Significant amendments to the Privacy Act 1988 to strengthen privacy protection were passed by Parliament on 29 November 2012 and received the Royal Assent on 12 December 2012.

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 commenced 12 March 2014. The changes have:

  • Created a single set of Australian Privacy Principles (APPs), which apply to both Australian Government agencies and businesses with a turnover of more than $3 million, or those trading in personal information, and all private health service providers. These principles have replaced the previous Information Privacy Principles and the National Privacy Principles.
  • Introduced more comprehensive credit reporting, improved privacy protections and more logical, consistent and simple language.
  • Strengthened the functions and powers of the Australian Information Commissioner to resolve complaints, use external dispute resolution services, conduct investigations and promote compliance.
  • Created new provisions on privacy codes and the credit reporting code, including codes that will be binding on specified agencies and organisations.

Changes to Australian Privacy Principles

The Privacy Amendment Act includes a set of new, harmonised, privacy principles that will regulate the handling of personal information by both Australian Government agencies and businesses. These principles are called the Australian Privacy Principles (APPs). They have replaced the previous Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to businesses.

Under the changes there are 13 new APPs, some of these are significantly different from the previous principles, so its important businesses are aware of them.

The Privacy Policies must now contain:

  1. The kinds of personal information that the business collects and holds.
  2. How the business collects and holds personal information.
  3. The purposes for which the business collects, holds, uses and discloses personal information.
  4. Details on how individuals can access personal information held by the business and seek correction of the information.
  5. Details on how individuals may complain about a breach of the Australian Privacy Principles, and how the complaint be dealt with.
  6. Statements around whether the business is likely to disclose personal information to overseas recipients, and how, if they do (and if practicable), the likely countries in question.

Businesses must also take reasonable steps to ensure their Privacy Policies is available free of charge and in an appropriate form.

The Office of the Australian Information Commissioner has released a set of APP guidelines which are available from the OAIC website: