On 12 March 2014, the Privacy (Enhancing Privacy Protections)
Act 2012 (Cth) (the Amendments) came into effect and brought about
significant change to the Privacy Act 1988 (Cth) (the Act).
The Act regulates the collection, storage, use, and disclosure
of personal information. The Act will apply to independent schools
with an annual turnover of more than $3 million.
Schools need to be aware of the changes to the Act and ensure they
comply with the new requirements. Specifically, schools need to be
proactive in ensuring that they have and implement practices,
policies and procedures that comply with the Australian Privacy
The key change brought about by the Amendments is that the
National Privacy Principles (NPPs) are replaced by the APPs.
Other changes included:
the Australian Information Commission (AIC) was given greater
power to enforce privacy laws (including penalty orders of up to
$1.7 million for corporations);
amendments to credit reporting provisions;
amendments to definitions; and
allowing for new privacy and credit reporting codes to bind
A summary of the APPs is below.
APP 1: Open and Transparent Management of Personal
A school must take reasonable steps to implement practices,
procedures and systems relating to the school's functions that
ensure the school complies with the APPs and will enable the school
to deal with inquiries or complaints.
requirements as set out in APP 1.
APP 2: Anonymity and Pseudonymity
A school must provide individuals with the option of being
dealt with anonymously; this will not apply if it is
APP 3: Collection of Solicited Personal
Schools can only collect information where it is
Sensitive information can only be collected with consent,
unless an exception applies or it is reasonably necessary for one
of the school's functions or activities.
APP 4: Dealing with Unsolicited Personal
If a school receives unsolicited personal information they must
consider whether they were allowed to collect it under APP 3; if
not, the information will generally need to be destroyed or
APP 5: Notification of the Collection of Personal
Most schools use a standard collection notice to notify an
individual of the collection of personal information. A school must
notify an individual about how they can access, correct, make a
complaint, and if the school discloses information overseas, to
APP 6: Use or Disclosure of Personal
Additional exceptions apply for where a school can use or
disclose personal information, i.e. to assist in finding a missing
APP 7: Direct Marketing
A school can only use personal information if an individual has
consented to it, or reasonably expects that their information will
be used for direct marketing.
Schools must provide an "opt-out" option.
APP 8: Cross-Border Disclosure of Personal
A school must take all reasonable steps to ensure an overseas
recipient does not breach the APPs.
APP 9: Adoption, Use or Disclosure of Government
A school must not disclose a government related identifier of
an individual unless an exception applies.
APP 10: Quality of Personal Information
A school must ensure that the personal information they use or
disclose is accurate, up to date and complete.
APP 11: Security of Personal Information
A school must take steps to protect information from misuse,
interference, loss, unauthorised access, modification and
If the school no longer uses information, they must destroy and
de-identify information in accordance with the APPs.
APP 12: Access to Personal Information
A school must deal with access to personal information,
requests for access, charges for access and refusal for access in
accordance with APP 12.
APP 13: Correction of Personal
A school must take reasonable steps to ensure that the
information they hold is correct.
Given these changes schools should, at an absolute minimum,
its policies comply with APP 1; and
its practices and procedures that govern collection, storage,
use and disclosure of personal information comply with the
Privacy is a difficult area of law to navigate. It is important
that your school take steps to ensure compliance as failure to do
so can have expensive consequences.