March 18, 2014

Major Changes to the Privacy Act Come Into Force

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was passed by the Australian parliament on 29 November 2012 (Bill).  The Bill effected major changes to the Privacy Act (1988) Cth (Act), and updates the “National Privacy Principles” to the “Australian Privacy Principles” (APPs).  The changes took effect on 12 March 2014.  This article will set out a (non-exhaustive list) of the things affected entities need to do to comply with the changes to the Act.

Entities Affected by the Changes

The Act applies to APP entities, which include governmental entities and “organisations”.  The term “organisation” does not include entities captured by the definition of “small business”.

Under the Act, an entity is a “small business” unless it turns over more than $3,000,000 per year, and does not:

    • provide a health service;
    • disclose personal information about an individual to a third party for “benefit, service or advantage”; or
    • provide a “benefit, service or advantage” to collect personal information about an individual from a third party.


In other words, if an entity turns over more than $3,000,000 per year or engages in any of the activities in the bullet points above, it is captured by the Act.

Privacy Compliance Program

Under the changes, entities need to implement a “Privacy Compliance Program”, the aim of which is to ensure that the entity complies with the APPs, and has a structured procedure in place to handle complaints about the entity’s compliance with the APPs.  The Privacy Compliance Program must be set out in a written document with specific types of information included.

Privacy Policy Changes

All references to “National Privacy Principles” should be changed to “Australian Privacy Principles”.

Entities also need to add to their Privacy Policies:

    • if they are likely to disclose personal information to recipients overseas, and if so, the countries where the recipients are located; and
    • a description on how an individual can complain about a breach of the APPs, and how the entity will deal with such privacy complaints.


Notices When Collecting Personal Information

Under the old regime, when an entity collected information from an individual, it was necessary to notify the individual of:

    • the collecting entity’s identity;
    • the purpose for which the information was collected; and
    • the individual’s right to see the information that an entity collects about them.


Under the revised Act, an entity needs to inform an individual:

    • if it is likely to disclose the personal information to recipients overseas (and where those recipients are located);
    • that the entity’s Privacy Policy has details on how to gain access to personal information and correct it; and
    • that the entity’s Privacy Policy includes details of how to complain about an APP breach and how the entity will deal with privacy complaints.


New Liabilities for Disclosing Data Offshore

Every entity subject to the revised Act should review its arrangements for offshore data storage and processing.

Under the Act, if an entity discloses personal information to an overseas recipient, it must take “reasonable steps” to ensure that the overseas recipient does not breach the APPs.  If the overseas recipient does breach the APPs, the entity that disclosed the information will be responsible for the breach as if the entity had itself committed the breach.

An exemption applies, however.  If an entity reasonably believes that the overseas recipient is subject to a law that provides for privacy protections substantially similar to the APPs, the entity will not be responsible for the breach.

If you have any concerns about your compliance with the Act, please contact Pat Brown or Matthew Rouse.