- Australian Privacy Principles
- Enhanced powers for the OAIC
- Changes to credit reporting laws
- Recognising external dispute resolution schemes
- Privacy codes
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) made many significant changes to the Privacy Act 1988 (Privacy Act). These changes commenced on 12 March 2014.
The Privacy Regulation 2013, made under the Privacy Act, also commenced on 12 March 2014.
The Privacy Amendment Act is a part of a privacy law reform process that began in 2004. The ‘Previous Privacy Reviews’ section below, includes more information about that process.
The Privacy Act now includes a set of 13 new harmonised privacy principles that regulate the handling of personal information by Australian and Norfolk Island Government agencies and some private sector organisations. These principles are called the Australian Privacy Principles (APPs). They replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organisations.
A number of the APPs are significantly different from the existing principles, including APP 7 on the use and disclosure of personal information for the purpose of direct marketing, and APP 8 on cross-border disclosure of personal information.
For more information on the APPs and the OAIC’s APP guidelines, see Australian Privacy Principles.
Australian Capital Territory public sector agencies continued to be covered by the Privacy Act, as in force on 1 July 1994 (and as modified by the Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (Cth)), until 1 September 2014 when the Information Privacy Act 2014 (ACT) came into force. For more information on the ACT privacy reforms see Australian Capital Territory Privacy.
The Privacy Act now includes enhanced powers for the OAIC which include:
- conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations.
- accepting enforceable undertakings
- seeking civil penalties in the case of serious or repeated breaches of privacy
The OAIC is developing a policy and guide (covering existing and new powers) that outline and explain the OAIC’s approach to using its privacy regulatory action powers.
For more information, see Applying privacy law.
The Privacy Act now includes new credit reporting provisions including:
- the introduction of more comprehensive credit reporting, a simplified and enhanced correction and complaints process
- the introduction of civil penalties for breaches of certain credit reporting provisions
- a requirement for credit providers to be a member of an external dispute resolution scheme, recognised under the Privacy Act, to be able to participate in the credit reporting system.
For a more detailed explanation of the credit changes see:
- Privacy business resource 3: Credit reporting — what has changed (for business)
- Privacy fact sheets 26 to 40: Credit reporting 'know your rights' series (for consumers)
The new mandatory Privacy (Credit Reporting) Code 2014 (CR code), developed by the Australian Retail Credit Association, can be found on the OAIC's Codes register.
For more information see Credit reporting.
The Privacy Act, now gives the OAIC the power to recognise external dispute resolution (EDR) schemes to handle privacy-related complaints.
The OAIC has issued guidelines to provide guidance to EDR schemes applying for recognition.
For more information, including a list of EDR schemes that have been recognised, see Recognised EDR schemes.
The Privacy Act includes new provisions on codes of practice about information privacy (APP codes) and a code of practice for credit reporting (the CR code), including enabling the Information Commissioner to develop and register binding codes that are in the public interest.
The OAIC has released Code development guidelines to assist agencies and organisations considering developing a code under the Privacy Act.
For more information, including Codes that have been registered , see Codes register.
The following resources will assist entities and individuals understand the privacy law that applies from 12 March 2014:
- Privacy Act 1988 compilation External link
- Privacy Regulation 2013 External link
- OAIC's privacy regulatory action policy (draft)
- Privacy fact sheet 24: How changes to privacy law affect you
The Australian Privacy Principles (APPs)
- APP guidelines
- APPs (a fact sheet listing the APPs)
- APP quick reference tool (Colour poster for the desktop)
- APP/NPP comparison guide (organisations)
- APP/IPP comparison guide (agencies)
- Checklist for APP entities (organisations)
- Checklist for APP entities (agencies)
Other key documents to assist implementing the APPs
- Guide to undertaking privacy impact assessments
- Data breach notification—A guide to handling personal information security breaches
- Guide to information security
- De-identification of data and information
- Privacy (Credit Reporting) Code 2014
- Privacy (Credit Related Research) Rule 2014
- Privacy business resource 3: credit reporting—what has changed
- Privacy fact sheet 25: Credit reporting in Australia – summary
- Privacy fact sheets 26 to 40: Credit reporting 'know your rights' series
- Credit FAQs (called Topics)
- Additionally, the Australian Retail Credit Association (ARCA) has developed an information website (CreditSmart) to help consumers understand the effects of the Privacy Act reforms on how credit reporting will operate in Australia.
External dispute resolution schemes
- Guidelines under s 95 of the Privacy Act (2014)
- Guidelines under s 95A of the Privacy Act (2014)
- Guidelines under s 95AA of the Privacy Act (2014)
- Privacy (Persons Reported as Missing) Rule 2014
- Guide to the Privacy (Persons Reported as Missing) Rule 2014
From 12 March 2014 many of the webpages on this website have been updated to reflect the amended Privacy Act.
On 12 June 2013, the Australian Law Reform Commission (ALRC) was given Terms of Reference for an inquiry into the protection of privacy in the digital era. The inquiry addresses both prevention and remedies for serious invasions of privacy.
An Issues Paper was released on 8 October 2013, signalling the first stage of public consultation for the Inquiry.
The OAIC made the following submission to the inquiry:
- Submission to the Australian Law Reform Commission — Serious Invasions of Privacy in the Digital Era (December 2013)
2010–11: Exposure Drafts of Australian Privacy Amendment Legislation
In June 2010, the Australian Government released Exposure Drafts of Australian Privacy Amendment Legislation (Exposure Draft Legislation) which reflected its response to the ALRC report. The Exposure Draft Legislation included draft APPs and credit reporting provisions. On 24 June 2010 the Senate referred the Exposure Draft Legislation to the Senate Finance and Public Administration Committee (Senate Finance Committee) for inquiry and report.
The OPC (and later the OAIC) made the following submissions on the Exposure Draft Legislation:
- Inquiry into Exposure Drafts of Australian Privacy Amendment Legislation (APPs); Submission to the Senate Finance and Public Administration Committee (August 2010)
- Credit Reporting Exposure Draft and Companion Guide; Submission to the Senate Finance and Public Administration Committee (March 2011)
The Exposure Draft Legislation, the Senate Finance Committee reports and other information can be found on the Senate Finance Committee inquiry webpage.
On 23 September 2011, the Australian Government released an issues paper on the right to sue for serious invasion of personal privacy, A Commonwealth statutory cause of action for serious invasion of privacy.
The paper invited comments to inform the Australian Government’s response to the ALRC Report which recommended the introduction of a statutory cause of action (a right to sue created by law) for serious invasions of privacy of natural persons.
In November 2011, the OAIC made a submission on the issues paper:
- Issues Paper — A Commonwealth statutory cause of action for serious invasion of privacy: Submission to the Attorney-General's Department (November 2011)
On 23 May 2012, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Reform Bill) was introduced into the Australian Parliament. The Reform Bill reflected elements of the Government’s first stage response to the ALRC Report.
The Reform Bill was referred to both the House Standing Committee on Social Policy and Legal Affairs (House Committee) and the Senate Legal and Constitutional Affairs Legislation Committee (Senate Committee) for inquiry and report.
The OAIC made the following submissions to the House Committee:
- Privacy Amendment (Enhancing Privacy Protection) Bill 2012: Submission to the House of Representatives Standing Committee on Social Policy and Legal Affairs (July 2012)
- Privacy Amendment (Enhancing Privacy Protection) Bill 2012 — Supplementary submission to House of Representatives Standing Committee on Social Policy and Legal Affairs (August 2012)
- Privacy Amendment (Enhancing Privacy Protection) Bill 2012: Submission to the Senate Standing Committee on Legal and Constitutional Affairs (July 2012)
- Privacy Amendment (Enhancing Privacy Protection) Bill 2012: Supplementary submission to the Senate Standing Committee on Legal and Constitutional Affairs (August 2012)
- In August 2012, the Australian Government published a discussion paper, Proposed Regulations under the Privacy Amendment (Enhancing Privacy Protection) Bill.
- Proposed regulations under the Privacy Amendment (Enhancing Privacy Protection) Bill; Submission to the Attorney-General's Department (September 2012)
The Reform Bill passed through the Parliament with amendments on 29 November 2012 and received royal assent on 12 December 2012.
In October 2012, the Attorney-General's Department released Discussion Paper: Australian Privacy Breach Notification. The discussion paper was released in response to one of the ALRC’s recommendations that a mandatory data breach notification scheme be introduced.
The OAIC made a submission on the discussion paper:
- Discussion Paper: Australian Privacy Breach Notification — OAIC Submission to Attorney General's Department (November 2012)
2009: Australian Government response 'Enhancing National Privacy Protection'
On 14 October 2009, the Australian Government released Enhancing National Privacy Protection, the first stage of its response to the ALRC Report on 14 October 2009.
Given the large number of recommendations, the Government announced that it would respond to the ALRC Report in two stages. The Government’s first stage response addressed 197 of the ALRC’s 295 recommendations. Stage two of the Government’s response will consider the remaining 98 recommendations in the ALRC Report.
2006-08: The ALRC privacy inquiry
On 31 January 2006, the ALRC received Terms of Reference from the Australian Attorney-General for an inquiry into the extent to which the Privacy Act and related laws continue to provide an effective framework for the protection of privacy in Australia. This had been the primary recommendation of the OPC's review into the private sector provisions completed in 2005.
The ALRC Final Report, For Your Information - Australian Privacy Law and Practice (ALRC Report) was provided to the Australian Attorney-General on 30 May 2008 and was made publicly available on 11 August 2008.
The following submissions were made by the OPC in relation to the ALRC Inquiry:
- Submission to the Australian Law Reform Commission's Review of Privacy — Issues Paper 31 (February 2007)
- Submission to the Australian Law Reform Commission’s Review of Privacy — Issues Paper 32 Credit Reporting Provisions (April 2007)
- Submission to the Australian Law Reform Commission's Review of Privacy — Discussion Paper 72 (December 2007)
2004-05: OPC review of private sector provisions
On 13 August 2004 the Australian Attorney-General requested the Privacy Commissioner to undertake a review of the private sector provisions of the Privacy Act 1988. The report of that review, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988was submitted to the Attorney-General on 31 March 2005.