New Law Labels Most Firms as Credit Providers

27/02/2014

12 March 2014 is a red letter day in privacy matters. That’s the day when the Federal Government’s Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (“PPA”) comes into force. PPA substantially amends the Privacy Act 1988.

Ho hum, I can almost hear you say! Just when you had some idea about privacy and the difference between NPPs and IPPs, in strides PPA.

Unfortunately, many non-cash businesses and most professional service providers (including accountants, financial planners, architects, engineers, actuaries, lawyers and many others) are now credit providers under PPA and ignore the new law at their peril.

Here’s the ‘drive-through’ version of PPA.

PPA introduces a code of practice for credit reporting (“CR Code”):

  • If your business is an organisation (that is an individual, partnership, company, unincorporated association or trust) or a small business operator (that is a business with an annual turnover of $3 million or less), and your business gives credit in connection with the sale of goods or supply of services, and repayment is deferred for at least 7 days, the organisation is a credit provider under the CR Code.
  • So, a firm of accountants which sends out invoices to clients each month requiring payment within 14 or 30 days is a credit provider and must comply with the CR Code.
  • If you are a credit provider, you must have a “clearly expressed and up to date policy” about how you manage credit information (section 21(3) of PPA). Credit information about an individual is personal information that covers identification, consumer credit liability, repayment history, type of credit sought in the application and other related matters.
  • Your policy under the CR Code must include (among other things) information about how you collect, hold, use and disclose credit information.
  • You must take reasonable steps to ensure your credit policy is readily available free of charge, e.g. on your website.
  • PPA also introduces a code of practice on information privacy which covers personal information and how it can be collected, held and used. Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable.
  • If your business is an APP entity, that is, an organisation (as defined above) which is not a small business operator, you need to comply with the Australian Privacy Principles (“APPs”) which cover management of personal information. There are 13 APPs, the details of which are on the website of the newly-named Australian Information Commissioner (www.oaic.gov.au).
  • Last but certainly not least, the Australian Information Commissioner, who previously had no power to enforce the old legislation, can now impose penalties up to $1.7 million on PPA defaulters.

This article covers in a general way only a very small part of the Privacy Act changes. It is designed to alert you as to how PPA may apply to your business. This article is neither exhaustive nor a substitute for legal advice, which you should seek and rely on in every specific case.

If you need further assistance with PPA or you simply want to know more about what happens after 12 March 2014, please contact Townsends Business & Corporate Lawyers on (02) 8296 6222.