Tech & Sourcing @ Morgan Lewis


Australian businesses and agencies should take note of amendments to Australia’s Privacy Act, which regulates how organizations collect, handle, and disclose personal information within Australia. The new amendments, which took effect on March 12, are described below.

Who is covered under the amended act?

The Privacy Act applies to any private-sector business that has a turnover of greater than AUD3 million (USD2.7 million) or that handles personal information for a benefit, service, or advantage, and to any entity that handles health or other sensitive information.

What are the key changes in the amendments?

The amended Privacy Act will implement the Australian Privacy Principles (APPs)—new regulatory principles that require entities governed by the Privacy Act to have and maintain an up-to-date privacy policy as well as to implement practices, procedures, and systems that ensure compliance with the APPs. The Office of the Australian Information Commissioner has released APP guidelines that provide guidance for entities that are, and will be, subject to the Privacy Act as of March 12.

Under the amended Privacy Act, the Australian Information Commissioner will have expanded powers, including the ability to seek civil penalties for serious repeated breaches of privacy and the ability to conduct assessments of privacy performance for Australian government agencies and businesses. The Information Commissioner will also have the power to impose penalties for repeated and aggravated breaches of the amended Privacy Act’s obligations (up to AUD1.7 million [USD1.5 million] for businesses and AUD340,000 [USD310,000] for individuals). Credit reporting laws will also be overhauled under the amended act to, among other things, allow for more comprehensive and positive credit reporting and greater control for individuals over their credit-related personal information.

How does this affect Australian businesses?

In order to avoid significant monetary penalties for noncompliance, entities should immediately conduct an assessment of current privacy and information protection policies to evaluate whether the entity complies with the requirements of the amended Privacy Act. If the entity does not have an adequate policy in place, it should start preparing one that satisfies the obligations of the amended Privacy Act.