Since March 12th  2014, businesses with a turnover of over $3million per annum can be financially penalised up to $1.7 million for breaches of new privacy regulations if they collect any personal information. 

As part of the latest changes to the Privacy legislation, 13 new Australian Privacy Principles (APPs) have been introduced which will replace the National Privacy Principles and Information Privacy Principles that previously applied to private organisations and Government agencies.

The new APPs will specifically cover the way in which personal information (any information or opinions about an identified or identifiable individual, such as their name, address, date of birth, bank account details) is stored and used.

Businesses who collect such information must be aware of how the new APPs will affect their operations, and the potential implications of non-compliance!

Key points

Privacy Policies – You must now have an up-to-date privacy policy specifically tailored to your business, which is freely available to those dealing with you (eg online).  The Policy should detail:

  • what personal information you are collecting and why;
  • how you store  the information;
  • how an individual can access their information and how they may correct or complain about it; and,
  • whether you are likely to disclose that information overseas, and to whom.

Notice and consent – When you collect personal information, you must notify the individual of what you are collecting and why, and obtain their specific consent if you are going to use it for marketing to them.

Direct marketing – personal information cannot be used for direct marketing purposes without consent.  Furthermore, all direct marketing must contain a functional opt-out.

Overseas disclosure – If you store or disclose information overseas, then you are accountable for its use there.   Are your cloud computing arrangements and overseas data storage secure?

Small business exception – APPs are not applicable to small businesses – those with turnover of $3m or less.  However, APPs may still apply if your small business is involved in health or direct marketing.

Employee records – these are an exception to the APPs but if you use any of this information other than for strict HR purposes, for example, for marketing, the APPs will apply.

What do you need to do to comply?

  1. Create or amend your privacy policy – it needs to be tailored to your business and to the new APPs. Standard generic forms are no longer acceptable.
  2. Start using a collection notice to gain consent to your use of personal information and to bring your policies to the attention of those you gather the information from.
  3. Audit the personal information you collect and how it is stored – particularly if overseas.
  4. Appoint a privacy compliance officer who is responsible for dealing with any privacy complaints and concerns.

For more information on compliance with the privacy laws, or for  assistance with  auditing your processes and privacy policies, please contact Anna Stanley on

Download a print ready version of this article here.

By | Published On: 11th April, 2014 | Categories: Other legal services, Guides |