Publications / Intellectual Property

18 Feb 14
Imminent changes to the Privacy Act - Why you need to act now

Download PDF

Many companies don’t give a lot of attention to privacy and data protection law.  It is, after all, typically associated with a handful of data-intensive consumer businesses like telecommunications, banking and retail that have extensive loyalty programs and hold large amounts of consumer information.

However, the Privacy Act is due to change on 12 March 2014, with significant amendments coming into effect that will affect almost all industries.  That gives you less than a month to prepare.  These changes include:

  • the replacement of the existing National Privacy Principles (NPPs) for the private sector, and Information Privacy Principles (IPPs) for the public sector, with a harmonised set of Australian Privacy Principles (APPs)
  • new enforcement and investigative powers for the Information Commissioner
  • the implementation of a new civil penalties regime (including fines of up to $1.7 million), and
  • fundamental reforms to the credit reporting regime.

Personal information

Personal information is basically information which can be used to identify an individual.  Many businesses are surprised to learn the breadth of situations where personal information can be used day to day.  The collection and use of personal information does not only arise when a customer fills out an application form, or when a marketing database is acquired.  Some other ‘unexpected’ examples include:

  • keeping records of contractors who do work on site, timesheets, or even records of site visitors, which includes the collection and storage of personal information
  • using surveillance and safety cameras that capture images of individuals who can be identified involves the collection, storage and use of personal information (and you need privacy collection statements and privacy policies with mandatory inclusions to cover this)
  • keeping records of site accidents may involve the collection and storage of sensitive information, which is subject to higher standards than other personal information
  • sending project team details to a third party who is project managing a contract for you involves a third party disclosure, which should be identified in your privacy policy, and you should ensure you have the contractual power to ensure that the third party complies with a request to correct that personal information
  • using a cloud-based email, storage, backup or data-processing service provider may involve an overseas disclosure of personal information.  Not only do you have to cover this likely disclosure in your privacy policy, but you can be liable if the overseas company doesn’t handle the information properly, and
  • conducting credit checks on individuals will be subject to new rules because the credit reporting regime has been completely overhauled.

If your business undertakes in any of the activities mentioned above, then you need to think about how the changes will affect your business.  Some areas are easy – like updating your privacy collection statements and privacy policy - but others are harder and may involve a review or even renegotiation of your contracts with contractors, suppliers and others.

Key changes

The new APPs do much more than introduce a name change, they require organisations to ‘design for privacy’ when setting up (or revising) their business processes and introduce significant new obligations.

For example, there are new mandatory matters that must be dealt with in Privacy Policies and Privacy Collection Statements, new obligations about how to deal with unsolicited personal information, new rules regarding direct marketing – including a mandatory opt out notice in some cases, new rules about overseas disclosures of personal information (not to mention increased liability for disclosures by your third party service providers) and increased rights of individuals to access and correct their personal information.

These obligations mean businesses need to make sure they’ve reviewed their contracts with third parties to make sure their liability is covered, and they have the power to ensure their privacy processes are enforceable throughout their supply chain.

Civil penalties regime
The Commissioner can now investigate without a complaint and along with new powers, the commissioner is also armed with a new civil penalties regime.  Penalties of up to $340,000 for individuals, and $1.7m for corporations, can be imposed for breaches of the credit reporting regime, and for anyone who commits a serious or repeated interference with privacy.

Credit reporting regime
The credit reporting scheme has long been criticised for capturing only negative information.  This will change, with the capture of positive credit information (like regular payment histories) as well.  To address the increased volume of credit information held by credit reporting agencies, strict new rules will be introduced regarding the handling of credit information, and the civil penalties regime will apply to any breaches.

Next steps

Relying on existing policies, processes and contracts will not be enough to comply with the revised Privacy Act.  The new provisions will require a review of your policy documents and privacy statements, the implementation of internal policies to deal with information requests, and the updating of contracts with contractors and suppliers to ensure your liability for the actions of third parties is appropriately addressed, and you have the ability to enforce your privacy policies and procedures.

There are many issues to deal with, and they will be different for each business.  But your business needs to consider these issues now and allow time to implement all the necessary changes.  We can help you navigate the process.

We are running a seminar in our Sydney office on 12 March 2014 to discuss the changes in-depth and to show you how you can change your documentation and business processes to align with the changes and avoid any future penalties.  There will be an interactive discussion component so you can ask your key questions to the presenters directly.

To register your interest in the seminar, please click here.

Focus covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. Focus is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.

Download PDF


For further information please contact: