to ensure new regulations are right-sized and appropriate for small business, easy to implement with clear advice and timelines and will give confidence to customers.
“It is not credible for small business to have a blanket exemption from providing necessary and appropriate protection of the personal information they have about their customers, staff, and other businesses they are dealing with,” Mr Billson said.
“To make this change work and to provide confidence to the community, we need to have right-sized and appropriate requirements that are readily implementable by a small business.
“While the exemption is no longer tenable, nor is it practical to apply a full suite of privacy principles to a small business – principles that big business and government agencies need to decipher, interpret and apply to their circumstances which a small or family business can never hope to have the resources or staff to navigate and implement.”
Mr. Billson said he welcomed the Attorney-General’s acknowledgment of the special circumstances and limited time and resources of small business and that the exemption would only be removed following an impact analysis once what replaces it has been determined through consultation with the small business community, consideration of a support package and a transition period giving small businesses time to prepare.
“We have been engaging constructively with the Attorney-General and his department and look forward to continuing to do so to establish a right-sized, actionable, fit-for-purpose, and efficient approach to privacy protections and personal information management with appropriate support and guidance,” Mr Billson said.
“Small businesses will need clear guidance on the active steps they can take to protect the information of their customers, their staff, and themselves and to fulfill their responsibilities. This may include procedural templates, information guides, and checklists explaining the clear steps required to meet their privacy obligations.
“And it would be sensible to join this up with other important reforms around cyber risk management, Digital ID, payment times, deepening the digital engagement of small business and the responsible use of artificial intelligence.
“Small businesses themselves know they can lose business if customers lose confidence in their ability to protect personal information and will benefit from increased certainty around the way information is being managed and protected.
“A cyber hack or malicious information release is harmful at many levels, including for the targeted small business as it can irreparably damage the businesses’ ability to operate and it may never recover or re-earn the confidence of its employees, customers, suppliers, and partners.”