How will the new Privacy laws affect your organisation?

What are the changes?

Legislative changes to the Privacy Act 1988 (Cth) (Privacy Act) will come into effect on 12 March 2014.  The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Amendments) amends the Privacy Act by introducing:

  • a new definition of Personal Information;
  • the Australian Privacy Principles (APP);
  • a more comprehensive credit reporting system;
  • new provisions on privacy and credit reporting codes; and
  • new powers for the Privacy Commissioner

Changes to the definition of Personal Information

The current definition of Personal Information as contained in section 6 of the Privacy Act states that Personal Information is:

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.’

The new definition of Personal Information is:

‘personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is  recorded in a material form or not.’

What are the “APPs”?

  • The APPs create a single set of privacy principles that will apply to both Commonwealth agencies and private sector organisations.  Previously, the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) applied to the public and private sectors respectively.The APPs set out standards, rights and obligations in relation to the:
  • handling and maintenance of information by APP entities;
  • Privacy Commissioners dealing with privacy policies;  and
  • collection, storage, use and disclosure of personal information.
  • The Amendments create Schedule 1 to the Privacy Act which contain the APPs:
  • Australian Privacy Principle 1 – open and transparent management of Personal Information
  • Australian Privacy Principle 2–anonymity and pseudonymity
  • Australian Privacy Principle 3–collection of solicited Personal Information
  • Australian Privacy Principle 4–dealing with unsolicited Personal Information
  • Australian Privacy Principle 5–notification of the collection of Personal Information
  • Australian Privacy Principle 6–use or disclosure of Personal Information
  • Australian Privacy Principle 7–direct marketing
  • Australian Privacy Principle 8–cross-border disclosure of Personal Information
  • Australian Privacy Principle 9–adoption, use or disclosure of government related identifiers
  • Australian Privacy Principle 10–quality of Personal Information
  • Australian Privacy Principle 11–security of Personal Information
  • Australian Privacy Principle 12–access to Personal Information
  • Australian Privacy Principle 13–correction of Personal Information

New Powers

The Privacy Commissioner will have enhanced powers aimed to improve the Commissioners ability to:

  • resolve complaints;
  • conduct investigations; and
  • promote Privacy Act compliance.

New Penalties

Furthermore, the Privacy Commissioner will be able to apply to the Court for a civil penalty order against organisations for credit reporting breaches.

Penalties range from:

  •  $2,200 to $220,000 – for an individual; and
  • $110,000 to $1.1 million – for a company.

What does your organisation need to do?

Organisations should consider conducting a Privacy Act Compliance Audit (PACA) in order to determine any relative strengths and weaknesses in their business operations.  This may include an analysis and assessment of the following:

  • customer marketing material;
  • standard form terms and conditions;
  • privacy policies and procedures manuals;
  • collection, retention, use and disclosure of personal information;
  • IT and data storage processes;
  • website privacy policies;
  • e-commerce terms and conditions; and
  • employee privacy training.


The effect of the Amendments for organisations is the potential need to update and change current systems and processes before 12 March 2014.  This is particularly the case in relation to the way that current marketing and cross border data transfers are conducted.

Further information

If you need assistance in assessing whether or not your organisation is compliant with the Privacy Act contact us for an obligation free and confidential discussion.

Malcolm-Burrows-LawyerMalcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
Telephone: (07) 3221 0013
Fax: (07) 3221 0031
Mobile: 0419 726 535




This article contains general commentary only.  You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

Send this to a friend