Part 1 - The Privacy Act 1988 and Australian Privacy Principles

Posted on 04 February 2014

In our first of three (3) part blog on the amendments to the Privacy Act 1988 (Privacy Act) we address the new Australian Privacy Principles (APP) that commence on 12 March 2014 and changes businesses will need to implement in order to comply with the Privacy Act. 

New amendments to the Privacy Act

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (PA Act) was introduced to Parliament on 23 May 2012 and was passed on 29 November 2012. The PA Act is a new phase of the privacy law reform process that began in back in 2006 and introduces some significant changes to the Privacy Act. The object of the PA Act is set out in the explanatory memorandum and includes the following:

  • to create a single set of APP's applying to both Australian Government agencies and the private sector. These principles will replace the existing Information Privacy Principles and National Privacy Principles;
  • to introduce more comprehensive credit reporting, improved privacy protections and more logical, consistent and simple language;
  • strengthen the functions and powers of the Australian Information Commissioner to resolve complaints, use external dispute resolution services, conduct investigations and promote compliance; and
  • create new provisions on privacy codes and the credit reporting code, including codes that will be binding on specified agencies and organisations.

Australian Privacy Principles

The APP's set out standards, rights and obligations in relation to the handling and maintenance of personal information by APP entities, including dealing with privacy policies and the collection, storage, use, disclosure, quality and security of personal information, and access and correction rights of individuals in relation to their personal information.

Under the changes, there will be 13 new APPs. The APP's are grouped into five sets of principles:

  • Principles that require APP entities to consider the privacy of personal information, including ensuring that APP entities manage personal information in an open and transparent way (APP 1, APP 2);
  • Principles that deal with the collection of personal information, including unsolicited personal information (APP 3, APP 4, APP 5);
  • Principles about how APP entities deal with personal information and government related identifiers, including principles about the use and disclosure (including cross-
  • border disclosure) of personal information and identifiers (APP 6, APP 7, APP 8,
  • APP 9);
  • Principles about the integrity, quality and security of personal information (APP 10, APP 11);
  • Principles that deal with requests for access to, and correction of, personal information (APP 12, APP 13).

 A number of the APPs are significantly different from the existing Information Privacy Principles and National Privacy Principles, including APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on cross-border disclosure of personal information.

Mandatory Privacy Policies

All businesses regulated by the Privacy Act must have a published privacy policy by 12 March 2014. The new APP 1 sets out the information which a privacy policy must contain and maintains the existing obligations to clearly disclose the kind of personal information which an entity collects, how that information is collected, the purposes for which it is collected, and how it may be used or disclosed. In addition, it is now mandatory to include how an individual may complain about a privacy breach, how an organisation will deal with such a complaint, whether or not personal information is likely to be transferred overseas, and if possible the countries to which it is likely that personal information will be transferred.

From 12 March 2014, organisations subject to the amended Privacy Act face maximum penalties of $340,000 for individuals and $1.7 million for corporations for breaches. The fines will be sought from the Court by the Privacy Commissioner and will be handed down to organisations for serious or repeated violations of the APP's. In addition, there is also the possibility of actions for misleading and deceptive conduct under the Australian Consumer Law for organisations that breach the APP's.

To ensure compliance with new laws, businesses need to review their privacy policies, data collection and handling policies, and third party IT and data management contracts to ensure that they fulfil their obligations under the Privacy Act in 2014.

If you need further information on the Privacy Act and the APP's please contact us.