New privacy principles impact small business

“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.” – Marlon Brando

In 2013, 13 Australian Privacy Principles (APPs) were enacted through the Privacy Amendment (Enhancing Privacy Protection) Act 2012. These APPs apply to corporations and also businesses turning over less than $3 million annually.

The Act ensures individuals are provided adequate notice of the collection, use and disclosure of their personal information by government, private enterprise, credit reporting bodies and, particularly, small businesses (APP entities).

The APPs require businesses (APP entities) to implement robust consent and complaint procedures for individuals. Strong sanctions are imposed on APP entities for failing to comply with the APPs. Civil penalties of up to $1.1 million can be sought by the Commissioner for breaches of credit reporting requirements.

Significant amendments have also been made to the credit reporting scheme, through new rules that regulate information disclosed to and by credit reporting bodies, credit providers and affected information recipients. Civil penalties replace the majority of the criminal offences with respect to non-compliance with the new rules; however, criminal offence provisions will still apply to false and misleading information.

Streeterlaw Principal Mr Mark Streeter said it’s important the new APPs aren’t ignored by small business. “It’s important that businesses implement privacy policies as non-compliance could result in bad publicity and damage to their corporate reputation,” he said. “We strongly recommend that corporate citizens comply and implement transparent privacy policies to ensure any privacy disputes can be resolved effectively.”

The Act has broadened the authority of the Office of the Australian Information Commissioner (OAIC), with the AIC now permitted to conduct assessments regarding APPs and make applications to the Federal Court or Federal Magistrates Court for an order, where there has been a breach of a civil penalty provision.

Key compliance issues to note with new 2014 amendments

On 12 March 2014, the Privacy Amendment to the Enhancing Privacy Protection Bill 2012 took effect. The new amendments add considerable compliance provisions, particularly:

  1. Part IIIA of the Privacy Act, dealing with credit reporting, is replaced in full by new credit information provisions.
  2. APP 1 (privacy policy) and APP 5 (notification obligations) place a higher onus on businesses (APP entities) to institute practices, procedures and policies in relation to the protection of privacy.
  3. APP entities must ensure:
     a. they can demonstrate that user consent had been obtained (when consent is at issue); and
     b. they have effective procedures in place to deal with inquiries and complaints about their compliance.

Four new agencies emerge from 1 January 2015

From 1 January 2015, the Office of the Australian Information Commissioner (OAIC) will be disbanded and its current functions split between four agencies. These changes require legislative amendments. One of the major functions to be outsourced is the freedom of information (FOI) review work currently undertaken by the OAIC. The OAIC website published the following changes:

  • the Privacy Act 1988 will continue to be administered by the Privacy Commissioner and supporting staff from a new office based in Sydney
  • Freedom of Information (FOI) policy advice, guidance and annual statistics will be administered by the Attorney-General’s Department
  • the right to an external merits review of FOI decisions by government agencies and Ministers will be decided by the Administrative Appeals Tribunal (AAT)
  • complaints about FOI administration by government agencies will be directed to the Commonwealth Ombudsman
  • unresolved FOI review applications and complaints before the OAIC will be transferred to the AAT and the Commonwealth Ombudsman on 1 January 2015.

New rules for credit reporting bodies and providers

The Act provides for a stringent body of new rules for credit reporting bodies and credit providers. The intention of the Act is to balance the protection afforded to the individual and the credit provider’s access to reliable credit information about that individual.

Companies that promote their privacy policy are actually enhancing their business profile.

In our experience, a robust privacy policy is a positive marketing tool in attracting individuals who are concerned about the sanctity of their privacy. After all, “once you’ve lost your privacy, you realise you’ve lost an extremely valuable thing” (Billy Graham).

If your company is yet to update its privacy policy, it’s important you do so today. Contact Streeterlaw to arrange an appointment to discuss and get advice on:

  1. Your legal rights and obligations in relation to updating your business’s Privacy Policy and Company Procedures;
  2. How to review, update and/or create an external/employee APP compliant policy;
  3. How to review existing relationships and identify any privacy hot spots;
  4. How to review your in-house training and complaint dispute mechanisms to resolve privacy complaints; and
  5. Resolving any outstanding privacy complaints efficiently and cost-effectively.


For further information or advice, please contact Streeterlaw on 02 8197 0105 or email advice@streeterlaw.com.au
