Privacy law changes start on 12 March 2014

31 January 2014

Australia’s major privacy law reforms commence on 12 March 2014.

These reforms to the Privacy Act 1988 (Cth) have been well publicised and Australian private sector and Commonwealth public sector organisations are required to be fully compliant by 12 March – the transition period is coming to an end.

From 12 March the Privacy Commissioner will have much stronger powers, including the ability to seek a civil penalty of up to $1.7 million for a serious or repeated privacy breach. The Privacy Commissioner has said he “will not shy away” from using these new powers.

Many organisations have spent months preparing for the changes and will be ready for them.

Others are aware of the changes but haven’t yet taken action. If you’re in that category, what should you do now to reduce your risk? Here are our “Top 5” tips.

1. Update your privacy policy

As your privacy policy is usually on your website, it’s highly visible. Don’t let it betray that you’re not compliant with the new regime. Changes you will probably need to make to your privacy policy include:

  • Referring to the Australian Privacy Principles (APPs), not the National Privacy Principles.
  • Stating how an individual can complain about a breach of the APPs and how you’ll deal with such a complaint.
  • Stating whether you’re likely to disclose personal information overseas, and if so the countries where the recipients are likely to be located.

2. Update your privacy statements

These are the statements you must provide to individuals when (or as soon as practical after) you collect personal information about them. For example, if your website allows users to enter a competition or to request information from you, you should use a privacy statement on the website. Changes you will probably need to make in your privacy statements include:

  • Stating that your privacy policy includes information about how an individual can complain about a breach of the APPs and how you’ll deal with such a complaint.
  • Stating whether you’re likely to disclose personal information overseas, and if so the countries where the recipients are likely to be located.

3. Prepare an internal privacy compliance guide

The APPs require organisations to take reasonable steps to put procedures and systems in place to ensure compliance with the APPs. A key part of your compliance program should be an internal privacy compliance guide that sets out, amongst other things:

  • A very high level summary of the practical requirements of privacy law for your organisation and some information about why privacy compliance is important.
  • Rules about how your organisation will collect, store, use and disclose personal information.
  • Details of how your organisation will deal with a privacy complaint, a request by an individual for access to their data or a privacy breach.
  • Guidance on tricky issues, such as entering agreements that will involve your organisation disclosing personal information overseas.
  • Details of who is responsible for privacy compliance within your organisation.

4. Train key staff

Another vital part of your compliance program is to train the staff who handle personal information about the changes to the law. There are some basic training materials on the Privacy Commissioner’s website – or we can assist you to prepare tailored, practical training for your organisation.

5. Conduct a Privacy Act and Spam Act audit

In conjunction with doing all of the above, or as soon as practical afterwards, conduct an audit of how your organisation collects, stores, uses and discloses personal information, to check compliance with the APPs and (since it’s very closely related) the Spam Act 2003 (Cth). Some areas of increased risk under the new APPs are:

  • If your organisation discloses personal information overseas, in many circumstances your organisation will be responsible for any breach of the APPs by the overseas recipient.
  • When you conduct direct marketing you will need to provide a simple “opt out” mechanism (similar to what is currently required for email and SMS marketing under the Spam Act). In some cases you won’t be legally obliged to draw this “opt out” mechanism to the individual’s attention, however for the sake of simplicity and good practice it may be best to include an “opt out” statement in all of your direct marketing materials.

If your audit identifies compliance gaps, you should work to close the gaps as soon as practical.

Following our “Top 5” tips doesn’t guarantee you’ll be fully compliant with the new privacy regime (which is quite complex) but at least you will reduce the chance that the first privacy complaint under the new regime is against you!

The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.

Helen Clarke

Partner. Brisbane
+61 7 3228 9818
Philip Catania

Partner. Melbourne
+61 3 9672 3333