Small Businesses Could be Forced to Protect Customers' Personal Information

March 8, 2023

Small businesses with an annual turnover of $3 million or less — which are currently not required to protect your personal information or disclose how it is used — may soon have to comply with the Privacy Act.

A wideranging review of the Privacy Act by the Attorney-General's Department has laid out the case for scrapping the 20-year-old exemption, which was introduced prior to businesses' take-up of online platforms.

Australian Information and Privacy Commissioner Angelene Falk said the risk of small businesses falling victim to cybercrime was growing.

"While small businesses might be using their best efforts to protect personal information, there is no legal requirement to do so and therefore no recourse for individuals if their personal information is compromised," Ms Falk said.

"If they were to be brought into the act then they would need to tell their customers how they're handling personal information.

"They would have to have a privacy policy, they'd need to ensure that they kept personal information secure and delete it or de-identify it when it was no longer required for their purposes."

A majority of submitters to the review supported the reform, with business groups citing concerns the cost of compliance would severely damage the 2.5 million small businesses which had already suffered through the pandemic.

Change could be the end of some small businesses

Sydney travel agent Donna Meads-Barlow, who has 40 years of industry experience, said she might be forced to close her business if the exemption was removed.

"Pre-COVID, we were a very large business that was turning over in excess of $25 million," Ms Meads-Barlow said.

"Post-COVID, we are now a business that fits into that less than $3 million. We would be lucky if we have a gross revenue of $150,000.

"I understand cybersecurity and the Privacy Act, and I think it's very important, but for us to be able to report like big business does, that's a substantial cost that's required to a small business with very little income.

"If the exemption's scrapped, then there is an additional cost at my point. Having spent 40 years in the industry, that might be the end of me."

Deputy chair of the Council of Small Business Organisations Australia Elizabeth Skirving agreed the cost burden of removing the exemption was too high.

"We understand the concern people have with regard to privacy and data security, but we really believe there should be a scaled response as dealing with small businesses, they are resource and time poor," Ms Skirving said.

"Those businesses that are under $3 million that are currently exempt are made up of mum and dad families, are probably not the ones that are not going to be targeted for cyber acts, but also don't have the ability to buy really sophisticated software to cover off on that concern.

"The cost to business of putting that in place rather than having an impact from a cyber attack would certainly be best, but it's about a measured way of doing that so that it is a scaled response."