Minimising costs of compliance on small businesses

39.192 In DP 72, the ALRC acknowledged that removing the small business exemption would have compliance cost implications for small businesses. The ALRC expressed the view, however, that there are a number of ways that unnecessary compliance costs can be minimised, including by simplifying the Privacy Act and streamlining the privacy principles, and by assisting small businesses in understanding their regulatory rights and obligations.

Discussion Paper proposal

39.193 The ALRC proposed that, before the removal of the exemption, the OPC should provide dedicated assistance and support to small businesses, including: the establishment of a national helpline for small businesses; the development of educational materials; the provision of templates for Privacy Policies free of charge; and liaison with other government departments and industry bodies to provide educational programs targeted at small businesses.[254]

Submissions and consultations

39.194 A number of key stakeholders supported the proposal.[255] For example, Privacy NSW agreed that simplification of the Privacy Act, together with dedicated assistance by the OPC to small businesses, would help reduce compliance costs for small businesses.[256]

39.195 The Government of South Australia suggested that the Privacy Commissioner should provide significant support through those state and territory authorities that support businesses. Further, it submitted that the OPC may need to provide different levels of support to particular industries in order to target different areas of privacy risk, or at least encourage industry cooperation to minimise the costs of compliance on small businesses that hold a small amount of personal information.[257]

39.196 The Australasian Compliance Institute submitted that there should be guidance notes for use by small businesses about how to reduce the risk of identity theft. It also suggested that the use of audit powers by the OPC on its own motion would be of particular assistance to small businesses as an educative tool to assist them in identifying areas for improvement within their privacy compliance framework.[258]

39.197 The OVPC submitted that a staggered introduction of privacy regulation, with a longer lead time for smaller businesses, could be considered as a means of assisting small businesses to prepare for compliance with the Privacy Act. It suggested that, in determining the different commencement dates for businesses of different sizes, a simpler, more transparent measurement should be adopted instead of the ‘highly complex’ annual turnover criterion. The OVPC suggested that a sliding scale of commencement dates could be based on the ABS categorisation of businesses in terms of the number of employees.[259]

39.198 While supportive of the ALRC’s proposal, PIAC expressed concern that the proposal might be interpreted as making the removal of the small business exemption contingent upon the provision of support and advice by the OPC to small businesses. PIAC submitted that this could delay the removal of the exemption as well as other amendments to the Privacy Act indefinitely—which it regarded as inappropriate and unjustifiable. PIAC suggested that the removal of the exemption should take effect within a specific timeframe set in the legislation—for example, that the removal should take effect within three months of the enactment of the amended Privacy Act, and no more than 12 months after this time.[260]

39.199 Some stakeholders who opposed the removal of the small business exemption nevertheless supported the proposal that the OPC provide substantial assistance to small businesses.[261] For instance, the OPC stated that, if the small business exemption were to be removed, the ALRC’s proposal is ‘sensible and necessary to assist small business in understanding and meeting their obligations’. The OPC indicated that it should provide such support, as it is consistent with OPC’s functions under s 27(d) and (e) of the Privacy Act. It noted, however, that fulfilling the additional requirements would have resource implications.[262]

39.200 The Arts Law Centre of Australia submitted that assistance to small businesses should be extended to not-for-profit organisations in the event that the exemption is removed. In addition, it was of the view that there ‘should be support networks to assist people in adapting the templates to their needs’ and funding for the provision of legal advice to small businesses in understanding their privacy responsibilities.[263]

39.201 Some business and industry groups argued that the provision of substantial advice and assistance from the OPC would not be sufficient to outweigh the adverse impact of the removal of the small business exemption.[264] For example, Australian Business Industrial submitted that, while such advice and assistance would be essential in the event that the small business exemption is removed, it would not be sufficient to counterbalance the compliance costs involved in the removal of the exemption:

The difficulty in reaching and communicating with small business on these complex issues should not be underestimated. Small business are primarily concerned with the day-to-day running of their business, and often are unable to leave their workplace premises to attend training, or otherwise remain away from the ‘front of shop’ for any length of time, as they do not employ sufficient personnel to replace them.[265]

39.202 The Retail Motor Industry submitted that assistance and support from the OPC would not alleviate the concerns raised by small businesses that time would be taken away from their core business activities to ensure that their business is compliant with the UPPs.[266] COSBOA submitted that, while the initial implementation costs could be reduced by assistance from the OPC, the costs of compliance are ‘largely on-going or unavoidable in nature’ and would affect a large number of small businesses. In addition, it argued that there would be significant costs and resource implications for the OPC in providing such assistance and in regulating the small business sector.[267]

39.203 While recognising that dedicated assistance by the OPC would reduce the compliance burden on small businesses, CPA Australia Ltd made the point that the proposal did not recognise the cumulative effect that regulatory compliance has on businesses, and that the impact of regulation in one area should not be viewed in isolation from the effect of regulation on businesses in other areas.[268]

ALRC’s view

39.204 The ALRC acknowledges and is sensitive to the fact that removal of the exemption will result in compliance costs for small businesses. The main thrust of this Report is to simplify and harmonise privacy laws and practices in Australia, and the ALRC makes a large number of recommendations aimed at reducing the complexity of the existing regime—in itself a substantial cause of the current costs of compliance. In Chapter 5, the ALRC recommends that the Privacy Act be amended to achieve greater logical consistency, simplicity and clarity, and that the privacy principles be streamlined. The simplification of the legislation should go some way towards reducing unnecessary costs of compliance to small businesses.

39.205 Another way to reduce compliance costs to small businesses is by assisting them in understanding their regulatory rights and obligations.[269] This can be achieved by the OPC providing dedicated assistance and support to small businesses, which should include:

  • 39.206a special national helpline for small businesses, similar to the Australian Competition and Consumer Commission’s small business helpline;[270]

  • 39.207developing guidelines and other educational material;

  • 39.208providing templates for Privacy Policies free of charge; and

  • 39.209liaising with other government departments and industry bodies—such as the OSB, the Business Council of Australia and the ACCI—to provide educational programs targeted at small businesses.[271]

39.210 Such assistance should be in place before the removal of the exemption comes into effect. This will ensure that small businesses have sufficient time to understand their obligations under, and prepare for compliance with, the Privacy Act once the exemption is removed. Finally, it is essential that the OPC is resourced adequately to assist small businesses.

39.211 The ALRC acknowledges the concern that making the removal of the small business exemption contingent on assistance being provided by the OPC may delay indefinitely the removal of the exemption. While no recommendation is made for a fixed timeframe, the ALRC agrees that the removal of the exemption should come into force within a year from the enactment of the amended Privacy Act.

Recommendation 39-2 Before the removal of the small business exemption from the Privacy Act comes into effect, the Office of the Privacy Commissioner should provide support to small businesses to assist them in understanding and fulfilling their obligations under the Act, including by:

(a) establishing a national hotline to assist small businesses in complying with the Act;

(b) developing educational materials—including guidelines, information sheets, fact sheets and checklists—on the requirements under the Act;

(c) developing and publishing templates for small businesses to assist in preparing Privacy Policies, to be available electronically and in hard copy free of charge; and

(d) liaising with other Australian Government agencies, state and territory authorities and representative industry bodies to conduct programs to promote an understanding of the privacy principles.

[254] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 35–2.

[255] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Government of South Australia, Submission PR 565, 29 January 2008; National Legal Aid, Submission PR 521, 21 December 2007; Federation of Community Legal Centres (Vic), Submission PR 509, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[256] Privacy NSW, Submission PR 468, 14 December 2007.

[257] Government of South Australia, Submission PR 565, 29 January 2008.

[258] Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[259] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. The ABS defines ‘small businesses’ as businesses that employ less than 20 people (except in the agricultural industry). Small businesses are categorised into three groups—‘non-employing businesses’, ‘micro businesses’ with between one and four employees, and businesses with between five and 19 employees: Australian Bureau of Statistics, Characteristics of Small Businesses, Australia, 8127.0 (2005), 101.

[260] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[261] See, eg, Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Arts Law Centre of Australia, Submission PR 450, 7 December 2007 (endorsed by Contemporary Arts Organisations Australia, Submission PR 384, 6 December 2007).

[262] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[263] Arts Law Centre of Australia, Submission PR 450, 7 December 2007 (endorsed by Contemporary Arts Organisations Australia, Submission PR 384, 6 December 2007).

[264] Australian Business Industrial, Submission PR 444, 10 December 2007; Australian Institute of Company Directors, Submission PR 424, 7 December 2007; Retail Motor Industry, Submission PR 407, 7 December 2007; Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.

[265] Australian Business Industrial, Submission PR 444, 10 December 2007.

[266] See also Retail Motor Industry, Submission PR 407, 7 December 2007.

[267] Council of Small Business of Australia, Submission PR 389, 6 December 2007.

[268] CPA Australia, Submission PR 476, 14 December 2007.

[269] Small Business Ministers Council, Giving Small Business a Voice—Achieving Best Practice Consultation with Small Business (Endorsed Paper) (2000) Australian Government Office of Small Business.

[270] The helpline was established to assist small businesses in complying with the Trade Practices Act 1974 (Cth): Australian Competition and Consumer Commission, Easy Access for Small Business to Advice (2005) <www.accc.gov.au/content/index.phtml/itemId/718924> at 23 April 2008.

[271] It should be noted that, currently, the OPC provides several plain English resources to assist small businesses in understanding whether they are covered by the Privacy Act and, if so, their obligations under the Act, including, eg, Office of the Privacy Commissioner, A Snapshot of the Privacy Act for Small Business (Updated with Minor Amendments 27 November 2007) (2007); Office of the Privacy Commissioner, A Privacy Checklist for Small Business (Updated with Minor Amendments 27 November 2007) (2007); Office of the Privacy Commissioner, A Guide to Privacy for Small Business (Updated with Minor Amendments 27 November 2007) (2007).