Privacy Commissioner issues a reminder about the changes to the Privacy Act

January 13, 2014 |

In Know your privacy rights the Privacy Commissioner has posted a reminder of the upcoming changes to the Privacy Act.  Nothing new or dramatic in the notice but a good overview.  The real question is whether enough organisations are listening.

It provides:

On 12 March 2014, Australian privacy laws will change.

The changes mean that private-sector organisations and Australian Government agencies covered by the laws will need to be more transparent about how they handle your personal information. This will help you make more informed choices about how you want your personal information handled, and also help you decide whether you want to deal with the entity. You will be able to read an entity’s privacy policy and find out how your personal information will be handled, whether it is likely to be sent overseas and how to complain about a possible privacy breach.

The way in which your personal information can be used for direct marketing will also change. For the first time, you will have the right to ask a private-sector organisation to tell you where they got your personal information.  A private-sector organisation will also have to give you an easy way to opt-out of receiving direct marketing communications.

There are also changes to the credit reporting system. Five new kinds of credit-related personal information, including the repayment history on your home or car loan and your credit card, will be able to be collected by credit reporting bodies and passed onto lenders. It is also important to remember that you can request a copy of your credit report from a credit reporting body for free in most circumstances.

The new privacy laws will also give the Commissioner new powers to resolve privacy complaints and investigations, including the ability to impose a penalty of up to $1.7 million.

The Commissioner links to the Privacy Reform page (found here) which provides:

The Privacy Amendment (Enhancing Privacy Protection) Act 2012(Privacy Amendment Act) was introduced to Parliament on 23 May 2012 and was passed with amendments on 29 November 2012.

The Privacy Amendment Act is a part of the privacy law reform process that began in 2006. More information on the privacy law reform process is available on the History of the Privacy Act page.

The Privacy Amendment Act introduces many significant changes to the Privacy Act. While these changes will not commence until 12 March 2014, Australian Government agencies* and businesses should start preparing now.

The Privacy Regulation 2013, made under the Privacy Act, and to also commence on 12 March 2014 was registered on 17 December 2013.

Individuals should also be aware that from December 2012 if they fail to make loan or credit card payments on time, it may affect their ability to obtain credit in the future.

Watch the YouTube video of Australian Privacy Commissioner, Timothy Pilgrim speaking about the changes to the Privacy Act.

*(and the Norfolk Island Administration)

What’s changed?

Australian Privacy Principles

The Privacy Amendment Act includes a set of new, harmonised, privacy principles that will regulate the handling of personal information by both Australian government agencies and businesses. These new principles are called the Australian Privacy Principles (APPs). They will replace the existing Information Privacy Principles (IPPs) that currently apply to Australian Government agencies and the National Privacy Principles (NPPs) that currently apply to businesses.

Under the changes, there are 13 new APPs. A number of the APPs are significantly different from the existing principles, including APP 7 on the use and disclosure of personal information for direct marketing, and APP 8 on cross-border disclosure of personal information.

The OAIC has released draft APP guidelines.

Enhanced powers for the Australian Information Commissioner

The Australian Information Commissioner (the Information Commissioner) will also have enhanced powers, which will generally be exercised by the Privacy Commissioner, including the ability to:

  • accept enforceable undertakings
  • seek civil penalties in the case of serious or repeated breaches of privacy
  • conduct assessments of privacy performance for both Australian government agencies and businesses.

Changes to credit reporting laws

Changes to credit reporting laws include:

  • the introduction of more comprehensive credit reporting, which will allow the reporting of information about an individual’s current credit commitments and their repayment history information over the previous two years
  • a simplified and enhanced correction and complaints process
  • a prohibition on the reporting of credit related information about children
  • a prohibition on the reporting of defaults of less than $150
  • the introduction of specific rules to deal with pre-screening of credit offers
  • the introduction of specific provisions that allow an individual to freeze access to their credit related personal information in cases of suspected identity theft or fraud
  • the introduction of civil penalties for breaches of certain credit reporting provisions
  • a requirement for credit providers to be a member of an EDR scheme, recognised under the Privacy Act, to be able to participate in the credit reporting system.

For a more detailed explanation of the credit changes see: Privacy business resource 3: Credit reporting — what has changed

A new credit reporting code under the amended Privacy Act has been developed and submitted to the OAIC for registration.

External Dispute Resolution

The Information Commissioner will have the power to recognise external dispute resolution (EDR) schemes to handle privacy-related complaints.

The OAIC has issued guidelines to provide guidance to EDR schemes on the matters the Commissioner must take into account in considering whether to recognise an EDR scheme and the steps EDR schemes should take to apply for recognition.

Importantly, from 12 March 2014, under Part IIIA of the Privacy Act, a credit provider must be a member of an EDR scheme recognised under the Privacy Act to be able to participate in the credit reporting system.

For further information on EDR schemes that have applied for recognition and schemes that have been recognised see our External dispute resolution webpage


The Privacy Amendment Act introduces new laws on codes of practice about information privacy (APP codes) and a code of practice for credit reporting (the CR code), including enabling the Information Commissioner to develop and register binding codes that are in the public interest.

The OAIC has released Code development guidelines to assist agencies and organisations considering developing a code under the Privacy Act.




Leave a Reply

Verified by MonsterInsights