Executive Summary

Significant changes to Australian privacy law will take effect in March 2014. In this Focus Paper, we take a look at what these reforms mean for your company.

A new set of mandatory privacy principles, known as the Australian Privacy Principles (or APPs),will combine and replace the National Privacy Principles and the Information Privacy Principles contained in the Privacy Act 1988 (Cth).

The new APPs apply to all direct selling organisations with a minimum annual turnover of $3 million which must, by 12 March 2014, amongst other matters:

  • have a privacy policy tailored to meet the requirements of the APPs;
  • not use or disclose any information they may hold about an individual for direct marketing, subject to specific exceptions;
  • take certain steps before providing an overseas organisation (including related companies) with personal information;
  • have in place an adequate scheme allowing access to personal information and a complaint handling process; and
  • comply with requirements regarding unsolicited information.

The Privacy Act amendments also give the Australian Privacy Commissioner greater enforcement powers. The Commissioner will be able to apply to a court for a civil penalty order against organisations and individuals for serious and repeated breaches of the Privacy Act. Maximum penalties will be $340,000 (for individuals) and $1.7 million (for companies).

Accordingly, direct selling organisations should become familiar with their obligations under the

Privacy Act and take steps to become compliant.

We have previously addressed some of the key privacy law changes for direct selling companies in our Focus Paper published in March 2013.1

Changes to Privacy Regulation

So how will this impact upon your direct selling company? Set out below in the next paragraph is a summary of those matters which you must consider now to ensure you comply fully by March 2014. A fuller summary is available on request to cate.sendall@addisonslawyers.com.au.

How might these changes impact on your business?

If you have not already, you should as soon as possible:

  • conduct a privacy audit;
  • revise your privacy policy and collection notices to ensure compliance with the mandatory requirements set out in the Privacy Act;
  • when direct marketing, provide a clear and simple method that allows targeted consumers to opt out;
  • keep more detailed, accurate and current records as to how personal information is obtained as individuals will be able to request details of how you obtained their personal information;
  • arrange for relevant employees to have privacy training;
  • ensure you have complaint handling processes in place;
  • nominate a staff member to be the “Privacy Officer” to handle complaints;
  • set up a specific email address to which privacy queries and complaints may be sent, such as privacy@directsellingcompany.com.au”; and
  • take steps to ensure appropriate measures are in place where personal information is likely to be sent overseas. Given your company could be liable for any breach by an overseas recipient, you should take steps to ensure that, if personal information is sent overseas, the recipient complies with stringent obligations in connection with the protection of privacy.

Given your company must comply fully by 12 March 2014, you should be taking these steps now.