Australian businesses must prepare for new privacy laws by March 2014


Many employers may not be aware that amendments were passed to Australia’s current privacy laws back in November 2012. The amendments, which form part of a larger reform process, will become effective from 12 March 2014. For those employers and businesses who will need to comply with the changes, there are less than four months to get ready.

Even if you are not a business owner or employer, the obligations are important ones which protect us all as individuals.

Privacy laws protect our personal information to ensure it is correct, it is handled appropriately and that we can amend it.

Without these laws, your personal information could be made available to anyone, the information may not even be correct and you may not have any redress.

Which businesses are affected?

In general, only businesses with an annual turnover of more than $3 million are obliged to comply with the privacy laws.

Small businesses with an annual turnover of $3 million or less must also comply if they are:

  • A health service provider;
  • Trading in personal information;
  • Related to a business that is not a small business;
  • A contractor providing services under a Commonwealth contract;
  • A reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006; or
  • An operator of a residential tenancy database[1].

Current privacy laws

Once you have determined whether you need to comply with the privacy laws, the next step is to understand your obligations and, importantly, how these will change in 2014. The current laws set out ten National Privacy Principles, referred to as the NPPs, which govern how private businesses must deal with personal information. Put simply, the NPPs establish minimum rules for how businesses covered by the laws must deal with personal and sensitive information: how it is collected and stored, how individuals can access it, and how the business communicates its privacy policy.

Currently, the NPPs apply to private business; a separate set of Information Privacy Principles (IPPs) applies to government agencies.

New laws

From 12 March 2014 the amendments will replace both sets with a single set of 13 Australian Privacy Principles (APPs). Importantly, the new principles are, at least in some respects, different from the current NPPs. In line with the current NPPs, the new principles create obligations for how information is gathered, stored and amended. The main differences concern the rules around the use of personal information for direct marketing, and cross-border disclosure.

Direct marketing is now covered in APP 7: organisations – including businesses – may only use personal information for direct marketing purposes where consent has been obtained, or where the individual would reasonably expect the information to be used for this purpose. There are also specific requirements around opt-out mechanisms, so individuals must be given a simple way to ask not to receive direct marketing.

Cross-border disclosure is covered in APP 8, which requires a greater level of accountability where personal information is being transferred overseas. Before disclosing personal information to an overseas recipient, a business will need to take reasonable steps to satisfy itself that the recipient will handle the information to Australian standards, and in many cases the business will remain accountable for what the recipient does with it.

Other changes include how unsolicited personal information should be handled, the use of pseudonyms, and when personal information should be corrected on request. From a policy perspective, APP 1 contains more detailed requirements for the content of a privacy policy, how it is made available, and how privacy obligations are implemented in practice.

What does this mean for employers?

The changes to the privacy laws and the creation of the new Australian Privacy Principles will impact many businesses. The principles create concrete obligations that those businesses must understand and implement.

Furthermore, recent public statements from the Information Commissioner indicate that his office will take a firm approach, and that penalties will be applied to businesses which are not compliant from March 2014.

Businesses need to understand whether they are required to comply with the privacy laws. If the answer is yes, then you will need to check that your privacy policy is compliant with the new APPs and that your practices and processes meet the standards in effect from March 2014.

Sarah Waterhouse, Solicitor, BlandsLaw


[1] (last accessed 8/11/13).


