Australian Small Business and Family Enterprise Ombudsman Bruce Billson interview with Leon Delaney.

Radio 2CC

Subject: Privacy changes coming for small business

Leon Delaney

Small businesses in Australia are facing new privacy rules, so the government is working on replacing the current arrangements. but what will they be replaced with, and will they be workable for small businesses? Well, I'm confused just so somebody who can straighten me out is the Australian Small Business and Family Enterprise Ombudsman, Bruce Billson.

Good afternoon. 

Bruce Billson

Leon, that's a big task. But maybe I can shed some light on this very important topic and, of concern to small business and understandably, their customers as well. 

Leon Delaney

Whenever a business collects any data, they have an obligation to keep that data safe. They need to protect our privacy, don't they? But that must be a unique challenge for small businesses. Surely the simple solution is don't collect customer data?

Bruce Billson

Well, that's part of the solution. I suppose that's the idea that we've been pushing forward. You and your listeners would know the Privacy Act brings with it some appropriate and big responsibilities for people that are collecting data. Businesses that may hold personally identifiable information that may, if inappropriately handled, represents a risk to their customers and, frankly, a risk to their business. That's been with us for some time.

But in the Privacy Act, there is a general exemption for most small businesses and guidance to them to not hold stuff they shouldn't, not collect data that they then use for other purposes, those sorts of things. So, whilst that long standing exemption has been earmarked for removal, what's less clear is what's going to replace it.

And certainly, just having the privacy principles applied as if a small business is a major corporation with privacy experts and lawyers on staff, that's no solution whatsoever. So what we urging the government to do is recognise, as I think most people do, in a digital economic world where data is a real currency in trade and commerce, the appropriate management of it is very important for customers, for security of systems, for the business itself. 

But don't apply a bunch of rules that are designed for big corporates when you're talking about a small local business. Come up with something that's right-sized, makes it very clear what's expected of those small businesses, and then everybody's interests are appropriately reflected. 

Leon Delaney

Now, I would imagine that a lot of small businesses might actually turn to third party providers for their customer data management systems, rather than trying to do it all themselves, just use some sort of outside provider. Shouldn't the onus then fall on that outside provider?

Bruce Billson

You can't contract out of your duties and responsibilities. So, in that scenario, if you are using an external provider and let's think about real estate - I think you and I had a giggle some years ago as I was trying to get a rental property in Canberra, waiting for a home to be built and my goodness, they wanted to even know the temperamental, how would you describe my dogs if they were a person? They wanted to know what the microchip was, and then they wanted to know who actually installed it and when, along with the vast array of personal information - If that fell into the wrong hands, it'd be a walk up start just to have identity theft writ large right before your eyes.

So, with that level of detail and sophisticated and really intrusive information being held, there's got to be commensurate responsibilities about how it's managed. So, in that case, if you are using an external provider, making sure that they are fulfilling the duties that are expected of you, that you've contracted out, that's part of that process. And that's an example of a straightforward piece of actionable information that should be provided to small business.

Who's holding your data? Do you need to have it in the first place? Are you routinely going about removing data that's no longer necessary? And how might doing that well, join up with other things that are interesting and important for the business around information management, protection against cyber attacks, and also improving the resilience of the business at a time when we know even big businesses might be the target of nefarious actors.

That's what we're saying. Join those things up. Understand the consumer interest but have a right size, able to be implemented approach for small business. 

Leon Delaney

Okay. You've been involved in the consultation process, getting a firm grasp on people's concerns over these issues. How’s the government addressing this? Are they near some sort of resolution where you know what exactly it is they're going to be putting forward?

Bruce Billson

Well, we hope we're getting closer. We have been involved in many elements of the consultative process, and we've been making these points quite clearly and quite consistently. Might be fair to say it hasn't always had an impact Leon ... and we've had to make those points a number of times. Also, for a lot of small business organisations that have been involved in them, they've also been making those points. 

A central view is don't just apply the big business privacy principles to a small business, as if it's some shrink-wrapped corporate entity. There is a need for a bespoke, right size and able to be implemented approach, and we've been urging that along with it being joined up with other things that are its close companions - information management, cyber protection. How do you make sure you can access the Consumer Data Right? Don't have them treated in separate silos that will leave time-poor and resource-stretched small businesses bewildered. Let's bring that together and have various arms of government collaborate on a meaningful and able to be implemented engagement with small business. 

Leon Delaney

You've also suggested that the principles that businesses will need to adhere to could actually be incorporated into some of the very commonplace software tools that they already use, like accounting software programs like MYOB or Xero. There's a range of different ones, but there's really only a handful that are widely used by almost every business, aren't they? So, if those measures could be implemented or in some way integrated in that software, that would be very helpful, wouldn't it? 

Bruce Billson

Well, that's what we've been proposing. We're saying use natural business systems. Where are businesses are already using systems that touch upon these duties and responsibilities and what can we do to actually embed processes in that software, so it just happens as a matter of course. 

For instance, if I'm onboarding a new staff member there’s particular disciplines around managing employee information. Well put that in as a natural process within a system you're already using, rather than having it sitting off to one side where you think, oh, I wonder what's required of me under these changes to the privacy arrangement. 

Have it used as embedded and a natural action step, along with what businesses are familiar with, that they're involved with on a daily basis. And that makes this not some overwhelming new compliance imposition. It's just a natural thing that's done as part of good practice, being implemented by good businesses. 

Leon Delaney

Indeed. Keep it simple, stupid. That's the basic principle. 

Bruce Billson

Look, you can call me stupid. I've been called other things Leon, but I'll go with that. Look, I get called Bill a lot.

Leon Delaney

I was quoting a commonly used piece of advice. I wasn't calling anybody names. 

Bruce Billson

I love it. And, you know, let's bring this home, though, for your listeners, knowing that information is being managed thoughtfully and carefully doesn't need to involve deep ponderance around principles and 20, 30, 40 hours navigating that framework.

For businesses themselves, an information breach can be a business-ending event. You'll lose the confidence of your customers. You might lose vital information. You might lose control of your systems. So, getting this right and seeing how it's adjacent to cyber security safeguards, information management and new opportunities like the Consumer Data Right. We think that integrated way forward with practical input information is the way to go.

Leon Delaney

Bruce, thanks very much for your time today. 

Bruce Billson

Good to be with you. 

Leon Delaney

Thank you. Bruce Billson, the Australian Small Business and Family Enterprise Ombudsman.