Kathie Sadler

Amendments to Privacy Act 1988 (Cth) – Will your business be compliant in time?

Kathie Sadler

30 July 2013

Confidentiality and Privacy Legislation Updates



1. Who will be affected?


From 12 March 2014, the amendments to the Privacy Act 1988 (Cth) (Privacy Act) introduced in December 2012 will become effective.


The fact that the Government has given businesses over a year before the amendments come into effect should be taken as a clear indication that compliance will be expected from 12 March 2014 and the significant penalties included in the amendments may be imposed if there are breaches of the new obligations.


While there has been discussion about the impacts on credit providers and credit reporting body, the amendments in fact impact upon businesses at all levels.


2. What should you be doing?


Over six months have now lapsed since the amendments were passed. The changes within an organisation which are required to comply with the Privacy Act are not simply a quick amendment to the privacy policy and changing a few definitions. More fundamental work needs to be undertaken to ascertain how information is collected, stored, used and disclosed both internally and externally. Often this differs within different parts of an organisation, even though the Privacy Policy is the same. As outlined below, ‘information mapping’ needs to be done, after which the company can identify what changes need to be made to the processes for compliance, update policies and procedures and the Privacy Policy and then ensure staff are aware of the changes and compliance obligations. This will not only involve ‘front line’ staff who deal with clients and customers, but also those involved in administration, record keeping and information technology.


3. What are the key impacts?


3.1  Penalties


Substantial financial penalties may be imposed for breaches of the Privacy Act.  Depending on the situation, these may be civil or criminal financial penalties.


3.2  Privacy Principles


The 10 National Privacy Principles (NPPs) which business is so familiar with will be replaced by 13 Australian Privacy Principles (APPs). While the underlying principles of confidentiality remain the same, the new APPs are generally more prescriptive with greater emphasis on the processes which must be undertaken when collecting, using, storing and providing personal information.


The amendments also include new and amended definitions under the Privacy Act and principles.


3.3  Direct marketing


While there have always been obligations in respect to direct marketing, including opt out provisions, a new privacy principle has been introduced to regulate the use of personal and sensitive information for direct marketing purposes.


3.4  Cross-border disclosure


(a) While the NPPs have always regulated transborder data flows (NPP 9), additional obligations are now being imposed. For example, the provider of the information is now required to ‘ensure’ that the overseas recipient does not breach the APPs.

(b) In some circumstances a breach by the overseas recipient will be deemed to be a breach by the Australian provider. This has implications in respect to the new offences provisions and the penalties a court can order or the compensation a court can award.

(c) It is essential that business protocols are updated to ensure the obligations under the APPs are complied with.


3.5  Complaints


(a) Specific provisions have been included in the Privacy Act to deal with making and handling of complaints about credit information and credit eligibility information.

(b) If an individual is not satisfied with the manner in which a complaint has been handled, the matter may be referred to an external dispute resolution scheme or the Privacy Commissioner.

(c) The Privacy Commission also has powers to investigate an act or practice that may be an interference with an individual’s privacy without waiting for a formal complaint.


3.6  Credit Reporting


(a) A new division has been inserted into the Privacy Act to deal with credit reporting. In many cases the provisions of the APPs are replaced with specific obligations under the new sections.

(b) In short, new compliance procedures will need to be put in place and specific privacy policies enacted to deal with credit reporting activities. These include a number of restrictions in relation to individuals under 18 years and fraud prevention.

(c) There are also positive obligations of notification where previously disclosed information is found to be incorrect.

(d) Limitations have been imposed on how Credit Information about an individual can be used and disclosed.


3.7 Credit Providers


(a) The definition of ‘credit provider’ has not changed. However, a new division has been inserted into the Act setting out privacy and disclosure obligations to be imposed on credit providers.

(b) Similar to the obligations on credit reporting bodies, limitations have been imposed on how Credit Information about an individual can be used and disclosed.

(c) There is now a positive obligation imposed on Credit Provider to notify if any information it discloses is later found to be incorrect.


3.8 Mortgage Insurers and Trade Insurers


(a) New obligations have been imposed on mortgage and trade insurers, particularly in relation to ‘Regulated Information’ (a new concept introduced into the Privacy Act).

(b) Mortgage and trade insurers must have an up to date policy to specifically deal with the management of Regulated Information. The Act on this point is prescriptive, mandating the requirements in the amendments.


4. What needs to be done to comply?


(a) The first task is to map data flows within the organisation, specifically to identify (amongst other things):


(i) how information is received and who from;

(ii) what processes are in place and whether they are being complied with to notify individuals when personal information is collected from someone other than the individual;

(iii) how information is disclosed and to whom;

(iv) whether the disclosure, in practice, correlates exactly with what is in the Privacy Policy;

(v) whether information is provided to or accessed by persons outside Australia (e.g. consultants, IT software or service providers) and, if so, whether the processes under the Privacy Act have been complied with; and

(vi) how information is stored, for example, does the organisation use cloud computing and, if so, whether sensitive information is stored in this way.


(b) The next step is to update the policies and procedures of the organisation (not just the organisation’s Privacy Policy) to ensure that appropriate protocols and safeguards are in place to protect the privacy of the individual’s information and the organisation.


(c) Web-based collection methods, terms and conditions and privacy policies need to be reviewed and updated.


(d) Staff must be trained on the amendments to the Act and the updated protocols and policies of the organisation to ensure they understand their role and act in a way which complies with the organisation’s obligations.


(e) Agreements need to be reviewed and, where necessary updated (especially pro forma agreements and the organisation’s standard terms and conditions. Depending on the organisation, the relevant agreements will include:


(i) personal information collection documentation;

(ii) confidentiality agreements;

(iii) agreements with call centres;

(iv) supplier agreements;

(v) IT service provider agreements;

(vi) human resources documentation;

(vii) financial services documentation; and

(viii) credit reference and credit provider documentation.


(f) Agreements between credit reporting bodies and their clients (e.g. credit providers) and credit providers and their customers will also need to be amended to ensure compliance with the new obligations. For example, a credit reporting body will be required to include in an agreement with a credit provider:


(i) obligations to protect credit reporting information from misuse, interference and loss and from unauthorised access, modification or disclosure;

(ii) arrangements for independent audits to ensure agreements are being complied with; and

(iii) protocols for identifying and dealing with suspected breaches of the agreements.


The information is this document is not exhaustive. It is not intended as and does not constitute legal advice. The information is provided to give the recipient some guidance on the breadth and application of the amendments to the Privacy Act.