Does your business have an annual turnover of more than $3 million? Do you offer payment terms of seven days or more? If you answered yes to either of these questions, and you haven’t reviewed your privacy policy in the last 12 months, now is the time to act or you might face significant penalties.

This Thursday, 12 March 2015, marks the first anniversary of the most significant changes to Australia’s privacy laws in over 25 years. Amendments to the Privacy Act 1988 (Cth) included the introduction of a new set of Australian Privacy Principles (APPs) and credit information obligations that now regulate the handling of personal information and credit information by most businesses and government agencies.

The amendments also introduced significant penalties of up to $340,000 (for individuals) or $1.7 million (for corporations) for breaches of certain provisions of the APPs and the Privacy Act.

Australian Privacy Principles

The APPs apply to businesses with an annual turnover of more than $3 million.

Some key obligations for affected businesses include ensuring that your business:

  • has an up-to-date privacy policy that is easily accessible and contains information about a number of mandatory matters (if your privacy policy refers to the ‘National Privacy Principles’, it’s likely that your privacy policy has not been updated and is not APP compliant);
  • notifies individuals of certain privacy and information handling matters before collecting their personal information;
  • only collects personal information for permitted reasons and, once collected, deals with the personal information in accordance with the APPs;
  • doesn’t use personal information for direct marketing purposes unless an exception is satisfied; and
  • takes steps before disclosing information to overseas recipients to ensure they do not breach the APPs (e.g. outsourcing or cloud computing).

Credit reporting

The 2014 amendments to the Privacy Act also imposed new obligations on most businesses that defer payment for goods or services on terms of seven days or more regardless of annual turnover.

Some key obligations for affected businesses include:

  • ensuring that your business has an up-to-date policy on your handling of credit information and that the policy is easily accessible and contains information about a number of mandatory matters; and
  • notifying individuals of certain credit information handling matters before collecting their credit information.

Until last year, privacy compliance was seen by many businesses as a toothless tiger. However, given the significant penalties that are now on the cards for non-compliance, businesses should ensure that they are aware of their obligations under the Privacy Act and make positive steps towards complying with their obligations or face hefty penalties.