Publications / Resources

2 Aug 13
Changes to the Privacy Act

Download PDF

Why the resources and construction industries need to act now

Many companies operating in the resources and construction industries do not give a lot of attention to privacy and data protection law.  It is, after all, typically associated with data-intensive consumer businesses like telecommunications, banking and retail that have extensive loyalty programs and hold large amounts of consumer information.

However with significant amendments to the Privacy Act coming into effect on 12 March 2014, the changes will affect almost all industries, including resources and construction.  The changes include:

  • the replacement of the existing National Privacy Principles (NPPs) for the private sector, and Information Privacy Principles (IPPs) for the public sector with a harmonised set of Australian Privacy Principles (APPs)
  • new enforcement and investigative powers for the Information Commissioner
  • the implementation of a new civil penalties regime (including fines of up to $1.7 million), and
  • fundamental reform to the credit reporting regime.

Personal information

Personal information is basically data which can be used to identify an individual.  To give you an idea of how personal information is collected, typical examples within the resources and construction industries include:

  • keeping records of contractors who work on site, timesheets, or even records of site visitors involves the collection and storage of personal information
  • using surveillance and safety cameras that capture images of identifiable individuals involves the collection, storage and use of personal information (requiring privacy collection statements and privacy policies with mandatory inclusions to cover this)
  • keeping records of site accidents may involve the collection and storage of sensitive information, which is subject to higher standards than other personal information
  • sending personal information to a project manager, engineering, architectural or a parent company overseas, there may be an overseas disclosure of personal information, and you can be liable if that company does not handle the information properly, and
  • conducting credit checks on contractors which will be subject to new rules due to the overhaul of the credit reporting regime.

If your business carries out any of those activities, then you need to think about how to do that once the changes come into effect.  Some things are easy - like updating your privacy collection statements and privacy policy - but others are harder and may involve a review or even renegotiation of your contracts with contractors, suppliers and others.

Key changes

The new APPs do much more than introduce a name change, they require organisations to ‘design for privacy’ when setting up (or revising) their business processes and introduce significant new obligations. 

For example, there are new mandatory matters that must be addressed in Privacy Policies and Privacy Collection Statements, new obligations about how to deal with unsolicited personal information, new rules regarding direct marketing – including a mandatory opt out notice in some cases, new rules about overseas disclosures of personal information (not to mention increased liability for disclosures by your third party service providers) and increased rights of individuals to access and correct their personal information.

These obligations mean businesses need to ensure they’ve reviewed their contracts with third parties to make sure their liability is covered, and they have the power to ensure their privacy processes are enforceable throughout their supply chain.

Civil penalties regime
The Commissioner can now investigate without a complaint and along with new powers is also armed with a new civil penalties regime.  Penalties of up to $340,000 for individuals, and $1.7m for corporations, can be imposed for breaches of the credit reporting regime, and for anyone who commits a serious or repeated interference with privacy.

Credit reporting regime
The credit reporting scheme has long been criticised for capturing only negative information.  This will change, with the capture of positive credit information (like regular payment histories) as well.  To address the increased volume of credit information held by credit reporting agencies, strict new rules will be introduced regarding the handling of credit information, and the civil penalties regime will apply to any breaches.

Next steps

Relying on existing policies, processes and contracts will not be enough to comply with the revised Privacy Act.  The new provisions will require a review of your policy documents and privacy statements and the implementation of internal policies to deal with information requests.  Contracts with contractors and suppliers will need to be updated to ensure your liability for the actions of third parties is appropriately addressed.  The Privacy Act will require you, and you will have the ability to, enforce your privacy policies and procedures.

There are many issues to deal with, and they will be different for each business.  But your business needs to consider these issues now and allow time to implement all the necessary changes.  We can help you navigate the process.

We are running a series of seminars to discuss the changes in-depth and to show you how you can best prepare for the changes and avoid any future penalties.  There will be an interactive discussion component so you can ask your key questions to the presenters directly.  The seminar dates are:

Focus covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. Focus is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.

Download PDF

In this section