The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) made many significant changes to the Privacy Act 1988 (Privacy Act). These changes commenced on 12 March 2014.
The Privacy Regulation 2013, made under the Privacy Act, also commenced on 12 March 2014
Watch the YouTube video of Australian Privacy Commissioner, Timothy Pilgrim speaking about the changes to the Privacy Act.
The Privacy Amendment Act is a part of a privacy law reform process that began in 2004. The ‘Previous Privacy Reviews’ section below, includes more information about that process.
Australian Privacy Principles
The Privacy Act now includes a set of 13 new harmonised privacy principles that regulate the handling of personal information by Australian and Norfolk Island Government agencies and some private sector organisations. These principles are called the Australian Privacy Principles (APPs). They replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organisations.
A number of the APPs are significantly different from the existing principles, including APP 7 on the use and disclosure of personal information for the purpose of direct marketing, and APP 8 on cross-border disclosure of personal information.
For more information on the APPs and the OAIC’s APP guidelines, see Australian Privacy Principles. The 2014 reforms do not apply to Australian Capital Territory government agencies. Instead, the Privacy Act, as in force on 1 July 1994 (and as modified by the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth)), continues to apply to those agencies.
Enhanced powers for the OAIC
The Privacy Act now includes enhanced powers for the OAIC which include:
- conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations.
- accepting enforceable undertakings
- seeking civil penalties in the case of serious or repeated breaches of privacy
The OAIC is developing guidance documents (covering existing and new powers) that outline and explain the OAIC’s approach to using its privacy regulatory action powers.
For more information, see Applying privacy law.
Changes to credit reporting laws
The Privacy Act now includes new credit reporting provisions including:
- the introduction of more comprehensive credit reporting, a simplified and enhanced correction and complaints process
- the introduction of civil penalties for breaches of certain credit reporting provisions
- a requirement for credit providers to be a member of an external dispute resolution scheme, recognised under the Privacy Act, to be able to participate in the credit reporting system.
For a more detailed explanation of the credit changes see: Privacy business resource 3: Credit reporting — what has changed
A new mandatory credit reporting privacy code (CR code), developed by the Australian Retail Credit Association, found on the OAIC's Codes Register also commenced on 12 March 2014.
For more information see Credit reporting.
External Dispute Resolution Schemes
The Privacy Act, now gives the OAICthe power to recognise external dispute resolution (EDR) schemes to handle privacy-related complaints.
The OAIC has issued guidelines to provide guidance to EDR schemes applying for recognition.
For more information, including a list of EDR schemes that have been recognised, see External dispute resolution.
The Privacy Act includes new provisions on codes of practice about information privacy (APP codes) and a code of practice for credit reporting (the CR code), including enabling the Information Commissioner to develop and register binding codes that are in the public interest.
The OAIC has released Code development guidelines to assist agencies and organisations considering developing a code under the Privacy Act.
For more information, including Codes that have been registered , see Codes Register.
The OAIC has published a number of resources to assist entities and individuals understand the March 2014 changes:
- Australian Privacy Principles
- APP guidelines
- An APP quick reference tool (a 1 page summary of the APPs)
- IPP/APP comparison guide
- NPP/APP comparison guide
- Checklist for APP entities (organisations)
- Checklist for APP entities (agencies)
- Code development guidelines
- Credit reporting — what has changed
- Credit reporting: repayment history information
- EDR scheme recognition guidelines
- Frequently asked questions
- Staff training presentations
- A privacy reform poster
Current privacy reviews and inquiries
On 12 June 2013, the Australian Law Reform Commission (ALRC) was given Terms of Reference for an inquiry into the protection of privacy in the digital era. The inquiry addresses both prevention and remedies for serious invasions of privacy.
An Issues Paper was released on 8 October 2013, signalling the first stage of public consultation for the Inquiry.
The OAIC made the following submission to the inquiry:
- Submission to the Australian Law Reform Commission — Serious Invasions of Privacy in the Digital Era (December 2013)
Previous privacy reviews and inquiries
2010–11: Exposure Drafts of Australian Privacy Amendment Legislation
In June 2010, the Australian Government released Exposure Drafts of Australian Privacy Amendment Legislation (Exposure Draft Legislation) which reflected its response to the ALRC report. The Exposure Draft Legislation included draft APPs and credit reporting provisions. On 24 June 2010 the Senate referred the Exposure Draft Legislation to the Senate Finance and Public Administration Committee (Senate Finance Committee) for inquiry and report.
The OPC (and later the OAIC) made the following submissions on the Exposure Draft Legislation:
- Inquiry into Exposure Drafts of Australian Privacy Amendment Legislation (APPs); Submission to the Senate Finance and Public Administration Committee (August 2010)
- Credit Reporting Exposure Draft and Companion Guide; Submission to the Senate Finance and Public Administration Committee (March 2011)
The Exposure Draft Legislation, the Senate Finance Committee reports and other information can be found on the Senate Finance Committee inquiry webpage.
On 23 September 2011, the Australian Government released an issues paper on the right to sue for serious invasion of personal privacy, A Commonwealth statutory cause of action for serious invasion of privacy.
The paper invited comments to inform the Australian Government’s response to the ALRC Report which recommended the introduction of a statutory cause of action (a right to sue created by law) for serious invasions of privacy of natural persons.
In November 2011, the OAIC made a submission on the issues paper:
- Issues Paper — A Commonwealth statutory cause of action for serious invasion of privacy: Submission to the Attorney-General's Department (November 2011)
On 23 May 2012, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Reform Bill) was introduced into the Australian Parliament. The Reform Bill reflected elements of the Government’s first stage response to the ALRC Report.
The Reform Bill was referred to both the House Standing Committee on Social Policy and Legal Affairs (House Committee) and the Senate Legal and Constitutional Affairs Legislation Committee (Senate Committee) for inquiry and report.
The OAIC made the following submissions to the House Committee:
- Privacy Amendment (Enhancing Privacy Protection) Bill 2012: Submission to the House of Representatives Standing Committee on Social Policy and Legal Affairs (July 2012)
- Privacy Amendment (Enhancing Privacy Protection) Bill 2012 — Supplementary submission to House of Representatives Standing Committee on Social Policy and Legal Affairs (August 2012)
- Privacy Amendment (Enhancing Privacy Protection) Bill 2012: Submission to the Senate Standing Committee on Legal and Constitutional Affairs (July 2012)
- Privacy Amendment (Enhancing Privacy Protection) Bill 2012: Supplementary submission to the Senate Standing Committee on Legal and Constitutional Affairs (August 2012)
- In August 2012, the Australian Government published a discussion paper, Proposed Regulations under the Privacy Amendment (Enhancing Privacy Protection) Bill.
- Proposed regulations under the Privacy Amendment (Enhancing Privacy Protection) Bill; Submission to the Attorney-General's Department (September 2012)
The Reform Bill passed through the Parliament with amendments on 29 November 2012 and received royal assent on 12 December 2012.
In October 2012, the Attorney-General's Department released Discussion Paper: Australian Privacy Breach Notification. The discussion paper was released in response to one of the ALRC’s recommendations that a mandatory data breach notification scheme be introduced.
The OAIC made a submission on the discussion paper:
- Discussion Paper: Australian Privacy Breach Notification — OAIC Submission to Attorney General's Department (November 2012)
2009: Australian Government response 'Enhancing National Privacy Protection'
On 14 October 2009, the Australian Government released Enhancing National Privacy Protection, the first stage of its response to the ALRC Report on 14 October 2009.
Given the large number of recommendations, the Government announced that it would respond to the ALRC Report in two stages. The Government’s first stage response addressed 197 of the ALRC’s 295 recommendations. Stage two of the Government’s response will consider the remaining 98 recommendations in the ALRC Report.
2006-08: The ALRC privacy inquiry
On 31 January 2006, the ALRC received Terms of Reference from the Australian Attorney-General for an inquiry into the extent to which the Privacy Act and related laws continue to provide an effective framework for the protection of privacy in Australia. This had been the primary recommendation of the OPC's review into the private sector provisions completed in 2005.
The ALRC Final Report, For Your Information - Australian Privacy Law and Practice (ALRC Report) was provided to the Australian Attorney-General on 30 May 2008 and was made publicly available on 11 August 2008.
The following submissions were made by the OPC in relation to the ALRC Inquiry:
- Submission to the Australian Law Reform Commission's Review of Privacy — Issues Paper 31 (February 2007)
- Submission to the Australian Law Reform Commission’s Review of Privacy — Issues Paper 32 Credit Reporting Provisions (April 2007)
- Submission to the Australian Law Reform Commission's Review of Privacy — Discussion Paper 72 (December 2007)
2004-05: OPC review of private sector provisions
On 13 August 2004 the Australian Attorney-General requested the Privacy Commissioner to undertake a review of the private sector provisions of the Privacy Act 1988. The report of that review, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988was submitted to the Attorney-General on 31 March 2005.