Compliance costs

39.144 ‘Compliance costs’ are defined as ‘the direct costs to businesses of performing the various tasks associated with complying with government regulation’.[202] One of the main arguments in favour of retaining the small business exemption is that previously exempt small businesses would incur significant compliance costs to ensure that they meet their obligations under the Privacy Act.

39.145 Business has identified privacy requirements as an important contributor to their cumulative regulatory burden. In its 2006 report, Rethinking Regulation, the Productivity Commission’s Taskforce on Reducing Regulatory Burdens on Business recommended that the Australian Government consider the impact of privacy requirements on business compliance costs in the context of a wider review of Australian privacy laws.[203]

39.146 In its 2006 report, The Victorian Regulatory System, the Victorian Competition and Efficiency Commission (VCEC) noted the challenge for government in assisting small businesses in complying with regulation, given the need to provide adequate protection to consumers, workers and the environment:

There are a number of ways of meeting this challenge. In some cases, there may be less onerous provisions in the regulations which relate to small businesses … or even exemptions … However, such approaches by favouring some businesses over others can distort markets, and discourage smaller businesses growing past such thresholds. Another approach, advocated by the United Kingdom’s Better Regulation Taskforce was to ‘think small first’ based on the assumption that regulation designed with the capacity and constraints of small business in mind would also be readily implemented by larger businesses.[204]

39.147 The VCEC went on to note that ‘another approach is to have a consistent regulatory system but to provide special assistance for smaller businesses’.[205]

Submissions and consultations

39.148 Many business and industry groups expressed concern that removing the small business exemption would increase the overall regulatory burden and compliance costs on small businesses.[206] For example, Australian Business Industrial submitted that, in a 2007 survey by the NSW Business Chambers,

77% of respondents reported that the cost of compliance with government regulations was of moderate or major concern in the context of their business, and 47% of respondents reported that specifically, compliance with privacy requirements was of moderate or major concern in the context of their business.[207] This is a high level of concern among our membership, particularly given that at this point in time, only approximately 45% of our members are currently required to comply with the NPPs.[208]

39.149 A number of stakeholders submitted that, if the small business exemption were removed, the costs of compliance would be significant.[209] It was suggested that the costs of compliance would include costs relating to:

  • 39.150 initial familiarisation with the new privacy regime;[210]

  • 39.151 conducting an initial privacy audit and a legal review;[211]

  • 39.152 developing a Privacy Policy;[212]

  • 39.153 obtaining advice from external sources, such as legal advice;[213]

  • 39.154 training and educating staff,[214] and appointing staff members to the role of privacy officers;[215]

  • 39.155 purchasing and maintaining information technology systems and administrative items to facilitate record keeping, such as filing cabinets that can be locked, paper shredders and computer software;[216]

  • 39.156 handling customers’ requests and complaints,[217] and obtaining consent from individuals for the collection and use of their personal information;[218]

  • 39.157 maintaining the security of personal information held and keeping such information up-to-date;[219] and

  • 39.158 conducting periodic privacy audits to delete records that are no longer required.[220]

39.159 In addition, the REIA submitted that removing the exemption would result in lost business opportunities in circumstances where restrictions on the use of information preclude normal activities that violate the Unified Privacy Principles (UPPs).[221]

39.160 Some stakeholders noted that certain compliance costs would be ongoing, including the cost of: implementing and updating the Privacy Policy;[222] keeping abreast of changes to privacy regulation;[223] dealing with customers’ complaints;[224] and management and staff time for reporting and training.[225]

39.161 The ACCI submitted that the total fixed costs to establish a simple privacy regime for an individual small business would be $3,500. It stated that:

Estimates of the legal costs for drafting a rudimentary privacy policy in 2007, though again tempered by the fact that the cost could vary considerably depending upon the characteristics of the business, were approximated at $2500. Supporting documentation, in terms of reference material such as the Federal Privacy Handbook and the Privacy [Compliance] Toolkit would now cost an additional $1000.[226]

39.162 Several stakeholders submitted that small businesses would be affected disproportionately by the need to comply with the Privacy Act compared to larger businesses because they do not have the same capacity and resources to comply with their regulatory obligations.[227] For example, the ACCI suggested that small businesses: have a narrower revenue base over which to spread the fixed costs of compliance; may not have in-house regulatory expertise to assist with compliance; may lack the time to keep abreast of regulatory developments; and may be discouraged by the complexity of regulation and the threat of penalties for even inadvertent non-compliance. The ACCI was of the view that regulation also can cause businesses to adjust their processes in ways that add to costs, and can make some commercial pursuits less viable or attractive.[228]

39.163 The AIG and AEEMA submitted that the compliance burden would fall disproportionately heavily on small businesses, because most of the costs involved would be fixed costs, which apply regardless of the size of the business.[229]

39.164 Other stakeholders submitted that any reform of the exemption should be subject to an appropriate consultation process. Abacus submitted that there should be appropriate consultation with affected industries and industry bodies to consider compliance and implementation issues and ensure that compliance costs would not be substantial.[230] Similarly, the Queensland Government submitted that the Australian Government should undertake significant consultation and develop strategies to assist small businesses before the removal of the exemption.[231]

39.165 The Government of South Australia suggested that any compliance costs would be proportional to the business size—if business operations were small, the costs of compliance would be low. It further noted that there are many ways to reduce unnecessary costs of compliance without having an exemption, such as providing small businesses with guidance on records management and collection.[232]

As many small businesses do not have significant holdings of personal information, the effect of removing the exemption on the cost burden of compliance is not expected to be significant … Minimising compliance costs should focus on unnecessary compliance cost, not compliance cost per se. There may be different ways and means to minimize unnecessary compliance costs, such as effective business awareness raising [and] more detailed and practical guidance from relevant government agencies, particularly the Office of the Federal Privacy Commissioner (through provision of sample privacy policies, manuals and training kits).[233]

39.166 PIAC noted that some small businesses, such as certain government-funded community organisations, already are required to comply with the Privacy Act. PIAC stated that, although such organisations received neither additional funding nor tax benefits to cover the costs of compliance, they did not have any difficulty in meeting their privacy obligations. PIAC submitted, therefore, that any argument that the exemption should not be removed on the basis of compliance costs is flawed.[234]

Estimated costs of compliance

39.167 In October 2007, the Office of Small Business (OSB) provided the ALRC with an estimate of the compliance costs for small businesses in the event that the small business exemption were to be removed.[235] The OSB estimated that the removal of the small business exemption would affect 1,805,000 businesses and result in a total cost on small business of $3.186 billion. The OSB also estimated that each small business would incur a start-up cost of $842 and an ongoing cost of $924 per year.[236]

39.168 In January 2008, the ALRC engaged an external consultant, Applied Economics, to provide an independent assessment of the likely costs of compliance that would result from the removal of the small business exemption.[237] The detailed cost estimate prepared by Applied Economics is attached to this Report as Appendix 4.

39.169 Applied Economics reviewed the OSB’s cost estimates and concluded that it overestimated both the number of businesses that would be affected by the removal of the exemption and the average compliance costs that would be incurred by an affected business. Applied Economics estimated that the removal of the small business exemption would affect about 1,685,000 businesses and result in a total cost on small business of $0.88 billion. It also estimated that each affected business would incur a start-up cost of $225 and ongoing annual costs of $301.

Number of businesses affected

39.170 One of the main differences between the estimates prepared by the OSB and those prepared by Applied Economics concerned the number of small businesses that would be affected by the removal of the small business exemption. As noted by Applied Economics, this calculation is complicated because under the Privacy Act ‘small business’ is defined as a business with an annual turnover of $3 million or less, while the ABS only publishes data on the number of businesses with an annual turnover of less than $2 million. There are no hard data on the number of businesses with an annual turnover of between $2 million and $3 million.[238] It also is difficult to determine the number of businesses that do not hold any personal information about their staff or customers, and thus would be unaffected in any practical sense even if they were formally brought under the Privacy Act.

39.171 In addition, as noted above, a number of small businesses already are covered by the Privacy Act—such as small businesses that trade in personal information without the consent of the individuals concerned, and those that provide a health service and hold certain personal health information. Both the OSB and Applied Economics noted the difficulty in identifying the number of small businesses that currently are covered by the Act.[239]

39.172 In estimating the number of businesses that would be affected by the removal of the small business exemption, the OSB apparently used the number of businesses that employ up to 19 people as a proxy for the number of businesses with an annual turnover of $3 million or less. The OSB noted that, as at June 2006, there were approximately 1.88 million small businesses with less than 20 staff, and 75,000 small businesses that provided health services. By subtracting the number of small businesses that provide health services from the estimated 1.88 million ‘small businesses’, the OSB estimated that 1,805,000 small businesses would be affected by the removal of the exemption.[240]

39.173 Applied Economics considered, however, that using the total number of businesses with up to 19 employees as a proxy for the number of businesses with an annual turnover of $3 million or less would be an overestimate. By analysing ABS data on the average turnover per employee, Applied Economics showed that in several industries, businesses with fewer than 20 employees could have a turnover of over $3 million. Since the ABS data shows that, as at June 2006, 1.84 million businesses had an annual turnover of less than $2 million, Applied Economics adopted the assumption that there are 1.86 million businesses with an annual turnover of $3 million or less.[241]

39.174 Applied Economics also noted that, although the OSB subtracted 75,000 small health businesses to account for small businesses that do not qualify for the small business exemption, the OSB did not take into account other small businesses that would not be affected by the removal of the exemption—including those that already are ineligible for the exemption, and those that do not employ any staff and hold no personal information. For example, some non-employing businesses hold no personal information because they operate on the basis of cash transactions—such as butchers, greengrocers, corner shops, convenience stores and some tradespeople. Other non-employing businesses do not hold any personal information because they only provide goods and services to the business sector, instead of to individuals—for example, consultants, business tradespeople, and owners or operators of trucks. On this basis, Applied Economics estimated that a further 100,000 businesses would not be affected by the extension of the Privacy Act to the small business sector. Consequently, Applied Economics estimated that 1.685 million small businesses would be affected by the removal of the small business exemption.

Compliance tasks

39.175 The OSB estimated that small businesses would have to complete a total of 11 tasks in order to comply with the Privacy Act, including: familiarisation with privacy legislation; conduct of a privacy audit; development of a privacy plan; amendment of existing business documentation; training of staff; purchase of a filing cabinet; purchase of a paper shredder; handling of customer complaints; record keeping; promulgation of Privacy Policy; and update or review of a Privacy Policy.[242]

39.176 While Applied Economics accepted the 11 compliance tasks involved, and adopted the OSB’s assumptions on the costs of labour,[243] it challenged some of the other assumptions. One of the major assumptions made by the OSB is that every small business would have to perform each of the 11 compliance tasks. For example, the OSB estimated that all 1.88 million small businesses would have to conduct two hours of privacy training for their staff, with 75% conducting the training ‘in-house’ at $26 per hour and 25% outsourcing this task to a professional at a cost of $100 each—resulting in a total weighted average cost of $89 for each small business.[244] As Applied Economics pointed out, however, the training of staff can apply only to businesses with employees. As at June 2006, there were 1,156,000 non-employing businesses in Australia. While this number includes some larger businesses that fall outside the small business exemption, the OSB’s assumption that all of the small businesses would have to train staff seems unlikely. According to the estimate by Applied Economics, only 649,000 small businesses were employing businesses, and therefore the weighted average cost per business should be $34.[245]

39.177 Applied Economics also queried the estimated costs on two grounds: first, whether there may be other, less expensive, ways to perform each of the compliance tasks; and secondly, whether some businesses already have taken some of these steps before they were required to do so. By analysing the OSB’s estimate on these two grounds, Applied Economics arrived at a lower average cost per business for 10 of the 11 compliance tasks. The following table compares the breakdown of the cost estimate prepared by the OSB and that prepared by Applied Economics:

Estimated weighted average cost per small business

| Task | OSB | Applied Economics |
|---|---|---|
| 1. Familiarisation with privacy legislation | $52.00 | $31.00 |
| 2. Conduct a privacy audit | $89.00 | $48.00 |
| 3. Develop a privacy plan | $133.50 | $16.00 |
| 4. Amend existing business documentation | $100.00 | $20.00 |
| 5. Train staff | $89.00 | $34.00 |
| 6. Purchase of a filing cabinet | $299.00 | $76.00 |
| 7. Purchase of a paper shredder | $79.00 | (combined with task 6) |
| Total start-up cost | $841.50 | $225.00 |
| 8. Handle customer complaints | $156.00 | $120.00 |
| 9. Record keeping | $229.84 | $112.00 |
| 10. Promulgate Privacy Policy | $499.00 | $30.00 |
| 11. Update / review Privacy Policy | $39.00 | $39.00 |
| Total ongoing cost | $923.84 | $301.00 |

39.178 An example of an alternative way to complete one of the compliance tasks concerned the publication of a Privacy Policy. The OSB assumed that the most streamlined approach to develop and publish a Privacy Policy would be to print 500 colour-printed flyers, at a cost of $499 per business, and distribute them on request.[246] Applied Economics, on the other hand, noted statistics published by the ABS showing that 40% of businesses with 5–15 employees have a website—and so could publish their Privacy Policy online at little or no cost. Further, Applied Economics estimated that 50% of businesses would create a Privacy Policy on their computer and print out copies of the document at a cost of $0.50 per copy, resulting in a total cost of $10 per business. It also was estimated that only 5% of small businesses—for example, those dealing with government or large corporations—may consider it necessary to have a colour-printed Privacy Policy available at a cost of $499 per business. Accordingly, Applied Economics estimated that, to complete the task of developing and publishing a Privacy Policy, each business would incur a weighted average cost of only $30.

39.179 Similarly, the OSB assumed that every small business affected would have to engage a legal professional to amend their existing business documentation, such as emails, advertising and contracts, to include general information on their Privacy Policy, and in some instances, consent and disclosure clauses.[247] Applied Economics, on the other hand, noted that many small businesses (eg, convenience stores and beauty parlours) operate on the basis of informal (oral) contracts, and that advertising by many small businesses would not require the provision of general information on their Privacy Policy. Accordingly, Applied Economics estimated that only 20% of small businesses would consider it necessary to engage a legal professional to amend their business documentation and the weighted averaged cost per business would be $20.

39.180 Further, the OSB estimated that every small business operator would have to purchase a ‘low range fully lockable filing cabinet’ and a low range paper shredder at a combined cost of $378.[248] However, Applied Economics estimated that only 20% of small businesses would need to purchase these items, the rest already possessing them for other record-keeping purposes (such as tax and business planning). It was estimated, therefore, that the weighted average cost only would amount to $76 per business.

[202] Australian Government, Best Practice Regulation Handbook (2007), 26.

[203] Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), rec 4.48.

[204] Victorian Competition and Efficiency Commission, The Victorian Regulatory System (2006), 26–27.

[205] Ibid, 27.

[206] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Motor Trades Association of Australia, Submission PR 470, 14 December 2007; Retail Motor Industry, Submission PR 407, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007; Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007; Real Estate Institute of Australia, Submission PR 84, 12 January 2007.

[207] See NSW Business Chambers, 2007 Australian Business Priorities—Fixing the Federation (2007), 20.

[208] Australian Business Industrial, Submission PR 444, 10 December 2007.

[209] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Motor Trades Association of Australia, Submission PR 470, 14 December 2007; Retail Motor Industry, Submission PR 407, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007; Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; AXA, Submission PR 119, 15 January 2007; Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007; Real Estate Institute of Australia, Submission PR 84, 12 January 2007.

[210] Council of Small Business of Australia, Submission PR 389, 6 December 2007.

[211] Ibid.

[212] Ibid.

[213] Retail Motor Industry, Submission PR 407, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007; Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; Real Estate Institute of Australia, Submission PR 84, 12 January 2007.

[214] Retail Motor Industry, Submission PR 407, 7 December 2007; Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007.

[215] Retail Motor Industry, Submission PR 407, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007; Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007; Real Estate Institute of Australia, Submission PR 84, 12 January 2007.

[216] Council of Small Business of Australia, Submission PR 389, 6 December 2007.

[217] Ibid; Real Estate Institute of Australia, Submission PR 84, 12 January 2007.

[218] Real Estate Institute of Australia, Submission PR 84, 12 January 2007.

[219] Council of Small Business of Australia, Submission PR 389, 6 December 2007; Real Estate Institute of Australia, Submission PR 84, 12 January 2007.

[220] Council of Small Business of Australia, Submission PR 389, 6 December 2007.

[221] Real Estate Institute of Australia, Submission PR 84, 12 January 2007.

[222] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.

[223] Council of Small Business of Australia, Submission PR 389, 6 December 2007.

[224] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.

[225] Retail Motor Industry, Submission PR 407, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007; Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.

[226] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.

[227] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007; Australian Institute of Company Directors, Submission PR 424, 7 December 2007; Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007. See also Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; AXA, Submission PR 119, 15 January 2007.

[228] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.

[229] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007.

[230] Abacus–Australian Mutuals, Submission PR 174, 6 February 2007.

[231] Queensland Government, Submission PR 490, 19 December 2007.

[232] Government of South Australia, Submission PR 187, 12 February 2007.

[233] Ibid.

[234] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[235] The estimate was calculated using the Australian Government Business Cost Calculator: Australian Government Office of Small Business, Costing into the Review of the Privacy Act 1988 (2007). The Australian Government Business Cost Calculator is an information technology-based tool designed to assist policy officers in estimating the compliance costs of different policy options on businesses: Australian Government, Best Practice Regulation Handbook (2007), 26.

[236] Australian Government Office of Small Business, Costing into the Review of the Privacy Act 1988 (2007).

[237] The Applied Economics cost estimate was prepared by Dr Peter Abelson and David Maynard. Notes on the authors appear in App 4.

[238] Australian Bureau of Statistics, Counts of Australian Businesses, 8165.0 (2007), 20.

[239] See Australian Government Office of Small Business, Costing into the Review of the Privacy Act 1988 (2007), 2; and the cost estimate prepared by Applied Economics in App 4 of this Report.

[240] Australian Government Office of Small Business, Costing into the Review of the Privacy Act 1988 (2007), 1, 3.

[241] See App 4 of this Report.

[242] Australian Government Office of Small Business, Costing into the Review of the Privacy Act 1988 (2007), 1.

[243] The OSB estimated that the costs of labour were $26 per hour for tasks performed ‘in-house’ and $100 per hour for tasks that are outsourced: Ibid, 3.

[244] Ibid, 6.

[245] See App 4 of this Report.

[246] Australian Government Office of Small Business, Costing into the Review of the Privacy Act 1988 (2007), 7–8.

[247] Ibid, 5.

[248] Ibid, 6–7.