Privacy Law reform

Effective 12 March 2014, the Australian Privacy Principles (APPs) replaced the National Privacy Principles (NPPs).

Generally, the APPs will apply to all Commonwealth Government agencies and to all businesses provided that (subject to some limited exceptions) they have an annual turnover exceeding $3 million. It is best practice for all businesses to be compliant with the privacy law reform.

A number of the APPs differ significantly from the NPPs. It is important that businesses subject to the APP are compliant, not least because of the new penalties which can be imposed on persons and organisations found to be in breach of the APPs. The Australian Information Commissioner will be able to seek civil penalties of up to $340,000 against individuals and up to $1.7 million against corporations.

Businesses should consider taking the following steps to ensure compliance with the APPs:

1)         Review your privacy policy, practices, procedures and systems

Businesses must ensure that they have a clearly expressed, readily available, and up-to-date policy about the management of personal information.

2)         Consider whether it is feasible for individuals to remain anonymous or use pseudonyms

Whenever possible, individuals should be given the option of not identifying themselves, or of using a pseudonym (fictitious name).

3)         Consider whether the personal information collected by your business is really necessary

Businesses must refrain from collecting personal information unless the information is reasonably necessary.

4)         Consider how to deal with unsolicited personal information

If a business receives personal information about an individual which was not solicited, the business must, within a reasonable period, determine whether the business could have lawfully solicited the information. If not, the business must as soon as practicable, destroy or de-identify the information.

5)         Ensure systems are in place to notify individuals about the collection of personal information

Wherever practicable, businesses must inform individuals of the following matters at or before the time of collecting personal information:

a)      The identity and contact details of the business collecting the information.

b)      If the business collects personal information from sources other than the individual (e.g. a credit reporting agency), the business must disclose the fact that the business collects information from that other source, and the circumstances of the collection.

c)      The purposes for which the business collects the information.

d)      The consequences (if any) for the individual if all or some of the information is not collected.

e)      Details of any other entities, bodies or persons to which the business usually discloses personal information.

f)    That the privacy policy of the business contains information about how the individual may complain about a breach of the APPs and an applicable APP Code, and how the business will deal with such a complaint.

g)      Whether the business is likely to disclose personal information to overseas recipients and, if so, the countries in which such recipients are located.

6)         Consider how personal information is dealt with

Businesses should ensure that personal information collected for a particular purpose (the primary purpose) is not used or disclosed for another purpose (the secondary purpose) unless:

a)     The individual has consented to the use or disclosure of the information for the secondary purpose; or

b)    The individual would reasonably expect the business to use or disclose the information for the secondary purpose, and the secondary purpose is related to the primary purpose; or

c)     The secondary purpose is direct marketing and where certain conditions are satisfied.

7)         Review your marketing strategies

A business must not use or disclose personal information for the purpose of direct marketing unless:

a)     The business collected the information from the individual; and

b)    The individual would reasonably expect the business to use or disclose the information for direct marketing; and

c)     The business provides a simple means by which an individual may request to not receive direct marketing communications (e.g. an ‘opt-out’ link); and

d)    The individual has not requested that the business stop using their personal information for the purpose of direct marketing.

8)         Review your policies for sending personal information offshore

Before disclosing personal information about an individual to an overseas recipient, a business must take reasonable steps to ensure that the overseas recipient does not breach the APPs.

9)         Review your policies regarding government related identifiers

Businesses must not adopt, use or disclose government related identifiers (e.g. tax file numbers, Centrelink reference numbers, Medicare numbers, etc.) unless:

a)     The adoption by the business of a government related identifier of an individual is authorised by an Australian law or by a court or tribunal order; or

b)    The use or disclosure of a government related identifier is reasonably necessary in order to verify the identity of the individual, is reasonably necessary to fulfil the business’s obligations to a Commonwealth, State or Territory agency, or is authorised by law or a court or tribunal order.

10)       Review your policies regarding the integrity of and correction of personal information

A business must take reasonable steps to ensure that personal information collected, used or disclosed by the business is accurate, up-to-date, complete, relevant and not misleading.

11)       Ensure that personal information is stored securely and destroyed or de-identified once it is no longer required

Businesses must take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification or disclosure.

If the business no longer needs the personal information, and is not legally obliged to retain the information (e.g. for tax purposes), the business must take reasonable steps to ensure that the information is destroyed or de-identified.

12)       Review your policies regarding individual access to personal information

If a business holds personal information about an individual, the business must, upon request by the individual, give the individual access to the information.


Businesses which collect or store personal information regarding their employees, suppliers, clients and potential clients will be affected by the introduction of the APPs.

Businesses which are already complying with the requirements of the NPPs should have policies and systems in place, however these should be reviewed to determine the amendments or supplements required in order to accommodate the changes introduced by the APPs.

If you would like assistance complying with the APPs following the privacy law reform, please contact Ben McPherson by email at [email protected] or by telephone on (08) 6211 8600.