The Australian Information Industry Association (AIIA) has urged the Albanese government to release an exposure draft of proposed changes to the Privacy Act before the end of the year in the wake of a major data breach at Optus.

The AIIA believes that the process of updating the Privacy Act has been severely delayed and that urgent work needs to be done to ensure an up-to-date version of this legislative vehicle is in place to deal with current data and privacy concerns.

In a submission to the Privacy Act review discussion paper last year, the AIIA argued that the clause exempting small businesses from the requirements needs to be scraped, noting that a small business can create digital services that can host private financial data.

“The time has come for small businesses to fall under the Privacy Act and we would support measures to ensure SMEs can fully comply, including additional time for compliance and education,” AIIA CEO Simon Bush said in a statement on Thursday.

The AIIA’s views were recently supported by Information and Privacy commissioner Angelene Falk.

Speaking to ABC’s 7.30 earlier this week, Ms Falk said small companies should be obliged to hold data in the same way that their larger counterparts are.

“Currently, all organisations with an annual turnover of $3.1 million or more are covered by the Privacy Act, but I have recommended to government that it is time to relook at that small business exemption,” Ms Falk said.

“We can see now that even small businesses can hold vast arrays of data, you can develop an app in the garage and suddenly you have millions of Australians’ personal information, so they should be required to secure it in the same way that big companies do,” she added.

Last month, speaking on the ifa podcast, Adrian Johnstone, co-founder and president of Practifi, said that there is a distinct difference in how advice firms view cyber awareness.

“Depending on the firm, they either come up in fear and sometimes really genuine fear because there's a part… of understanding where your data is. What data do you have? Where is it? Who can see it? How is that accessible?” Mr Johnstone said.

His comments followed similar sentiments from Virtual Business Partners head, David Carney, who called for better management of cyber security risks following May's landmark ruling against RI Advice which saw the Federal Court find that the advice group failed to have adequate risk management systems to manage its cyber security risks.

According to ASIC, a “significant number” of cyber incidents occurred at authorised representatives of RI Advice between June 2014 and May 2020, including an incident where “an unknown malicious agent obtained, through a brute force attack, unauthorised access to an authorised representative’s file server from December 2017 to April 2018 before being detected, resulting in the potential compromise of confidential and sensitive personal information of several thousand clients and other persons”.

Mr Carney said the ruling has motivated licensees and insurers to “critically” examine their standards in an opinion piece published on ifa in August.