Privacy Act reform – significant changes ahead

Financial Services eBulletin - 11 December 2012


The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 has recently been passed by both houses of Parliament, and will introduce significant changes to privacy laws in Australia.

Quick links:




The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Bill) has recently been passed by both houses of Parliament and is now awaiting royal assent. The Bill, which represents the Government's first stage response to the Australian Law Reform Commission's (ALRC) 2008 report on Australia's privacy laws, implements a number of significant changes.

Two of the most significant changes introduced by the Bill relate to the creation of the Australian Privacy Principles and enhancing the powers of the Information Commissioner. It also introduces a civil penalty regime for breaches, with the maximum fine for serious and repeated interferences with privacy being $1.1 million.


Australian privacy principles

The Bill creates 13 Australian Privacy Principles (APPs), which will apply to both Commonwealth agencies and private sector organisations. The APPs outline standards, rights and obligations in relation to the collection, storage, use and disclosure of personal information. They replace the 10 National Privacy Principles (previously applying to the private sector) and the 11 Information Privacy Principles (previously applying to the public sector). 


Enhanced powers of the Information Commissioner

The Bill also significantly expands the functions and powers of the Information Commissioner. Under the Bill, the Commissioner has greater powers in terms of resolving complaints, conducting audits and investigations and promoting compliance with privacy obligations. These amendments allow the Commissioner to monitor organisations for the purpose of ensuring that any personal information held is not used or disclosed improperly. 

In particular, the Commissioner will be able to make inquiries of people other than the respondent to a complaint, and when making a determination, the Commissioner can make any order that is considered necessary or appropriate. In the event of a breach of the Privacy Act, the Commissioner will be able to accept an enforceable undertaking, which if breached, can be enforced in the Federal Court or Federal Magistrates' Court.

^ top

Bottom line

It is anticipated that the Bill will commence in approximately March 2014. Organisations should take this opportunity to review their procedures for collecting, using and disclosing personal information to ensure compliance with the new requirements.

These amendments represent only the first of a two-stage reform process, and organisations that hold a significant amount of personal information should continue to monitor developments in this area. 

If you would like further information about how the passage of the legislation will affect your business, please contact us.

Further information

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.