This article is more than 24 months old and is now archived. This article has not been updated to reflect any changes to the law.
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Amending Act) was passed on 12 December 2012, and takes effect on 12 March 2014. The Amending Act will bring significant changes to the Privacy Act 1988 (Cth) (Privacy Act) including:
The reforms will have a significant impact on private sector businesses and government agencies that handle private information. It is important for businesses to understand their obligations and rights in the lead up to the introduction of the new laws.
Tara Agoston and Mihilini Fernando, Maddocks Lawyers

Currently, there are different sets of privacy principles that apply to businesses and to Australian Government agencies. The Amending Act creates a single set of privacy principles by replacing the current National Privacy Principles (NPPs) with the Australian Privacy Principles (APPs).
The APPs will regulate the handling of personal information by both Australian government agencies and certain private sector organisations, collectively known as 'APP entities'.[1] While the APPs apply to all APP entities, in some cases, they impose specific obligations that apply only to agencies or only to organisations.
The Amending Act also introduces what has been described as a more 'comprehensive'[2] credit reporting system, allowing credit reporting bodies to collect a more extensive list of data about individuals.
The changes to the Privacy Act will be supplemented by regulations and a credit reporting privacy code applying to all credit providers and credit reporting bodies.
Currently under the Privacy Act, small businesses (defined as businesses with an annual turnover of $3 million or less)[3] do not need to participate in the NPPs unless they opt in. This exemption will continue under the APPs. However, small businesses which meet this definition and are not exempt include:
Small businesses must comply with the new credit reporting requirements if they participate in the credit reporting system.
Given that the reforms will soon take effect, businesses must ensure that their privacy procedures comply with the new provisions.
Specifically, businesses should:
Most of the APPs are based on the existing NPPs. While some of the APPs are new, others expand on the existing NPPs. These changes are outlined below:
In addition to the APPs, the Amending Act will introduce a new Part IIIA into the Privacy Act, providing for more comprehensive credit reporting. Credit-related personal information will be grouped into new categories. The requirements relating to the new categories are determined by the type of entity that holds the information and the purpose for which the entity uses the information.
The credit regime will continue to regulate the collection, use and disclosure of personal information by credit providers and credit reporting bodies. The definition of credit provider has been expanded to also encompass an agency, organisation or small business that is prescribed by the regulations. A mandatory credit reporting privacy code will also apply to the credit reporting system.
Currently, credit reporting bodies can only handle personal information that could be adverse to an individual's creditworthiness (such as defaulting on a payment). From March, credit reporting bodies will be able, if they choose, to collect 'positive' data about individuals, namely:
If they collect this information, they will fall within the definition of a credit reporting body which operates in a credit reporting system and will be bound by the credit reporting privacy code.
Repayment history information (RHI) is probably the most important new type of information available for collection under the credit reforms. It includes information about whether an individual has made a payment on time or has missed a payment.
To balance the increased access to information, the Amending Act will also introduce new protections for individuals, including an improved complaint process and increased ability for individuals to correct their credit information.
Under the reforms, access to RHI is limited to credit providers who hold Australian credit licences and who are subject to responsible lending obligations under Chapter 3 of the National Consumer Protection Act 2009 (Cth).
For more information, contact Tara Agoston or Philippa Hore in the Maddocks Commercial Group on (03) 9258 3555.
[1] The reforms will not apply to Australian Capital Territory government agencies so the existing Information Privacy Principles that currently apply to all Australian Government agencies will continue to apply to those agencies.
[2] Australian Government, Privacy Amendment (Amending Privacy Protection) Bill 2012, Explanatory Memorandum.
[3] See section 6D(1) Privacy Act 1988 (Cth).
[4] Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).