Housing and SME advocates mixed on Privacy Act changes

On Thursday, the Attorney-General Mark Dreyfus responded to his department’s review of the Privacy Act, agreeing with 38 of its 116 recommendations and agreeing in principle to 68 more, which will undergo further consultation. Consequently, the exemption on small businesses with a turnover of under $3 million is expected to be lifted.

Commenting on the proposal, Real Estate Institute of Australia (REIA) president Hayden Groves was critical of the government’s move, as the body had advocated for the exemption to remain in place.

It estimates the change will impact roughly 65 per cent of real estate businesses that fall within the current exemption.

Though he acknowledged that data privacy is an important issue, Mr Groves argued that the government has not adequately assessed the burden of the change on small businesses, with a promised cost-benefit analysis yet to materialise.

“We want to be good corporate citizens and work in partnership with government as we at the coalface know data protection is on the minds of Australia’s home buyers, renters and investors every single day.”

Continuing, he said: “We are another report down, with still no cost-benefit analysis or sector consultation plan available on small business exemptions or clarity on day-to-day marketing practices.

“The commitment to doing a cost-benefit analysis is both necessary and welcome but remains an open-ended and unclear exercise.”

The mortgage broking industry, meanwhile, welcomed the proposal to lift the small business exemption.

The Mortgage and Finance Association of Australia (MFAA) said it believes its members are already on the front foot with regards to data security.

The organisation’s head of policy and legal, Naveen Ahluwalia, commented: “In the course of helping their clients, mortgage and finance brokers handle personal information (including credit information and sometimes sensitive information), and therefore take their obligations to protect client information very seriously.

“Therefore, our members are already well-versed in ensuring the information that their clients trust them with is properly handled, is safe and is secure.”

Though Ms Ahluwalia noted extensive support will be needed for small businesses during the transition.

“As such in our submission to the review, we noted our support for the removal of the small-business exemption. However, in doing so, we also said it is critically important that there is deep consultation on what this will look like for small businesses, that small businesses feel properly supported and that there is a clear transition period for all small businesses to comply.”

Similarly, the managing director of the Finance Brokers Association of Australia (FBAA), Peter White, commented that the FBAA is “very supportive of the outcome”, adding that “it makes sense” that the exemptions should be removed to bring small businesses under the Privacy Act.

Mr White said: “We’ve seen so many cyber attacks over the recent 12–18 months [and] these things really need to be tightened. I don’t think that any of us should be slipping through the gap on that.”

He suggested that the government should roll out an awareness campaign about the changes to ensure that businesses being subject to the act are prepared ahead of the exemption being lifted.

The FBAA head commented: “The government has to do an education piece on this. You can’t expect people, who have been exempt for something and who have lost that exemption, to automatically be very quickly up to speed with it.

“The education piece needs to be thorough and clear and done with the right approach. That means that it should be something that people understand; not something that’s drafted by lawyers, and everybody is left scratching their heads going, ‘What the hell does that mean?’”

SME representatives have similarly supported the measures, but are calling for close consultation as the next steps are taken.

The Australian Small Business and Family Enterprise Ombudsman (ASBFEO) Bruce Billson also supported the decision to remove the exemption but said the government must work with the community on the undertaking.

“To make this change work and to provide confidence to the community, we need to have right-sized and appropriate requirements that are readily implementable by a small business,” he said.

“While the exemption is no longer tenable, nor is it practical to apply to a full suite of privacy principles to small business – principles that big business and government agencies need to decipher, interpret and apply to their circumstances – [given] a small or family business can never hope to have the resources or staff to navigate and implement.”

Chief executive of the Council of Small Business Organisations Australia (COSBOA) Luke Achterstraat said the body “accepts that the government has made that decision” to remove the exemption.

Mr Achterstraat added: “It’s about making sure in practical terms that it doesn’t impose unnecessary red tape onto small businesses and that small businesses are given the resources they need in practical terms to comply with the changes.

“We would encourage the government to do a really thorough and in-depth consultation program before implementation.

“It’s really important that there is adequate time because there will be significant costs to small businesses to adapt and adopt the various principles that are set out in the guidelines. We are urging the government to continue to work really credibly with small businesses to get the implementation right and ensure small businesses aren’t set up to fail.”