Privacy law reforms: $1.7 million reasons for advisers to comply

Law firm Cooper Grace Ward partner Belinda Winter and lawyer Alex Clifton-Jones explain to Wealth Professional readers what the new privacy laws will mean for advisers.

From 12 March, 2014, the Privacy Commissioner can impose penalties of up to $1.7 million for companies and $340,000 for individuals breaching the privacy obligations set out in the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

For advisers, there are two new important sets of obligations that have been introduced by the new legislation: obligations relating to individuals’ personal information and obligations relating to individuals’ credit information.

Privacy obligations under the Australian Privacy Principles (APPs):

The first set of obligations relates to advisers only if their annual turnover is more than $3 million. However, advisers who are not affected by these rules should still be aware of the obligations as they may be relevant to their clients.

Advisers and clients subject to the new privacy laws must take ‘reasonable steps’ to comply with each of the 13 APPs. The new obligations will require most businesses to:
  • Have a clearly expressed and up-to-date privacy policy that is easily accessible;
  • Issue privacy statements or read scripts containing mandatory privacy matters before collecting an individual’s personal information;
  • Follow strict procedures for dealing with unsolicited information;
  • Ensure that third parties (particularly overseas entities) who handle the clients’ personal information comply with the APPs;
  • Only collect and deal with personal information for the primary purpose for which it was collected, unless an exception applies; and
  • Cease using personal information for direct marketing purposes unless an exception applies.

Privacy obligations for credit providers:

The second set of obligations is imposed on advisers and their clients if they are deemed to be ‘credit providers’. Credit providers include entities that supply to individuals on credit or defer payment for goods or services for at least seven days (irrespective of turnover).

This means the new requirements will apply to most ‘non-cash’ businesses.

Entities that are ‘credit providers’ must:
  • Have a clearly expressed and up-to-date policy with mandatory information about how they manage credit-related information;
  • Implement practices, procedures and systems to comply with their credit reporting obligations;
  • Be aware of the limitations if intending to disclose credit information to ‘credit reporting bodies’ (e.g. Veda, Dun and Bradstreet, Tasmanian Collection Service);
  • Become a member of an external dispute resolution scheme if disclosing credit information to credit reporting bodies; and
  • Be aware of the requirements of the Credit Reporting Code of Conduct, which operates alongside the obligations under the Act.

The new privacy laws will apply to many advisers and their clients, and advisers should take urgent action to ensure compliance.

If you would like assistance to comply with the new privacy laws or would like some further information, please contact Belinda Winter on (07) 3231 2498 or Alex Clifton-Jones on (07) 3231 2932.