Reforms to the Privacy Act

In December 2012 the Privacy Act 1988 (Cth) was overhauled via the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Reform Act).  These reforms will take effect on 12 March 2014.

The Reform Act has created a set of new, harmonised privacy principles, called the Australian Privacy Principles (APPs), which apply to both the public and private sectors; organisations and agencies covered by the Act are now termed APP entities. Whilst the APPs are generally comparable to the pre-existing regime, some important differences should be noted:

  • APP 4 deals with unsolicited personal information, specifying when such information must be destroyed or de-identified by the APP entity. In essence, you should not retain unsolicited personal information that you could not have collected if you had solicited it.

  • APP 7 regulates when personal information can be used or disclosed for the purpose of direct marketing.  This is a new provision.

  • APP 8 imposes new requirements with respect to an APP entity's accountability for personal information that it has disclosed to overseas recipients. In conjunction with the new section 16C, APP 8 introduces an accountability approach under which an act or practice of the overseas recipient in relation to the information is taken to have been done by the APP entity. To discharge this duty, before an entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information. You should review both your privacy consents and your contracts with third parties who hold your information for you in the cloud.

  • Civil penalty provisions have been introduced, under which the maximum penalties for a serious or repeated interference with the privacy of an individual will be $340,000 for individuals and $1.7 million for entities.

The majority of the APPs (11 out of 13) rely upon what is reasonable in relation to the APP entity and the personal information it holds. What is reasonable is determined by factors such as the nature of the APP entity; the quantity and sensitivity of the information held; the risk to the individuals concerned in the event of a breach; the data handling practices of the APP entity; and the ease with which security measures can be implemented. APP entities have been advised to start preparing now, and to complete a Privacy Impact Assessment for all projects in order to determine what is reasonable, manage privacy and avoid privacy breaches.

The OAIC website contains additional information and guides in relation to the changes to the Privacy Act.

You should start your review now.