Privacy Act Reforms: Impact on Terms and Conditions of Trade

The Privacy Act changes commence in March 2014. 

If your credit application, privacy policy or terms and conditions of trade do not property take the new amendments into account, you may find yourself in danger of breaching the new Act. The changes have imposed new credit reporting provisions, and have given enforcement powers to the privacy Commissioner. 

The new principles are called the Australian Privacy Principles, and are intended to be harmonised across government and business.  They replace the existing Information Privacy Principles that apply to government, as well as the National Privacy Principles that currently apply to business.

The changes are quite broad.  The Privacy Commissioner, Timothy Pilgrim, suggests that businesses take a number of steps in the lead up to the new changes.  The Commissioner urges organisations to update their privacy policies, and notes that compliance practices will need to respond to the changes.  Clear systems and processes to handle complaints will be essential.

Credit reporting has undergone a significant review.  This is particularly significant for merchants and traders who provide credit to customers.  Both the privacy policy and T & Cs will require careful review to be brought up to date with the changing law, and to meet the challenges that the enhanced provisions and the increased powers of the Privacy Commissioner bring.

Enquiries into credit worthiness may become easier to make, but the way in which this information can be used is being tightened.  The new Part IIIA permits more comprehensive credit reporting and allows reporting of information on an individual’s current credit commitments and repayment history over the previous two years.  In addition, a new credit reporting code will be introduced in due course.  It is intended to be developed by industry subject to approval by the Privacy Commissioner.

The increase in widening credit reporting powers is constrained by new protections for individuals.  These include:

  • A simplified and enhanced correction and complaints process;
  • A prohibition on the reporting of credit-related information about children;
  • A prohibition on the reporting of defaults of less than $150;
  • The introduction of specific rules to deal with pre-screening of credit offers;
  • The introduction of specific provisions that allow an individual to freeze access to their credit related;
  • Personal information in cases of suspected identity theft or fraud; and
  • The introduction of civil penalties for breaches of certain credit reporting provisions.

Credit reporters will have already commenced collecting information on individual’s repayment history.  This information will be licensed to providers from March 2014. Another aspect is that new terminology is used under the changes. Credit Reporting Agencies will be known as Credit Reporting Bodies.

The new Australian Privacy Principles will apply to credit providers in some specific ways, with particular reference to credit information, credit eligibility information and information derived from a Credit Reporting Body.  Specific, enhanced provisions will apply to consumer credit.  There are specific rules dealing with the provision of repayment history information to a credit reporting body.  There are specific rules regarding the use or handling of information, known as “derived information”, which includes a credit score or risk assessment in relation to credit worthiness.

Increased Powers

Currently, the powers of the Privacy Commissioner are limited to making a determination that requires an apology, financial compensation or an undertaking to retrain.  If this is not effective, the Commissioner can take the matter to the Federal Court. 

Under the new provisions from March 2014 the Commissioner’s powers are greatly enhanced.  This will include not only the ability to make a determination, but also to obtain written undertakings regarding compliance with the right to enforce those undertakings in court.  Significantly, the Commissioner can seek fines up to $1,700,000 for serious or repeated breaches.

The Commissioner will have the right to undertake audits of private sector organisations if that seems appropriate.

Action required

The clear message from the Privacy Commissioner is that any business that is in the habit of providing credit should be reviewing its T&C’s, credit policies and its privacy policy.  For most organisations that give credit, the privacy policy and the terms and conditions of trade are intertwined.  Any changes to the company’s privacy policy must be reflected in the terms of trade to ensure there is no confusion between them.  Updating the privacy policy is a must, but so too is updating the company’s T&Cs.

Please contact Business, Corporate and Commercial Partner Tal Williams if you have any questions about the Privacy Act Reforms.


Recent Posts