
Private practice

Changes to Australia’s privacy regime are on the way, and advisers, business owners and others need to be both informed and prepared

For advisers, keeping records and handling information on current, past and potential clients is a large part of the administrative side of the job. Many feel the burdens of disclosure and record maintenance – the cans and can’ts – are already excessive.

However, a series of legislative amendments passed in Canberra in late 2012, and slated for introduction in early 2014, will only add what some see as more red tape to tie up the way in which personal information is handled.

The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 makes a number of additions to the country’s privacy regime that advisers and all business owners and managers should be aware of. Specifically, the Bill will amend the Privacy Act by introducing 13 Australian Privacy Principles for the private and public sectors to live by.

Described as an “important milestone for privacy in Australia” by Information Commissioner Timothy Pilgrim, the principles cover greater restrictions on the information that can legally be collected and stored by businesses, restrictions on how information is transferred to others, especially for the purposes of marketing, and new requirements to destroy unsolicited personal information that a business receives.

In addition, the section of the Privacy Act relating to credit information has been completely re-written. Advisers will now have access to more comprehensive credit information on existing and prospective clients than they currently do, including more details about loans, loan balances and repayment history.

But with greater access comes greater responsibility.


The amendments also add new compliance obligations for those accessing credit information for business purposes. They boost the rights of individuals to seek corrections to and address complaints about their credit files and to manage how the information is being used and disseminated.

Given the challenge of generating leads that financial planners face, and the increasing importance of marketing within the industry, the direct marketing rules are also likely to be relevant.

“From March [2014] there will be a prohibition on information [being] used for direct marketing and online advertising purposes, which is a fundamental difference,” explains Anne Marie Allgrove, a privacy specialist at international law firm Baker & McKenzie’s Sydney office.

“There are also changes to the way you can legally receive and use information from a third party,” she says. “So if a financial planner receives a marketing list they must also receive undertakings from the provider that the people on the list have consented to receiving marketing materials.”

Herbert Smith Freehills privacy lawyer Kaman Tsoi also suggests that for planners, “the direct marketing changes will be important”.

But while readers may baulk at the thought of yet more red tape, they will also be pleased to know that the small business exemption – which exempted businesses with a turnover of less than $3 million from having to comply with the existing privacy principles – has not been done away with.

Unfortunately, this does not mean all independent advisers with turnovers below the threshold are necessarily in the clear. Some planners may fall into a legal grey area when it comes to the exemption criteria.

“Small business operators that are connected with larger businesses may not qualify for the small business exemption,” Allgrove explains. “If they are in any way corporately connected with a larger business they might not meet the criteria; it would depend on the specific contractual arrangements in place between the entities.”

If your business is connected with a dealer group that turns over more than $3 million a year, you might want to have a closer look at your contracts and possibly seek legal advice about whether you qualify for the exemption.

Even if you do not satisfy the exemption criteria, however, according to Allgrove, it is “highly recommended [you] comply with the new amendments from a reputational and best practice point of view.”

With Future of Financial Advice (FOFA) just around the corner and several existing regulations already taking their toll, advisers might be tempted to bury their heads in the sand on privacy, considering the reforms don’t take effect until 2014.

Privacy lawyer Katherine Forrest of King & Wood Mallesons, who represents clients in the financial services sector, offers a warning: “Not all of the detail about the changes has been finalised yet; for example, regulations are still to be made under the Act, a new credit reporting code of conduct is still to be released, and updated guidance is expected from the Commissioner,” Forrest says.

“However, this should not be a reason to wait to start planning because 14 months is not a long time,” she adds. “Rather, businesses should be looking at, first, whether they can influence or lobby on the changes yet to come and, second, putting together a plan of action, with contingencies, to be in a good position to comply as well as compete even better.”

Sources also tell ifa there are murmurs that the government may seek to do away with the small business exemption, and pro-privacy campaigners are lobbying hard for this outcome. Allgrove explains that by international standards, Australia still lags behind other OECD countries on privacy protection, even with the new amendments.

With the new amendments set to come in early next year and with whispers of more changes to come, best to get on the front foot and get moving on those action plans.

Privacy panel

To help you get started on your action plan, a panel of leading privacy lawyers has offered a few pieces of advice to ensure you are ready for the new requirements:

  1. Make sure you are providing clear collection statements to anyone you collect information from about how exactly you intend to use their information
  2. Make clear who you are, and who you will be transferring the information to
  3. If you are transferring data to a third party, make sure you have contracts in place protecting the information and yourself
  4. Ensure you have a privacy policy in place and that your staff is trained in how to comply with the policy, including giving responsibility for privacy matters to a specific staff member or team
  5. Review your information and data security procedures
  6. Do a ‘gap analysis’ comparing the new requirements with your current privacy practices
  7. Get professional legal advice when drafting your internal privacy policy as this will ensure you don’t over-commit.

Source: Anne Marie Allgrove, Baker & McKenzie; Katherine Forrest, King & Wood Mallesons; Kaman Tsoi, Herbert Smith Freehills