Article: Business Tips, March 14, 2014

Are you complying with the new Australian privacy legislation?


The amendments to the Privacy Act came into effect on 12 March 2014. They affect the way most organisations collect, handle, store and disclose personal information. We find out what it means for your business.

Australia’s privacy legislation has been overhauled to bring it up to speed with today’s data-rich business environment. The changes introduced by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 are incorporated into the Privacy Act 1988. They include a revised set of privacy principles called the Australian Privacy Principles (APPs). The 13 APPs are new and cover the breadth of the data life cycle, including the use and disclosure of personal information for multi-channel marketing.

Businesses are required to comply with the new legislation, and while it might appear to be complex, there are some simple steps businesses can take to ensure they are operating within the law.

Daad Soufi, Director – Legal and Regulatory Affairs at the Association for Data-driven Marketing & Advertising (ADMA), explains the changes and how you can ensure you are complying.

Why is the new legislation being introduced?

Organisations collect data in very sophisticated ways. The technology has moved faster than the laws, which were developed some 20 years ago. The legislation is being changed to ensure the law and the ways organisations are using data are more aligned.

What is the new law designed to do?

It is aimed at giving individuals more control over personal information that organisations collect about them and how that data can be used.

What's changing?

Previously, your privacy policy was required to cover “management of personal information”. Now, it will be required to be more specific and:

- Specify the personal information you are collecting
- Explain the purposes of collection
- Provide people with access to the data you have about them
- Allow people to request to correct their personal information
- Explain how an individual can make a complaint
- State the countries that any data is sent to.

What does that mean for businesses?

You need to let people know you are collecting data, why you are collecting it, how you plan to use it and where they can go to opt out.

Doesn't the Spam Act already cover this?

The Spam Act and the Privacy Act are separate pieces of legislation but have some overlap.

The Privacy Act deals with collecting personal, sensitive information, and the Spam Act oversees specific marketing channels – like email marketing.

Before an organisation can use an email address, which is bound by the requirements of the Spam Act, it needs to make sure it collected the information in accordance with the privacy legislation.

What do I need to do to comply?

Businesses need to put a risk management process in place and check off these 10 points:
1. Conduct a data audit, so you know what databases you have and where the data comes from.
2. Ring-fence personal data, so it can’t be cross-referenced with other databases you may hold.
3. Review and update your privacy policy.
4. Inform customers of the changes.
5. Draft your notification statement and work out when it is going to be used.
6. Draft opt-out statements.
7. Develop a preference centre, where people can manage their opt-outs.
8. Determine if your data goes overseas.
9. Document your privacy practices and training.
10. Articulate your data breach response plan.

What is cross-border disclosure?

Under the new Australian law, if an organisation collects data and sends it overseas, it is still responsible for the data, and the consumer protection offered by the privacy legislation still attaches to the data.

How does the Australian privacy legislation affect social media?

There are two ways that businesses use social media: they can engage with consumers within the platform or they can lift data from the platform.

If you are operating within a social media platform itself, that engagement is subject to the privacy terms and conditions of that particular platform.

If you lift the data from that platform to use for another type of activity, that would be deemed to be a third-party use of data. You would need to let individuals know where you got the data from and how they can unsubscribe.

Do the changes affect cookies and remarketing?

The privacy legislation only affects cookies on websites where the cookies are used in a way that identifies an individual. In many cases, it will depend on the types of cookies that are being used. Where the cookies are used to identify an individual, the data set would be personal information and would be subject to the privacy legislation.

How does the new law affect existing data lists?

The legislation doesn’t have retrospective application, so you aren’t obliged to revisit compliance for all historic databases. Individuals who have previously signed up to a mailing list don’t need to re-sign up. You do, however, need to let those consumers know that your privacy policy has changed and direct them to where they can find out more information about your privacy practices.
