More than a million small businesses could face an up-front cost of $3500 and an ongoing red-tape nightmare if new privacy law recommendations released today are adopted.
The Australian Law Reform Commission has recommended that the current exemption from privacy laws for businesses with less than $3 million revenue be abolished in a new discussion paper.
The recommendation comes despite Privacy Commissioner and Senate committee reports in recent years supporting the exemption, and widespread opposition to its abolition among business groups.
If the recommendation becomes law, previously exempt small businesses may have to contact any customers whose information they hold to inform them of their new obligations under privacy law, and possibly even obtain their consent for its continued use, according to Victoria Scott, a senior associate who specialises in privacy law with Minter Ellison.
And this could just be the beginning. Scott says business owners would also be required to:
- Develop their own privacy policies.
- Ensure they comply with the national privacy principles in relation to use, storage and disclosure of customer information.
- Ensure customers can access their personal information if they request it.
- Maintain an appropriate level of security for customer information and possibly inform them if there has been any breach.
- Train staff members in their obligations under privacy law.
Scott says it is likely business would have to obtain legal advice when assembling their privacy policy, as well as ensuring there is a staff member has been trained to maintain information and be a contact for customer queries.
The cost of having a basic privacy policy drafted and obtaining basic supporting information is currently $3500, the Australian Chamber of Commerce and Industry estimates, with ongoing costs associated with maintain and updating a secure information database.
The Australian Law Reform Commission (ALRC) discussion paper recognises that removing the small business exemption will have significant cost implications for small businesses, but says this is outweighed by the interest all consumers have in ensuring the private information is dealt with properly.
To help small business owners deal with the new obligations they would face, the ALRC recommends that the Office of the Privacy Commissioner establish a national small business advice hotline, develop educational materials on their obligations and publish privacy policy templates that business can use as a basis for their own policies.
Council of Small Business of Australia chief executive Tony Steven says he will be lobbying strongly against the recommendation becoming law.
This would be a “red-tape nightmare” for small businesses, Steven says. “There has got to be reasonable balance struck – this red-tape burden will end up in price rises for the consumer and a risk management nightmare for small business owners.”
The ALRC will now seek feedback on its discussion paper before providing a final report to the Federal Attorney-General by 3 March 2008.
For more on privacy, go to SmartCompany’s Tax/Legal Update on Privacy: Your obligations, your rights