Jurisdiction - Australia
Reports and Analysis
Australia – Long Awaited Privacy Reforms Commence.

22 May, 2014


Legal News & Analysis – Asia Pacific – Australia – Regulatory & Compliance


Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)

What You Need To Know


  • Significant reforms to the way that Commonwealth agencies and organisations handle personal information in their possession commenced on 12 March 2014. The changes include: 
    • new Australian Privacy Principles;
    • comprehensive credit reporting provisions;
    • a revised privacy and credit reporting code regime; and
    • new and increased enforcement powers for the Information Commissioner, along with new civil penalties.

What You Need To Do


  • Agencies and businesses need to ensure that they are compliant with the new requirements under the Privacy Act 1988 (Cth), by, among other things: 
    • reviewing and updating their privacy policy;
    • reviewing their collecting, notification and complaints processes; and
    • checking their overseas disclosure practices.

After almost a decade of deliberating, the long awaited reforms under the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) commenced on 12 March 2014.

What’s Changed?

The amendments to the Privacy Act 1988 (Cth) overhaul the existing privacy principles for Commonwealth agencies and organisations, introduce more comprehensive credit reporting provisions, increase the powers of the Information Commissioner to ensure compliance and introduce new civil penalties. This article focuses on the new Australian Privacy Principles.

Personal And Sensitive Information

The new law introduces a new, technology-neutral, definition for “personal information”, which is now defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, regardless of whether the information or opinion is true or recorded in a material form.

The definition of “sensitive information” has also been amended slightly to extend to other forms of biometric information. Importantly, the restrictions on the collection and use of sensitive information are now binding on public sector agencies as well as organisations.

Privacy Policy

Organisations have since 2001 been obliged to have available a policy that sets out how they manage personal information, but under the reforms both agencies and organisations are required to have a clearly expressed and up to date privacy policy that contains the following information:


  • the kinds of personal information the entity collects and holds;
  • how it collects and holds personal information;
  • the purposes for collecting, holding, using and disclosing personal information;
  • how an individual can access information themselves, and seek corrections to this information;
  • how an individual can complain about a breach of an APP, and how the entity deals with such complaints;
  • whether the entity is likely to disclose personal information to overseas recipients; and
  • if so, the countries in which those recipients are likely to be located, if practicable.

Single Set Of Privacy Principles

The most significant change to the Privacy Act is the move to a single set of harmonised APPs that replace the two sets of principles that used to apply to agencies and to organisations. The new APPs now apply to both agencies and organisations (referred to as “APP entities“). While most of the requirements in the APPs are not new, they do provide for a much clearer and straight forward privacy protection framework.

Some of the key APPs are:


  • APP 1 sets up a new compliance framework for entities, requiring reasonable steps to be taken to implement practices, procedures and systems that ensure compliance with the APPs and any relevant binding code and enable entities to deal with inquiries or complaints. APP1 also sets out the requirements for a privacy policy, discussed above, and requires entities to take reasonable steps to make policies freely available. 
  • APP 2 requires entities to give individuals the clear option to deal either anonymously or pseudonymously when dealing with that entity. The obligation is much broader that it was previously. 
  • APP 3 sets out the requirements that entities must comply with when collecting personal information from individuals. Personal information should only be collected if it is reasonably necessary for one or more of the entity’s functions or activities and should only be collected by a lawful and fair means. If reasonable and practicable to do so, an entity must collect personal information about an individual only from that individual and must not collect sensitive information unless the individual has consented and it is reasonably necessary for one or more of its functions or activities. 
  • APP 4 sets out new requirements for the collection of unsolicited personal information. An entity must, within a reasonable period of receiving unsolicited information, determine whether it could have collected the information under APP 3. If it could have collected such information, then APP 3 applies as if the information was solicited. If not, then the entity must, as soon as it is practicable, but only if lawful and reasonable to do so, destroy or de-identify the information. 
  • APP 5 provides that an entity must take reasonable steps to notify an individual at the time of, before or as soon as practicable after collection, of a number of matters. The matters include some not previously covered, such as notifying individuals that the entity’s privacy policy explains the entity’s complaints, access and correction procedures, notifying individuals about likely disclosure to overseas recipients, and, where an entity collects unsolicited personal information, the fact and circumstances of collection. This last requirement may require entities to reconfigure their databases in order to record this information. 
  • APP 6 states that an entity must not use or disclose personal information for a purpose other than the primary purpose of collection, unless the individual has consented to the use or disclosure or an exception applies. A number of the exceptions that existed previously are now structured around “permitted general situations” that relate to specific circumstances in which the public interest outweighs individual privacy, such as where use or disclosure will prevent or lessen a serious threat to life, health or safety or where the entity suspects unlawful activity. 
  • APP 7 covers the use of personal information for direct marketing outside of that covered by the Spam Act 2003 (Cth) and Do Not Call Register Act 2006 (Cth), and is significantly different to the requirements that existed previously. An organisation may only use personal information for direct marketing where it has collected the information from the individual, the individual would reasonably expect use or disclosure for that purpose, the organisation provides a simple opting out facility and the individual has not opted out. If no reasonable expectation of a marketing purpose exists or information was collected from a third party, it canbe used for marketing where an opt out facility is provided, the marketing clearly states that the individual can opt out and the individual has not done so. 
  • APP 8, combined with a new section 16C, increases the accountability of entities by making them responsible in some circumstances for acts done by overseas recipients of personal information. Under APP 8, entities must take reasonable steps to ensure that overseas recipients do not breach the APPs, unless an exception applies. “Reasonable steps” may include entering into a contract with the overseas entity that requires it to comply with Australian privacy law. Exceptions include where an entity reasonably believes that the recipient is subject to a law or binding scheme that protects the information in a substantially similar way to the APPs and there are accessible enforcement mechanisms, and where an entity informs the individual that they will not be liable for the information once disclosed and receives consent on that basis.

What You Need To Do

The Office of the Australian Information Commissioner has stated that its focus over the next 12 months will be on working with agencies and organisations to ensure that the new requirements provided by the reforms are understood and that systems are in place to meet them.

In order to prepare for the changes, agencies and organisations should make sure that they have done the following:


  • Review your privacy policy and make sure that it is clearly updated to comply with the new minimum requirements and freely available to individuals, such as through your website; 
  • Review your complaints processes and ensure that it enables you to deal with inquiries and complaints about your compliance with the new APPs; 
  • Review your marketing consents and opt out statements and ensure that they comply with the requirements of the new direct marketing privacy principle; 
  • Check your overseas disclosure practices, decide on your approach to managing risk, whether it be through indemnities or informed consents, ensure that you have procedures for tracking personal information once disclosed overseas and review any outsourcing agreements; and 
  • Check your procedures for collecting personal information and make sure that these procedures cover the new notification requirements and provide systems for dealing with unsolicited information.


Ashurst Logo


For further information, please contact:


Tim Brookes, Partner, Ashurst 
[email protected] 

Sophie Dawson, Partner, Ashurst 
[email protected]


Leah Jessup, Ashurst 
[email protected]


Ashurst Regulatory & Compliance Practice Profile in Australia


Homegrown Regulatory & Compliance Law Firms in Australia


International Regulatory & Compliance Law Firms in Australia

Comments are closed.