Privacy Act: Industry bodies respond to proposed changes

Brokers could face penalties of $50 million for breaches

By Ryan Johnson

The federal government has committed to stronger privacy protections in a landmark review of the Privacy Act that brings Australia’s laws in line with international standards.

However, the changes could mean small businesses – including many brokerages and financial services companies – would be responsible for privacy breaches such as cyber-attacks.

With the maximum penalty for a company breaching the Privacy Act increasing from $2.5 million to $50 million last year, the industry’s peak bodies have responded to the changes – with one saying small businesses are the “biggest losers” regarding the bill. 

What is changing: The $3 million small business exemption removed

Most small businesses with an annual turnover of $3 million or less are currently exempted from the Privacy Act.

When the Privacy Act 1988 was extended to the private sector, it was considered that most small businesses posed a low risk to privacy and that compliance costs would disproportionately and unreasonably burden small businesses.

But now, as the government attempts to bring the Privacy Act into the digital age, that is about to change.

The Government has agreed in-principle that the small business exemption should be removed due to the risks to Australian customers in the current digital environment.

“The feedback provided to the review is very clear – the community expects that if they provide their personal information to a small business, it will be kept safe and not used in harmful ways,” the government said in its response to the Attorney General’s report delivered in February.

Responding to the government’s announcement, Attorney General Mark Dreyfus said Australians increasingly relied on digital technologies for work, education, health care and daily commercial transactions and to connect with loved ones.

“But when they are asked to hand over their personal data, they rightly expect it will be protected,” Dreyfus said.

Of course, this is only one aspect of a much larger discussion, which will become clearer as time goes on.

Mixed response from industry

There has been a mixed response from the industry bodies over the changes.

The Mortgage & Finance Association of Australia (MFAA) supported the removal of the small business exemption but recognised that there may be some impact to small brokerages.

The peak body acknowledged that mortgage and finance brokers handle personal information (including credit information and sometimes sensitive information) and take their obligations to protect client information “very seriously”.

“Therefore, our members are already well versed in ensuring the information that their clients trust them with is properly handled, is safe and is secure,” said the MFAA, which has over 14,500 members.

“However, it is critically important that there is deep consultation on what this will look like for small businesses, that small businesses feel properly supported and that there is a clear transition period for all small businesses to comply.”

Finance Brokers Association of Australia (FBAA) president Peter White AM agreed. 

"We have seen the impacts and issues caused by data hacking over the past 12 months or so, and we are all responsible to ensure we do all we can within our means and abilities to protect the confidential data we handle," White said.

However, the Commercial and Asset Finance Brokers Association (CAFBA) said with the current exemption being removed more businesses would be exposed.

“CAFBA members have always been aware of the sensitive client information they hold, however with the increasing sophistication of hackers it is always a challenge,” CAFBA said. “With examples of large multi-national firms succumbing, we will, through the consultation phase with Government assess the impact to small business.”

The strongest response came from the Real Estate Institute of Australia (REIA), which estimated 30,000 real estate businesses would lose their protection from the exemption, labelling the changes “regulatory overreach”.

Consequently, REIA does not support the changes and its president Hayden Groves said small businesses were “shaping up to be the biggest losers”.

“In real estate, helping Australians be successful in their real estate goals is our business and we want to deliver on our promise of protecting both our clients’ and prospects’ privacy,” Groves said.

“We are another report down, with still no cost benefit analysis or sector consultation plan available on small business exemptions or clarity on day-to-day marketing practices.

“The commitment to doing a cost benefit analysis is both necessary and welcome but remains an open ended and unclear exercise.”

Cyber safety essential as consultation continues

From here, the consultation with the industry begins.

The Attorney-General’s Department has committed to conducting an impact analysis and working with the community, business, media organisations and government agencies to inform the development of legislation and guidance material in this term of parliament.

The government said it would also consider appropriate transition periods as part of the development of any legislation.

CAFBA noted that the proposed legislation should not be introduced until the Digital ID Bill is implemented as this would “assist brokers securely identifying customers” and “there will be no need to hold this information”.

“CAFBA’s Compliance Committee is looking at ways to better assist members comply with the proposed legislation with the assistance of government.”

While the removal of the exemption may mean that small businesses are exposed to the Privacy Act penalty regime, the MFAA said it was important for all businesses to employ good cybersecurity practices, “irrespective of whether there is a regulatory imperative or not”.

“Brokers should be highly cognisant of continued risk of cyber-attacks, and what that means for their businesses and for their clients’ information. We continue to encourage our members to utilise the resources we have available to support them in ensuring their businesses are cyber-secure.”
