Privacy law reform

On this page:

• Introduction
• Latest news
• What's changed
• Where to get more information

---

Introduction

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Reform Act) passed through the Australian Parliament on 29 November 2012 and received royal assent on 12 December 2012.

The privacy law reform process began in 2006, almost 20 years after the Privacy Act was first introduced in 1988.

While these changes will not commence until March 2014, Australian Government agencies and businesses are advised to start preparing now.

Individuals should also be aware that if they fail to make loan or credit card payments on time from December 2012, it may affect their ability to obtain credit in the future. See Privacy fact sheet 16 about this.

Watch the video of Australian Privacy Commissioner, Timothy Pilgrim speaking about the reforms (on YouTube).

Read the answers to frequently asked questions on the privacy law reform changes.

Latest news

9 May 2013: New resources

During Privacy Awareness Week, as well as the checklists below, the OAIC released a number of new resources that will assist agencies and organisations, and their staff, in preparing for the reforms. Those resources included:

• A privacy reform poster
• An APP quick reference tool (a 1 page summary of the APPs)
• Staff training presentations

3 May 2013: Business and agency resource: Privacy Act reforms Checklist for APP entities (agencies and organisations)

The OAIC has published a Privacy Act reforms compliance checklist for APP entities (agencies and organisations):

• Privacy Business Resource 2: Privacy Act reforms—Checklist for APP entities (organisations) (PDF)
• Privacy Agency Resource 2: Privacy Act reforms—Checklist for APP entities (agencies) (PDF)

29 April 2013: Guide to information security: ‘reasonable steps’ to protect personal information

The OAIC has published a Guide to information security: ‘reasonable steps’ to protect personal information to assist organisations and agencies meet their Privacy Act obligations in relation to personal information security.

16 April 2013: Two comparison guides published to assist agencies and businesses

The OAIC has published two comparison guides to assist agencies and businesses understand the differences between the new APPs and the existing IPPs and NPPs.

5 April 2013: Draft Credit Reporting Code of Conduct – public consultation by Australasian Retail Credit Association

ARCA has released a draft version of the new credit reporting code for public consultation. 

3 April 2013: Increase in penalty amounts

On 28 December 2012, section 4AA of the Crimes Act 1914 was amended to increase the amount of a penalty unit from $110 to $170. This means that, under the reforms to the Privacy Act due to commence on 12 March 2014, the maximum penalty amount for a serious or repeated interference with the privacy of an individual will be $340,000 for individuals and $1.7 million for entities.

11 March 2013

Release of a consultation draft of Guidelines for developing codes. Comments are due by Friday 12 April 2013.

7 March 2013

On 1 March 2013, the Privacy Commissioner exercised his power under s 26P(3)(b) in Schedule 3 of the Reform Act to extend the period within which ARCA must comply with his earlier request to develop a CR code and apply to have that code registered:

• Letter advising of extension of period within which ARCA must comply with the request to develop a CR code and apply to have that code registered (March 2013)

20 December 2012

Under the new Part IIIA of the Reform Act the Commissioner may request a code developer to develop a code of practice about credit reporting, called a CR code, to supplement the new credit reporting provisions. On 20 December 2012 the Privacy Commissioner, Mr Timothy Pilgrim, excercised this power and made a request to the Australasian Retail Credit Association (ARCA).

---

What's changed?

Australian Privacy Principles

The Reform Act includes a set of new, harmonised, privacy principles for both the public and private sector, called the Australian Privacy Principles (APPs). These new principles will replace the existing Information Privacy Principles (IPPs) that currently apply to the public sector and the National Privacy Principles (NPPs) that currently apply to the private sector.

Under the reforms, there will be 13 new APPs. A number of the APPs are significantly different from the existing principles, including APP 1 on the open and transparent management of personal information, APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on cross-border disclosure of personal information (see Privacy fact sheet 17 for the text of the 13 APPs and the APP quick reference tool).

Comparison guides

Two comparison guides are available to assist agencies and businesses understand the differences between the APPs and the IPPs and NPPs:

• For agencies: Australian Privacy Principles and Information Privacy Principles – Comparison Guide
• For businesses: Australian Privacy Principles and National Privacy Principles – Comparison Guide

Enhanced powers for the Commissioner

The Commissioner will have enhanced powers, including the ability to:

• accept enforceable undertakings
• seek civil penalties in the case of serious or repeated breaches of privacy
• conduct assessments of privacy performance for both Australian government agencies and businesses.

Changes to credit reporting laws

Changes to credit reporting laws include:

• the introduction of more comprehensive credit reporting, which will allow the reporting of information about an individual’s current credit commitments and their repayment history information over the previous two years (see Privacy fact sheet 16 about this) 
• a simplified and enhanced correction and complaints process
• a prohibition on the reporting of credit related information about children
• a prohibition on the reporting of defaults of less than $150

• the introduction of specific rules to deal with pre-screening of credit offers
• the introduction of specific provisions that allow an individual to freeze access to their credit related personal information in cases of suspected identity theft or fraud
• the introduction of civil penalties for breaches of certain credit reporting provisions.

---

How can I get more information about the changes?

In 2013, the Office of the Australian Information Commissioner (OAIC) will be releasing a series of publications aimed at assisting Australian Government agencies, businesses and the general public to understand the changes.

The OAIC will be engaging with the media and peak bodies to ensure continuing education on the changes.

People can keep in touch with the OAIC by subscribing to:

• OAICnet — a mailing list for general updates about the OAIC’s activities
• Privacy Connections — a network for private sector privacy contact officers
• Information Contact Officer Network (ICON) — a network for public sector privacy (and FOI) contact officers.
• Privacy law reform RSS feed — for immediate updates on the release of privacy law reform guidance material from the OAIC.