The Office of the Information Commissioner has now released guidelines to the upcoming APP principles, which will be coming into force later this week. Time is running out. Our extensive work in the recruitment sphere has shown us that Recruitment is one of the few industries where Privacy Management is critical and compliance across the industry has not been high. So, let's cut out all the waffle, and jump straight into what you need to know.
You cannot avoid the changes
The National Privacy Principles (or Information Privacy Principles if you belong to a government agency) are being modified for a reason: they simply did not satisfy customers, clients and employees, and they did not adequately protect personal information across many levels of business. So, fair warning: the new laws will compel your company to meet higher expectations and obligations of transparency. So what are the changes? These National Privacy Principles have been converted into 13 Australian Privacy Principles (APPs) that aim to "harmonise" the two sets of principles that currently apply to Australian government agencies and to private businesses. A more "comprehensive credit reporting system" is also being introduced, as well as a "simplified and enhanced correction and complaints process". But most importantly, the amendments provide the Australian Privacy Commissioner, Timothy Pilgrim, with enhanced powers to enforce and remedy complaints, conduct investigations and address breaches of privacy.
The Commissioner has significant new powers
What powers does the Information Commissioner already have under his belt? Well, he can:
- Review any complaint made and make any inquiries with any party that the Office considers necessary. The OAIC can also act as an impartial mediator and aid in reconciliation processes.
- If neither party can reach an agreement, the Information Commissioner can, once again, review material and make a formal determination against your company if he deems that your organisation did not enter into reasonable arrangements in negotiation. This determination will dictate what further actions your company must take, and it will be officially recorded.
- He can conduct investigations against a company and its actions of his own accord to determine whether it may be interfering with the privacy of an individual. This investigation is made into a report that is publicly listed on the OAIC website to serve warnings, tips and general information to other businesses.
- He is also empowered to audit Australian government agencies and certain private sector and state government organisations to establish an organisation's adherence to good privacy policies and legislative requirements. These audits, too, are generally publicly listed on the OAIC website.
What new powers has he attained?
- In serious or repeated cases of privacy breaches, he can issue a penalty of up to $340,000 for individuals and up to $1.7 million for companies.
- He can now also accept a legally enforceable undertaking from any private organisation or government agency.
- Whilst he has always been able to audit a private sector organisation by invitation, Mr Pilgrim jokes that "organisations have been too shy to extend such an invitation up to now." He goes on to say that "from 12 March [he'll] be able to invite [him]self in." That is, he will have the power to conduct "Performance Assessment" audits of his own free will, irrespective of any request or lack of request by an organisation, and regardless of whether the company has committed a serious breach or not.
No "softly, softly" approach
Over the next 12 months, the Office of the Information Commissioner is aiming to assist companies and businesses to learn about these obligations (they have a vast array of resources on their website, for example). However, Mr Pilgrim has made it very clear that he will not be employing a "softly, softly" approach after the reforms are implemented. He has rejected taking a lenient approach for entities still designing processes and policies because he believes that: "The public sector have been working with the Act for nearly 25 years and the private sector for over 12 years, [and therefore] these concepts are not new." He reinforced that "Organisations have had 15 months to prepare...so [he] will not shy away from taking action where it is appropriate or necessary to do so." Thus, the onus is on you to be aware of the extent and nuances of your obligations. The law will not excuse anyone on the basis that he/she "did not know" that the amendments would affect them.
What should you do?
How do you become aware of and compliant with these changes? Firstly, if you haven't already thoroughly reviewed the materials on the OAIC website, do so now, and then review your current practices and procedures against the new obligations. But we understand. The information provided is copious, confusing, and a bit overwhelming. So, contact us to learn more about our Privacy Best Practice program held across Australia. The Privacy Best Practice program is an initiative of ITCRA (the Information Technology Contract & Recruitment Association). The program is a unique combination of a training workshop and a review of records.
"Thank you to ITCRA for leading [in] providing such valuable training to all staff at Viiew. This is a major challenge for the industry and we have appreciated your support." Troy Thorne (Chief Executive Officer at Viiew)