Recent changes to the Australian Privacy Act 1988 (Cth) will have an impact on all Australian businesses that collect personal information. If you maintain names, addresses, phone numbers and other information about your customers, you will need to be aware of the changes and how they affect you.

The Amendments

The amendments require that all businesses conducting operations in Australia and collecting personal information, have a clearly expressed and up-to-date privacy policy. Until recently, having a privacy policy has been a voluntary, albeit advisable, course of action.

The changes to the Privacy Act also:

  • create a new set of Australian Privacy Principles (APPs), that apply to both the private sector and the Commonwealth public sector;
  • create new rules around direct marketing, requiring greater consent from consumers;
  • require that businesses develop and document a privacy compliance program that ensures compliance with the APPs, and adequate privacy complaints handling mechanisms;
  • impose full liability directly on Australian businesses for breaches of the APPs by their offshore data storage contractors; and
  • allow for civil penalty orders of up to A$220,000 for individuals and up to A$1.1 million for companies that breach privacy laws.

When do you need to start complying?

The main changes to the Privacy Act will come into effect in March 2014, but businesses should start reviewing their policies and procedures straight away in preparation.

How does this affect you?

The proposed changes mean that businesses collecting personal information about customers or any other person, that do not have a privacy policy, will need to develop formal policies which govern the way they deal with personal information.

  • If you don’t currently have a privacy policy, you should start preparing one that meets the requirements of the amended Privacy Act.
  • If you already have a privacy policy, chances are it is now out of date and you will need to both update the policy, and make sure that it is clearly expressed.

In order to be ready for March 2014, businesses should start thinking about these issues now, so they can be factored into future business decisions and to ensure that staff are effectively trained in the businesses’ new/amended privacy policy.