The Privacy Amendment (Enhancing Privacy Protection) Bill was introduced into Parliament on 23 May 2012, being the first stage of the long awaited reforms to the Privacy Act, 1988 (Cth).

Attorney-General Nicola Roxon said the changes represent the most significant developments in privacy reform since Labor introduced the Act in 1988.

The Bill has been referred to the Standing Committee on Social Policy and Legal Affairs. The Committee intends to hold a public hearing on 14 August 2012 and has announced it will table its report on the Bill by 21 September 2012. Deferred commencement provisions will provide a 9 month transition period for businesses to review and update their information-handling practices before the new regime comes into effect.

 The Bill amends the Act to:

  • Create a single set of Australian Privacy Principles, which will apply to both Commonwealth agencies and private sector organisations (replacing the existing National Privacy Principles and Information Privacy Principles);
  •  Introduce more comprehensive credit reporting with improved privacy protections; and
  • Clarify the functions and powers of the Commissioner and improve the Commissioner’s ability to resolve complaints, recognise and encourage the use of external dispute resolution services, conduct investigations and promote privacy compliance.


The new Australian Privacy Principles will replace the existing National Privacy Principles (which apply to private sector organisations) and Information Privacy Principles (which apply to Commonwealth public sector agencies). 

There are some significant differences between the Australian Privacy Principles and the existing National Privacy Principles which include:

  •  A new principle requiring entities to take reasonable steps to implement practices, procedures and systems to ensure they comply with the Australian Privacy Principles and can deal with inquiries or complaints about their compliance.

It is likely that this new principle will require businesses to take steps to establish new complaints-handling procedures and develop new information-handling policies and practices.

  •  Additional information that entities must include in their privacy policies, including how they handle privacy complaints and whether they disclose personal information to recipients out of Australia.

 In practice, businesses will need to review their privacy policies and make sure they contain all of the required information which will need to be made available free of charge and provided in an appropriate form (usually by posting the policy on its website).

  •  The rules for use of information for direct marketing will change with an opt-out requirement that will apply to all direct marketing communications.

 Whether businesses can use personal information for direct marketing will depend on how they collected the information (whether it was directly from the relevant individual or from a third party) and whether individuals would reasonably expect their information to be used for this purpose.


The new credit reporting provisions will overhaul the current credit reporting provisions in the Act, introducing a more comprehensive credit reporting system and improved privacy protections.

 The key reforms include:

  •  The introduction of positive credit reporting;
  •  Changes to data retention obligations;
  •  The introduction of specific rules relating to pre-screening of credit offers and freezing access to personal information where there has been fraud; and
  • Additional consumer protections relating to data quality, access, correction and complaints.


Currently, the Commissioner has relatively limited powers and functions to enforce the Act. The Commissioner can investigate a complaint that an entity has breached the Act and make a determination that can be enforced by a Court. It can also investigate a potential breach on its own motion, but has no power to take steps to enforce its findings.

There are currently no civil penalties for breaches of the Act and only limited criminal penalties for credit reporting and tax file number offences.

The Bill gives the Commissioner new powers and functions to resolve complaints, conduct investigations, and promote compliance with the Act including new civil penalty provision that apply if an entity engages in an act that is a serious interference with an individual’s privacy or if it repeatedly does an act that is an interference with one or more individual’s privacy. For a corporation, the maximum penalty that may be imposed is $1.1 million.


It is likely the reforms to the Act will impact the privacy and personal information handling practices and procedures of your business. There will be a 9 month transition period from the date the Bill is passed within which you will have to comply with the amendments to the Act.

In preparation for the new laws, you may consider reviewing the systems, practices and procedures your business has in place in relation to its collection, use and disclosure of personal information.

Noting that civil penalty provisions will apply in respect of breaches of the Act, your business may need to update (or implement) its privacy policy and collection notices to address the new Australian Privacy Principles requirements.

You should ensure your business has in place a system for handling enquiries and complaints from individuals about how your business uses and handles personal information.

You will need to ensure your business collects and uses personal information for direct marketing in accordance with the new laws, including the provision of an opt-out option on all direct marketing communications.

Over the coming months more information will be released regarding the proposed reforms including the Government’s second stage response and the Standing Committee’s report on the provisions of the Bill.

 If you have any questions about the reforms to the Act or would like assistance with your privacy practices and personal information handling procedures, please contact us on 8860 9477.


Author: Jo-Anne Chong

The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity and does not constitute specific legal advice.