The Joint Select Committee on Cyber Safety has advised the Federal Government to amend the Privacy Act 1988 to ensure certain small businesses are subject to the requirements of the Act.
In its report on the enquiry into cyber-safety, the committee noted current Australian privacy legislation has exemptions for small businesses with an annual turnover of $3 million, resulting in a large proportion of the private sector not being subject to any privacy laws.
The committee recommended the Federal Government amend the exemptions for small businesses to ensure that those retaining “substantial” quantities of personal information or those which transfer personal information offshore, are subject to the regulations of the Act.
“I have identified in the submission the gaps in privacy laws, with one of the greatest being small business exemption and also the fact that privacy laws do not apply to individuals acting in a private capacity,” the report cited from the submission by the Victorian Privacy Commissioner.
The committee also suggested the Office of the Australian Privacy Commissioner (OAPC) undertake a review of small businesses with “significant data holdings”, and to make relevant recommendations to Government about expanding the categories of small businesses as prescribed in regulations of the Act.
According to the report, Australian organisations which transfer personal information offshore, including small businesses, should ensure the protection of the information at a level “at least equivalent to the protections under Australia’s privacy framework.
“Organisations may not require all the personal information they collect, other than to verify the provider’s identity,” the report reads. “If this information is not kept securely, it can be lost or disclosed to unauthorised persons. It may be transmitted and stored outside Australia, despite national and State/Territory privacy laws.”
“The effectiveness of privacy laws are limited in an online environment. Data is increasingly transmitted and stored globally despite privacy regulation occurring at a state and national jurisdictional level,” the report cited from the submission by the Victorian Privacy Commissioner.
The committee also found the Australian people and industry were divided on the benefits of establishing an office of an online ombudsman to “investigate, advocate and act” on cyber-safety issues.
Those for the creation of ombudsman noted the potential for an investigative function as well as a more transparent reporting location, while those against it reported concerns around duplicating existing facilities, the functions of the office, jurisdictional considerations and the timeliness of procedures.
“... to advocate and act on cyber-safety issues, and would suggest that it could be structured in such a way that enables and promotes engagement with education/academia/research, in addition to police and industry,” the report cited from a submission by the Australian University Cyberbullying Research Alliance.
Read more: Industry calls for more proportional limits to metadata retention
While the Office of Youth South Australia saw the establishment of an ombudsman office as a step towards addressing the lack of a clear agency to respond to cyber-safety issues and “quite a bit” of public confusion about where to go to seek help.
However, a number of organisations maintained an opposing stance, including the Australia Federal Police (AFP), who “did not see a need for an additional reporting point or investigative structure dedicated to cyber safety. Instead the AFP improved better coordination, longer term evaluation and policy synergies of existing cyber-safety programs.
Several industry groups recently highlighted the need to strengthen the Privacy Act 1988 to make information held by a company available to end users.
Follow Chloe Herrick on Twitter: @chloe_CW
Follow Computerworld Australia on Twitter: @ComputerworldAU