Major changes to the Privacy Act 1988 (Cth) are taking effect on 12 March 2014 and businesses must take action right away to update their policies, practices and procedures to ensure they are compliant. Considerable penalties can apply for serious or repeated failures to comply with the Privacy Act.

What is changing?

The current National Privacy Principles and Information Privacy Principles are being replaced with a single set of privacy principles called the Australian Privacy Principles (APPs). The APPs are materially different to the old privacy principles in certain respects. In addition, the credit reporting provisions in Part IIIA of the act are being overhauled.

Who is affected?

Businesses which collect, use and disclose personal information about individuals must consider whether the new APPs and credit reporting provisions will apply to them.

The APPs will generally apply to businesses with an annual turnover of more than $3 million. Subject to some exceptions, small businesses with a turnover of less than $3 million will generally be exempt unless they provide a health service. 

The credit reporting provisions apply to credit reporting bodies and businesses (including small businesses) which are credit providers. Credit providers include not only lenders, but also businesses which provide goods/services on terms allowing payment to occur more than 7 days after the goods/services are provided.

What needs to be done?

Businesses must have adequate practices and procedures in place to ensure they are compliant with the APPs and the new Part IIIA (where applicable). Importantly, businesses need to immediately review and update their privacy policies (including their credit information privacy policies), their privacy statements/collection notices and privacy manuals to ensure that they remain compliant with the Privacy Act.


The APPs and the related guidelines require businesses which collect personal information to play a more proactive role in protecting the privacy of individuals. They require new matters to be expressly addressed in a privacy policy and specify a number of new matters that individuals need to be made aware of at the time their information is collected.

Credit reporting

The new credit reporting regime creates new categories of credit related information and, like the APPs, requires that specific matters be notified to individuals at the time their (credit) information is collected. It also contains new provisions dealing with how a complaint made by an individual is to be handled and requires consumer credit providers to join an approved dispute resolution scheme.

Consequences of non-compliance

The penalties for not complying with the Privacy Act have also increased. These include, but are not limited to, civil penalties (of up to $340,000 for individuals and $1.7 million for corporations) for serious and repeated breaches of privacy.