Key changes to privacy law explained: the impact on business

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Amending Act) was passed on 12 December 2012, and takes effect on 12 March 2014. The Amending Act will bring significant changes to the Privacy Act 1988 (Cth) (Privacy Act) including:

  • new credit reporting provisions; and
  • a new and more cohesive set of privacy principles — the Australian Privacy Principles (APPs).

The reforms will have a significant impact on private sector businesses and government agencies that handle personal information. It is important for businesses to understand their obligations and rights in the lead up to the introduction of the new laws.


Overview — privacy principles which govern business and government

Currently, there are different sets of privacy principles that apply to businesses (the National Privacy Principles, or NPPs) and to Australian Government agencies (the Information Privacy Principles, or IPPs). The Amending Act creates a single set of privacy principles by replacing both the NPPs and the IPPs with the APPs.

The APPs will regulate the handling of personal information by both Australian government agencies and certain private sector organisations, collectively known as 'APP entities'.[1] While the APPs apply to all APP entities, in some cases, they impose specific obligations that apply only to agencies or only to organisations.

The Amending Act also introduces what has been described as a more 'comprehensive'[2] credit reporting system, allowing credit reporting bodies to collect a more extensive list of data about individuals.

The changes to the Privacy Act will be supplemented by regulations and a credit reporting privacy code applying to all credit providers and credit reporting bodies.

There is a conditional exemption for small businesses

Currently under the Privacy Act, small businesses (defined as businesses with an annual turnover of $3 million or less)[3] do not need to comply with the NPPs unless they opt in. This exemption will continue under the APPs. However, the following businesses are not exempt even if they meet the turnover test:

  • health service providers;
  • organisations trading in personal information;
  • organisations related to a larger body corporate (which is not a small business);
  • contractors providing services under a Commonwealth contract;
  • reporting entities for the purposes of the AML Act[4]; and
  • operators of residential tenancy databases.

Small businesses must comply with the new credit reporting requirements if they participate in the credit reporting system.

Key messages for businesses

Given that the reforms will soon take effect, businesses must ensure that their privacy procedures comply with the new provisions.

Specifically, businesses should:

  • review and update their privacy policies in accordance with APP 1.3 (discussed below);
  • review all current practices for disclosing personal information to third parties located overseas (for example, outsourcing agreements, cloud computing or data arrangements and disclosures to related bodies corporate);
  • develop procedures for how they deal with unsolicited personal information they receive;
  • review and amend direct marketing procedures, which might require reconfiguring databases; and
  • if the business participates in the credit reporting system as a credit provider and collects or uses credit-related personal information, ensure that systems are in place which comply with the new credit reporting regime.

Australian Privacy Principles

Most of the APPs are based on the existing NPPs. While some of the APPs are new, others expand on the existing NPPs. These changes are outlined below:

  • privacy policies — APP 1.3 imposes more rigid requirements for privacy policies than the existing requirements in the NPPs. APP entities must have a clearly expressed and up to date policy about how they manage personal information;
  • collection and notification — APP 3 clarifies the previous NPPs relating to the collection of personal information, including sensitive information. An APP entity must not collect personal information unless it is reasonably necessary for one or more of the entity's functions or activities. APP 5 provides that if an APP entity collects personal information about an individual, it must take reasonable steps to notify the individual of the collection (and of the matters set out in APP 5.2) at or before the time of collection or, if that is not practicable, as soon as practicable afterwards;
  • unsolicited personal information — APP 4 introduces a new requirement regarding unsolicited information. If an APP entity receives personal information it did not solicit, it must, within a reasonable period, determine whether it could have collected the information under APP 3 (collection of solicited personal information). If the entity determines that it could not have collected the information under APP 3, it must, as soon as practicable, destroy or de-identify the information (provided it is lawful and reasonable to do so). De-identifying means removing or altering the information so that the individual it concerns is no longer identifiable or reasonably identifiable;
  • direct marketing — APP 7 replaces what was previously an exception in the NPPs regarding the use and disclosure of personal information. APP 7 stipulates that an organisation must not use or disclose personal information for the purposes of direct marketing unless an exception applies. The exceptions distinguish between individuals who would reasonably expect to receive direct marketing material from the organisation and those who would not, and in each case require the organisation to provide a simple means by which the individual can opt out of such direct marketing communications; and
  • cross border disclosure of personal information — APP 8.1 introduces a new accountability approach to cross-border disclosure of personal information. It provides that before an APP entity discloses personal information about an individual to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information, and the disclosing entity will generally remain accountable for any such breach. Exceptions apply in certain circumstances, for example where the entity reasonably believes the recipient is bound by a law or binding scheme that protects the information in a way that is substantially similar to the APPs, or where the individual has expressly consented to the disclosure after being informed that APP 8.1 will not apply.

How is the credit reporting system more comprehensive?

In addition to the APPs, the Amending Act will introduce a new Part IIIA into the Privacy Act, providing for more comprehensive credit reporting. Credit-related personal information will be grouped into new categories. The requirements relating to the new categories are determined by the type of entity that holds the information and the purpose for which the entity uses the information.

The credit regime will continue to regulate the collection, use and disclosure of personal information by credit providers and credit reporting bodies. The definition of credit provider has been expanded to also encompass an agency, organisation or small business that is prescribed by the regulations. A mandatory credit reporting privacy code will also apply to the credit reporting system.

New categories of information

Currently, credit reporting bodies can only handle 'negative' personal information about an individual's creditworthiness (such as a default on a payment or a bankruptcy). From March, credit reporting bodies will be able, if they choose, to collect 'positive' data about individuals, namely:

  • the date a credit account was opened or closed;
  • the types of credit account opened (mortgage, credit card, personal loan etc.);
  • the current limit of each open credit account; and
  • repayment history information (discussed below).

A body that collects this information falls within the definition of a credit reporting body operating in the credit reporting system and will be bound by the credit reporting privacy code.

Repayment history information

Repayment history information (RHI) is probably the most important new type of information available for collection under the credit reforms. It includes information about whether an individual has made a payment on time or has missed a payment.

To balance the increased access to information, the Amending Act will also introduce new protections for individuals, including an improved complaint process and increased ability for individuals to correct their credit information.

Under the reforms, access to RHI is limited to credit providers which hold an Australian credit licence and are subject to the responsible lending obligations in Chapter 3 of the National Consumer Credit Protection Act 2009 (Cth).

More Information from Maddocks

For more information, contact Tara Agoston or Philippa Hore in the Maddocks Commercial Group on (03) 9258 3555.


[1] The reforms will not apply to Australian Capital Territory government agencies so the existing Information Privacy Principles that currently apply to all Australian Government agencies will continue to apply to those agencies.

[2] Australian Government, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Explanatory Memorandum.

[3] See section 6D(1) Privacy Act 1988 (Cth).

[4] Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).