Bowen Buchbinder Vilensky

Key Amendments to the Privacy Act: How They Affect your Business

By Les Buchbinder, Director at Bowen Buchbinder Vilensky

16 January 2015

Amendments to the Privacy Act were made in March 2014.  Even though some time has passed since then, I am still often approached by client companies and their advisers asking what the amendments mean to them.

If your organisation has a turnover of $3 million or more, or is a Government agency, it is an Australian Privacy Principle entity (APP) to which the amendments apply

I hope you find the following summary of key amendments helpful.


Personal information must be handled in an open and transparent way.  Your organisation must have an up to date policy outlining management of personal information such as the kinds of information you collect and hold; how you hold it; what you use it for; how an individual may access Personal Identifying Information; and other such matters.

You must provide individuals with the option of dealing with your organisation anonymously or using a pseudonym.

Sensitive information must only be collected with an individual’s consent and if the collection is reasonably necessary for one or more of your organisation’s functions or activities.  Examples of sensitive information are: race or ethnic origin; political opinions; religious beliefs or affiliations; sexual orientation; health record; biometric information; and others.

Personal Identifying Information cannot be used or disclosed for any purpose other than the reason for which it was gathered, without the consent of the individual.  A company cannot, for example, gather information purportedly for a health survey, then use it to market products to people.


APP entities must notify individuals about the access, correction and complaints processes in their privacy policies.  These must include an opt-out mechanism in relation to direct marketing.

Individuals must be granted access to the personal information an organisation holds on them.  Where such information is incorrect, they should take reasonable steps to ensure it is accurate, up to date, complete, relevant and not misleading.


Organisations must take ‘reasonable steps’ to protect Personal Identifying Information from misuse, interference and loss and unauthorised access, modification or disclosure.  What are ‘reasonable steps’?  The kinds of issues that would be reviewed include how the information is stored (hard copy or electronically); the likely harm to the data subject if a breach occurred; and the size of an organisation.

Cloud computing

The increasing use of storage via cloud computing, often using providers based in foreign jurisdictions, also has implications for APP entities.  This is an important and highly relevant subject on which I’ve already published a blog earlier this week addressing this.


Changes to the Privacy Act have important implications for all Australian organisations which store personal information, and which have turnovers of more than $3 million, or  are Government agencies.  The information is this blog is necessarily general in nature.  For specific advice on how these amendments may affect your organisation, it is best to seek advice from a lawyer with specialist experience in this practice area.

Leave a comment


Leave a Reply

Please read the TERMS AND CONDITIONS before posting.

Current day month ye@r *