
Privacy Laws Explained

What Are The Changes To The Australian Privacy Act? 

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) made many significant changes to the Privacy Act 1988 (Privacy Act). These changes commenced on 12 March 2014. The Privacy Regulation 2013, made under the Privacy Act, also commenced on 12 March 2014.

The Privacy Act and all related reforms are administered by a federal body, the Office of the Australian Information Commissioner (OAIC). If a privacy-related complaint is made against a government agency or business, the OAIC is the body that investigates the complaint and imposes any penalties. The new Privacy Regulation also clarifies the importance and protection of what is defined as sensitive information - this includes information identifying a person's religious beliefs, race, political memberships and so on.

At the core of the new privacy amendment are the Australian Privacy Principles, or APPs. The APPs are legally binding principles which are the cornerstone of the privacy protection framework in the Privacy Act. The APPs set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. They apply to most Australian Government (and Norfolk Island Government) agencies and to private sector organisations with a minimum annual turnover of $3 million - collectively referred to as APP entities. The APPs are also technology neutral, applying equally to paper-based and digital environments. This last point matters in practice: the same obligations apply whether personal information is held on a computer or on paper documents. Download the APP guidelines here.

What Do These Changes Mean for Me?

If a privacy breach occurs, an organisation or business faces a daunting federal investigation and potentially hefty fines. It is therefore crucial to carry out a Privacy Impact Assessment (PIA) to ensure you have security measures and processes in place. The Guide to Undertaking Privacy Impact Assessments has been released by the Information Commissioner and can be downloaded here. In summary, there are several areas you should address to ensure you are abiding by the core Privacy Principles:

  • governance

  • ICT security

  • data breaches

  • physical security

  • personnel security and training

  • workplace policies

  • the information life cycle

  • standards

  • regular monitoring and review

The OAIC also stresses that, separately from the requirement to protect personal information, it makes good commercial sense to protect business data, especially information that may be ‘commercial in confidence’. Once you have conducted a PIA, you can make informed choices about your security and privacy arrangements and about which third-party providers you will choose to undertake important work.

Two factors are therefore critical to your privacy protocols: the handling and destruction of paper and computer-based data, and the internal training of your employees and staff in how they handle privacy issues.

Destruction of Personal Data and What You Can Do

It is critical that your organisation uses a third-party provider who can guarantee that your documents and hard drives will be destroyed in a way that protects you and ensures you abide by the Privacy Act. In Australia there is only one class of provider who can protect you, and that is a NAID AAA-rated company. NAID, the National Association for Information Destruction, is a global body that requires all members to provide the strongest possible data security for their clients, and the AAA rating is the top class of NAID certification - the ‘Gold Standard’. AAA-rated document destruction companies face unannounced audits plus an array of measures they must satisfy to keep their AAA rating. These measures include closed-circuit TV coverage of premises and vans, security-cleared staff, disposal protocols and many other controls.

There are many document destruction companies in the market, but many of them do not abide by NAID AAA standards and therefore put your security and privacy standards at risk. These non-compliant companies can generally be identified because they:

  • Do not allow you to witness any security shredding through "Witnessed Destruction"

  • Use other companies to do the actual destruction and therefore cannot maintain privacy control

  • Do not provide a Certificate of Destruction

There are a few questions you can ask when interviewing potential document destruction providers before giving them your business - ask them the following:

  • Do you provide a Certificate of Destruction?

  • Do you do all shredding yourself?

  • Can I come in and witness the documents/data being destroyed?

If they answer no or obfuscate, then do not use them.

Only use a NAID AAA-rated data destruction company like SDDC.

Training of Staff and Employees

It is important that your staff are trained in proper document and data security. We provide you with a training DVD, and associated documents, so that your staff are fully trained and abide by privacy principles. We provide this training DVD to you free of charge. Register for your free privacy training DVD here.

If you have any further questions about the privacy principles or any other issues related to your document and data destruction requirements, please contact us by completing our contact form.