Small Business Ombudsman supports ‘right-sized’ privacy changes for SMEs

  • Legal

“THE PUBLIC rightly expects any personal information collected and stored by business – whether they are large or small – will be protected,” Australian Small Business and Family Enterprise Ombudsman, Bruce Billson has said in support of a Federal Government decision to remove a privacy exemption for the sector.

Mr Billson said he supported the decision by Attorney-General Mark Dreyfus to remove the privacy exemption for small business and is working with the Australian Government to ensure new regulations are “right-sized and appropriate” for small business, easy to implement, with clear advice and timelines “and will give confidence to customers”. 

“It is not credible for small business to have a blanket exemption from providing necessary and appropriate protection of the personal information they have about their customers, staff and other businesses they are dealing with,” Mr Billson said.  

“To make this change work and to provide confidence to the community, we need to have right-sized and appropriate requirements that are readily implementable by a small business.  

“While the exemption is no longer tenable, nor is it practical to apply to full suite of privacy principles to a small business – principles that big business and government agencies need to decipher, interpret and apply to their circumstances which a small or family business can never hope to have the resources or staff to navigate and implement.” 

Mr Billson said he welcomed the Attorney-General's acknowledgement of the special circumstances and limited time and resources of small business and that the exemption would only be removed following an impact analysis once what replaces it has been determined through consultation with the small business community, consideration of a support package and a transition period giving small businesses time to prepare. 

“We have been engaging constructively with the Attorney-General and his department and look forward to continuing to do so to establish a right-sized, actionable, fit-for-purpose and efficient approach to privacy protections and personal information management with appropriate support and guidance,” Mr Billson said. 

“Small businesses will need clear guidance on the active steps they can take to protect the information of their customers, their staff and themselves and to fulfil their responsibilities. This may include procedural templates, information guides and checklists explaining the clear steps required to meet their privacy obligations. 

“And it would be sensible to join this up with other important reforms around cyber risk management, Digital ID, payment times, deepening the digital engagement of small business and the responsible use of artificial intelligence (AI). 

“Small businesses themselves know they can lose business if customers lose confidence in their ability to protect personal information and will benefit from increased certainty around the way information is being managed and protected. 

“A cyber hack or malicious information release is harmful at many levels, including for the targeted small business as it can irreparably damage the businesses’ ability to operate and it may never recover or re-earn the confidence of its employees, customers, suppliers and partners.”

Contact Us


PO Box 2144