Jurisdiction - Australia
Australia – Long Awaited Privacy Reforms Commence.

12 March, 2014



What You Need To Know

Significant reforms to the way that Commonwealth agencies and organisations handle personal information in their possession commence from today. The changes include:


  • new Australian Privacy Principles;
  • comprehensive credit reporting provisions;
  • a revised privacy and credit reporting code regime; and
  • new and increased enforcement powers for the Information Commissioner, along with new civil penalties.

What You Need To Do

Agencies and businesses need to ensure that they are ready for these changes and are compliant with the new requirements under the Privacy Act 1988 (Cth)
After almost a decade of deliberating, the long awaited reforms under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) commence today. The amendments to the Privacy Act 1988 (Cth) overhaul the existing privacy principles for Commonwealth agencies and organisations, introduce more comprehensive credit reporting provisions, increase the powers of the Information Commissioner to ensure compliance and introduce new civil penalties that are likely to force many businesses to sit up and pay greater attention to privacy regulation. Here we explain the changes and provide you with a check list to ensure you’re on the right track for day one.

1. What You Need To Do

The Commissioner has stated that its focus over the next 12 months will be on working with agencies and organisations to ensure that the new requirements provided by the reforms are understood and that systems are in place to meet them. When checking compliance, the Commissioner will be considering steps that have been taken to genuinely prepare for these changes and so it is important that agencies and organisations be able to demonstrate that they are working hard to implement the reforms.

In order to prepare for the changes, agencies and organisations should make sure that they have done the following:


  • Review your privacy policy and make sure that it is clearly updated to comply with the new minimum requirements and freely available to individuals, such as through your website;
  • Review your complaints processes and ensure that it enables you to deal with inquiries and complaints about your compliance with the new Australian Privacy Principles (APPs);
  • Review your marketing consents and opt out statements and ensure that they comply with the requirements of the new direct marketing privacy principle;
  • Check your overseas disclosure practices, decide on your approach to managing risk, whether it be through indemnities or informed consents, ensure that you have procedures for tracking personal information once disclosed overseas and review any outsourcing agreements;
  • Check your procedures for collecting personal information and make sure that these procedures cover the new notification requirements and provide systems for dealing with unsolicited information;
  • Review your practices and procedures for correcting personal information and/or responding to requests for access and correction, including timeframes for responding, the manner in which access is provided and the provision of written reasons and charges;
  • Consider creating a document that outlines your privacy procedures and clearly demonstrates your compliance with the reforms.

The reforms provide agencies and organisations with a good opportunity to conduct a full review of the ways in which they handle personal information in their possession.

A discussion of the new requirements introduced by the reforms is set out below.

2. Key Concepts

Personal And Sensitive Information

The Privacy Act regulates “personal information” of individuals. The new law introduces a new,technology-neutral, definition for “personal information”, which will now be defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable:

a) whether the information or opinion is true or not; and
b) whether the information or opinion is recorded in a material form or not.

The definition of “sensitive information”, a sub category of personal information that is afforded greater protection, has also been amended slightly to extend to other forms of biometric information. Importantly, the restrictions on the collection and use of sensitive information will now be binding on public sector agencies as well as organisations.

Privacy Policy

Organisations have always been obligated to have available a policy that sets out how they manage personal information, but under the reforms both agencies and organisations will be required to have a clearly expressed and up to date privacy policy that contains the following information:


  • the kinds of personal information the entity collects and holds;
  • how it collects and holds personal information;
  • the purposes for collecting, holding, using and disclosing personal information;
  • how an individual can access information themselves, and seek corrections to this information;
  • how an individual can to complain about a breach of an APP, and how the entity deals with such complaints;
  • whether the entity is likely to disclose personal information to overseas recipients; and
  • if so, the countries in which those recipients are likely to be located, if practicable.

Ensuring that a privacy policy is up to date and complies with the new requirements under the APPs is one of the key things that entities can do from day one to demonstrate their implementation of the changes.

In its guidelines to the APPs, the Commissioner, has provided no recommendations as to form that a privacy policy should take, but has rather stated that a policy should be tailored to the specific information handling practices of an entity and suggested that if made available online, entities may consider providing a condensed version of the policy with links to the more detailed information in the full policy.

Single Set Of Privacy Principles

The most significant change to the Privacy Act introduced by the reforms is the move to a single set of harmonised APPs that replace the two sets of principles that used to apply to Commonwealth agencies and to organisations. The new APPs now apply to both agencies and organisations (referred to as “APP entities” under the Privacy Act). While most of the requirements in the APPs are not new, they do provide for a much clearer and straight forward privacy protection framework.


A summary of the APPs is provided below:


  • APP 1 sets up a new compliance framework for entities, requiring reasonable steps to be taken to implement practices, procedures and systems that ensure compliance with the APPs and any relevant binding code and enable entities to deal with inquiries or complaints. APP1 also sets out the requirements for a privacy policy, discussed above, and requires entities to take reasonable steps to make their policies freely available.
  • APP 2 requires entities to give individuals the clear option to deal either anonymously (by not identifying themselves) or pseudonymously (by identifying themselves with a pseudonym) when dealing (or interacting) with that entity. The obligation is must broader that it was previously.
  • APP 3 sets out the requirements that entities must comply with when collecting personal information from individuals that has been solicited, invited or requested. Essentially:
    • Personal information should only be collected if it is reasonably necessary for one or more of the entity’s functions or activities.
    • Personal information should only be collected by a lawful and fair means.
    • If it is reasonable and practicable to do so, an entity must collect personal information about an individual only from that individual.
    • An entity must not collect sensitive information unless the individual has consented and the information is reasonably necessary for one or more of its functions or activities.
  • APP 4 sets out new requirements for the collection of unsolicited personal information. An entity must, within a reasonable period of receiving unsolicited information, determine whether it could have collected the information under APP 3. If it could have collected such information, then APP 3 applies as if the information was collected as solicited personal information. If not, then the entity must, as soon as it is practicable, but only if lawful and reasonable to do so, destroy or de-identify the information.
  • APP 5 provides that an entity must take reasonable steps to notify an individual at the time of, before or as soon as practicable after collection, of a number of matters. The notification requirement covers some new matters not previously covered under the old privacy principles, such as notifying individuals that the entity’s privacy policy explains the entity’s complaints procedure and how individuals can access and seek corrections to their personal information, notifying individuals about whether the entity is likely to disclose the information to overseas recipients and, if so, the countries in which such overseas recipients are located, if practicable, and, where an entity collects personal information from someone other than the individual or without the individual being aware of the collection, the fact that the entity has collected certain information, and the circumstances of collection. This requirement to provide notification of the circumstances of collection is new, and may require entities to reconfigure their databases in order to record this information.
  • APP 6 states that an entity must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection, unless the individual has consented to the use or disclosure or an exception applies. The exceptions include cases where the purpose is a secondary purpose related (or directed related in the case of sensitive information) to the primary purpose and the individual would reasonably expect the entity to use or disclose the information for that purpose, and where the use or disclosure is required or authorised by or under law. A number of the exceptions that existed previously are now structured around “permitted general situations”, that relate to specific circumstances in which the public interest outweighs individual privacy, such as where use or disclosure is required to prevent or lessen a serious threat to life, health or safety or where the entity suspects that unlawful activity has been engaged in.
  • APP 7 covers the use of personal information for direct marketing and is significantly different to the requirements that existed for this type of use under the old principles. An organisation may only use an individual’s personal information for direct marketing purposes where it meets certain requirements. An organisation can use information for this purpose where it has collected the information from the individual, the individual would reasonably expect use or disclosure for that purpose, the organisation provides a simple means of opting out and the individual has not made an opt out request. If an organisation has collected information in circumstances where there is no reasonable expectation of a marketing purpose or it was collected from a third party, it can be used for that purpose where an opt out facility is provided, the organisation clearly states in the marketing that the individual can opt out and no such opt out request has been made.
  • APP7 recognises that an organisation may also be subject to obligations under the Spam Act 2003 (Cth) when they send direct marketing, and the Do Not Call Register Act 2006 (Cth).
  • APP 8, combined with a new section 16C, increases the accountability of entities by making them responsible in some circumstances for acts done by overseas recipients of personal information. Under APP 8, entities must take reasonable steps to ensure that overseas recipients do not breach the APPs in relation to that information, unless an exception applies. These “reasonable steps” may include entering into a contract with the overseas entity that requires it to comply with Australian privacy law.
  • The exceptions to the requirement include where an entity reasonably believes that the recipient is subject to a law or binding scheme that protects the information in a substantially similar way to the APPs and there are accessible mechanisms for enforcement, and where an entity informs the individual that they will not be liable for the information once disclosed and gets the consent of the individual on that basis.
  • APP 9 restricts the use of government related identifiers by the private sector.
  • APP 10 requires entities to take reasonable steps to ensure that the personal information which it collects is accurate, up-to-date and complete and that the personal information which it uses or discloses is, accurate, up-to-date, complete and relevant, in light of the purpose of the use or disclosure.
  • APP 11 requires entities to take reasonable steps to protect the personal information they hold from misuse, interference, loss and unauthorised access, modification or disclosure. APP 11 also requires entities to take reasonable steps to destroy or de-identify personal information if it is no longer needed for the purpose for which it was collected.
  • APP 12 requires entities to provide an individual with access to his or her personal information on request by the individual, unless certain exceptions for agencies and organisations apply. If the entity charges the individual for making such a request, the charge must not be excessive and must not apply to the making of the request.
  • APP 13 states that where an individual is able to establish, or the entity suspects, that personal information is not accurate, complete or up-todate, the entity must take reasonable steps to correct the information. Organisations must respond to a request to correct information within a reasonable time, and must not charge the individual for making a request or correcting the information. If the entity corrects personal information that it has disclosed to a third party, then it must take reasonable steps to notify the third party of the correction if requested to do so by the individual, unless it is impracticable or unlawful to do so.

Credit Reporting

The reforms introduce new credit reporting provisions that provide for more comprehensive credit reporting and a simplified and strengthened correction and complaints process. Under the new Part IIIA, a limited number of new types of information can now be
incorporated into credit reports, including the date a credit account was open, the type of account, the date it was closed, the current limit of each open account and repayment performance history. The new provisions are supported by regulations and a new credit reporting code of practice that will bind all credit reporting bodies and any specified credit providers and affected information recipients. The provisions link obligations and rights to new categories of credit related personal information, rather than to credit information files and reports as occurred previously. New obligations are provided in relation to access and corrections and a new three stage process for complaints handling is also established.

Increased Powers And Penalties

The reforms provide the Commissioner with significantly enhanced powers, including the ability to:


  • Conduct assessments of privacy compliance for agencies and some organisations;
  • Make determinations that include declarations that an act or practice not be repeated or continued, that a respondent should redress any loss or damage suffered by a complainant or that a respondent pay compensation to the complainant;
  • Accept enforceable undertakings; and
  • Seek civil penalties in cases of serious or repeated privacy breaches.

A new section 13G also creates a new significant penalty of $220,000 for entities that commit serious or repeated acts or practices that interfere with an individual’s privacy.



A new Part IIIB deals with codes of practice about information privacy (APP Codes) and credit reporting (the CR Code).

An APP Code may be developed by an entity which can then seek registration of the code by the Commissioner. The Commissioner can also develop and register an APP Code if an entity has failed to comply with a request to develop one or if the Commissioner has declined to register a requested code. The APP Codes supplement, rather than replace, the APPs and a breach of a registered APP Code is deemed to be an interference with privacy.

3. Keen To Delve Further?

The Commissioner has released APP guidelines to help entities covered by the Act to assess their compliance with the new laws and provide practical examples of best practice. The guidelines are available on the Commissioner’s website.


Ashurst Logo



For further information, please contact:


Tim Brookes, Ashurst
[email protected]

Sophie Dawson, Partner, Ashurst
[email protected]

Gordon Hughes, Partner, Ashurst
[email protected]

Amanda Ludlow, Partner, Ashurst
[email protected]

Leah Jessup, Ashurst
[email protected]


Ashurst Regulatory & Compliance Practice Profile in Australia


Homegrown Regulatory & Compliance Law Firms in Australia


International Regulatory & Compliance Law Firms in Australia

Comments are closed.