On 12 March 2014, the Privacy Act 1988 (Cth) was substantially amended, but the amendments only affect some businesses.
Who’s affected by the changes?
Businesses (including sole traders, companies, partnerships, unincorporated associations and trusts) with an annual turnover of more than $3,000,000.
Small businesses (with an annual turnover of $3,000,000 or less) are generally not affected unless they:
- provide a health service and hold health information (other than in an employee record);
- without consent or authorisation at law, disclose personal information about another individual for a benefit, service or advantage, or provide a benefit, service or advantage in order to collect personal information about another individual from anyone else; or
- are a contracted service provider for a Commonwealth contract.
However, a small business may be treated as though it is covered, if:
- it is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (e.g. it receives a cash deposit of more than $10,000 in providing a ‘designated service’); or
- it opts in and chooses to be covered.
- 13 Australian Privacy Principles (APPs) were introduced to replace:
  - the Information Privacy Principles that applied to Australian Government agencies; and
  - the National Privacy Principles that applied to some private sector organisations;
- A number of exceptions have been introduced:
  - 7 general exceptions (“permitted general situations”);
  - 5 specific health exceptions (“permitted health situations”);
- Organisations must implement practices, procedures and systems that will ensure compliance with the APPs and approved APP Codes;
- New credit reporting provisions and a new mandatory credit reporting Code have been introduced;
- Maximum fines for serious or persistent breaches have increased to:
  - $1,700,000 for organisations;
  - $340,000 for individuals.
What should I do if I’m affected by the changes?
- Review your practices, procedures and systems to comply with the new provisions.