Changes to the Privacy Act - Ensuring the fine print is not forgotten

Most businesses will have standard form policies and procedures relating to privacy.  While these policies can be found on business websites and on documents handed out to customers and clients, they are too often left on the shelf collecting dust.  Invariably, business owners tick the regulatory box with the implementation of a privacy policy, and then continue to focus on the most important part of their business - doing business.

However, recent amendments to Australia’s privacy laws will require business owners to dust off their dated policies and renew them with some love and attention, ensuring that the privacy fine print is not forgotten.

As a result of these amendments, specifically in relation to privacy principles and credit information and enforcement, businesses with an annual turnover of $3 million or more need to review their privacy policies prior to March 2014.

The current National Privacy Principles (NPP) (applicable to private entities) and Information Privacy Principles (applicable to government entities) are being replaced with the Australian Privacy Principles (APP) as a result of the introduction of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Amendment Act). These amendments relate to the collection of personal information by private entities.

In addition to this, the Amendment Act has also set guidelines for businesses in relation to credit information.

Personal Information

The Amendment Act requires private entities that collect personal information to ensure that their privacy policies comply with the APP by March 2014.

Outlined below are some of the most significant changes that businesses should be aware of:

1.      Open and transparent management of personal information

The APP places a higher onus on businesses to have practices, procedures and policies in place which relate to privacy. Businesses will need to have procedures in place to deal with inquiries regarding their compliance with the APP and further to this, privacy policies will need to cover the collection and management of personal information.  At a minimum, this requires the privacy policy to include:

  • specific descriptions of the kinds of personal information collected;
  • the purposes for collecting the information;
  • how an individual can access the information held by the business;
  • how a complaint can be made in relation to a business’s policies; and
  • whether the entity is likely to disclose personal information to overseas recipients and if so, where they are located.

2.      Anonymity and pseudonyms

Individuals cannot be required to disclose their identity and may use a pseudonym (previously the only requirement was to provide the option of anonymity; the requirement to allow the use of pseudonyms is new).

3.      Unsolicited personal information

Where any entity receives personal information that it could not have obtained through solicited means, it must destroy the information.  Procedures to identify and deal with such information must be developed and implemented.

4.      Notification of collecting personal information

At the time of, or before collecting information, or as soon as possible after information is collected, the collecting entity must let the individual know that the information has been collected, the purpose of collection, the consequences for the individual if the information is not collected, the procedure to complain about or amend information, and to which third parties the information may be disclosed.

5.      Direct marketing

This requires entities to gain consent in relation to direct marketing.  Individuals must be able to easily request that they not receive direct marketing from the entity, or request that their information is not provided to third parties that will use it for direct marketing.

As the APP is more wide-reaching than the previous privacy regime, it is important that business owners take action, from both a legal and a practical perspective, to ensure they are compliant prior to March 2014.  This applies particularly to:

  • how the entity holds, collects and uses personal information;
  • the purposes of holding, collecting and using personal information; and
  • how the entity handles complaints in relation to its collection or use of personal information.

Credit information

The Amendment Act also makes a number of changes in relation to credit information policies, the collection and recording of information and the disclosure of information to overseas entities.

Similar to the new personal information regime, businesses need to ensure they are compliant with the new credit information rules by March 2014. The new credit information rules will affect the following businesses that fall within the definition of ‘credit providers’ in the Amendment Act:

  • businesses which are involved in the provision of credit;
  • suppliers of goods and services on credit / payment terms;
  • equipment lessors;
  • hire purchase credit providers;
  • banks; and
  • retail businesses that issue credit cards.

The changes businesses should be aware of are:

1.      Credit information policies

Credit providers (businesses that fall within the list outlined above) are required to have two separate privacy policies; one for the purposes of the APP discussed earlier and a separate credit reporting policy dealing with credit information.

2.      Collection and recording of credit information

Five new categories of credit information that may be collected have been introduced and include:

  • the type of consumer credit provided;
  • the date on which the consumer credit is entered into;
  • the maximum amount of credit available; and
  • the day on which the consumer credit is terminated.

In addition, a further new category has been introduced regarding repayment history information, which now allows for information to be collected regarding the timing of monthly payments, including when payments are due, whether the obligation has been met and the date on which the payment is made.




For more information on the Australian Privacy Principles and the Amendment Act, please contact:

Meagan O'Connor
03 9611 0106