Privacy Amendment (Enhancing Privacy Protection) Act 2012

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 is the law that substantially updated the Privacy Act 1988. Its main business effect was to introduce the Australian Privacy Principles, replace the older privacy principle framework, reform credit reporting, create a privacy code structure and update key definitions such as personal information and sensitive information. Most major changes started on 12 March 2014 after a 15-month transition period. Businesses should read it together with the Privacy Act 1988 as amended, not as a standalone law.

Status: In force. Jurisdiction: Commonwealth (CTH). Plain-English guide covering 8 key obligations.

These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.


The Act changed the Privacy Act 1988

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 is an amending Act. It does not set up a separate, standalone privacy code for businesses. Instead, it changes the Privacy Act 1988 and also makes related amendments to a large number of other Commonwealth laws.

That matters in practice because if your business is checking its privacy obligations, you should not read this Act in isolation. The operative rules for most businesses sit in the Privacy Act 1988 as amended, including the Australian Privacy Principles, the credit reporting provisions and the privacy code framework.

The Act is structured through schedules. Schedule 1 deals with the Australian Privacy Principles. Schedule 2 deals with credit reporting. Schedule 3 deals with privacy codes. Schedule 4 makes other amendments to the Privacy Act 1988. Schedule 5 amends other Acts. Schedule 6 contains application, transitional and savings provisions.


Who is in scope

The official text introduced the concept of an APP entity, defined as an agency or organisation, and states that an APP entity must not do an act or engage in a practice that breaches an Australian Privacy Principle. For businesses, the practical question is usually whether the business is an organisation regulated under the Privacy Act 1988.

Many businesses will already know they are covered because they are subject to the Privacy Act 1988 due to their size or activities. Common examples include larger businesses, health service providers, businesses involved in credit reporting, and businesses handling regulated categories of personal information. The Act also continues to interact with the existing small business operator framework in the Privacy Act 1988, so some smaller businesses may still be caught depending on what they do.

The official text also makes clear that the APPs do not apply to personal information handled by an individual only for personal, family or household affairs. That is a personal-use carve out, not a business exemption.

Because this Act amends an existing framework rather than restating all coverage rules in one place, businesses should confirm their status under the Privacy Act 1988 before relying on a simple turnover-based assumption.


What changed on 12 March 2014

The most important business change was the replacement of the previous privacy principle structure with the Australian Privacy Principles, or APPs. The official text expressly repealed references to the old Information Privacy Principles and National Privacy Principles and inserted the new APP framework into the Privacy Act 1988.

The Act also updated key definitions. For example, the definition of personal information was replaced so that it covers information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not. The definition of sensitive information was also expanded to include biometric information used for automated biometric verification or biometric identification, and biometric templates.

Other changes included a new framework for privacy codes, a revised credit reporting regime, and amendments across many Commonwealth statutes so that the new APP language worked consistently across the federal legislative system.

For businesses, the practical effect was not just a terminology update. It required a review of collection notices, privacy policies, internal procedures, contracts with service providers, complaint handling processes and data governance settings to make sure they matched the amended Privacy Act 1988 from commencement.


Obligations in practice under the APP framework

The official text inserts section 15 into the Privacy Act 1988, which says an APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle. For businesses, that means the APPs became the central operating rules for handling personal information.

This amending Act is not the place to restate every APP in full, but the compliance areas businesses usually need to focus on include having an APP privacy policy (APP 1), collecting information in a way that fits the APP rules (APPs 3 to 5), handling sensitive information carefully (APP 3.3), managing use and disclosure (APP 6), dealing properly with government-related identifiers (APP 9), securing the information you hold (APP 11), and responding to access and correction requests (APPs 12 and 13).

The official text also introduces concepts relevant to exceptions and operational decision-making, including permitted general situations and permitted health situations. These are not broad permissions to ignore privacy obligations. They are specific statutory pathways that apply only where the conditions in the Privacy Act 1988 are met.

The Act also updates concepts such as collection, holding, de-identified information, overseas recipient and government related identifier. Those definitions matter because privacy compliance often turns on whether your business is collecting information, merely receiving it, holding it through a service provider arrangement, or disclosing it offshore.


Credit reporting changes

Schedule 2 of the Act deals with credit reporting. This is a major area of change for businesses involved in consumer or commercial credit ecosystems. If your business is a credit provider, credit reporting body or otherwise handles credit reporting information within the Privacy Act 1988 framework, you should treat this Act as a key historical source for the modern federal credit reporting regime.

The official text confirms that credit reporting was not a minor side issue. It is one of the core schedules of the Act, alongside the APP reforms and privacy code changes. Businesses in this area should not rely on general privacy summaries alone. They should check the amended Privacy Act 1988 provisions that apply specifically to credit information, disclosure pathways, correction rights and related compliance settings.

Even businesses that are not traditional lenders can be affected if they participate in arrangements involving credit checks, repayment history information, outsourced credit administration or data sharing with credit reporting bodies.


Documents and conduct businesses should review

Because the Act changed both terminology and substance, businesses should review the documents and conduct that most often create privacy risk. The official text specifically introduced APP privacy policy terminology and updated core definitions used throughout the Privacy Act 1988.

In practice, that means checking your public privacy policy, collection statements, website and app forms, customer onboarding scripts, HR and contractor processes, data retention settings, complaint handling procedures, and supplier agreements. If you disclose information to an overseas recipient, including through offshore hosting or support arrangements, that should be reviewed carefully against the cross-border disclosure rules in the amended framework (APP 8).

Businesses should also check whether they still use old language such as National Privacy Principles or Information Privacy Principles in customer documents, procurement templates or internal manuals. Outdated wording can be a sign that the underlying process has not been updated since the 2014 commencement.

If your business handles health information, biometric information, government-related identifiers or credit information, the review should be more detailed because those categories often attract more specific rules under the amended Privacy Act 1988.


Dates, commencement and transitional points

The Act received Royal Assent on 12 December 2012. Under the commencement table, sections 1 to 3 and some specified items commenced on Royal Assent. Most of the major business-facing changes, including Schedules 1 to 4 and most related Schedule 5 items, commenced on 12 March 2014, being the day after the end of the 15-month period beginning on Royal Assent.

That delayed commencement is important. It gave regulated entities time to move from the old privacy principle structure to the APP framework and to prepare for the new credit reporting and code arrangements.

The Act also contains Schedule 6, which deals with application, transitional and savings provisions. That means businesses dealing with older conduct, legacy records, pre-commencement policies or historical complaints may need to check whether transitional rules affect how the amended law applies.

If your business is reviewing old contracts, archived privacy notices or conduct that occurred around 2012 to 2014, do not assume the current wording applied at all times. Check the commencement date and any relevant transitional provisions before drawing conclusions.


What this Act did not do

It is easy to overstate what this Act introduced. One important clarification is that the Notifiable Data Breaches scheme was not created by this Act. Mandatory notification of eligible data breaches was introduced later, by the separate Privacy Amendment (Notifiable Data Breaches) Act 2017, which commenced on 22 February 2018.

That does not mean data security was irrelevant here. The APP framework is central to privacy compliance, and APP 11 (security of personal information) requires an APP entity to take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure, and to destroy or de-identify that information once it is no longer needed for a permitted purpose. But if you are specifically looking for breach notification rules, you need to check the later amendments to the Privacy Act 1988 as well.

It is also important not to treat this Act as a complete restatement of all privacy obligations for every business. It is an amending law. The practical compliance position depends on the Privacy Act 1988 as amended, any later amendments, and the facts of your business model.
