If you are a business which collects and/or uses personal
information of customers and clients, then recent changes to the
Privacy Act 1988 mean you will need to review and update
What changes have been made to the Privacy Act?
Late last year the Senate passed amendments to the Privacy
Act 1988 implementing changes to Australian privacy law in a
number of areas. These changes included:
New information which must form part of your privacy
Increased liability for Australian businesses when transferring
or disclosing personal information overseas; and
Greater penalties and enforcement powers for the Australian
All businesses regulated by the Privacy Act must have a
existing obligations to clearly disclose the kind of personal
information which an entity collects, how that information is
collected, the purposes for which it is collected, and how it may
be used or disclosed. In addition it is now mandatory to include
how an individual may complain about a privacy breach, how the
entity will deal with such a complaint, whether or not personal
information is likely to be transferred overseas, and if possible
the countries to which it is likely that personal information will
How do the changes affect outsourcing of information management
and storage such as Cloud Computing?
Under existing laws, a business may only transfer personal
information overseas if the individual concerned consents, or if
the business has taken certain steps to ensure that the overseas
recipient will hold and use the information consistently with
Australian law. The amendments to the Privacy Act take
this a step further, so that even in circumstances where the
Australian business has taken such steps, a privacy breach by the
overseas recipient can be deemed to be a breach by the Australian
business, giving rise to liability for the Australian business
under local Australian law. Not only will this require businesses
to scrutinise the consent provisions of their privacy policies, it
also warrants careful consideration of contracts with out-sourced
IT service providers and cloud computing services.
What should you do now?
With increased penalties of up to $1,700,000 for corporations,
and the possibility of actions for misleading and deceptive conduct
under the Australian Consumer Law, businesses need to be
prepared for the effective start date of these new laws in March
2014 by reviewing their privacy policies, data collection and
handling policies, and third party IT and data management
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Those types of personal disclosure may still be permitted under the Privacy Act as long as your house is in order.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).