Privacy Act reforms affect privacy policies and practices
– Bill tabled by Australian Government
The amendments represent the first of two stages of reforms and,
if passed, will come into effect nine months after the amendments
receive royal assent. The lengthy amendments (236 pages) in the
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 are the
Government's response to a detailed report by the Australian
Law Reform Commission which made nearly 300 recommendations.
The major amendments contained in the Bill are in four main
New Australian Privacy Principles
The existing National Privacy Principles (NPPs) covering the
private sector and the Information Privacy Principles (IPPs)
covering Commonwealth public sector agencies will be replaced by
single set of principles called the Australian Privacy Principles
(APPs). The number of principles for the private sector has
expanded from 10 to 13.
New requirements under the APPs include a longer list of matters
that should be dealt with in privacy policies. In addition, privacy
policies must be kept up-to-date and a guidance note in the Bill
suggests that privacy policies should be published on each
Since the APPs are at the core of privacy obligations, all
organisations will need to review the APPs with care.
New credit reporting provisions
The credit reporting provisions of the Privacy Act will
be entirely replaced and a new Credit Reporting Code will be
introduced (called the CR Code). The new provisions are based on
the APPs, with modifications intended to allow for necessary
activities of the credit reporting industry. The Government notes
that Australia's consumer credit totalled A$1.113 trillion in
2008 and that credit reporting is dominated by three main credit
reporting agencies, storing credit records on millions of
Credit reporting agencies will be allowed to deal with five new
kinds of personal information including the date on which a credit
account was open, the current limit of each credit account and the
individual's repayment history. Credit providers will therefore
have access to additional information with which to assess
customers and credit risks. This is balanced by amended obligations
relating to matters such as data quality, access and correction,
The Bill provides for the creation of new codes of practice
dealing with the APPs and a specific code dealing with credit
reporting. APP Codes are intended to supplement the APPs by
providing additional requirements about the management of personal
information. The Information Commissioner can request the
development of an APP Code (usually to apply to an industry sector
or group), and may impose an APP Code if that is not done. Once an
APP Code is registered, it becomes binding.
The CR Code will be created through a similar process. It will
bind all credit reporting agencies and set out which credit
providers should also be bound (typically an industry sector such
as mortgage insurers). When finalised, the CR Code will become
binding and a breach of the CR Code will be a breach of the
Enhanced powers of the Information
The powers of the Information Commissioner have been clarified
in some areas and increased in others. The Commissioner may now
conduct monitoring and assessment of information held by
organisations, particularly to check that information is not being
used or disclosed improperly.
The amendments also allow the Information Commissioner to
officially recognise particular external dispute resolution schemes
in order resolve complaints about interferences with privacy and
other practices. The intention is to streamline the resolution of
complaints, without requiring the involvement of either the
Information Commissioner or the courts. Of course, both remain
In respect of breaches of the Privacy Act, the Information
Commissioner can accept enforceable undertakings from
organisations. If those undertakings are breached, the Information
Commissioner can enforce them in the Federal Court or the Federal
Magistrates Court. These powers and procedures are similar to those
used by other regulators such as Australian Communications and
Media Authority (ACMA) under legislation such as the Spam
Act and the Do Not Call Register Act.
Once the amendments are passed, Australian organisations
– in both private and public sectors – will
have nine months to ensure that their privacy policies and privacy
practices comply with the changed requirements of the Privacy
Act. Organisations that hold substantial amounts of personal
information should monitor the progress of the Bill carefully in
order to plan the process of updating their policies and
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Middletons has been awarded a 2012 EOWA Employer of Choice for
Women citation acknowledging our commitment to workplace
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
There has been a range of recent legal developments that affect privacy, child abuse claims and workers compensation.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).