The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) was introduced to Parliament on 23 May 2012 and was passed with amendments on 29 November 2012.
The Privacy Amendment Act is a part of the privacy law reform process that began in 2006. More information on the privacy law reform process is available on the History of the Privacy Act page.
The Privacy Amendment Act introduces many significant changes to the Privacy Act. While these changes will not commence until 12 March 2014, Australian Government agencies* and businesses should start preparing now.
Individuals should also be aware that, from December 2012, if they fail to make loan or credit card payments on time, it may affect their ability to obtain credit in the future.
Watch the YouTube video of Australian Privacy Commissioner, Timothy Pilgrim, speaking about the changes to the Privacy Act.
*(and the Norfolk Island Administration)
Australian Privacy Principles
The Privacy Amendment Act includes a set of new, harmonised, privacy principles that will regulate the handling of personal information by both Australian government agencies and businesses. These new principles are called the Australian Privacy Principles (APPs). They will replace the existing Information Privacy Principles (IPPs) that currently apply to Australian Government agencies and the National Privacy Principles (NPPs) that currently apply to businesses.
Under the changes, there are 13 new APPs. A number of the APPs are significantly different from the existing principles, including APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on cross-border disclosure of personal information.
The OAIC has released draft APP guidelines.
Enhanced powers for the Australian Information Commissioner
The Australian Information Commissioner (the Information Commissioner) will also have enhanced powers, which will generally be exercised by the Privacy Commissioner, including the ability to:
- accept enforceable undertakings
- seek civil penalties in the case of serious or repeated breaches of privacy
- conduct assessments of privacy performance for both Australian government agencies and businesses.
Changes to credit reporting laws
Changes to credit reporting laws include:
- the introduction of more comprehensive credit reporting, which will allow the reporting of information about an individual’s current credit commitments and their repayment history information over the previous two years
- a simplified and enhanced correction and complaints process
- a prohibition on the reporting of credit related information about children
- a prohibition on the reporting of defaults of less than $150
- the introduction of specific rules to deal with pre-screening of credit offers
- the introduction of specific provisions that allow an individual to freeze access to their credit related personal information in cases of suspected identity theft or fraud
- the introduction of civil penalties for breaches of certain credit reporting provisions.
For a more detailed explanation of the credit changes see: Privacy business resource 3: Credit reporting — what has changed
External Dispute Resolution
The Information Commissioner will have the power to recognise external dispute resolution (EDR) schemes to handle privacy-related complaints.
The OAIC has issued guidelines to provide guidance to EDR schemes on the matters the Commissioner must take into account in considering whether to recognise an EDR scheme and the steps EDR schemes should take to apply for recognition.
Importantly, from 12 March 2014, under Part IIIA of the Privacy Act, a credit provider must be a member of an EDR scheme recognised under the Privacy Act to be able to participate in the credit reporting system.
For further information on EDR schemes that have applied for recognition and schemes that have been recognised, see our External dispute resolution webpage.
The Privacy Amendment Act introduces new laws on codes of practice about information privacy (APP codes) and a code of practice for credit reporting (the CR code), including powers for the Information Commissioner or the Privacy Commissioner to develop and register binding codes that are in the public interest.
The OAIC has released Code development guidelines covering both APP codes and the CR code.
The OAIC has produced a number of resources both to assist agencies and organisations, and their staff, in preparing for the reforms and to help individuals understand the changes:
- Australian Privacy Principles
- Draft APP guidelines (new: APPs 12 and 13 out for consultation)
- Code development guidelines
- EDR scheme recognition guidelines
- Frequently asked questions
- IPP/APP comparison guide
- NPP/APP comparison guide
- Checklist for APP entities (organisations)
- Checklist for APP entities (agencies)
- A privacy reform poster
- An APP quick reference tool (a 1 page summary of the APPs)
- Staff training presentations
- Credit reporting — what has changed
- Credit reporting: repayment history information
- Law reform guidance - expected publication schedule (updated 5 Sept 2013)
How can I get more information about the changes?
In 2013, the OAIC will be releasing a series of publications aimed at assisting Australian Government agencies, businesses and the general public to understand the changes.
The OAIC will be engaging with the media and peak bodies to ensure continuing education on the changes.
People can keep in touch with the OAIC by subscribing to: