Changes to Privacy Laws

Substantial changes to the Privacy Act 1988 (Privacy Act) came into effect on 12 March 2014 and require all affected businesses to review the way they collect and use personal information. Businesses will also need to amend their privacy policies and put additional processes in place. Privacy policies and practices that were compliant before 12 March 2014 will not be adequate to deal with the changes. In particular, organisations with an annual turnover of more than $3 million must comply with the Privacy Act. Organisations with a turnover of $3 million or less are exempt in most cases, although some exceptions apply, and those organisations may choose to opt in.

The amendments to the Privacy Act are focused on ensuring that privacy laws keep pace with an ever-changing technological and social environment, and on reflecting the community's expectation that organisations will keep an individual's personal information secure and use it correctly.

The changes bring businesses and government agencies under the same umbrella, whereas previously different rules applied to each. There are four central themes to the changes:

1. COLLECTION
You will only be able to collect personal information from an individual or entity if it is reasonably necessary for your organisation's functions or activities. If you receive personal information that you did not solicit, you will generally need to destroy or de-identify it.
When collecting personal information, you must make individuals aware of a number of matters, including the purpose of the collection, who will use the information, and how the individual can access and correct the personal information you hold about them. You should provide collection notices to individuals. If your organisation outsources work to offshore entities and personal information is shared with them, or there is a risk that it may be, you will need to tell individuals this and which agents or entities will have access to their information. In a number of instances you may need to obtain an individual's consent before disclosing their personal information.

2. STORAGE
You will need to ensure that adequate security measures are in place to store personal information securely. If you provide personal information to any offshore entity (such as a web host), you must take steps to ensure that it handles the information appropriately.

3. USE
You will not be able to use personal information for direct marketing unless an exception in the Privacy Act applies. The exceptions include where an individual would reasonably expect their personal information to be used for direct marketing, or where they have consented to it being used for that purpose. Even where an individual consents, you must still comply with the Spam Act, and the marketing material must contain a prominent opt-out statement.

4. ACCESS
Individuals will have greater rights of access to their personal information, including the right to require organisations to correct their records and keep them current. Individuals may also require businesses to disclose the source of their information, which means many businesses will need to review and update their collection practices.

Credit Information
The changes also require businesses to consider how they handle an individual's credit information. In many cases organisations will be deemed to be credit providers (particularly where customers are allowed more than seven days to pay for goods or services). If so, the business will need a clearly stated and readily available credit information policy (which may be incorporated into its privacy policy).

To ensure your organisation complies with the legislative changes, you should:
Amend your privacy policy
You will need to review your privacy policy and amend it to bring it into line with the changes to the Privacy Act; your old privacy policy will be insufficient. You should also consider whether your terms and conditions and other points of contact with customers, suppliers and others need to be reviewed to ensure they comply.
Review your practices
You should consider how you collect personal information, what you do with it and how privacy operates within your business. For example, if you use personal information to compile marketing lists, store personal information in your company records, or give any other entity or individual material containing personal information, you will probably need to amend your practices to comply with the Privacy Act. That includes identifying the source of the information and whether the individual consented to its use for other purposes (including marketing).

Brief your staff
All staff members who come into contact with personal information will need to be briefed on the legislative changes and on the procedures your business intends to put in place to comply with the amended Privacy Act.

Organisations that fail to comply with the amended Privacy Act may be investigated by the Australian Information Commissioner, whose powers have been expanded by the legislative changes. The Commissioner may investigate an organisation on the Commissioner's own initiative, without having received a complaint. Serious or repeated interferences with an individual's privacy may attract civil penalties of up to $1.7 million for corporations and $340,000 for non-corporate entities.


Andrew Nicholson, Partner.
T +61 7 3224 0261