Jurisdiction - Australia
Telecommunications, Media & Technology
Australia – Privacy Amendment Legislation Finally Passed.

27 December, 2012




In brief


The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) has been passed through both Houses of Parliament. The Act:


  • introduces new Australian Privacy Principles
  • implements more comprehensive credit reporting provisions
  • introduces a revised regime for privacy codes and credit reporting codes
  • increases the range of options for the Commissioner to encourage and monitor privacy compliance and to resolve complaints
  • introduces civil penalties for certain breaches of the Act.


Entities will need to update privacy policies and procedures so as to comply from 15 months after Royal Assent.


On 29 November 2012, a Bill containing long awaited amendments to the Privacy Act 1988 (Cth) was finally passed in the House of Representatives, after being passed by the Senate on 27 November 2012.


The Privacy Amendment (Enhancing Privacy Protection) Act 2012 contains amendments implementing the Government’s first stage response to recommendations first proposed by the Australian Law Reform Commission (ALRC) in 2008. The Act contains new Australian Privacy Principles, implements more comprehensive credit reporting provisions, introduces a revised regime for privacy codes and credit reporting codes, increases the power of the Commissioner to determine complaints and introduces civil penalties for certain breaches of the Act.


Structure of the Act


The substantive elements of the legislation are contained in six schedules, namely:


  • Schedule 1 – Australian Privacy Principles;
  • Schedule 2 – Credit Reporting;
  • Schedule 3 – Privacy Codes;
  • Schedule 4 – Other Amendments to the Privacy Act;
  • Schedule 5 – Amendment of Other Acts;
  • Schedule 6 – Application, transitional and savings provisions.


Some key concepts


Some of the key changes introduced by the Australian Privacy Principles, apart from the creation of a single set of Privacy Principles that apply to both Commonwealth government agencies and private sector organisations (now referred to collectively as “entities”), include:


  • an amended definition of “Personal Information” that reflects the ALRC recommendations by introducing a degree of flexibility and technology-neutrality. Specifically, the definition provides:
    • Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
      • a. whether the information or opinion is true or not; and
      • b. whether the information or opinion is recorded in a material form or not.
  • the term “Consent” continues to be defined as simply meaning “express consent or implied consent”. The Explanatory Memorandum encourages the development and publication of appropriate guidance by the Commissioner about what is required of entities to obtain an individual’s consent for the purposes of the Act;
  • the definition of “Sensitive Information”, which has always been afforded a higher level of protection in the private sector, is amended slightly to extend to other forms of biometric information. More significantly, the restrictions on the collection and use of sensitive information will now be binding upon public sector agencies as well as organisations; and
  • the various existing exemptions, some of which have proved contentious (such as the small business exemption and the employment records exemption), are unaffected by the amendments.


Structure of the APPs


As recommended by the ALRC, the Act amalgamates and refines the existing Information Privacy Principles and National Privacy Principles to create a single set of principles, to be known as the Australian Privacy Principles (APPs), which regulate Commonwealth agencies and private sector organisations.


The APPs are contained in five parts:


  • Part 1 – Principles dealing with the management of personal information (APP 1, APP 2);
  • Part 2 – Principles dealing with the collection of personal information (APP 3, APP 4, APP 5);
  • Part 3 – Principles dealing with the use and disclosure of personal information (including direct marketing and cross-border disclosure) (APP 6, APP 7, APP 8, APP 9);
  • Part 4 – Principles dealing with the integrity, quality and security of personal information (APP 10, APP 11); and
  • Part 5 – Principles dealing with requests for access to, and correction of, personal information (APP 12, APP 13).


Section 16A creates the concept of a “permitted general situation” which stipulates, in a positive sense, certain activities in which an entity might engage which will be deemed not to breach the privacy of an individual. 


Various “permitted general situations” are listed in a table, and include the use of personal information for the purpose of preventing a serious threat to life, health or safety, circumstances involving suspected unlawful activity or misconduct of a serious nature, assisting in the location of a missing person, establishing the defence of a legal claim, engaging in a confidential alternative dispute resolution process, exercising a diplomatic or consular function and, in the case of the Defence Force, purposes associated with warlike operations, peacekeeping or humanitarian assistance.


Key APP provisions


The approach adopted by the APPs reflects, amongst other issues, the following points, which require special note:


  • APP 1.2 introduces a positive obligation to implement practices and procedures relating to an entity’s functions to ensure compliance with the APPs, and the Explanatory Memorandum states that this may include staff training, establishing procedures to receive and respond to complaints and enquiries, developing information to explain an entity’s policies and procedures, and establishing procedures to identify and manage privacy risks and compliance issues.
  • APP 1.4 sets out some additional information that entities must include in their privacy policies.
  • APP 2 introduces a new right of an individual to deal with an entity through the use of a pseudonym.
  • APP 3 restates the existing principle that personal information may only be collected where it is reasonably necessary for an entity to pursue a legitimate function, the Explanatory Memorandum emphasising that personal information cannot be collected on the “off chance that it may become necessary for one of its functions or activities in the future, or that it may be merely helpful”.
  • APP 4 provides that unsolicited personal information must be afforded the same privacy protection as solicited personal information.
  • APP 5 requires that an individual must be made aware of how and why personal information is, or will be, collected and how it will be dealt with by an entity.
  • APP 6 reflects the existing IPPs 10 and 11 and NPPs 2 and 10 with respect to the use or disclosure of personal information and sensitive information, the Explanatory Memorandum anticipating that the Commissioner will develop specific guidance about the meaning of the “primary purpose” of collection.
  • APP 7 deals with direct marketing, broadly prohibiting direct marketing by private sector organisations (subject to certain exceptions) while broadly permitting direct marketing by government agencies (on the basis that it is important for them to retain the ability to communicate legitimate and important information to individuals).
  • APP 8 extends cross-border data flow restrictions to the public sector for the first time. Significantly, the Principle purports to follow the “accountability approach” favoured by the APEC Privacy Framework as opposed to the “adequacy approach” adopted in the European Union. Whereas the existing NPP 9 prohibits cross-border disclosure unless adequate safeguards are in place, the new APP 8 permits cross-border disclosure but the discloser remains accountable for ensuring that the data is handled overseas in accordance with the provisions of the Act (unless consent to the disclosure is obtained on the understanding that the discloser will not remain liable for the acts of the overseas recipient). APP 8 does not apply to the overseas internal disclosure of personal information within a single entity, but it does apply if personal information is sent to a related body corporate outside of Australia (notwithstanding the general exemption relating to the transfer of personal information between related bodies corporate). There is no express reference to a need to obtain a contractual commitment from an overseas recipient to comply with the APPs but rather the discloser is required to take reasonable steps to ensure compliance with the APPs and the Explanatory Memorandum acknowledges that this would normally involve an entity entering into a contractual relationship with an overseas recipient.
  • APP 9 restricts the use of government related identifiers by the private sector, thus continuing the philosophy enshrined in the existing legislation which seeks to avoid government related identifiers becoming universal identifiers.
  • APP 10 requires an entity to take reasonable steps to preserve the quality of stored personal information (that is, ensuring that it is accurate, up to date and complete).
  • APP 11 requires an entity to take reasonable steps to preserve the security of personal information.
  • APP 12 entitles an individual to obtain access to personal information held by an entity upon request, subject to specific exceptions.
  • APP 13 imposes an obligation on an entity to take reasonable steps to correct personal information if it is satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading.


Credit Reporting


Schedule 2 amends the Credit Reporting provisions which were inserted into the Privacy Act 1988 under Part IIIA in 1991. Consistent with the ALRC’s recommendations, the amendments permit more comprehensive credit reporting processes. Additional types of information may be incorporated into credit reports, namely:


  • the date a credit account was opened;
  • the type of credit account opened;
  • the date the credit account was closed;
  • the current limit of each open credit account;
  • repayment performance history about the individual (available to credit providers who are licensees under Chapter 3 of the National Consumer Credit Protection Act or prescribed by the Regulations and mortgage insurers).


The philosophy underpinning the expansion of personal information available to credit providers is to help prevent over-indebtedness and to lower credit default rates amongst individuals.


The Act also introduces a provision relating to the disclosure of credit information to certain persons or bodies that do not have an Australian link.


The Explanatory Memorandum emphasises that there are additional consumer protections created by enhanced obligations and processes dealing with notification, data quality, access and correction, and complaints.


Small businesses, which remain broadly exempt from the legislation, will be bound by the CR (credit reporting) Code if they elect to participate in the credit reporting system.




Schedule 3 introduces a new Part IIIB dealing with Codes of Practice known as either APP Codes or a CR Code.


An APP Code may be developed by an entity which can then seek registration of the code by the Commissioner. The Commissioner may also develop an APP Code if an entity has failed to comply with a previous request by the Commissioner to develop a code or if the Commissioner declines to register a requested APP Code. APP Codes do not replace the APPs but supplement them, and a breach of a registered APP Code is deemed to be an interference with privacy.


The CR Code will set out how one or more of the credit reporting provisions are to be applied or complied with. It will bind all credit reporting agencies. A breach of the registered CR Code will be an interference with privacy for the purposes of section 13.


Other amendments to the Act


Schedule 4 reforms the functions and powers of the Commissioner, improving the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote compliance with privacy obligations.


Specifically, the Act provides the Commissioner with, amongst other things, the ability to assess an entity’s handling of personal information, recognise external dispute resolution schemes and deal with the conciliation of complaints.


Schedule 4 amends section 5B of the Act which deals with extra-territoriality, extending the extra-territorial operation of the Act to organisations and small businesses with an Australian link.


Schedule 4 also introduces civil penalty provisions that enable the Privacy Commissioner to apply to a court for an order that an entity which is alleged to have contravened a civil penalty provision pay the Commonwealth a pecuniary penalty. The civil penalty provisions largely relate to the credit reporting provisions of the Act.




The substantive provisions of the Act will commence the day after the end of 15 months beginning on the day the Act receives Royal Assent.




For further information, please contact:


Gordon Hughes, Partner, Ashurst



Sophie Dawson, Partner, Ashurst



Tim Brookes, Partner, Ashurst



Marlia Saunders, Ashurst



