18.02.2014

Australian Privacy Principles – privacy update

Commencing from 12 March 2014, the new Australian Privacy Principles (APP) will replace the National Privacy Principles and Information Privacy Principles.  The 13 APPs apply to both private and public sector entities that are currently required to comply with the existing privacy principles.  There are a number of important changes which have been made, including:


  • changes to what you must disclose to individuals before collection of personal information;
  • changes to requirements around privacy policies, as well as a new requirement to take reasonable steps to implement practices, procedures and systems;
  • new obligations around unsolicited personal information;
  • additional obligations relating to disclosure of personal information to overseas recipients. For example, an organisation can now be held liable for an act done by an overseas recipient that would breach the APPs; and
  • changes around using personal information for direct marketing.


The above list is not comprehensive; therefore we encourage you to review the APPs.  The changes are complex and can significantly impact upon the way your organisation operates.  As such, we strongly recommend that you take the steps outlined below to ensure that your organisation is ready for 12 March 2014:


1. Conduct a privacy audit – some of the things to consider include determining:
  • what personal information is being collected and how it is being used;
  • whether personal information is being disclosed overseas;
  • how personal information is being stored and what security measures are currently in place;
  • what changes are required to comply with the APPs;


2. Update your privacy policy – APP 1 lists a number of items which a privacy policy must include, such as:
  • the kind of personal information you collect;
  • how an individual may complain about a breach of the APPs;
  • whether your organisation is likely to disclose to overseas recipients and if so, to what countries;


3. Update/implement a compliance program – APP 1 introduces an obligation to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs. This should include:
  • establishing a complaint resolution process;
  • conducting training programs for staff to ensure they understand your organisation’s obligations under the APPs;
  • establishing procedures to continuously identify and manage compliance issues;


4. Review existing practices – an action list would have been identified from the privacy audit, which should include reviewing and updating:
  • any notifications to individuals before collecting personal information (which may form part of any “terms and conditions”).  This will need to be updated under the APPs to include:
    – whether you are likely to disclose the personal information to overseas recipients and where they are likely to be located;
    – a notice that the privacy policy includes details of how to seek access to and correct any personal information stored by you;
    – a notice that the privacy policy includes details of your complaint process;

  • arrangements with overseas recipients of personal information – this has significant impact under the APPs as organisations can be held vicariously liable for breaches by overseas recipients.  In particular, be sure to look at any cloud computing arrangements (which we have written about previously here) and any data storage arrangements;
  • marketing practices – the APPs apply in addition to requirements under the Spam Act 2003 (Cth).  You will need to know when you are legally entitled to send marketing information to individuals who have provided you with personal or sensitive information.  Additionally, all marketing information (including any hardcopies and not just electronic copies) must:
    – have a functional, simple means of requesting not to receive further marketing messages;
    – include a prominent statement that the recipient may make a request not to receive the information.


Also ensure that you keep a database of the source of any personal information, as APP 7.6(e) now allows the individual to request an organisation to provide this information.


If you have any queries or require advice in relation to the new privacy law changes, please do not hesitate to contact us.



Australia GRT Lawyers, Level 2, 400 Queen Street, Brisbane, QLD 4000