On 12 March 2014 substantial changes were made to Australia’s existing privacy laws, introducing 13 Australian Privacy Principles (APPs). The amendments affect agencies, partnerships, organisations and not-for-profits with an annual turnover of $3 million or more. These organisations are now required to have procedures, practices and systems integrated within their organisational framework, creating ‘privacy by design’. It is important to note that these changes apply in addition to the requirements of any State-based legislation.

What do I need to do?

The new laws require the above organisations to have a Privacy Program. Essentially this involves integrating procedures, practices and systems into the organisational framework and creating a policy which clearly outlines how the organisation will manage its privacy obligations and who within the organisation is responsible for ensuring those obligations are met. It is best practice to create policies that reflect the information life cycle. To do this, organisations must consider the way in which they collect, use and disclose personal information. The quality and security afforded to that information, how it can be accessed by parties internal and external to the organisation, and how it can be corrected should also be considered.
In order to prevent breaches, organisations should engage key stakeholders and conduct a ‘Privacy Impact Assessment’ which analyses how the organisation gathers, holds, transports and amends the information it collects. If your organisation already has a privacy policy, it is vital to engage management and implement any changes necessary to ensure compliance. Devising this policy, issuing it to staff and publishing it on the organisation’s website is best practice in order to meet your obligations and minimise the risk of penalties.

It is vital to note that an effective privacy policy does not operate in isolation, and organisations should ensure they have strict IT and human resources policies covering surveillance, email, internet usage and social media. Underpinning all of this is an imperative to provide solid training to staff. It is also vital to note that obligations under workplace health and safety legislation to provide sufficient information to employees, contractors and other workers are unaffected, provided individuals are alerted that their personal information may be disclosed for WHS purposes.
If you have any questions about your privacy obligations please do not hesitate to contact the AFEI Hotline on (02) 9264 2000.  

What about employee records and job applicant records?

The handling of personal information by a private sector employer is exempt from the Privacy Act 1988 (Cth) if it directly relates to a current or former employment relationship and an employee record. Employee records include information about:

  • the engagement, training, disciplining or resignation of the employee;
  • the termination of the employment of the employee;
  • the terms and conditions of employment of the employee;
  • the employee’s personal and emergency contact;
  • the employee’s performance or conduct;
  • the employee’s hours of employment;
  • the employee’s salary or wages;
  • the employee’s membership of a professional or trade association;
  • the employee’s trade union membership;
  • the employee’s recreation, long service, sick, personal, maternity, paternity or other leave; and
  • the employee’s taxation, banking or superannuation affairs.

Employee records can continue to be retained by employers, subject to the separate record-keeping obligations that apply to employers.

Information held on unsuccessful job applicants is not exempt. If an organisation retains an applicant’s resume (or other application forms or records) on file in case of future job prospects, the organisation must obtain the applicant’s consent. If it does not obtain this consent, it should destroy or return the resume.


The new laws give the Office of the Australian Information Commissioner (OAIC), including the Privacy Commissioner and Information Commissioner, the power to conduct a ‘performance assessment’ of an organisation and to seek civil penalties of up to $1.7 million for organisations or $340,000 for individuals. Breaching the Privacy Act 1988 (Cth), apart from being extremely costly, can also expose your organisation to reputational risk, with significant consequences for attracting future funding.