Australian Privacy Act

In November 2012, the Australian Parliament passed amendments to the Privacy Act that will take effect in March 2014. The amendments represent the most significant changes to Australian privacy law since the Privacy Act was first enacted in 1988. The Act requires that organisations operating within Australia and collecting personal information have an up-to-date privacy policy. Until recently, having a privacy policy has been a voluntary course of action for Australian businesses. In separate legislative amendments, the Federal Parliament increased the value of a “penalty unit”. Assuming no further amendments to the penalty unit by the time the Privacy Act civil provisions take effect, a civil penalty order may require an individual to pay up to $370,000 and a company to pay up to $1.7 million. Consumers' evolving attitudes, with growing demand for protection of their Personally Identifiable Information (PII), together with cybercriminals developing more sophisticated business models that profit from stealing customer information, mean that the privacy landscape is changing and that the risk of a data breach and of a loss of privacy within Australian organisations has never been greater.

All government and private sector organisations with revenues in excess of $3 million are required to comply with the Australian Privacy Principles (APP) in the Privacy Act. An entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification, or disclosure.