Privacy Act 1988
No. 119, 1988 as amended
Compilation
start date: 1 July
2013
Includes
amendments up to: Act
No. 13, 2013
About this compilation
The compiled Act
This is a compilation of the Privacy Act 1988 as
amended and in force on 1 July 2013. It includes any amendment affecting
the compiled Act to that date.
This compilation was prepared on
30 August 2013.
The notes at the end of this
compilation (the endnotes) include information about amending
Acts and instruments and the amendment history of each amended provision.
Uncommenced provisions and amendments
If a provision of the compiled
Act is affected by an uncommenced amendment, the text of the uncommenced
amendment is set out in the endnotes.
Application, saving and transitional provisions for
amendments
If the operation of an amendment
is affected by an application, saving or transitional provision, the provision
is identified in the endnotes.
Modifications
If a provision of the compiled
Act is affected by a textual modification that is in force, the text of the
modifying provision is set out in the endnotes.
Provisions ceasing to have effect
If a provision of the compiled
Act has expired or otherwise ceased to have effect in accordance with a
provision of the Act, details of the provision are set out in the endnotes.
Contents
Part I—Preliminary 2
1............ Short title............................................................................................. 2
2............ Commencement................................................................................... 2
3............ Saving of certain State and Territory laws........................................... 2
3A......... Application of the Criminal Code....................................................... 2
4............ Act to bind the Crown......................................................................... 2
5............ Interpretation of Information Privacy Principles................................. 3
5A......... Extension to external Territories.......................................................... 3
5B......... Extra‑territorial operation of Act......................................................... 3
Part II—Interpretation 5
6............ Interpretation....................................................................................... 5
6A......... Breach of a National Privacy Principle.............................................. 23
6B......... Breach of an approved privacy code................................................. 24
6C......... Organisations.................................................................................... 25
6D......... Small business and small business operators.................................... 27
6DA...... What is the annual turnover of a business?...................................... 29
6E.......... Small business operator treated as organisation................................ 30
6EA....... Small business operators choosing to be treated as
organisations..... 32
6F.......... State instrumentalities etc. treated as
organisations............................ 33
7............ Acts and practices of agencies, organisations
etc.............................. 34
7A......... Acts of certain agencies treated as acts of
organisation..................... 38
7B......... Exempt acts and exempt practices of organisations........................... 39
7C......... Political acts and practices are exempt............................................... 40
8............ Acts and practices of, and disclosure of
information to, staff of agency, organisation etc. 42
9............ Collectors.......................................................................................... 44
10.......... Record‑keepers................................................................................. 45
11.......... File number recipients....................................................................... 46
11A....... Credit reporting agencies................................................................... 47
11B....... Credit providers................................................................................ 47
12.......... Application of Information Privacy Principles to
agency in possession 50
12A....... Act not to apply in relation to State banking or
insurance within that State 50
12B....... Severability: additional effect of Act in relation
to organisations....... 50
Part III—Information privacy 52
Division 1—Interferences with privacy 52
13.......... Interferences with privacy................................................................. 52
13A....... Interferences with privacy by organisations...................................... 53
13B....... Related bodies corporate................................................................... 54
13C....... Change in partnership because of change in partners........................ 55
13D....... Overseas act required by foreign law................................................ 56
13E........ Effect on section 13 of sections 13B,
13C and 13D.......................... 56
13F........ Act or practice not covered by section 13 or
section 13A is not an interference with privacy 56
Division 2—Information Privacy Principles 57
14.......... Information Privacy Principles.......................................................... 57
15.......... Application of Information Privacy Principles.................................. 63
15B....... Special provision relating to the application of
the Information Privacy Principles in relation to Norfolk Island 63
16.......... Agencies to comply with Information Privacy
Principles................. 63
Division 3—Approved privacy codes and the National
Privacy Principles 64
16A....... Organisations to comply with approved privacy codes
or National Privacy Principles 64
16B....... Personal information in records........................................................ 64
16C....... Application of National Privacy Principles....................................... 65
16D....... Delayed application of National Privacy Principles
to small business 65
16E........ Personal, family or household affairs................................................ 66
16F........ Information under Commonwealth contract not to be
used for direct marketing 66
Division 4—Tax file number information 68
17.......... Guidelines relating to tax file number
information............................ 68
18.......... File number recipients to comply with guidelines............................. 68
Division 5—Credit information 69
18A....... Code of Conduct relating to credit information
files and credit reports 69
18B....... Credit reporting agencies and credit providers to
comply with Code of Conduct 69
Part IIIAA—Privacy codes 70
18BA.... Application for approval of privacy code.......................................... 70
18BAA. Privacy codes may cover exempt acts or practices............................ 70
18BB..... Commissioner may approve privacy code......................................... 70
18BC..... When approval takes effect............................................................... 73
18BD.... Varying an approved privacy code.................................................... 73
18BE..... Revoking the approval of an approved privacy code......................... 74
18BF..... Guidelines about privacy codes......................................................... 74
18BG.... Register of approved privacy codes.................................................. 75
18BH.... Review of operation of approved privacy code................................. 75
18BI...... Review of adjudicator’s decision under approved
privacy code........ 76
Part IIIA—Credit reporting 77
18C....... Certain credit reporting only to be undertaken by
corporations......... 77
18D....... Personal information not to be given to certain
persons carrying on credit reporting 77
18E........ Permitted contents of credit information files.................................... 78
18F........ Deletion of information from credit information
files........................ 81
18G....... Accuracy and security of credit information files
and credit reports.. 83
18H....... Access to credit information files and credit
reports.......................... 84
18J........ Alteration of credit information files and credit
reports..................... 84
18K....... Limits on disclosure of personal information by
credit reporting agencies 85
18L........ Limits on use by credit providers of personal
information contained in credit reports etc. 89
18M...... Information to be given if an individual’s
application for credit is refused 92
18N....... Limits on disclosure by credit providers of
personal information contained in reports relating to credit worthiness etc........................................................................................................... 93
18NA.... Disclosure by credit providers to certain persons who
gave indemnities 101
18P........ Limits on use or disclosure by mortgage insurers
or trade insurers of personal information contained in credit reports........................................................................................................ 101
18Q....... Limits on use by certain persons of personal information
obtained from credit providers 103
18R....... False or misleading credit reports.................................................... 105
18S........ Unauthorised access to credit information files or
credit reports..... 106
18T........ Obtaining access to credit information files or
credit reports by false pretences 106
18U....... Application of section 4B of Crimes Act........................................ 106
18V....... Application of this Part................................................................... 107
Part IV—Functions of the Information Commissioner 108
Division 2—Functions of Commissioner 108
27.......... Functions of Commissioner in relation to
interferences with privacy 108
27A....... Functions of Commissioner in relation to healthcare
identifiers...... 111
28.......... Functions of Commissioner in relation to tax file
numbers............. 111
28A....... Functions of Commissioner in relation to credit
reporting.............. 112
28B....... Functions of Commissioner in relation to personal
property securities 114
29.......... Commissioner to have regard to certain matters.............................. 114
Division 3—Reports by Commissioner 116
30.......... Reports following investigation of act or
practice........................... 116
31.......... Report following examination of proposed
enactment.................... 118
32.......... Report following monitoring of certain activities............................ 118
33.......... Exclusion of certain matters from reports........................................ 119
33B....... Copies of certain reports to be given to the
Norfolk Island Justice Minister 120
Division 4—Miscellaneous 121
34.......... Provisions relating to documents exempt under the
Freedom of Information Act 1982 121
35.......... Direction where refusal or failure to amend
exempt document........ 121
Part V—Investigations 123
Division 1—Investigation of complaints and investigations
on the Commissioner’s initiative 123
36.......... Complaints...................................................................................... 123
37.......... Principal executive of agency.......................................................... 124
38.......... Conditions for making a representative complaint........................... 126
38A....... Commissioner may determine that a complaint is not
to continue as a representative complaint 126
38B....... Additional rules applying to the determination of
representative complaints 127
38C....... Amendment of representative complaints........................................ 128
39.......... Class member for representative complaint not
entitled to lodge individual complaint 128
40.......... Investigations.................................................................................. 128
40A....... Referring complaint about act under Commonwealth
contract........ 129
41.......... Circumstances in which Commissioner may decide
not to investigate or may defer investigation 130
42.......... Preliminary inquiries....................................................................... 131
43.......... Conduct of investigations................................................................ 131
44.......... Power to obtain information and documents................................... 133
45.......... Power to examine witnesses........................................................... 134
46.......... Directions to persons to attend compulsory
conference.................. 134
47.......... Conduct of compulsory conference................................................. 135
48.......... Complainant and certain other persons to be
informed of various matters 136
49.......... Investigation under section 40 to cease if
certain offences may have been committed 136
49A....... Investigation under section 40 to cease if
civil penalty provision under Personal Property Securities Act 2009 may
have been contravened............................................................................. 137
50.......... Reference of matters to other authorities......................................... 138
50A....... Substitution of respondent to complaint.......................................... 140
51.......... Effect of investigation by Auditor‑General..................................... 141
Division 2—Determinations following investigation of
complaints 142
52.......... Determination of the Commissioner................................................ 142
53.......... Determination must identify the class members who
are to be affected by the determination 144
53A....... Notice to be given to outsourcing agency........................................ 144
53B....... Substituting respondent to determination........................................ 145
Division 3—Enforcement 146
54.......... Application of Division................................................................... 146
55.......... Obligations of respondent organisation........................................... 146
55A....... Proceedings in the Federal Court or Federal Circuit
Court to enforce a determination 147
55B....... Evidentiary certificate...................................................................... 148
Division 4—Review and enforcement of determinations
involving Commonwealth agencies 150
57.......... Application of Division................................................................... 150
58.......... Obligations of respondent agency................................................... 150
59.......... Obligations of principal executive of agency................................... 150
60.......... Compensation and expenses........................................................... 151
61.......... Review of determinations regarding compensation
and expenses... 151
62.......... Enforcement of determination against an agency............................. 151
Division 5—Miscellaneous 153
63.......... Legal assistance............................................................................... 153
64.......... Commissioner etc. not to be sued.................................................... 154
65.......... Failure to attend etc. before Commissioner..................................... 154
66.......... Failure to give information etc......................................................... 155
67.......... Protection from civil actions............................................................ 158
68.......... Power to enter premises.................................................................. 158
68A....... Identity cards................................................................................... 160
69.......... Restrictions on Commissioner obtaining personal
information and documents 160
70.......... Certain documents and information not required to
be disclosed.... 162
70A....... Application of Part to organisations that are not
legal persons........ 164
70B....... Application of this Part to former organisations.............................. 164
Part VI—Public interest determinations and temporary
public interest determinations 166
Division 1—Public interest determinations 166
71.......... Interpretation................................................................................... 166
72.......... Power to make, and effect of, determinations.................................. 166
73.......... Application by agency or organisation............................................ 167
74.......... Publication of application................................................................ 168
75.......... Draft determination......................................................................... 168
76.......... Conference...................................................................................... 169
77.......... Conduct of conference.................................................................... 169
78.......... Determination of application........................................................... 170
79.......... Making of determination................................................................. 170
80.......... Determinations disallowable........................................................... 170
Division 2—Temporary public interest determinations 171
80A....... Temporary public interest determinations........................................ 171
80B....... Effect of temporary public interest determination............................ 171
80C....... Determinations disallowable........................................................... 172
80D....... Commissioner may continue to consider application....................... 172
Division 3—Register of determinations 173
80E........ Register of determinations............................................................... 173
Part VIA—Dealing with personal information in emergencies
and disasters 174
Division 1—Object and interpretation 174
80F........ Object.............................................................................................. 174
80G....... Interpretation................................................................................... 174
80H....... Meaning of permitted purpose........................................................ 175
Division 2—Declaration of emergency 176
80J........ Declaration of emergency—events of national
significance............ 176
80K....... Declaration of emergency—events outside Australia...................... 176
80L........ Form of declarations....................................................................... 177
80M...... When declarations take effect.......................................................... 177
80N....... When declarations cease to have effect............................................ 177
Division 3—Provisions dealing with the use and disclosure
of personal information 178
80P........ Authorisation of collection, use and disclosure of
personal information 178
Division 4—Other matters 181
80Q....... Disclosure of information—offence................................................ 181
80R....... Operation of Part............................................................................. 182
80S........ Severability—additional effect of Part............................................. 182
80T........ Compensation for acquisition of
property—constitutional safety net 183
Part VII—Privacy Advisory Committee 185
81.......... Interpretation................................................................................... 185
82.......... Establishment and membership....................................................... 185
83.......... Functions........................................................................................ 186
84.......... Leave of absence............................................................................. 186
85.......... Removal and resignation of members............................................. 187
86.......... Disclosure of interests of members................................................. 187
87.......... Meetings of Advisory Committee................................................... 187
88.......... Travel allowance............................................................................. 188
Part VIII—Obligations of confidence 189
89.......... Obligations of confidence to which Part applies............................. 189
90.......... Application of Part.......................................................................... 189
91.......... Effect of Part on other laws............................................................. 189
92.......... Extension of certain obligations of confidence................................ 190
93.......... Relief for breach etc. of certain obligations of
confidence............... 190
94.......... Jurisdiction of courts....................................................................... 190
Part IX—Miscellaneous 191
95.......... Medical research guidelines............................................................ 191
95A....... Guidelines for National Privacy Principles about
health information 191
95AA.... Guidelines for National Privacy Principles about
genetic information 193
95B....... Requirements for Commonwealth contracts.................................... 193
95C....... Disclosure of certain provisions of Commonwealth
contracts........ 194
98.......... Injunctions...................................................................................... 194
99A....... Conduct of directors, employees and agents................................... 196
100........ Regulations..................................................................................... 197
Part X—Amendments of other Acts 199
101........ Amendments of other Acts............................................................. 199
Schedule 1—Amendments of other Acts 200
Freedom of Information Act 1982 200
Human Rights and Equal Opportunity Commission Act 1986 202
Merit Protection (Australian Government Employees) Act 1984 204
Ombudsman Act 1976 205
Schedule 3—National Privacy Principles 207
1............ Collection........................................................................................ 207
2............ Use and disclosure.......................................................................... 208
3............ Data quality..................................................................................... 212
4............ Data security................................................................................... 213
5............ Openness........................................................................................ 213
6............ Access and correction..................................................................... 213
7............ Identifiers........................................................................................ 215
8............ Anonymity...................................................................................... 216
9............ Transborder data flows................................................................... 216
10.......... Sensitive information...................................................................... 217
Endnotes 220
Endnote 1—Legislation history 220
Endnote 2—Amendment history 235
Endnote 3—Uncommenced amendments 246
Endnote 4—Misdescribed amendments 454
Endnote 5—Modifications 455
An Act to make provision to protect the
privacy of individuals, and for related purposes
WHEREAS Australia
is a party to the International Covenant on Civil and Political Rights, the
English text of which is set out in Schedule 2 to the Australian Human
Rights Commission Act 1986:
AND WHEREAS, by
that Covenant, Australia has undertaken to adopt such legislative measures as
may be necessary to give effect to the right of persons not to be subjected to
arbitrary or unlawful interference with their privacy, family, home or
correspondence:
AND WHEREAS Australia is a member of the Organisation for Economic Co‑operation and Development:
AND WHEREAS the
Council of that Organisation has recommended that member countries take into
account in their domestic legislation the principles concerning the protection
of privacy and individual liberties set forth in Guidelines annexed to the
recommendation:
AND WHEREAS Australia has informed that Organisation that it will participate in the recommendation
concerning those Guidelines:
BE IT THEREFORE
ENACTED by the Queen, and the Senate and the House of Representatives of the
Commonwealth of Australia, as follows:
Part I—Preliminary
1
Short title
This Act may be cited as the Privacy
Act 1988.
2
Commencement
This Act commences on a day to be fixed
by Proclamation.
3
Saving of certain State and Territory laws
It is the intention of the Parliament
that this Act is not to affect the operation of a law of a State or of a
Territory that makes provision with respect to the collection, holding, use,
correction, disclosure or transfer of personal information (including such a
law relating to credit reporting or the use of information held in connection
with credit reporting) and is capable of operating concurrently with this Act.
Note: Such a law can have effect for the purposes of
the provisions of the National Privacy Principles that regulate the handling of
personal information by organisations by reference to the effect of other laws.
3A
Application of the Criminal Code
Chapter 2 of the Criminal Code
(except Part 2.5) applies to all offences against this Act.
Note: Chapter 2 of the Criminal Code
sets out the general principles of criminal responsibility.
4 Act
to bind the Crown
(1) This Act binds the Crown in right of the
Commonwealth, of each of the States, of the Australian Capital Territory, of
the Northern Territory and of Norfolk Island.
(2) Nothing in this Act renders the Crown in
right of the Commonwealth, of a State, of the Australian Capital Territory, of
the Northern Territory or of Norfolk Island liable to be prosecuted for an
offence.
(3) Nothing in this Act shall be taken to
have the effect of making the Crown in right of a State, of the Australian Capital Territory, of the Northern Territory or of Norfolk Island an agency for
the purposes of this Act.
5
Interpretation of Information Privacy Principles
For the purposes of the interpretation
of the Information Privacy Principles, each Information Privacy Principle shall
be treated as if it were a section of this Act.
5A
Extension to external Territories
This Act extends to all external
Territories.
5B
Extra‑territorial operation of Act
Application to overseas acts and practices of
organisations
(1) This Act (except Divisions 4 and 5
of Part III and Part IIIA) and approved privacy codes extend to an
act done, or practice engaged in, outside Australia and the external
Territories by an organisation if:
(a) subject to subsection (1A),
the act or practice relates to personal information about an Australian citizen
or a person whose continued presence in Australia is not subject to a
limitation as to time imposed by law; and
(b) the requirements of subsection (2)
or (3) are met.
Note: The act or practice overseas will not breach a
National Privacy Principle or approved privacy code or be an interference with
the privacy of an individual if the act or practice is required by an
applicable foreign law. See sections 6A, 6B and 13A.
(1A) Paragraph (1)(a) does not apply in
relation to National Privacy Principle 9.
Note: Because of subsection (1A), the extra‑territorial
application of National Privacy Principle 9 is not limited by the
citizenship etc. requirement of paragraph (1)(a).
Organisational link with Australia
(2) The organisation must be:
(a) an Australian citizen; or
(b) a person whose continued presence
in Australia is not subject to a limitation as to time imposed by law; or
(c) a partnership formed in Australia or an external Territory; or
(d) a trust created in Australia or an external Territory; or
(e) a body corporate incorporated in Australia or an external Territory; or
(f) an unincorporated association
that has its central management and control in Australia or an external
Territory.
Other link with Australia
(3) All of the following conditions must be
met:
(a) the organisation is not described
in subsection (2);
(b) the organisation carries on
business in Australia or an external Territory;
(c) the personal information was
collected or held by the organisation in Australia or an external Territory,
either before or at the time of the act or practice.
Power to deal with complaints about overseas acts and
practices
(4) Part V of this Act has extra‑territorial
operation so far as that Part relates to complaints and investigation
concerning acts and practices to which this Act extends because of subsection (1).
Note: This lets the Commissioner take action
overseas to investigate complaints and lets the ancillary provisions of Part V
operate in that context.
Part II—Interpretation
6
Interpretation
(1) In this Act, unless the contrary
intention appears:
ACC means the Australian Crime Commission.
ACT enactment has the same meaning as enactment
has in the Australian Capital Territory (Self‑Government) Act 1988.
agency means:
(a) a Minister; or
(b) a Department; or
(c) a body (whether incorporated or
not), or a tribunal, established or appointed for a public purpose by or under
a Commonwealth enactment, not being:
(i) an incorporated
company, society or association; or
(ii) an organisation that
is registered under the Fair Work (Registered Organisations) Act 2009 or
a branch of such an organisation; or
(d) a body established or appointed by
the Governor‑General, or by a Minister, otherwise than by or under a
Commonwealth enactment; or
(e) a person holding or performing the
duties of an office established by or under, or an appointment made under, a
Commonwealth enactment, other than a person who, by virtue of holding that
office, is the Secretary of a Department; or
(f) a person holding or performing
the duties of an appointment, being an appointment made by the Governor‑General,
or by a Minister, otherwise than under a Commonwealth enactment; or
(g) a federal court; or
(h) the Australian Federal Police; or
(ha) a Norfolk Island agency; or
(i) an eligible case manager; or
(j) the nominated AGHS company; or
(k) an eligible hearing service
provider; or
(l) the service operator under the Healthcare
Identifiers Act 2010.
annual turnover of a business has the meaning
given by section 6DA.
approved privacy code means:
(a) a privacy code approved by the
Commissioner under section 18BB; or
(b) a privacy code approved by the
Commissioner under section 18BB with variations approved by the
Commissioner under section 18BD.
authorised agent of a reporting entity means
a person authorised to act on behalf of the reporting entity as mentioned in
section 37 of the Anti‑Money Laundering and Counter‑Terrorism Financing
Act 2006.
bank means:
(a) the Reserve Bank of Australia; or
(b) a body corporate that is an ADI
(authorised deposit‑taking institution) for the purposes of the Banking Act
1959; or
(c) a person who carries on State
banking within the meaning of paragraph 51(xiii) of the Constitution.
Board of the ACC means the Board of the
Australian Crime Commission established under section 7B of the Australian
Crime Commission Act 2002.
breach an approved privacy code has the
meaning given by section 6B.
breach an Information Privacy Principle has a
meaning affected by subsection 6(2).
breach a National Privacy Principle has the
meaning given by section 6A.
Cabinet, in relation to Norfolk Island, means
a body that:
(a) consists of Norfolk Island Ministers;
and
(b) corresponds to the Cabinet.
class member, in relation to a representative
complaint, means any of the persons on whose behalf the complaint was lodged,
but does not include a person who has withdrawn under section 38B.
code complaint means a complaint about an act
or practice that, if established, would be an interference with the privacy of
the complainant because it breached an approved privacy code.
Code of Conduct means the Code of Conduct
issued under section 18A.
commercial credit means a loan sought or
obtained by a person, other than a loan of a kind referred to in the definition
of credit in this subsection.
Commissioner means the Information
Commissioner within the meaning of the Australian Information Commissioner
Act 2010.
Commissioner of Police means the Commissioner
of Police appointed under the Australian Federal Police Act 1979.
Commission of inquiry means:
(a) the Commission of inquiry within
the meaning of the Quarantine Act 1908; or
(b) a Commission of inquiry within the
meaning of the Offshore Petroleum and Greenhouse Gas Storage Act 2006.
Commonwealth contract means a contract, to
which the Commonwealth, Norfolk Island or an agency is or was a party, under
which services are to be, or were to be, provided to an agency.
Note: See also subsection (9) about provision
of services to an agency.
Commonwealth enactment means:
(a) an Act other than:
(i) the Northern
Territory (Self‑Government) Act 1978; or
(ii) an Act providing for
the administration or government of an external Territory; or
(iii) the Australian
Capital Territory (Self‑Government) Act 1988;
(b) an Ordinance of the Australian Capital Territory;
(c) an instrument (including rules,
regulations or by‑laws) made under an Act to which paragraph (a) applies or
under an Ordinance to which paragraph (b) applies; or
(d) any other legislation that applies
as a law of the Commonwealth (other than legislation in so far as it is applied
by an Act referred to in subparagraph (a)(i) or (ii)) or as a law of the
Australian Capital Territory, to the extent that it operates as such a law.
Commonwealth officer means a person who holds
office under, or is employed by, the Commonwealth, and includes:
(a) a person appointed or engaged
under the Public Service Act 1999;
(b) a person (other than a person
referred to in paragraph (a)) permanently or temporarily employed by, or
in the service of, an agency;
(c) a member of the Defence Force; and
(d) a member, staff member or special
member of the Australian Federal Police;
but does not include a person permanently or temporarily
employed in the Australian Capital Territory Government Service or in the
Public Service of the Northern Territory or of Norfolk Island.
consent means express consent or implied
consent.
contracted service provider, for a government
contract, means:
(a) an organisation that is or was a
party to the government contract and that is or was responsible for the
provision of services to an agency or a State or Territory authority under the
government contract; or
(b) a subcontractor for the government
contract.
corporation means a body corporate that:
(a) is a foreign corporation;
(b) is a trading corporation formed
within the limits of Australia or is a financial corporation so formed; or
(c) is incorporated in a Territory,
other than the Northern Territory.
credit means a loan sought or obtained by an
individual from a credit provider in the course of the credit provider carrying
on a business or undertaking as a credit provider, being a loan that is intended
to be used wholly or primarily for domestic, family or household purposes.
credit card means any article of a kind
commonly known as a credit card, charge card or any similar article intended
for use in obtaining cash, goods or services by means of loans, and includes
any article of a kind commonly issued by persons carrying on business to
customers or prospective customers of those persons for use in obtaining goods
or services from those persons by means of loans.
credit enhancement, in relation to a loan,
means:
(a) the process of insuring risk
associated with purchasing or funding the loan by means of a securitisation
arrangement; or
(b) any other similar process related
to purchasing or funding the loan by those means.
credit information file, in relation to an
individual, means any record that contains information relating to the
individual and is kept by a credit reporting agency in the course of carrying
on a credit reporting business (whether or not the record is a copy of the
whole or part of, or was prepared using, a record kept by another credit
reporting agency or any other person).
credit provider has the meaning given by
section 11B, and, for the purposes of sections 7 and 8 and Parts III,
IV and V, is taken to include a mortgage insurer and a trade insurer.
credit report means any record or
information, whether in a written, oral or other form, that:
(a) is being or has been prepared by a
credit reporting agency; and
(b) has any bearing on an
individual’s:
(i) eligibility to be
provided with credit; or
(ii) history in relation to
credit; or
(iii) capacity to repay
credit; and
(c) is used, has been used or has the
capacity to be used for the purpose of serving as a factor in establishing an
individual’s eligibility for credit.
credit reporting agency has the meaning given
by section 11A.
credit reporting business means a business or
undertaking (other than a business or undertaking of a kind in respect of which
regulations made for the purposes of subsection (5C) are in force) that
involves the preparation or maintenance of records containing personal
information relating to individuals (other than records in which the only
personal information relating to individuals is publicly available
information), for the purpose of, or for purposes that include as the dominant
purpose the purpose of, providing to other persons (whether for profit or
reward or otherwise) information on an individual’s:
(a) eligibility to be provided with
credit; or
(b) history in relation to credit; or
(c) capacity to repay credit;
whether or not the information is provided or intended to
be provided for the purposes of assessing applications for credit.
credit reporting complaint means a complaint
about an act or practice that, if established, would be an interference with
the privacy of the complainant because:
(a) it breached the Code of Conduct;
or
(b) it breached a provision of Part IIIA.
credit reporting
infringement means:
(a) a breach of the Code of Conduct;
or
(b) a breach of a provision of Part IIIA.
current credit provider, in relation to an
individual, means a credit provider who has given, to the individual, credit
that has not yet been fully repaid or otherwise fully discharged.
Defence Force includes the Australian Navy
Cadets, the Australian Army Cadets and the Australian Air Force Cadets.
Department means an Agency within the meaning
of the Public Service Act 1999.
eligible case manager means an entity (within
the meaning of the Employment Services Act 1994):
(a) that is, or has at any time been,
a contracted case manager within the meaning of that Act; and
(b) that is not covered by paragraph (a),
(b), (c), (d), (e), (f), (g) or (h) of the definition of agency.
eligible communications service means a
postal, telegraphic, telephonic or other like service, within the meaning of
paragraph 51(v) of the Constitution.
eligible hearing service provider means an
entity (within the meaning of the Hearing Services Administration Act 1997):
(a) that is, or has at any time been,
engaged under Part 3 of the Hearing Services Administration Act 1997
to provide hearing services; and
(b) that is not covered by paragraph (a),
(b), (c), (d), (e), (f), (g), (h) or (j) of the definition of agency.
employee record, in relation to an employee,
means a record of personal information relating to the employment of the
employee. Examples of personal information relating to the employment of the
employee are health information about the employee and personal information
about all or any of the following:
(a) the engagement, training,
disciplining or resignation of the employee;
(b) the termination of the employment
of the employee;
(c) the terms and conditions of
employment of the employee;
(d) the employee’s personal and
emergency contact details;
(e) the employee’s performance or
conduct;
(f) the employee’s hours of
employment;
(g) the employee’s salary or wages;
(h) the employee’s membership of a
professional or trade association;
(i) the employee’s trade union
membership;
(j) the employee’s recreation, long
service, sick, personal, maternity, paternity or other leave;
(k) the employee’s taxation, banking
or superannuation affairs.
enactment includes a Norfolk Island
enactment.
enforcement body means:
(a) the Australian Federal Police; or
(aa) the Integrity Commissioner; or
(b) the ACC; or
(c) Customs; or
(d) the Australian Prudential
Regulation Authority; or
(e) the Australian Securities and
Investments Commission; or
(f) another agency, to the extent
that it is responsible for administering, or performing a function under, a law
that imposes a penalty or sanction or a prescribed law; or
(g) another agency, to the extent that
it is responsible for administering a law relating to the protection of the
public revenue; or
(h) a police force or service of a
State or a Territory; or
(i) the New South Wales Crime
Commission; or
(j) the Independent Commission
Against Corruption of New South Wales; or
(k) the Police Integrity Commission of
New South Wales; or
(ka) the Independent Broad‑based Anti‑corruption
Commission of Victoria; or
(l) the Crime and Misconduct
Commission of Queensland; or
(m) another prescribed authority or
body that is established under a law of a State or Territory to conduct
criminal investigations or inquiries; or
(n) a State or Territory authority, to
the extent that it is responsible for administering, or performing a function
under, a law that imposes a penalty or sanction or a prescribed law; or
(o) a State or Territory authority, to
the extent that it is responsible for administering a law relating to the
protection of the public revenue.
Federal Circuit Court means the Federal
Circuit Court of Australia.
Federal Court means the Federal Court of
Australia.
file number complaint means a complaint about
an act or practice that, if established, would be an interference with the
privacy of the complainant:
(a) because it breached a guideline
issued under section 17; or
(b) because it involved an
unauthorised requirement or request for disclosure of a tax file number.
financial corporation means a financial
corporation within the meaning of paragraph 51(xx) of the Constitution.
foreign corporation means a foreign
corporation within the meaning of paragraph 51(xx) of the Constitution.
Freedom of Information Act means the Freedom
of Information Act 1982.
generally available publication means a
magazine, book, newspaper or other publication (however published) that is or
will be generally available to members of the public.
genetic relative of an individual (the first
individual) means another individual who is related to the first
individual by blood, including but not limited to a sibling, a parent or a
descendant of the first individual.
government contract means a Commonwealth
contract or a State contract.
guarantee includes an indemnity given against
the default of a borrower in making a payment in respect of a loan.
healthcare identifier has the meaning given
by the Healthcare Identifiers Act 2010.
healthcare identifier offence means:
(a) an offence against section 26
of the Healthcare Identifiers Act 2010; or
(b) an offence against section 6
of the Crimes Act 1914 that relates to an offence mentioned in paragraph (a)
of this definition.
Note: For ancillary offences, see section 11.6
of the Criminal Code.
health information means:
(a) information or an opinion about:
(i) the health or a
disability (at any time) of an individual; or
(ii) an individual’s
expressed wishes about the future provision of health services to him or her;
or
(iii) a health service
provided, or to be provided, to an individual;
that is also personal
information; or
(b) other personal information
collected to provide, or in providing, a health service; or
(c) other personal information about
an individual collected in connection with the donation, or intended donation,
by the individual of his or her body parts, organs or body substances; or
(d) genetic information about an
individual in a form that is, or could be, predictive of the health of
the individual or a genetic relative of the individual.
health service means:
(a) an activity performed in relation
to an individual that is intended or claimed (expressly or otherwise) by the
individual or the person performing it:
(i) to assess, record,
maintain or improve the individual’s health; or
(ii) to diagnose the
individual’s illness or disability; or
(iii) to treat the
individual’s illness or disability or suspected illness or disability; or
(b) the dispensing on prescription of
a drug or medicinal preparation by a pharmacist.
hearing services has the same meaning as in
the Hearing Services Administration Act 1997.
individual means a natural person.
individual concerned, in relation to personal
information or a record of personal information, means the individual to whom
the information relates.
Information Privacy Principle means any of
the Information Privacy Principles set out in section 14.
Integrity Commissioner has the same meaning
as in the Law Enforcement Integrity Commissioner Act 2006.
intelligence agency means:
(a) the Australian Security
Intelligence Organisation;
(b) the Australian Secret Intelligence
Service; or
(c) the Office of National
Assessments.
IPP complaint means a complaint about an act
or practice that, if established, would be an interference with the privacy of
the complainant because it breached an Information Privacy Principle.
loan means a contract, arrangement or
understanding under which a person is permitted to defer payment of a debt, or
to incur a debt and defer its payment, and includes:
(a) a hire‑purchase agreement; and
(b) such a contract, arrangement or
understanding for the hire, lease or renting of goods or services, other than a
contract, arrangement or understanding under which:
(i) full payment is made
before, or at the same time as, the goods or services are provided; and
(ii) in the case of a
hiring, leasing or renting of goods—an amount greater than or equal to the
value of the goods is paid as a deposit for the return of the goods.
media organisation means an organisation
whose activities consist of or include the collection, preparation for
dissemination or dissemination of the following material for the purpose of
making it available to the public:
(a) material having the character of
news, current affairs, information or a documentary;
(b) material consisting of commentary
or opinion on, or analysis of, news, current affairs, information or a
documentary.
medical research includes epidemiological
research.
mortgage credit means credit provided in
connection with the acquisition, maintenance or improvement of real property,
being credit in respect of which the real property is security.
mortgage insurer means a corporation that
carries on a business or undertaking (whether for profit, reward or otherwise)
that involves providing insurance to credit providers in respect of mortgage
credit given by credit providers to other persons.
National Privacy Principle means a clause of
Schedule 3. A reference in this Act to a National Privacy Principle by
number is a reference to the clause of Schedule 3 with that number.
nominated AGHS company
means a company that:
(a) is the nominated company (within
the meaning of Part 2 of the Hearing Services and AGHS Reform Act 1997);
and
(b) is
either:
(i) Commonwealth‑owned
(within the meaning of that Part); or
(ii) a corporation.
Norfolk Island agency
means:
(a) a Norfolk Island Minister; or
(b) a public sector agency (within the
meaning of the Public Sector Management Act 2000 of Norfolk Island); or
(c) a body (whether incorporated or
not), or a tribunal, established for a public purpose by or under a Norfolk
Island enactment, other than a body established or registered under:
(i) the Companies Act
1985 of Norfolk Island; or
(ii) the Associations
Incorporation Act 2005 of Norfolk Island; or
(d) a body established or appointed
by:
(i) the Administrator of
Norfolk Island; or
(ii) a Norfolk Island
Minister;
otherwise than by or under a
Norfolk Island enactment; or
(e) a person holding or performing the
duties of:
(i) an office established
by or under a Norfolk Island enactment; or
(ii) an appointment made
under a Norfolk Island enactment; or
(f) a person holding or performing
the duties of an appointment, where the appointment was made by:
(i) the Administrator of
Norfolk Island; or
(ii) a Norfolk Island
Minister;
otherwise than under a Norfolk
Island enactment; or
(g) a court of Norfolk Island.
Norfolk Island enactment means:
(a) an enactment (within the meaning
of the Norfolk Island Act 1979); or
(b) an instrument (including rules,
regulations or by‑laws) made under such an enactment;
and includes a Norfolk Island enactment as amended by
another Norfolk Island enactment.
Norfolk Island Justice Minister means the
Norfolk Island Minister who is responsible, or principally responsible, for the
administration of the Interpretation Act
1979 of Norfolk Island.
Norfolk Island Minister means a Minister of
Norfolk Island.
NPP complaint means a complaint about an act
or practice that, if established, would be an interference with the privacy of
the complainant because it breached a National Privacy Principle.
Ombudsman means the Commonwealth Ombudsman.
organisation has the meaning given by section 6C.
personal information means information or an
opinion (including information or an opinion forming part of a database),
whether true or not, and whether recorded in a material form or not, about an
individual whose identity is apparent, or can reasonably be ascertained, from
the information or opinion.
principal executive, of an agency, has a
meaning affected by section 37.
privacy code means a written code regulating
acts and practices that affect privacy.
record means:
(a) a document; or
(b) a database (however kept); or
(c) a photograph or other pictorial
representation of a person;
but does not include:
(d) a generally available publication;
or
(e) anything kept in a library, art
gallery or museum for the purposes of reference, study or exhibition; or
(f) Commonwealth records as defined
by subsection 3(1) of the Archives Act 1983 that are in the open
access period for the purposes of that Act; or
(fa) records (as defined in the Archives
Act 1983) in the care (as defined in that Act) of the National Archives of
Australia in relation to which the Archives has entered into arrangements with
a person other than a Commonwealth institution (as defined in that Act)
providing for the extent to which the Archives or other persons are to have
access to the records; or
(g) documents placed by or on behalf
of a person (other than an agency) in the memorial collection within the
meaning of the Australian War Memorial Act 1980; or
(h) letters or other articles in the
course of transmission by post.
registered political party means a political
party registered under Part XI of the Commonwealth Electoral Act 1918.
reporting entity has the same meaning as in
the Anti‑Money Laundering and Counter‑Terrorism Financing Act 2006.
representative complaint means a complaint
where the persons on whose behalf the complaint was made include persons other
than the complainant, but does not include a complaint that the Commissioner
has determined should no longer be continued as a representative complaint.
Secretary means an Agency Head within the
meaning of the Public Service Act 1999.
securitisation
arrangement means an arrangement:
(a) involving the funding, or proposed
funding, of:
(i) loans that have been,
or are to be, provided by a credit provider; or
(ii) the purchase of loans
by a credit provider;
by issuing instruments or
entitlements to investors; and
(b) under which payments to investors
in respect of such instruments or entitlements are principally derived,
directly or indirectly, from such loans.
sensitive information means:
(a) information or an opinion about an
individual’s:
(i) racial or ethnic
origin; or
(ii) political opinions; or
(iii) membership of a
political association; or
(iv) religious beliefs or
affiliations; or
(v) philosophical
beliefs; or
(vi) membership of a
professional or trade association; or
(vii) membership of a trade
union; or
(viii) sexual preferences or
practices; or
(ix) criminal record;
that is also personal
information; or
(b) health information about an individual;
or
(c) genetic information about an
individual that is not otherwise health information.
serious credit
infringement means an act done by a person:
(a) that involves fraudulently
obtaining credit, or attempting fraudulently to obtain credit; or
(b) that involves fraudulently evading
the person’s obligations in relation to credit, or attempting fraudulently to
evade those obligations; or
(c) that a reasonable person would
consider indicates an intention, on the part of the first‑mentioned person, no
longer to comply with the first‑mentioned person’s obligations in relation to
credit.
small business has the meaning given by
section 6D.
small business operator has the meaning given
by section 6D.
solicit, in relation to personal information,
means request a person to provide that information, or a kind of information in
which that information is included.
staff of the Ombudsman means the persons
appointed or employed for the purposes of section 31 of the Ombudsman
Act 1976.
State includes the Australian Capital
Territory and the Northern Territory.
State contract means a contract, to which a
State or Territory or State or Territory authority is or was a party, under
which services are to be, or were to be, provided to a State or Territory
authority.
Note: See also subsection (9) about provision
of services to a State or Territory authority.
State or Territory authority has the meaning
given by section 6C.
subcontractor, for a government contract,
means an organisation:
(a) that is or was a party to a
contract (the subcontract):
(i) with a contracted
service provider for the government contract (within the meaning of paragraph (a)
of the definition of contracted service provider); or
(ii) with a subcontractor
for the government contract (under a previous application of this definition);
and
(b) that is or was responsible under
the subcontract for the provision of services to an agency or a State or
Territory authority, or to a contracted service provider for the government
contract, for the purposes (whether direct or indirect) of the government
contract.
tax file number means a tax file number as
defined in Part VA of the Income Tax Assessment Act 1936.
tax file number information means information
(including information forming part of a database), whether compiled lawfully
or unlawfully, and whether recorded in a material form or not, that records the
tax file number of a person in a manner connecting it with the person’s
identity.
temporary public interest determination means
a determination made under section 80A.
trade insurer means a corporation that
carries on a business or undertaking (whether for profit, reward or otherwise)
that involves providing insurance to credit providers in respect of commercial
credit given by credit providers to other persons.
trading corporation means a trading
corporation within the meaning of paragraph 51(xx) of the Constitution.
use, in relation to information, does not
include mere disclosure of the information, but does include the inclusion of
the information in a publication.
(1A) In order to avoid doubt, it is declared
that an ACT enactment is not a Commonwealth enactment for the purposes of this
Act.
(2) For the purposes of this Act, an act or
practice breaches an Information Privacy Principle if, and only if, it is
contrary to, or inconsistent with, that Information Privacy Principle.
(3) For the purposes of this Act, an act or
practice breaches a guideline issued under section 17 if, and only if, it
is contrary to, or inconsistent with, the guideline.
(3A) For the purposes of this Act, an act or
practice breaches the Code of Conduct if, and only if, it is contrary to, or
inconsistent with, the Code of Conduct.
(4) The definition of individual
in subsection (1) shall not be taken to imply that references to persons
do not include persons other than natural persons.
(5) For the purposes of this Act, a person
shall not be taken to be an agency merely because the person is the holder of,
or performs the duties of:
(a) a prescribed office; or
(b) an office prescribed by
regulations made for the purposes of subparagraph 4(3)(b)(i) of the Freedom
of Information Act 1982; or
(c) an office established by or under
a Commonwealth enactment for the purposes of an agency; or
(ca) an office established by or under
a Norfolk Island enactment for the purposes of a Norfolk Island agency; or
(d) a judicial office or of an office
of magistrate; or
(e) an office of member of a tribunal
that is established by or under a law of the Commonwealth and that is
prescribed for the purposes of this paragraph; or
(f) an office of member of a tribunal
that is established by or under a Norfolk Island enactment and that is
prescribed for the purposes of this paragraph.
(5A) For the purposes of the definition of credit
reporting business in subsection (1), information concerning
commercial transactions engaged in by or on behalf of an individual is not to
be taken to be information relating to an individual’s:
(a) eligibility to be provided with
credit; or
(b) history in relation to credit; or
(c) capacity to repay credit.
(5B) In considering whether a business or
undertaking, carried on by a credit provider that is a corporation, is a credit
reporting business within the meaning of this Act, the provision of information
by the credit provider to corporations related to it is to be disregarded.
(5C) The regulations may provide that businesses
or undertakings of a specified kind are not credit reporting businesses within
the meaning of this Act.
(5D) A reference in this Act to the purchase of
a loan includes a reference to the purchase of rights to receive payments under
the loan.
(6) For the purposes of this Act, the
Department of Defence shall be taken to include the Defence Force.
(7) Nothing in this Act prevents a complaint
from:
(a) being both a file number complaint
and an IPP complaint; or
(b) being both a file number complaint
and a credit reporting complaint; or
(c) being both a file number complaint
and a code complaint; or
(d) being both a file number complaint
and an NPP complaint; or
(e) being both a code complaint and a
credit reporting complaint; or
(f) being both an NPP complaint and a
credit reporting complaint.
(8) For the purposes of this Act, the
question whether bodies corporate are related to each other is determined in
the manner in which that question is determined under the Corporations Act
2001.
(9) To avoid doubt, for the purposes of this
Act, services provided to an agency or a State or Territory
authority include services that consist of the provision of services to other
persons in connection with the performance of the functions of the agency or
State or Territory authority.
(10) For the purposes of this Act, a reference
to family in the definition of credit in subsection 6(1),
and in sections 6D and 16E, in relation to any individual is taken to
include the following (without limitation):
(a) a de facto partner
of the individual (within the meaning of the Acts Interpretation Act 1901);
(b) someone who is the child of the
person, or of whom the person is the child, because of the definition of child
in subsection (11);
(c) anyone else who would be a member
of the individual’s family if someone mentioned in paragraph (a) or (b) is
taken to be a member of the individual’s family.
(10A) For the purposes of this Act, the Supreme
Court of Norfolk Island is taken not to be a federal court.
(11) In this section:
child: without limiting who is a child of a
person for the purposes of subsection (10), someone is the child
of a person if he or she is a child of the person within the meaning of the Family
Law Act 1975.
6A
Breach of a National Privacy Principle
Breach if contrary to, or inconsistent with, Principle
(1) For the purposes of this Act, an act or
practice breaches a National Privacy Principle if, and only if,
it is contrary to, or inconsistent with, that National Privacy Principle.
No breach—contracted service provider
(2) An act or practice does not breach
a National Privacy Principle if:
(a) the act is done, or the practice
is engaged in:
(i) by an organisation
that is a contracted service provider for a Commonwealth contract (whether or
not the organisation is a party to the contract); and
(ii) for the purposes of
meeting (directly or indirectly) an obligation under the contract; and
(b) the act or practice is authorised
by a provision of the contract that is inconsistent with the Principle.
No breach—disclosure to the National Archives of Australia
(3) An act or practice does not breach
a National Privacy Principle if the act or practice involves the disclosure by
an organisation of personal information in a record (as defined in the Archives
Act 1983) solely for the purposes of enabling the National Archives of
Australia to decide whether to accept, or to arrange, care (as defined in that
Act) of the record.
No breach—act or practice outside Australia
(4) An act or
practice does not breach a National Privacy Principle if:
(a) the act is done, or the practice
is engaged in, outside Australia and the external Territories; and
(b) the act or practice is required by
an applicable law of a foreign country.
Effect despite subsection (1)
(5) Subsections (2), (3) and (4) have
effect despite subsection (1).
6B
Breach of an approved privacy code
Breach if contrary to, or inconsistent with, code
(1) For the purposes of this Act, an act or
practice breaches an approved privacy code if, and only if, it is
contrary to, or inconsistent with, the code.
No breach—contracted service provider
(2) An act or practice does not breach
an approved privacy code if:
(a) the act is done, or the practice
is engaged in:
(i) by an organisation
that is a contracted service provider for a Commonwealth contract (whether or
not the organisation is a party to the contract); and
(ii) for the purposes of
meeting (directly or indirectly) an obligation under the contract; and
(b) the act or practice is authorised
by a provision of the contract that is inconsistent with the code.
No breach—disclosure to the National Archives of Australia
(3) An act or practice does not breach
an approved privacy code if the act or practice involves the disclosure by an
organisation of personal information in a record (as defined in the Archives
Act 1983) solely for the purposes of enabling the National Archives of
Australia to decide whether to accept, or to arrange, care (as defined in that
Act) of the record.
No breach—act or practice outside Australia
(4) An act or practice does not breach
an approved privacy code if:
(a) the act is done, or the practice
is engaged in, outside Australia and the external Territories; and
(b) the act or practice is required by
an applicable law of a foreign country.
Effect despite subsection (1)
(5) Subsections (2), (3) and (4) have
effect despite subsection (1).
6C
Organisations
What is an organisation?
(1) In this Act:
organisation means:
(a) an individual; or
(b) a body corporate; or
(c) a partnership; or
(d) any other unincorporated
association; or
(e) a
trust;
that is not a small business operator, a registered
political party, an agency, a State or Territory authority or a prescribed
instrumentality of a State or Territory.
Note: Regulations may prescribe an instrumentality
by reference to one or more classes of instrumentality. See subsection 13(3)
of the Legislative Instruments Act 2003.
Example: Regulations may prescribe an instrumentality of a
State or Territory that is an incorporated company, society or association and
therefore not a State or Territory authority.
Legal person treated as different organisations in
different capacities
(2) A legal person can have a number of
different capacities in which the person does things. In each of those
capacities, the person is taken to be a different organisation.
Example: In addition to his or her personal capacity, an
individual may be the trustee of one or more trusts. In his or her personal
capacity, he or she is one organisation. As trustee of each trust, he or she is
a different organisation.
What is a State or Territory authority?
(3) In this Act:
State or Territory authority means:
(a) a State or Territory Minister; or
(b) a Department of State of a State
or Territory; or
(c) a body (whether incorporated or
not), or a tribunal, established or appointed for a public purpose by or under
a law of a State or Territory, other than:
(i) an incorporated
company, society or association; or
(ii) an association of
employers or employees that is registered or recognised under a law of a State
or Territory dealing with the resolution of industrial disputes; or
(d) a body established or appointed,
otherwise than by or under a law of a State or Territory, by:
(i) a Governor of a State;
or
(ii) the Australian Capital
Territory Executive; or
(iii) the Administrator of
the Northern Territory; or
(iv) the Administrator of Norfolk Island; or
(v) a State or Territory
Minister; or
(e) a person holding or performing the
duties of an office established by or under, or an appointment made under, a
law of a State or Territory, other than the office of head of a State or
Territory Department (however described); or
(f) a person holding or performing
the duties of an appointment made, otherwise than under a law of a State or
Territory, by:
(i) a Governor of a State;
or
(ii) the Australian Capital
Territory Executive; or
(iii) the Administrator of
the Northern Territory; or
(iv) the Administrator of Norfolk Island; or
(v) a State or Territory
Minister; or
(g) a State or Territory court.
Making regulations to stop instrumentalities being
organisations
(4) Before the Governor‑General makes
regulations prescribing an instrumentality of a State or Territory for the
purposes of the definition of organisation in subsection (1),
the Minister must:
(a) be satisfied that the State or
Territory has requested that the instrumentality be prescribed for those
purposes; and
(b) consider:
(i) whether treating the
instrumentality as an organisation for the purposes of this Act adversely
affects the government of the State or Territory; and
(ii) the
desirability of regulating under this Act the collection, holding, use,
correction, disclosure and transfer of personal information by the
instrumentality; and
(iii) whether the law of the
State or Territory regulates the collection, holding, use, correction,
disclosure and transfer of personal information by the instrumentality to a
standard that is at least equivalent to the standard that would otherwise apply
to the instrumentality under this Act; and
(c) consult the Commissioner about the
matters mentioned in subparagraphs (b)(ii) and (iii).
State does not include Territory
(5) In this
section:
State does not include the Australian Capital
Territory or the Northern Territory (despite subsection 6(1)).
6D
Small business and small business operators
What is a small business?
(1) A business is a small business
at a time (the test time) in a financial year (the current
year) if its annual turnover for the previous financial year is
$3,000,000 or less.
Test for new business
(2) However, if there was no time in the
previous financial year when the business was carried on, the business is a
small business at the test time only if its annual turnover for the current
year is $3,000,000 or less.
What is a small business operator?
(3) A small business operator
is an individual, body corporate, partnership, unincorporated association or
trust that:
(a) carries on one or more small
businesses; and
(b) does not carry on a business that
is not a small business.
Entities that are not small business operators
(4) However, an individual, body corporate,
partnership, unincorporated association or trust is not a small business
operator if he, she or it:
(a) carries on a business that has had
an annual turnover of more than $3,000,000 for a financial year that has ended
after the later of the following:
(i) the time he, she or it
started to carry on the business;
(ii) the commencement of
this section; or
(b) provides a health service to
another individual and holds any health information except in an employee
record; or
(c) discloses personal information
about another individual to anyone else for a benefit, service or advantage; or
(d) provides a benefit, service or
advantage to collect personal information about another individual from anyone
else; or
(e) is a contracted service provider
for a Commonwealth contract (whether or not a party to the contract).
Private affairs of small business operators who are individuals
(5) Subsection (4) does not prevent an
individual from being a small business operator merely because he or she does
something described in paragraph (4)(b), (c) or (d):
(a) otherwise than in the course of a
business he or she carries on; and
(b) only for the purposes of, or in
connection with, his or her personal, family or household affairs.
Non‑business affairs of other small business operators
(6) Subsection (4) does not prevent a
body corporate, partnership, unincorporated association or trust from being a
small business operator merely because it does something described in paragraph (4)(b),
(c) or (d) otherwise than in the course of a business it carries on.
Disclosure compelled or made with consent
(7) Paragraph (4)(c)
does not prevent an individual, body corporate, partnership, unincorporated
association or trust from being a small business operator only because he, she
or it discloses personal information about another individual:
(a) with the consent of the other
individual; or
(b) as required or authorised by or
under legislation.
Collection with consent or under legislation
(8) Paragraph (4)(d) does not prevent an
individual, body corporate, partnership, unincorporated association or trust
from being a small business operator only because he, she or it:
(a) collects personal information
about another individual from someone else:
(i) with the consent of
the other individual; or
(ii) as required or
authorised by or under legislation; and
(b) provides a benefit, service or advantage
to be allowed to collect the information.
Related bodies corporate
(9) Despite subsection (3), a body
corporate is not a small business operator if it is related to a
body corporate that carries on a business that is not a small business.
6DA
What is the annual turnover of a business?
What is the annual turnover of a business for a
financial year?
(1) The annual turnover of a
business for a financial year is the total of the following that is earned in
the year in the course of the business:
(a) the proceeds of sales of goods
and/or services;
(b) commission income;
(c) repair and service income;
(d) rent, leasing and hiring income;
(e) government bounties and subsidies;
(f) interest, royalties and
dividends;
(g) other operating income.
Note: The annual turnover for a financial year of a
business carried on by an entity that does not carry on another business will
often be similar to the total of the instalment income the entity notifies to
the Commissioner of Taxation for the 4 quarters in the year (or for the year,
if the entity pays tax in annual instalments).
(2) However, if a business has been carried
on for only part of a financial year, its annual turnover for the
financial year is the amount worked out using the formula:
6E
Small business operator treated as organisation
Small business operator that is a reporting entity
(1A) If a small business operator is a reporting
entity or an authorised agent of a reporting entity because of anything done in
the course of a small business carried on by the small business operator, this
Act applies, with the prescribed modifications (if any), in relation to the
activities carried on by the small business operator for the purposes of, or in
connection with, activities relating to:
(a) the Anti‑Money Laundering and
Counter‑Terrorism Financing Act 2006; or
(b) regulations or AML/CTF Rules under
that Act;
as if the small business operator were an organisation.
Note: The regulations may prescribe different
modifications of the Act for different small business operators. See subsection 33(3A)
of the Acts Interpretation Act 1901.
Small business operator that is a protected action
ballot agent under the Fair Work Act 2009
(1B) If a small business operator is the
protected action ballot agent for a protected action ballot conducted under
Part 3‑3 of the Fair Work Act 2009, this Act applies, with the
prescribed modifications (if any), in relation to the activities carried on by
the small business operator for the purpose of, or in connection with, the
conduct of the protected action ballot, as if the small business operator were
an organisation.
Note: The regulations may prescribe different
modifications of the Act for different small business operators. See subsection 33(3A)
of the Acts Interpretation Act 1901.
Small business operator that is an association of
employees that is registered or recognised under the Fair Work (Registered
Organisations) Act 2009
(1C) If a small business operator is an
association of employees that is registered or recognised under the Fair
Work (Registered Organisations) Act 2009, this Act applies, with the
prescribed modifications (if any), in relation to the activities carried on by
the small business operator, as if the small business operator were an
organisation (within the meaning of this Act).
Note: The regulations may prescribe different
modifications of the Act for different small business operators. See subsection 33(3A)
of the Acts Interpretation Act 1901.
Regulations treating a small business operator as an
organisation
(1) This Act applies, with the prescribed
modifications (if any), in relation to a small business operator prescribed for
the purposes of this subsection as if the small business operator were an
organisation.
Note 1: The regulations may prescribe different
modifications of the Act for different small business operators. See subsection 33(3A)
of the Acts Interpretation Act 1901.
Note 2: Regulations may prescribe a small business
operator by reference to one or more classes of small business operator. See subsection 13(3)
of the Legislative Instruments Act 2003.
Regulations treating a small business operator as an
organisation for particular acts or practices
(2) This Act also applies, with the
prescribed modifications (if any), in relation to the prescribed acts or
practices of a small business operator prescribed for the purposes of this
subsection as if the small business operator were an organisation.
Note 1: The regulations may prescribe different
modifications of the Act for different acts, practices or small business
operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
Note 2: Regulations may prescribe an act, practice or
small business operator by reference to one or more classes of acts, practices
or small business operators. See subsection 13(3) of the Legislative
Instruments Act 2003.
Definition
(3) In this
section:
protected action ballot agent means a person
(other than the Australian Electoral Commission) that conducts a protected
action ballot under Part 3‑3 of the Fair Work Act 2009.
Making regulations
(4) Before the Governor‑General makes
regulations prescribing a small business operator, act or practice for the
purposes of subsection (1) or (2), the Minister must:
(a) be satisfied that it is desirable in
the public interest to regulate under this Act the small business operator, act
or practice; and
(b) consult the Commissioner about the
desirability of regulating under this Act the matters described in paragraph (a).
6EA
Small business operators choosing to be treated as organisations
(1) This Act (except section 16D)
applies in relation to a small business operator as if the operator were an
organisation while a choice by the operator to be treated as an organisation is
registered under this section.
(2) A small business operator may make a
choice in writing given to the Commissioner to be treated as an organisation.
Note: A small business operator may revoke such a
choice by writing given to the Commissioner. See subsection 33(3) of the Acts
Interpretation Act 1901.
(3) If the Commissioner is satisfied that a
small business operator has made the choice to be treated as an organisation,
the Commissioner must enter in a register of operators who have made such a
choice:
(a) the name or names under which the
operator carries on business; and
(b) the operator’s ABN, if the
operator has one under the A New Tax System (Australian Business Number) Act
1999.
(4) If a small business operator revokes a
choice to be treated as an organisation, the Commissioner must remove from the
register the material relating to the operator.
(5) The Commissioner may decide the form of
the register and how it is to be kept.
(6) The
Commissioner must make the register available to the public in the way that the
Commissioner determines. However, the Commissioner must not make available to
the public in the register information other than that described in subsection (3).
6F
State instrumentalities etc. treated as organisations
Regulations treating a State instrumentality etc. as an
organisation
(1) This Act applies, with the prescribed
modifications (if any), in relation to a prescribed State or Territory
authority or a prescribed instrumentality of a State or Territory (except an
instrumentality that is an organisation because of section 6C) as if the
authority or instrumentality were an organisation.
Note 1: The regulations may prescribe different
modifications of the Act for different authorities or instrumentalities. See
subsection 33(3A) of the Acts Interpretation Act 1901.
Note 2: Regulations may prescribe an authority or
instrumentality by reference to one or more classes of authority or
instrumentality. See subsection 13(3) of the Legislative Instruments
Act 2003.
Making regulations to treat instrumentality etc. as organisation
(3) Before the Governor‑General makes
regulations prescribing a State or Territory authority or instrumentality of a
State or Territory for the purposes of subsection (1), the Minister must:
(a) be satisfied that the relevant
State or Territory has requested that the authority or instrumentality be
prescribed for those purposes; and
(b) consult the Commissioner about the
desirability of regulating under this Act the collection, holding, use,
correction, disclosure and transfer of personal information by the authority or
instrumentality.
7 Acts
and practices of agencies, organisations etc.
(1) Except so far as the contrary intention
appears, a reference in this Act (other than section 8) to an act or to a
practice is a reference to:
(a) an act done, or a practice engaged
in, as the case may be, by an agency (other than an eligible case manager or an
eligible hearing service provider), a file number recipient, a credit reporting
agency or a credit provider other than:
(i) an agency specified in
any of the following provisions of the Freedom of Information Act 1982:
(A) Schedule 1;
(B) Division 1
of Part I of Schedule 2;
(C) Division 1
of Part II of Schedule 2; or
(ii) a federal court; or
(iia) a court of Norfolk Island;
or
(iii) a Minister; or
(iiiaa) a Norfolk Island
Minister; or
(iiia) the Integrity
Commissioner; or
(iv) the ACC; or
(v) a Royal Commission; or
(vi) a Commission of inquiry;
or
(b) an act done, or a practice engaged
in, as the case may be, by a federal court or by an agency specified in
Schedule 1 to the Freedom of Information Act 1982, being an act
done, or a practice engaged in, in respect of a matter of an administrative
nature; or
(ba) an act done, or a practice engaged
in, as the case may be, by a court of Norfolk Island, being an act done, or a
practice engaged in, in respect of a matter of an administrative nature; or
(c) an act done, or a practice engaged
in, as the case may be, by an agency specified in Division 1 of Part II
of Schedule 2 to the Freedom of Information Act 1982, other than an
act done, or a practice engaged in, in relation to a record in relation to
which the agency is exempt from the operation of that Act; or
(ca) an act done, or a practice engaged
in, as the case may be, by a part of the Department of Defence specified in
Division 2 of Part I of Schedule 2 to the Freedom of
Information Act 1982, other than an act done, or a practice engaged in, in
relation to the activities of that part of the Department; or
(cb) an act done, or a practice engaged
in, as the case may be, by an eligible case manager in connection with:
(i) the provision of case
management services (within the meaning of the Employment Services Act 1994)
to persons referred to the eligible case manager under Part 4.3 of that
Act; or
(ii) the performance of
functions conferred on the eligible case manager under that Act; or
(cc) an act done, or a practice engaged
in, as the case may be, by an eligible hearing service provider in connection
with the provision of hearing services under an agreement made under Part 3
of the Hearing Services Administration Act 1997; or
(d) an act done, or a practice engaged
in, as the case may be, by a Minister in relation to the affairs of an agency
(other than a Norfolk Island agency, an eligible hearing service provider or an
eligible case manager), not being an act done, or a practice engaged in, in
relation to an existing record; or
(e) an act done, or a practice engaged
in, as the case may be, by a Minister in relation to a record that is in the
Minister’s possession in his or her capacity as a Minister and relates to the
affairs of an agency (other than a Norfolk Island agency, an eligible hearing
service provider or an eligible case manager); or
(eaa) an act done, or a practice engaged
in, as the case may be, by a Norfolk Island Minister in relation to the affairs
of a Norfolk Island agency, not being an act done, or a practice engaged in, in
relation to an existing record; or
(eab) an act done, or a practice engaged
in, as the case may be, by a Norfolk Island Minister in relation to a record
that is in the Norfolk Island Minister’s possession in his or her capacity as a
Norfolk Island Minister and relates to the affairs of a Norfolk Island agency;
or
(ea) an act done, or a practice engaged
in, as the case may be, by a Minister in relation to the affairs of an eligible
case manager, being affairs in connection with:
(i) the provision of case
management services (within the meaning of the Employment Services Act 1994)
to persons referred to the eligible case manager under Part 4.3 of that
Act; or
(ii) the performance of
functions conferred on the eligible case manager under that Act; or
(eb) an act done, or a practice engaged
in, as the case may be, by a Minister in relation to a record that is in the
Minister’s possession in his or her capacity as a Minister and relates to the
affairs of an eligible case manager, being affairs in connection with:
(i) the provision of case
management services (within the meaning of the Employment Services Act 1994)
to persons referred to the eligible case manager under Part 4.3 of that
Act; or
(ii) the performance of
functions conferred on the eligible case manager under that Act; or
(ec) an act done, or a practice engaged
in, as the case may be, by a Minister in relation to the affairs of an eligible
hearing service provider, being affairs in connection with the provision of
hearing services under an agreement made under Part 3 of the Hearing
Services Administration Act 1997; or
(ed) an act done, or a practice engaged
in, as the case may be, by a Minister in relation to a record that is in the
Minister’s possession in his or her capacity as a Minister and relates to the
affairs of an eligible hearing service provider, being affairs in connection
with the provision of hearing services under an agreement made under Part 3
of the Hearing Services Administration Act 1997; or
(ee) an act done, or a practice engaged
in, by an organisation, other than an exempt act or exempt practice (see
sections 7B and 7C);
but does not include a reference to an act done, or a
practice engaged in, in relation to a record that has originated with, or has
been received from:
(f) an intelligence agency;
(g) the Defence Intelligence
Organisation, the Defence Imagery and Geospatial Organisation or the Defence
Signals Directorate of the Department of Defence; or
(ga) the Integrity Commissioner or a
staff member of ACLEI (within the meaning of the Law Enforcement Integrity
Commissioner Act 2006); or
(h) the ACC or the Board of the ACC.
(1A) Despite subsections (1) and (2), a
reference in this Act (other than section 8) to an act or to a practice
does not include a reference to the act or practice so far as it involves the
disclosure of personal information to:
(a) the Australian Security
Intelligence Organisation; or
(b) the Australian Secret Intelligence
Service; or
(c) the Defence Signals Directorate of
the Department of Defence.
(2) Except so far as the contrary intention
appears, a reference in this Act (other than section 8) to an act or to a
practice includes, in the application of this Act otherwise than in respect of
the Information Privacy Principles, the National Privacy Principles, an
approved privacy code and the performance of the Commissioner’s functions under
section 27, a reference to an act done, or a practice engaged in, as the
case may be, by an agency specified in Part I of Schedule 2 to the Freedom
of Information Act 1982 or in Division 1 of Part II of that Schedule
other than:
(a) an intelligence agency;
(b) the Defence Intelligence
Organisation, the Defence Imagery and Geospatial Organisation or the Defence
Signals Directorate of the Department of Defence; or
(c) the ACC or the Board of the ACC.
(3) Except so far as the contrary intention
appears, a reference in this Act to doing an act includes a reference to:
(a) doing an act in accordance with a
practice; or
(b) refusing or failing to do an act.
(3A) For the purposes of this Act, an act is
only to be taken to have been done, and a practice is only to be taken to have
been engaged in, by a credit provider that is not a corporation if the act is
done, or the practice is engaged in, in the course of, or for the purposes of,
banking (other than State banking not extending beyond the limits of the State
concerned) carried on by the credit provider.
(4) For the purposes of paragraphs 27(1)(b),
(c), (d), (e), (g), (k) and (m), of subsection 31(2) and of Part VI,
this section has effect as if a reference in subsection (1) of this
section to an act done, or to a practice engaged in, included a reference to an
act that is proposed to be done, or to a practice that is proposed to be
engaged in, as the case may be.
7A
Acts of certain agencies treated as acts of organisation
(1) This Act applies, with the prescribed
modifications (if any), in relation to an act or practice described in subsection (2)
or (3) as if:
(a) the act or practice were an act
done, or practice engaged in, by an organisation; and
(b) the agency mentioned in that
subsection were the organisation.
(2) Subsection (1) applies to acts done,
and practices engaged in, by a prescribed agency. Regulations for this purpose
may prescribe an agency only if it is specified in Part I of Schedule 2
to the Freedom of Information Act 1982.
(3) Subsection (1) also applies to acts
and practices that:
(a) are done or engaged in by an
agency specified in Division 1 of Part II of Schedule 2 to the Freedom
of Information Act 1982 in relation to documents in respect of its
commercial activities or the commercial activities of another entity; and
(b) relate to those commercial
activities.
(4) This section has effect despite
subparagraph 7(1)(a)(i), paragraph 7(1)(c) and subsection 7(2).
7B
Exempt acts and exempt practices of organisations
Individuals in non‑business capacity
(1) An act done, or practice engaged in, by
an organisation that is an individual is exempt for the purposes
of paragraph 7(1)(ee) if the act is done, or the practice is engaged in,
other than in the course of a business carried on by the individual.
Note: See also section 16E which provides that
the National Privacy Principles do not apply for the purposes of, or in
connection with, an individual’s personal, family or household affairs.
Organisation acting under Commonwealth contract
(2) An act done, or practice engaged in, by
an organisation is exempt for the purposes of paragraph 7(1)(ee)
if:
(a) the organisation is a contracted
service provider for a Commonwealth contract (whether or not the organisation
is a party to the contract); and
(b) the organisation would be a small
business operator if it were not a contracted service provider for a
Commonwealth contract; and
(c) the act is done, or the practice
is engaged in, otherwise than for the purposes of meeting (directly or
indirectly) an obligation under a Commonwealth contract for which the
organisation is the contracted service provider.
Note: This puts the organisation in the same
position as a small business operator as far as its activities that are not for
the purposes of a Commonwealth contract are concerned, so the organisation need
not comply with the National Privacy Principles or a binding approved privacy
code in relation to those activities.
Employee records
(3) An act done, or practice engaged in, by
an organisation that is or was an employer of an individual, is exempt
for the purposes of paragraph 7(1)(ee) if the act or practice is directly
related to:
(a) a current or former employment relationship
between the employer and the individual; and
(b) an employee record held by the
organisation and relating to the individual.
Journalism
(4) An act done, or practice engaged in, by a
media organisation is exempt for the purposes of paragraph 7(1)(ee)
if the act is done, or the practice is engaged in:
(a) by the organisation in the course
of journalism; and
(b) at a time when the organisation is
publicly committed to observe standards that:
(i) deal with privacy in
the context of the activities of a media organisation (whether or not the
standards also deal with other matters); and
(ii) have been published in
writing by the organisation or a person or body representing a class of media
organisations.
Organisation acting under State contract
(5) An act done, or practice engaged in, by
an organisation is exempt for the purposes of paragraph 7(1)(ee)
if:
(a) the organisation is a contracted
service provider for a State contract (whether or not the organisation is a
party to the contract); and
(b) the act is done, or the practice
is engaged in for the purposes of meeting (directly or indirectly) an
obligation under the contract.
7C
Political acts and practices are exempt
Members of a Parliament etc.
(1) An act done, or practice engaged in, by
an organisation (the political representative) consisting of a
member of a Parliament, or a councillor (however described) of a local
government authority, is exempt for the purposes of paragraph 7(1)(ee)
if the act is done, or the practice is engaged in, for any purpose in
connection with:
(a) an election under an electoral
law; or
(b) a referendum under a law of the
Commonwealth or a law of a State or Territory; or
(c) the participation by the political
representative in another aspect of the political process.
Contractors for political representatives etc.
(2) An act done, or practice engaged in, by
an organisation (the contractor) is exempt for the
purposes of paragraph 7(1)(ee) if the act is done or the practice is
engaged in:
(a) for the purposes of meeting an
obligation under a contract between the contractor and a registered political
party or a political representative described in subsection (1); and
(b) for any purpose in connection with
one or more of the following:
(i) an election under an
electoral law;
(ii) a referendum under a
law of the Commonwealth or a law of a State or Territory;
(iii) the participation in
another aspect of the political process by the registered political party or
political representative;
(iv) facilitating acts or
practices of the registered political party or political representative for a
purpose mentioned in subparagraph (i), (ii) or (iii) of this paragraph.
Subcontractors for organisations covered by subsection (1)
etc.
(3) An act done, or practice engaged in, by
an organisation (the subcontractor) is exempt for
the purposes of paragraph 7(1)(ee) if the act is done or the practice is
engaged in:
(a) for the purposes of meeting an
obligation under a contract between the subcontractor and a contractor
described in subsection (2); and
(b) for a purpose described in paragraph (2)(b).
Volunteers for registered political parties
(4) An act done voluntarily, or practice
engaged in voluntarily, by an organisation for or on behalf of a registered
political party and with the authority of the party is exempt for
the purposes of paragraph 7(1)(ee) if the act is done or the practice is
engaged in for any purpose in connection with one or more of the following:
(a) an election under an electoral
law;
(b) a referendum under a law of the
Commonwealth or a law of a State or Territory;
(c) the participation in another
aspect of the political process by the registered political party;
(d) facilitating acts or practices of
the registered political party for a purpose mentioned in paragraph (a),
(b) or (c).
Effect of subsection (4) on other operation of Act
(5) Subsection (4) does not otherwise
affect the operation of the Act in relation to agents or principals.
Meaning of electoral law and Parliament
(6) In
this section:
electoral law means a law of the
Commonwealth, or a law of a State or Territory, relating to elections to a
Parliament or to a local government authority.
Parliament means:
(a) the Parliament of the
Commonwealth; or
(b) a State Parliament; or
(c) the legislature of a Territory.
Note: To avoid doubt, this section does not make
exempt for the purposes of paragraph 7(1)(ee) an act or practice of the
political representative, contractor, subcontractor or volunteer for a
registered political party involving the use or disclosure (by way of sale or
otherwise) of personal information in a way not covered by subsection (1),
(2), (3) or (4) (as appropriate). The rest of this Act operates normally in
relation to that act or practice.
8 Acts
and practices of, and disclosure of information to, staff of agency,
organisation etc.
(1) For the purposes of this Act:
(a) an act done or practice engaged in
by, or information disclosed to, a person employed by, or in the service of, an
agency, organisation, file number recipient, credit reporting agency or credit
provider in the performance of the duties of the person’s employment shall be
treated as having been done or engaged in by, or disclosed to, the agency,
organisation, recipient, credit reporting agency or credit provider;
(b) an act done or practice engaged in
by, or information disclosed to, a person on behalf of, or for the purposes of
the activities of, an unincorporated body, being a board, council, committee,
sub‑committee or other body established by or under a Commonwealth enactment or
a Norfolk Island enactment for the purpose of assisting, or performing
functions in connection with, an agency or organisation, shall be treated as
having been done or engaged in by, or disclosed to, the agency or organisation;
and
(c) an act done or practice engaged in
by, or information disclosed to, a member, staff member or special member of
the Australian Federal Police in the performance of his or her duties as such a
member, staff member or special member shall be treated as having been done or
engaged in by, or disclosed to, the Australian Federal Police.
(2) Where:
(a) an act done or a practice engaged
in by a person, in relation to a record, is to be treated, under subsection (1),
as having been done or engaged in by an agency; and
(b) that agency is not the record‑keeper
in relation to that record;
that act or practice shall be treated as the act or the
practice of the record‑keeper in relation to that record.
(3) For the purposes of the application of
this Act in relation to an organisation that is a partnership:
(a) an act done or practice engaged in
by a partner is taken to have been done or engaged in by the organisation; and
(b) a communication (including a
complaint, notice, request or disclosure of information) made to a partner is
taken to have been made to the organisation.
(4) For the purposes of the application of
this Act in relation to an organisation that is an unincorporated association:
(a) an act done or practice engaged in
by a member of the committee of management of the association is taken to have
been done or engaged in by the organisation; and
(b) a communication (including a
complaint, notice, request or disclosure of information) made to a member of
the committee of management of the association is taken to have been made to
the organisation.
(5) For the purposes of the application of
this Act in relation to an organisation that is a trust:
(a) an act done or practice engaged in
by a trustee is taken to have been done or engaged in by the organisation; and
(b) a communication (including a
complaint, notice or request or disclosure of information) made to a trustee is
taken to have been made to the organisation.
9
Collectors
(1) An agency that collects personal
information shall be treated, for the purposes of this Act, as a collector in
relation to that information.
(2) Subject to subsection (3), where
personal information is collected by a person:
(a) in the course of the person’s
employment by, or in the service of, an agency other than the Australian
Federal Police; or
(b) as a member, staff member or
special member of the Australian Federal Police in the performance of his or
her duties as such a member, staff member or special member;
then, for the purposes of this Act:
(c) if paragraph (a) applies—the
agency first referred to in that paragraph; and
(d) if paragraph (b) applies—the
Australian Federal Police;
shall be treated as a collector in relation to that
information.
(3) Where personal information is collected
by a person for the purposes of the activities of, an unincorporated body,
being a board, council, committee, sub‑committee or other body established by
or under a Commonwealth enactment or a Norfolk Island enactment for the purpose
of assisting, or performing functions connected with, an agency, that agency
shall be treated, for the purposes of this Act, as a collector in relation to
that information.
10
Record‑keepers
(1) Subject to
subsections (4) and (5), an agency that is in possession or control of a
record of personal information shall be regarded, for the purposes of this Act,
as the record‑keeper in relation to that record.
(2) Subject to subsections (3), (4) and
(5), where a record of personal information is in the possession or under the
control of a person:
(a) in the course of the person’s
employment in the service of or by an agency other than the Australian Federal
Police; or
(b) as a member, staff member or
special member of the Australian Federal Police in the performance of his or
her duties as such a member, staff member or special member;
then, for the purposes of this Act, the record‑keeper in
relation to that record shall be taken to be:
(c) if paragraph (a) applies—the
agency first referred to in that paragraph; and
(d) if paragraph (b) applies—the
Australian Federal Police.
(3) Where a record of personal information is
in the possession or under the control of a person for the purposes of the
activities of, an unincorporated body, being a board, council, committee, sub‑committee
or other body established by or under a Commonwealth enactment or a Norfolk
Island enactment for the purpose of assisting, or performing functions
connected with, an agency, that agency shall be regarded, for the purposes of
this Act, as the record‑keeper in relation to that record.
(4) Where:
(a) a record of personal information
(not being a record relating to the administration of the National Archives of
Australia) is in the care (within the meaning of the Archives Act 1983)
of the National Archives of Australia; or
(b) a record of personal information
(not being a record relating to the administration of the Australian War
Memorial) is in the custody of the Australian War Memorial;
the agency by or on behalf of which the record was placed
in that care or custody or, if that agency no longer exists, the agency to
whose functions the contents of the record are most closely related, shall be
regarded, for the purposes of this Act, as the record‑keeper in relation to
that record.
(5) Where a
record of personal information was placed by or on behalf of an agency in the
memorial collection within the meaning of the Australian War Memorial Act
1980, that agency or, if that agency no longer exists, the agency to whose
functions the contents of the record are most closely related, shall be
regarded, for the purposes of this Act, as the record‑keeper in relation to
that record.
11
File number recipients
(1) A person who is (whether lawfully or
unlawfully) in possession or control of a record that contains tax file number
information shall be regarded, for the purposes of this Act, as a file number
recipient.
(2) Subject to subsection (3), where a
record that contains tax file number information is in the possession or under
the control of a person:
(a) in the course of the person’s
employment in the service of or by a person or body other than an agency;
(b) in the course of the person’s
employment in the service of or by an agency other than the Australian Federal
Police; or
(c) as a member, staff member or
special member of the Australian Federal Police in the performance of his or
her duties as such a member, staff member or special member;
then, for the purposes of this Act, the file number
recipient in relation to that record shall be taken to be:
(d) if paragraph (a) applies—the
person’s employer;
(e) if paragraph (b) applies—the
agency first referred to in that paragraph; and
(f) if paragraph (c) applies—the
Australian Federal Police.
(3) Where a record that contains tax file
number information is in the possession or under the control of a person for
the purposes of the activities of, an unincorporated body, being a board,
council, committee, sub‑committee or other body established by or under a
Commonwealth enactment or a Norfolk Island enactment for the purpose of assisting,
or performing functions connected with, an agency, that agency shall be
treated, for the purposes of this Act, as the file number recipient in relation
to that record.
11A
Credit reporting agencies
For the purposes of this Act, a person
is a credit reporting agency if the person is a corporation that carries on a
credit reporting business.
11B
Credit providers
(1) For the purposes of this Act, but subject
to subsection (2), a person is a credit provider if the person is:
(a) a bank; or
(b) a corporation (other than an
agency):
(iii) a substantial part of
whose business or undertaking is the provision of loans (including the
provision of loans by issuing credit cards); or
(iv) that carries on a
retail business in the course of which it issues credit cards to members of the
public in connection with the sale of goods, or the supply of services, by the
corporation; or
(v) that:
(A) carries
on a business or undertaking involving the provision of loans (including the
provision of loans by issuing credit cards); and
(B) is
included in a class of corporations determined by the Commissioner to be credit
providers for the purposes of this Act; or
(c) a person:
(i) who is not a
corporation; and
(ii) in relation to whom paragraph (b)
would apply if the person were a corporation; or
(d) an
agency that:
(i) carries on a business
or undertaking that involves the making of loans; and
(ii) is determined by the
Commissioner to be a credit provider for the purposes of this Act.
(1A) If an agency is a credit provider because
of paragraph (1)(d), Part IIIA has effect in relation to the carrying
on by the agency of a business or undertaking involving the making of loans
despite anything in Part III or in the Freedom of Information Act 1982.
(2) For the purposes of this Act, a
corporation that would, but for this section, be a credit provider is not to be
regarded as a credit provider if it is included in a class of corporations
declared by the regulations not to be credit providers.
(3) A determination under sub‑subparagraph(1)(b)(v)(B)
or subparagraph (1)(d)(ii) is to be made by notice in writing published in
the Gazette.
(4) A notice so published is a disallowable
instrument for the purposes of section 46A of the Acts Interpretation
Act 1901.
(4A) Subsection (4B) applies to a person
who carries on a business that is involved in one or both of the following:
(a) a securitisation arrangement;
(b) managing loans that are the
subject of a securitisation arrangement.
(4B) While a person to whom this subsection
applies is performing a task that is reasonably necessary for purchasing,
funding or managing, or processing an application for, a loan by means of a
securitisation arrangement (being a loan that has been provided by, or in
respect of which application has been made to, a credit provider):
(a) the person:
(i) is taken, for the
purposes of this Act, to be another credit provider; and
(ii) is subject to the same
obligations under this Act as any other credit provider; and
(b) for the purposes of this Act, the
loan is taken to have been provided by, or the application for the loan is
taken to have been made to, both the person and the first‑mentioned credit
provider.
(4C) Nothing in this Act prevents a report
(within the meaning of subsection 18N(9)) to which section 18N
applies being disclosed if:
(a) the disclosure is reasonably
necessary for purchasing, funding or managing, or processing an application
for, a loan by means of a securitisation arrangement (being a loan that has
been provided by, or in respect of which an application has been made to, a
credit provider); and
(b) the disclosure takes place between
a person to whom subsection (4B) applies in relation to that loan and:
(i) the credit provider;
or
(ii) another person to whom
that subsection applies in relation to that loan.
(4D) A reference in subsection (4B) or (4C)
to purchasing or funding a loan by means of a securitisation arrangement
includes a reference to credit enhancement of the loan.
(4E) A reference in subsection (4B) or (4C)
to managing a loan does not include a reference to an act relating to the
collection of overdue payments in respect of the loan if the act is undertaken
by a person whose primary function in relation to the loan is the collection of
overdue payments.
(5) Subject to subsection (6), while a
person is acting as an agent of a credit provider in performing, on behalf of
the credit provider, a task that is necessary:
(a) in processing an application for a
loan; or
(b) in managing:
(i) a loan given by the
credit provider; or
(ii) an account maintained
by any person with the credit provider;
the first‑mentioned person:
(c) is taken, for the purposes of this
Act, to be another credit provider; and
(d) is subject to the same obligations
under this Act as any other credit provider.
(6) Nothing in
this Act prevents such an agent of a credit provider disclosing to the credit
provider, in the agent’s capacity as such an agent, a report (within the
meaning of subsection 18N(9)) to which section 18N applies.
(7) The reference in subsection (5) to
the management of a loan does not include a reference to any act relating to
the collection of payments that are overdue in respect of the loan.
12
Application of Information Privacy Principles to agency in possession
For the purposes of this Act, where an
agency has possession but not control of a record of personal information, the
Information Privacy Principles apply in relation to that agency to the extent
only of the obligations or duties to which that agency is subject, otherwise
than by virtue of the operation of this Act, because it is in possession of
that particular record.
12A
Act not to apply in relation to State banking or insurance within that State
Where, but for this section, a provision
of this Act:
(a) would have a particular
application; and
(b) by virtue of having that
application, would be a law with respect to, or with respect to matters
including:
(i) State banking not
extending beyond the limits of the State concerned; or
(ii) State insurance not
extending beyond the limits of the State concerned;
the provision is not to have that application.
12B
Severability: additional effect of Act in relation to organisations
(1) Without limiting its effect apart from
each of the following subsections of this section, this Act also has effect in
relation to organisations as provided by that subsection.
(2) This Act
also has the effect it would have if its operation in relation to organisations
were expressly confined to an operation to give effect to the International
Covenant on Civil and Political Rights, and in particular Article 17 of the
Covenant.
Note: The text of the
International Covenant on Civil and Political Rights is set out in Australian
Treaty Series 1980 No. 23. In 2000, this was available in the Australian
Treaties Library of the Department of Foreign Affairs and Trade, accessible through
that Department’s website.
(3) This Act also has the effect it would
have if its operation in relation to organisations were expressly confined to
acts or practices covered by subsection 5B(1) (which deals with acts and
practices outside Australia and the external Territories by organisations).
(4) This Act also has the effect it would
have if its operation in relation to organisations were expressly confined to
organisations that are corporations.
(5) This Act also has the effect it would
have if its operation in relation to organisations were expressly confined to
acts or practices of organisations taking place in the course of, or in relation
to, trade or commerce:
(a) between Australia and places
outside Australia; or
(b) among the States; or
(c) within a Territory, between a
State and a Territory or between 2 Territories.
(6) This Act also has the effect it would
have if its operation in relation to organisations were expressly confined to
acts or practices of organisations taking place using a postal, telegraphic,
telephonic or other like service within the meaning of paragraph 51(v) of
the Constitution.
(7) This Act also has the effect it would
have if its operation in relation to organisations were expressly confined to
acts or practices of organisations taking place in a Territory.
(8) This Act also has the effect it would
have if its operation in relation to organisations were expressly confined to
acts or practices of organisations taking place in a place acquired by the
Commonwealth for public purposes.
Part III—Information
privacy
Division 1—Interferences with privacy
13
Interferences with privacy
For the purposes of this Act, an act or
practice is an interference with the privacy of an individual if the act or
practice:
(a) in the case of an act or practice
engaged in by an agency (whether or not the agency is also a file number
recipient, credit reporting agency or credit provider)—breaches an Information
Privacy Principle in relation to personal information that relates to the
individual; or
(b) in the case of an act or practice
engaged in by a file number recipient (whether or not the file number recipient
is also an agency, organisation, credit reporting agency or credit
provider)—breaches a guideline under section 17 in relation to tax file
number information that relates to the individual; or
(ba) constitutes a breach of Part 2
of the Data‑matching Program (Assistance and Tax) Act 1990 or the
guidelines in force under that Act; or
(bb) constitutes a breach of the
guidelines in force under section 135AA of the National Health Act 1953;
or
(c) involves an unauthorised
requirement or request for disclosure of the tax file number of the individual;
or
(d) in the case of an act or practice
engaged in by a credit reporting agency or credit provider (whether or not the
credit reporting agency or credit provider is also an agency, organisation or
file number recipient)—constitutes a credit reporting infringement in relation
to personal information that relates to the individual.
Note 1: A contravention of the Healthcare
Identifiers Act 2010, or of regulations made under that Act, is an
interference with the privacy of an individual and is covered by this section
(see subsection 29(1) of that Act).
Note 2: A breach of a requirement of Division 5A
of Part 2 of the Anti‑Money Laundering and Counter‑Terrorism Financing
Act 2006 by a credit reporting agency is an interference with the privacy
of an individual and is covered by this section (see section 35L of that
Act).
Note: For the purposes of this section, each of the
following is an interference with the privacy of an individual:
(a) a contravention of the
requirement to ensure that notice is given in accordance with section 157
of the Personal Property Securities Act 2009 (see subsection 157(4)
of that Act);
(b) a search of the Personal
Property Securities Register that is unauthorised under subsection 173(3)
or (4) of that Act (see subsection 173(2) of that Act).
13A
Interferences with privacy by organisations
General rule
(1) For the
purposes of this Act, an act or practice of an organisation is an interference
with the privacy of an individual if:
(a) the act or practice breaches an
approved privacy code that binds the organisation in relation to personal
information that relates to the individual; or
(b) both of the following apply:
(i) the act or practice
breaches a National Privacy Principle in relation to personal information that
relates to the individual;
(ii) the organisation is
not bound by an approved privacy code in relation to the personal information;
or
(c) all of the following apply:
(i) the act or practice
relates to personal information that relates to the individual;
(ii) the organisation is a
contracted service provider for a Commonwealth contract (whether or not the
organisation is a party to the contract);
(iii) because of a provision
of the contract that is inconsistent with an approved privacy code or a
National Privacy Principle that applies to the organisation in relation to the
personal information, the act or practice does not breach the code or Principle
(see subsections 6A(2) and 6B(2));
(iv) the act is done, or the
practice is engaged in, in a manner contrary to, or inconsistent with, that
provision; or
(d) the act or practice involves the
organisation in a contravention of section 16F (which limits direct
marketing using information collected under a Commonwealth contract) involving
personal information that relates to the individual.
Note 1: Sections 13B, 13C and 13D contain
exceptions to this rule.
Note 2: A breach of a requirement of Division 5A
of Part 2 of the Anti‑Money Laundering and Counter‑Terrorism Financing
Act 2006 by a reporting entity is an interference with the privacy of an
individual and is covered by this section (see section 35L of that Act).
Rule applies even if other rules also apply
(2) It does not matter whether the
organisation is also a credit reporting agency, a credit provider or a file
number recipient.
13B
Related bodies corporate
Acts or practices that are not interferences with
privacy
(1) Despite paragraphs 13A(1)(a) and (b),
each of the following acts or practices of an organisation that is a body
corporate is not an interference with the privacy of an
individual:
(a) the collection of personal
information (other than sensitive information) about the individual by the body
corporate from a related body corporate;
(b) the disclosure of personal
information (other than sensitive information) about the individual by the body
corporate to a related body corporate.
Note: Subsection (1) lets related bodies
corporate share personal information. However, in using or holding the
information, they must comply with the National Privacy Principles or a binding
approved privacy code. For example, there is an interference with privacy if:
(a) a body corporate uses personal information it has
collected from a related body corporate; and
(b) the use breaches National Privacy Principle 2
(noting that the collecting body’s primary purpose of collection will be taken
to be the same as that of the related body) or a corresponding provision in a
binding approved privacy code.
(1A) However, paragraph (1)(a) does not
apply to the collection by a body corporate of personal information (other than
sensitive information) from:
(a) a related body corporate that is
not an organisation; or
(b) a related body corporate whose
disclosure of the information to the body corporate is an exempt act or exempt
practice for the purposes of paragraph 7(1)(ee); or
(c) a related body corporate whose
disclosure of the information to the body corporate is not an interference with
privacy because of section 13D.
Note: The effect of subsection (1A) is that a
body corporate’s failure to comply with the National Privacy Principles, or a
binding approved privacy code, in collecting personal information about an
individual from a related body corporate covered by that subsection is an
interference with the privacy of the individual.
Relationship with paragraphs 13A(1)(c) and (d)
(2) Subsection (1) does not prevent an
act or practice of an organisation from being an interference with the
privacy of an individual under paragraph 13A(1)(c) or (d).
13C
Change in partnership because of change in partners
Acts or practices that are not interferences with
privacy
(1) If:
(a) an organisation (the new
partnership) that is a partnership forms at the same time as, or
immediately after, the dissolution of another partnership (the old
partnership); and
(b) at least one person who was a
partner in the old partnership is a partner in the new partnership; and
(c) the new partnership carries on a
business that is the same as, or similar to, a business carried on by the old
partnership; and
(d) the new partnership holds,
immediately after its formation, personal information about an individual that
the old partnership held immediately before its dissolution;
neither the disclosure (if any) by the old partnership,
nor the collection (if any) by the new partnership, of the information that was
necessary for the new partnership to hold the information immediately after its
formation constitutes an interference with the privacy of the
individual.
Note: Subsection (1) lets personal information
be passed on from an old to a new partnership. However, in using or holding the
information, they must comply with the National Privacy Principles or a binding
approved privacy code. For example, the new partnership’s use of personal
information collected from the old partnership may constitute an interference
with privacy if it breaches National Privacy Principle 2 or a
corresponding provision in a binding approved privacy code.
Effect despite section 13A
(2) Subsection (1) has effect despite
section 13A.
13D
Overseas act required by foreign law
Acts or practices that are not interferences with
privacy
(1) An act or practice of an organisation
done or engaged in outside Australia and an external Territory is not an interference
with the privacy of an individual if the act or practice is required by
an applicable law of a foreign country.
Effect despite section 13A
(2) Subsection (1) has effect despite
section 13A.
13E
Effect on section 13 of sections 13B, 13C and 13D
Sections 13B, 13C and 13D do not
prevent an act or practice of an organisation from being an interference
with the privacy of an individual under section 13.
13F
Act or practice not covered by section 13 or section 13A is not an
interference with privacy
An act or practice that is not covered
by section 13 or section 13A is not an interference with the
privacy of an individual.
Division 2—Information
Privacy Principles
14
Information Privacy Principles
The
Information Privacy Principles are as follows:
Information
Privacy Principles
Principle 1
Manner
and purpose of collection of personal information
1. Personal information shall not be
collected by a collector for inclusion in a record or in a generally available
publication unless:
(a) the information is collected for a
purpose that is a lawful purpose directly related to a function or activity of
the collector; and
(b) the collection of the information
is necessary for or directly related to that purpose.
2. Personal information shall not be
collected by a collector by unlawful or unfair means.
Principle 2
Solicitation
of personal information from individual concerned
Where:
(a) a collector collects personal
information for inclusion in a record or in a generally available publication;
and
(b) the information is solicited by
the collector from the individual concerned;
the collector shall take such steps (if any) as are, in the
circumstances, reasonable to ensure that, before the information is collected
or, if that is not practicable, as soon as practicable after the information is
collected, the individual concerned is generally aware of:
(c) the purpose for which the information
is being collected;
(d) if the collection of the
information is authorised or required by or under law—the fact that the
collection of the information is so authorised or required; and
(e) any person to whom, or any body or
agency to which, it is the collector’s usual practice to disclose personal
information of the kind so collected, and (if known by the collector) any
person to whom, or any body or agency to which, it is the usual practice of
that first‑mentioned person, body or agency to pass on that information.
Principle 3
Solicitation
of personal information generally
Where:
(a) a collector collects personal
information for inclusion in a record or in a generally available publication;
and
(b) the information is solicited by
the collector;
the collector shall take such steps (if any) as are, in
the circumstances, reasonable to ensure that, having regard to the purpose for
which the information is collected:
(c) the information collected is
relevant to that purpose and is up to date and complete; and
(d) the collection of the information
does not intrude to an unreasonable extent upon the personal affairs of the
individual concerned.
Principle 4
Storage
and security of personal information
A record‑keeper who has possession or
control of a record that contains personal information shall ensure:
(a) that the record is protected, by
such security safeguards as it is reasonable in the circumstances to take,
against loss, against unauthorised access, use, modification or disclosure, and
against other misuse; and
(b) that if it is necessary for the
record to be given to a person in connection with the provision of a service to
the record‑keeper, everything reasonably within the power of the record‑keeper
is done to prevent unauthorised use or disclosure of information contained in
the record.
Principle 5
Information
relating to records kept by record‑keeper
1. A record‑keeper who has possession or
control of records that contain personal information shall, subject to clause 2
of this Principle, take such steps as are, in the circumstances, reasonable to
enable any person to ascertain:
(a) whether the record‑keeper has
possession or control of any records that contain personal information; and
(b) if the record‑keeper has
possession or control of a record that contains such information:
(i) the nature of that
information;
(ii) the main purposes for
which that information is used; and
(iii) the steps that the
person should take if the person wishes to obtain access to the record.
2. A record‑keeper is not required under
clause 1 of this Principle to give a person information if the record‑keeper
is required or authorised to refuse to give that information to the person
under the applicable provisions of any law of the Commonwealth that provides
for access by persons to documents.
3. A record‑keeper shall maintain a record
setting out:
(a) the nature of the records of
personal information kept by or on behalf of the record‑keeper;
(b) the purpose for which each type of
record is kept;
(c) the classes of individuals about
whom records are kept;
(d) the period for which each type of
record is kept;
(e) the persons who are entitled to
have access to personal information contained in the records and the conditions
under which they are entitled to have that access; and
(f) the steps that should be taken by
persons wishing to obtain access to that information.
4. A record‑keeper
shall:
(a) make the record maintained under
clause 3 of this Principle available for inspection by members of the
public; and
(b) give the Commissioner, in the
month of June in each year, a copy of the record so maintained.
Principle 6
Access
to records containing personal information
Where a record‑keeper has possession or
control of a record that contains personal information, the individual
concerned shall be entitled to have access to that record, except to the extent
that the record‑keeper is required or authorised to refuse to provide the
individual with access to that record under the applicable provisions of any
law of the Commonwealth that provides for access by persons to documents.
Principle 7
Alteration
of records containing personal information
1. A record‑keeper who has possession or
control of a record that contains personal information shall take such steps
(if any), by way of making appropriate corrections, deletions and additions as
are, in the circumstances, reasonable to ensure that the record:
(a) is accurate; and
(b) is, having regard to the purpose
for which the information was collected or is to be used and to any purpose
that is directly related to that purpose, relevant, up to date, complete and
not misleading.
2. The obligation imposed on a record‑keeper
by clause 1 is subject to any applicable limitation in a law of the
Commonwealth that provides a right to require the correction or amendment of
documents.
3. Where:
(a) the record‑keeper of a record
containing personal information is not willing to amend that record, by making
a correction, deletion or addition, in accordance with a request by the
individual concerned; and
(b) no decision or recommendation to
the effect that the record should be amended wholly or partly in accordance
with that request has been made under the applicable provisions of a law of the
Commonwealth;
the record‑keeper shall, if so requested by the individual
concerned, take such steps (if any) as are reasonable in the circumstances to
attach to the record any statement provided by that individual of the
correction, deletion or addition sought.
Principle 8
Record‑keeper to check accuracy etc. of personal
information
before use
A record‑keeper who has possession or
control of a record that contains personal information shall not use that
information without taking such steps (if any) as are, in the circumstances,
reasonable to ensure that, having regard to the purpose for which the
information is proposed to be used, the information is accurate, up to date and
complete.
Principle 9
Personal
information to be used only for relevant purposes
A record‑keeper who has possession or
control of a record that contains personal information shall not use the
information except for a purpose to which the information is relevant.
Principle 10
Limits
on use of personal information
1. A record‑keeper who has possession or
control of a record that contains personal information that was obtained for a
particular purpose shall not use the information for any other purpose unless:
(a) the individual concerned has
consented to use of the information for that other purpose;
(b) the record‑keeper believes on
reasonable grounds that use of the information for that other purpose is
necessary to prevent or lessen a serious and imminent threat to the life or
health of the individual concerned or another person;
(c) use of the information for that
other purpose is required or authorised by or under law;
(d) use of the information for that
other purpose is reasonably necessary for enforcement of the criminal law or of
a law imposing a pecuniary penalty, or for the protection of the public
revenue; or
(e) the purpose for which the
information is used is directly related to the purpose for which the
information was obtained.
2. Where personal information is used for
enforcement of the criminal law or of a law imposing a pecuniary penalty, or
for the protection of the public revenue, the record‑keeper shall include in
the record containing that information a note of that use.
Principle 11
Limits
on disclosure of personal information
1. A record‑keeper who has possession or
control of a record that contains personal information shall not disclose the
information to a person, body or agency (other than the individual concerned)
unless:
(a) the individual concerned is
reasonably likely to have been aware, or made aware under Principle 2,
that information of that kind is usually passed to that person, body or agency;
(b) the individual concerned has
consented to the disclosure;
(c) the record‑keeper believes on
reasonable grounds that the disclosure is necessary to prevent or lessen a
serious and imminent threat to the life or health of the individual concerned
or of another person;
(d) the disclosure is required or
authorised by or under law; or
(e) the disclosure is reasonably
necessary for the enforcement of the criminal law or of a law imposing a
pecuniary penalty, or for the protection of the public revenue.
2. Where personal information is disclosed
for the purposes of enforcement of the criminal law or of a law imposing a
pecuniary penalty, or for the purpose of the protection of the public revenue,
the record‑keeper shall include in the record containing that information a
note of the disclosure.
3. A person, body
or agency to whom personal information is disclosed under clause 1 of this
Principle shall not use or disclose the information for a purpose other than
the purpose for which the information was given to the person, body or agency.
15
Application of Information Privacy Principles
(1) Information Privacy Principles 1, 2,
3, 10 and 11 apply only in relation to information collected after the
commencement of this Act.
(1A) Information Privacy Principles 1, 2,
3, 10 and 11 do not apply to information collected by a Norfolk Island agency
before the commencement of this subsection.
(2) Information Privacy Principles 4 to
9, inclusive, apply in relation to information contained in a record in the
possession or under the control of an agency, whether the information was
collected before, or is collected after, the commencement of this Act.
15B
Special provision relating to the application of the Information Privacy
Principles in relation to Norfolk Island
In relation to a record‑keeper that is a
Norfolk Island agency, a reference in Information Privacy Principle 5, 6
or 7 to a law of the Commonwealth includes a reference to a
Norfolk Island enactment.
16
Agencies to comply with Information Privacy Principles
An agency shall not do an act, or engage
in a practice, that breaches an Information Privacy Principle.
Division 3—Approved privacy
codes and the National Privacy Principles
16A
Organisations to comply with approved privacy codes or National Privacy
Principles
(1) An organisation must not do an act, or
engage in a practice, that breaches an approved privacy code that binds the
organisation.
(2) To the extent (if any) that an
organisation is not bound by an approved privacy code, the organisation must
not do an act, or engage in a practice, that breaches a National Privacy
Principle.
(3) This section, approved privacy codes and
the National Privacy Principles have effect in addition to sections 18 and
18A and Part IIIA, and do not derogate from them.
(4) To avoid doubt, an act done, or practice
engaged in, by an organisation without breaching an approved privacy code or
the National Privacy Principles is not authorised by law (or by this Act) for
the purposes of Part IIIA merely because it does not breach the code or
the Principles.
Note: If an act or practice is otherwise authorised
by law, exceptions to the prohibitions in the National Privacy Principles and
Part IIIA may mean that the act or practice does not breach the Principles
or certain provisions of that Part.
16B
Personal information in records
(1) This Act (except Divisions 4 and 5
of Part III and Part IIIA) applies to the collection of personal
information by an organisation only if the information is collected for
inclusion in a record or a generally available publication.
(2) This Act (except Divisions 4 and 5
of Part III and Part IIIA) applies to personal information that has
been collected by an organisation only if the information is held by the
organisation in a record.
16C
Application of National Privacy Principles
(1) National Privacy Principles 1, 3 (so
far as it relates to collection of personal information) and 10 apply only in
relation to the collection of personal information after the commencement of
this section.
(1A) National Privacy Principle 2 applies
only in relation to personal information collected after the commencement of
this section.
(2) National Privacy Principles 3 (so
far as it relates to personal information used or disclosed), 4, 5, 7 and 9
apply in relation to personal information held by an organisation regardless of
whether the organisation holds the personal information as a result of
collection occurring before or after the commencement of this section.
(3) National Privacy Principle 6 applies
in relation to personal information collected after the commencement of this
section. That Principle also applies to personal information collected by an
organisation before that commencement and used or disclosed by the organisation
after that commencement, except to the extent that compliance by the
organisation with the Principle in relation to the information would:
(a) place an unreasonable
administrative burden on the organisation; or
(b) cause the organisation
unreasonable expense.
(4) National Privacy Principle 8 applies
only to transactions entered into after the commencement of this section.
16D
Delayed application of National Privacy Principles to small business
(1) This section deals with the application
of the National Privacy Principles to an organisation that carries on one or
more small businesses throughout the delayed application period for the
organisation. This section has effect despite section 16C.
(2) National Privacy Principles 1, 3 (so
far as it relates to collection of personal information) and 10 apply only in
relation to the collection of personal information by the organisation after
the delayed application period.
(3) National Privacy Principles 3 (so
far as it relates to personal information used or disclosed), 4, 5, 7 and 9
apply in relation to the organisation only after the delayed application
period. Those Principles then apply in relation to personal information held by
the organisation as a result of collection occurring before, during or after
that period.
(4) National Privacy Principles 2 and 6
apply only in relation to personal information collected by the organisation
after the delayed application period.
(5) National Privacy Principle 8 applies
only to transactions entered into with the organisation after the delayed
application period.
(6) In this section:
delayed application period, for an
organisation, means the period:
(a) starting at the later of the
following times:
(i) the start of the day
when this section commences;
(ii) when the organisation
became an organisation; and
(b) ending at the earlier of the
following times:
(i) immediately before the
first anniversary of the day when this section commences;
(ii) when the organisation
carries on either a business that is not a small business or a business that
involves the provision of health services.
16E
Personal, family or household affairs
Nothing in the National Privacy
Principles applies to:
(a) the collection, holding, use,
disclosure or transfer of personal information by an individual; or
(b) personal information held by an
individual;
only for the purposes of, or in connection with, his or
her personal, family or household affairs.
16F
Information under Commonwealth contract not to be used for direct marketing
(1) This section limits the use and
disclosure of personal information collected:
(a) for the purpose of meeting
(directly or indirectly) an obligation under a Commonwealth contract; and
(b) by an organisation that is a
contracted service provider for the contract.
Note: An organisation may be a contracted service
provider for a Commonwealth contract whether or not the organisation is a party
to the contract.
(2) An organisation that is a contracted
service provider for the contract must not use or disclose the personal
information for direct marketing, unless the use or disclosure is necessary to
meet (directly or indirectly) an obligation under the contract.
(3) Subsection (2) has effect despite:
(a) an approved privacy code (if any)
binding the organisation in relation to the personal information; and
(b) the National Privacy Principles.
Division 4—Tax file number
information
17
Guidelines relating to tax file number information
(1) The Commissioner shall, by notice in
writing, issue guidelines concerning the collection, storage, use and security
of tax file number information.
(2) A guideline issued under subsection (1)
is a disallowable instrument for the purposes of section 46A of the Acts
Interpretation Act 1901.
18
File number recipients to comply with guidelines
A file number recipient shall not do an
act, or engage in a practice, that breaches a guideline issued under section 17.
Division 5—Credit
information
18A
Code of Conduct relating to credit information files and credit reports
(1) The Commissioner must, by notice
published in the Gazette, issue a Code of Conduct concerning:
(a) the collection of personal
information for inclusion in individuals’ credit information files; and
(b) the storage of, security of,
access to, correction of, use of and disclosure of personal information
included in individuals’ credit information files or in credit reports; and
(c) the manner in which credit
reporting agencies and credit providers are to handle disputes relating to
credit reporting; and
(d) any other activities, engaged in
by credit reporting agencies or credit providers, that are connected with
credit reporting.
(2) Before issuing the Code of Conduct, the Commissioner
must, to the extent that it is appropriate and practicable to do so, consult
with government, commercial, consumer and other relevant bodies and
organisations.
(3) In preparing the Code of Conduct, the
Commissioner must have regard to:
(a) the Information Privacy Principles
and the provisions of Part IIIA; and
(aa) the National Privacy Principles
and the provisions of Part IIIAA; and
(b) the likely costs to credit
reporting agencies and credit providers of complying with the Code of Conduct.
(4) The Code of Conduct is a disallowable
instrument for the purposes of section 46A of the Acts Interpretation
Act 1901.
18B
Credit reporting agencies and credit providers to comply with Code of Conduct
A credit reporting agency or credit
provider must not do an act, or engage in a practice, that breaches the Code of
Conduct.
Part IIIAA—Privacy codes
18BA
Application for approval of privacy code
An organisation may apply in writing to
the Commissioner for approval of a privacy code.
18BAA
Privacy codes may cover exempt acts or practices
(1) Despite paragraph 7(1)(ee), a
privacy code may be approved even if it covers exempt acts or practices.
(2) If an approved privacy code covers exempt
acts or practices, this Act applies in relation to the code as if those acts or
practices were not exempt acts or practices.
Note: Because of subsection (2), if an approved
privacy code covers an act or practice that would usually be exempt:
(a) the act or practice, if done or engaged in by an
organisation bound by the code, may constitute an interference with the privacy
of an individual as defined in section 13A; and
(b) section 16A obliges an organisation bound by the
code not to breach the code by doing or engaging in the act or practice; and
(c) the act or practice, if done or engaged in by an
organisation bound by the code, may be the subject of a complaint and
investigation under Part V.
18BB
Commissioner may approve privacy code
(1) Before deciding whether to approve a
privacy code, the Commissioner may consult any person the Commissioner
considers appropriate.
(2) The Commissioner may approve a privacy
code if, and only if, the Commissioner is satisfied:
(a) that the code incorporates all the
National Privacy Principles or sets out obligations that, overall, are at least
the equivalent of all the obligations set out in those Principles; and
(b) that the code specifies the
organisations bound by the code or a way of determining the organisations that
are, or will be, bound by the code; and
(c) that only organisations that
consent to be bound by the code are, or will be, bound by the code; and
(d) that the code sets out a procedure
by which an organisation may cease to be bound by the code and when the
cessation takes effect; and
(e) of the matters mentioned in subsection (3),
if the code sets out procedures for making and dealing with complaints in
relation to acts or practices of an organisation bound by the code that may be
an interference with the privacy of an individual; and
(f) that members of the public have
been given an adequate opportunity to comment on a draft of the code.
(3) If the code sets out procedures for
making and dealing with complaints, the Commissioner must be satisfied that:
(a) the procedures meet:
(i) the prescribed
standards; and
(ii) the Commissioner’s
guidelines (if any) in relation to making and dealing with complaints; and
(b) the code provides for the
appointment of an independent adjudicator to whom complaints may be made; and
(c) the code provides that, in
performing his or her functions, and exercising his or her powers, under the
code, an adjudicator for the code must have due regard to the matters that
paragraph 29(a) requires the Commissioner to have due regard to; and
(d) the determinations, findings,
declarations, orders and directions that the adjudicator may make under the
code after investigating a complaint are the same as those that the
Commissioner may make under section 52 after investigating a complaint
under this Act; and
(e) the code obliges an organisation
bound by the code not to repeat or continue conduct of the organisation
declared by the adjudicator (after investigating a complaint) to constitute an
interference with the privacy of the complainant; and
(f) the code obliges an organisation
bound by the code to perform an act or course of conduct that the adjudicator
has declared (after investigating a complaint) that the organisation should
perform to redress loss or damage suffered by the complainant; and
(g) the code requires organisations
bound by the code to co‑operate with the adjudicator when the adjudicator is
performing functions or exercising powers under the code; and
(h) the code requires a report (in a
form satisfactory to the Commissioner) to be prepared as soon as practicable
after 30 June each year on the operation of the code during the financial
year that ended on that 30 June; and
(i) the code requires that a copy of
each report is to be given to the Commissioner within a timetable that is
satisfactory to the Commissioner; and
(j) the code requires that a copy of
each report is to be made available to anyone who asks for it; and
(k) the code requires the report
prepared for each year to include the number and nature of complaints made to
an adjudicator under the code during the relevant financial year; and
(ka) the code requires the report
prepared for each year to include, for each complaint finally dealt with by an
adjudicator under the code during the relevant financial year, a summary
identifying:
(i) the nature of the
complaint; and
(ii) the provisions of the
code applied in dealing with the complaint; and
(iii) the outcome of the
dealing;
whether or not the adjudicator
made a determination, finding, declaration, order or direction in dealing with
the complaint; and
(l) the code identifies an
adjudicator for the code or another person as the person responsible for the
requirements in this subsection relating to the annual report for the code.
(4) In deciding whether to approve a privacy
code, the Commissioner may consider the matters specified in guidelines issued
by the Commissioner (if any).
(5) An approval must be in writing.
(6) This section does not prevent the
Commissioner approving a privacy code if:
(a) the code also sets out:
(i) the period during
which it will operate; or
(ii) the circumstances in
which it will expire; and
(b) the Commissioner considers that
the period or circumstances are appropriate.
(7) This section does not prevent the
Commissioner approving a privacy code if the code is expressed to apply to:
(a) all personal information or a
specified type of personal information; or
(b) a specified activity or class of
activities of an organisation; or
(c) a specified industry sector and/or
profession; or
(d) a specified class of industry
sectors and/or professions.
18BC
When approval takes effect
(1) The approval of a privacy code takes
effect on the day specified in the approval.
(2) The day specified must not be before the
day on which the approval is given.
18BD Varying
an approved privacy code
(1) An organisation may apply in writing to
the Commissioner for approval of a variation of an approved privacy code by
giving the Commissioner a copy of the code that incorporates the variations.
(2) The Commissioner may approve in writing
the variation.
(3) In deciding whether to approve the
variation, the Commissioner must consider all of the matters that the
Commissioner would consider in deciding whether to approve under section 18BB
a privacy code identical to the approved privacy code with the variation.
(4) However, if the Commissioner thinks that
a variation is minor, he or she need not be satisfied that members of the
public have been given an adequate opportunity to comment on a draft variation
of the code (as would otherwise be required by paragraph 18BB(2)(f)).
Instead, the Commissioner may consult any person he or she thinks appropriate
about the draft variation.
(5) The approval of the variation takes
effect on the day specified in the approval.
(6) The day specified must not be before the
day on which the approval is given.
18BE
Revoking the approval of an approved privacy code
(1) The Commissioner may revoke his or her
approval of an approved privacy code or a variation of an approved privacy
code:
(a) on his or her own initiative; or
(b) on application by an organisation
that is bound by the code.
(2) Before deciding whether to revoke the
approval of a code or variation, the Commissioner must:
(a) if practicable, consult the
organisation that originally sought approval of the code or variation; and
(b) consult any other person the
Commissioner considers appropriate; and
(c) consider the extent to which
members of the public have been given an opportunity to comment on the proposed
revocation.
(3) A revocation must be in writing.
(4) A revocation comes into effect on the day
specified in the revocation.
(5) The day specified must not be before the
day on which the revocation is made.
18BF
Guidelines about privacy codes
(1) The
Commissioner may make:
(a) written guidelines to assist
organisations to develop privacy codes or to apply approved privacy codes; and
(b) written guidelines relating to
making and dealing with complaints under approved privacy codes; and
(c) written guidelines about matters
the Commissioner may consider in deciding whether to approve a privacy code or
a variation of an approved privacy code.
(1A) Before making guidelines for the purposes
of paragraph (1)(b), the Commissioner must give everyone the Commissioner
considers has a real and substantial interest in the matters covered by the
proposed guidelines an opportunity to comment on them.
(2) The Commissioner may publish guidelines
made under subsection (1) in any way the Commissioner considers
appropriate.
18BG
Register of approved privacy codes
(1) The Commissioner must keep a register of
approved privacy codes.
(2) The Commissioner may decide the form of
the register and how it is to be kept.
(3) The Commissioner must make the register
available to the public in the way that the Commissioner determines.
(4) The Commissioner may charge fees for:
(a) making the register available to
the public; or
(b) providing copies of, or extracts
from, the register.
18BH
Review of operation of approved privacy code
(1) The Commissioner may review the operation
of an approved privacy code.
Note: The review may inform a decision by the
Commissioner under section 18BE to revoke the approved privacy code.
(2) The
Commissioner may do one or more of the following for the purposes of the
review:
(a) consider the process under the
code for making and dealing with complaints;
(b) inspect the records of an
adjudicator for the code;
(c) consider the outcome of complaints
dealt with under the code;
(d) interview an adjudicator for the
code.
18BI
Review of adjudicator’s decision under approved privacy code
(1) A person
who is aggrieved by a determination made by an adjudicator (other than the
Commissioner) under an approved privacy code after investigating a complaint
may apply to the Commissioner for review of the determination.
Note: The review of the adjudicator’s determination
will include review of any finding, declaration, order or direction that is
included in the determination.
(2) Divisions 1 and 2 of Part V
apply in relation to the complaint covered by the application as if the
complaint had been made to the Commissioner and subsection 36(1A) did not
prevent the Commissioner from investigating it.
Note: Divisions 1 and 2 of Part V provide
for the investigation and determination of complaints made to the Commissioner.
(3) The adjudicator’s determination continues
to have effect unless and until the Commissioner makes a determination under
Division 2 of Part V relating to the complaint.
Part IIIA—Credit
reporting
18C
Certain credit reporting only to be undertaken by corporations
(1) A person must not use an eligible
communications service in the course of carrying on a credit reporting business
unless the person is a corporation.
(2) A person must not:
(a) in the course of trade or
commerce:
(i) between Australia and places outside Australia; or
(ii) among the States; or
(iii) between a State and a
Territory; or
(iv) among the Territories;
or
(b) in the course of banking (other
than State banking not extending beyond the limits of the State concerned); or
(c) in the course of insurance
business (other than insurance business relating to State insurance not
extending beyond the limits of the State concerned); or
(d) in a Territory;
carry on a credit reporting business unless the person is
a corporation.
(3) A person must not act on a corporation’s
behalf in the course of carrying on a credit reporting business unless the
person is a corporation.
(4) A person who intentionally contravenes
this section is guilty of an offence punishable, on conviction, by a fine not
exceeding $30,000.
18D
Personal information not to be given to certain persons carrying on credit
reporting
(1) A person must not use an eligible
communications service to give to a person carrying on a credit reporting
business personal information in circumstances to which this section applies
unless the last‑mentioned person is a corporation.
(2) A person must not:
(a) in the course of trade or
commerce:
(i) between Australia and places outside Australia; or
(ii) among the States; or
(iii) between a State and a
Territory; or
(iv) among the Territories;
or
(b) in the course of banking (other
than State banking not extending beyond the limits of the State concerned); or
(c) in the course of insurance
business (other than insurance business relating to State insurance not
extending beyond the limits of the State concerned); or
(d) in a Territory;
give to a person carrying on a credit reporting business
personal information in circumstances to which this section applies unless the
last‑mentioned person is a corporation.
(3) A corporation must not give to a person
carrying on a credit reporting business personal information in circumstances
to which this section applies unless the last‑mentioned person is a
corporation.
(4) A person who intentionally contravenes
this section is guilty of an offence punishable, on conviction, by a fine not
exceeding $12,000.
(5) For the purposes of this section,
personal information is to be taken to be given to a person in circumstances to
which this section applies if the person to whom the information is given is
likely to use the information in the course of carrying on a credit reporting
business.
18E
Permitted contents of credit information files
(1) A credit reporting agency must not
include personal information in an individual’s credit information file unless:
(a) the inclusion of the information
in the file is reasonably necessary in order to identify the individual; or
(b) the
information is a record of:
(i) both:
(A) a credit
provider having sought a credit report in relation to an individual in
connection with an application for credit or commercial credit made by the
individual to the credit provider; and
(B) the
amount of credit or commercial credit sought in the application; or
(ia) a person who is a
credit provider because of the application of subsection 11B(4B) having
sought a credit report in relation to the individual for the purpose of
assessing:
(A) the risk
in purchasing a loan by means of a securitisation arrangement; or
(B) the risk
in undertaking credit enhancement of a loan that is, or is proposed to be,
purchased or funded by means of a securitisation arrangement;
being a loan given to,
or applied for by, the individual or a person in relation to whom the
individual is, or is proposing to be, a guarantor; or
(ii) a mortgage insurer
having sought a credit report in connection with the provision of insurance to
a credit provider in respect of mortgage credit given by the credit provider to
the individual, or to a person in relation to whom the individual is, or is
proposing to be, a guarantor; or
(iii) a trade insurer having
sought a credit report in connection with the provision of insurance to a
credit provider in respect of commercial credit given by the credit provider to
the individual or another person; or
(iv) a credit provider
having sought a credit report in connection with the individual having offered
to act as guarantor in respect of a loan or an application for a loan; or
(v) a credit provider being
a current credit provider in relation to the individual; or
(vi) credit provided by a
credit provider to an individual, being credit in respect of which:
(A) the
individual is at least 60 days overdue in making a payment, including a payment
that is wholly or partly a payment of interest; and
(B) the
credit provider has taken steps to recover the whole or any part of the amount
of credit (including any amounts of interest) outstanding; or
(vii) a cheque, for an amount
not less than $100, that:
(A) has been
drawn by the individual; and
(B) has
twice been presented and dishonoured; or
(viii) court judgments made
against the individual; or
(ix) bankruptcy orders made
against the individual; or
(x) the opinion of a credit
provider that the individual has, in the circumstances specified, committed a
serious credit infringement; or
(ba) the information is a record of an
overdue payment by the individual as guarantor under a guarantee given against
default by a person (the borrower) in repaying all or any of an
amount of credit obtained by the borrower from a credit provider, and the
following subparagraphs apply:
(i) the credit provider is
not prevented under any law of the Commonwealth, a State or a Territory from
bringing proceedings against the individual to recover the amount of the
overdue payment;
(ii) the credit provider
has given the individual notice of the borrower’s default that gave rise to the
individual’s obligation to make the payment;
(iii) 60 days have elapsed
since the day on which the notice was given;
(iv) the credit provider
has, separately from and in addition to the giving of the notice referred to in
subparagraph (ii), taken steps to recover the amount of the overdue
payment from the individual.
(c) the information is included in a
statement provided by the individual under subsection 18J(2) for inclusion
in the file; or
(d) the information is included in a
note included in the file under subsection 18F(4) or 18K(5).
(2) A credit reporting agency must not
include in an individual’s credit information file personal information
recording the individual’s:
(a) political, social or religious
beliefs or affiliations; or
(b) criminal record; or
(c) medical history or physical
handicaps; or
(d) race, ethnic origins or national
origins; or
(e) sexual preferences or practices;
or
(f) lifestyle, character or
reputation.
(3) The Commissioner may determine, in
writing, the kinds of information that are, for the purposes of paragraph (1)(a),
reasonably necessary to be included in an individual’s credit information file
in order to identify the individual.
(4) Where the Commissioner so determines,
information that is not of a kind so determined is to be taken not to be
information that is permitted to be included in an individual’s credit
information file under paragraph (1)(a).
(5) A determination is to be made by notice
published in the Gazette.
(6) A notice so published is a disallowable
instrument for the purposes of section 46A of the Acts Interpretation
Act 1901.
(7) A credit reporting agency must not open a
credit information file in relation to an individual unless it has information,
concerning the individual, to include in the file that is information of a kind
referred to in paragraph (1)(b) or (ba).
(8) A credit provider must not give to a
credit reporting agency personal information relating to an individual if:
(a) a credit reporting agency is
prohibited, under subsection (1), from including the information in the
individual’s credit information file; or
(b) the credit provider does not have
reasonable grounds for believing that the information is correct; or
(c) the credit provider did not, at
the time of, or before, acquiring the information, inform the individual that
the information might be disclosed to a credit reporting agency.
18F
Deletion of information from credit information files
(1) A credit reporting agency must delete
from an individual’s credit information file maintained by the credit reporting
agency any personal information of a kind referred to in paragraph 18E(1)(b)
or (ba) within 1 month after the end of the maximum permissible period for the
keeping of personal information of that kind.
(2) For the purposes of subsection (1),
the maximum permissible periods for the keeping of personal information of the
kind referred to in paragraph 18E(1)(b) are as follows:
(a) in the case of information of a
kind referred to in subparagraph (i), (ia), (ii), (iii) or (iv) of that
paragraph—the period of 5 years commencing on the day on which the credit
report concerned was sought;
(b) in the case of information of a
kind referred to in subparagraph (v) of that paragraph—the period of 14
days commencing on the day on which the credit reporting agency is notified
under subsection (5) that the credit provider concerned is no longer a
current credit provider in relation to the individual concerned;
(c) in the case of information of a
kind referred to in subparagraph (vi) of that paragraph—the period of 5
years commencing on the day on which the credit reporting agency was informed
of the overdue payment concerned;
(d) in the case of information of a
kind referred to in subparagraph (vii) of that paragraph—the period of 5
years commencing on the day on which the second dishonouring of the cheque
occurred;
(e) in the case of information of a
kind referred to in subparagraph (viii) of that paragraph—the period of 5
years commencing on the day on which the court judgment concerned was made;
(f) in the case of information of a
kind referred to in subparagraph (ix) of that paragraph—the period of 7
years commencing on the day on which the bankruptcy order concerned was made;
(g) in the case of information of a
kind referred to in subparagraph (x) of that paragraph—the period of 7
years commencing on the day on which the information was included in the credit
information file concerned.
(2A) For the purposes of subsection (1),
the maximum permissible period for the keeping of personal information of the
kind referred to in paragraph 18E(1)(ba) is the period of 5 years
beginning on the day when the credit reporting agency is informed of the
overdue payment concerned.
(3) Where:
(a) a credit reporting agency has been
given information that an individual is overdue in making a payment in respect
of credit provided by a credit provider; and
(b) the individual ceases to be
overdue in making the payment or contends that he or she is not overdue in
making the payment;
the credit provider must, as soon as practicable, inform
the credit reporting agency that the individual has ceased to be overdue in
making the payment, or contends that he or she is not overdue in making the
payment, as the case may be.
(4) On being informed that the individual is
no longer overdue in making the payment, or that the individual contends that
he or she is not overdue in making the payment, the credit reporting agency
must include in the individual’s credit information file a note to that effect.
(5) Where a credit provider ceases to be a
current credit provider in relation to an individual, the credit provider must,
as soon as practicable, notify that fact to any credit reporting agency that
was previously informed that the credit provider was a current credit provider
in relation to the individual.
18G Accuracy
and security of credit information files and credit reports
A credit reporting agency in possession
or control of a credit information file, or a credit provider or credit
reporting agency in possession or control of a credit report, must:
(a) take reasonable steps to ensure
that personal information contained in the file or report is accurate, up‑to‑date,
complete and not misleading; and
(b) ensure that the file or report is
protected, by such security safeguards as are reasonable in the circumstances,
against loss, against unauthorised access, use, modification or disclosure, and
against other misuse; and
(c) if it is necessary for the file or
report to be given to a person in connection with the provision of a service to
the credit reporting agency or credit provider, ensure that everything
reasonably within the power of the credit reporting agency or credit provider
is done to prevent unauthorised use or disclosure of personal information
contained in the file or report.
18H
Access to credit information files and credit reports
(1) A credit reporting agency in possession
or control of an individual’s credit information file must take reasonable
steps to ensure that the individual can obtain access to that file.
(2) A credit provider, or a credit reporting
agency, in possession or control of a credit report containing personal
information concerning an individual must take all reasonable steps to ensure
that the individual can obtain access to that report.
(3) An individual’s rights of access under
this section may also be exercised by a person (other than a credit provider,
mortgage insurer or trade insurer) authorised, in writing, by the individual to
exercise those rights on the individual’s behalf in connection with:
(a) an application, or a proposed
application, by the individual for a loan; or
(b) the individual having sought
advice in relation to a loan.
18J
Alteration of credit information files and credit reports
(1) A credit reporting agency in possession
or control of a credit information file, or a credit provider or credit
reporting agency in possession or control of a credit report, must take
reasonable steps, by way of making appropriate corrections, deletions and
additions, to ensure that the personal information contained in the file or
report is accurate, up‑to‑date, complete and not misleading.
(2) Where:
(a) a credit reporting agency in
possession or control of a credit information file, or a credit provider or
credit reporting agency in possession or control of a credit report, does not
amend personal information contained in that file or report, by making a
correction, deletion or addition, in accordance with a request by the
individual concerned; and
(b) the individual requests the credit
reporting agency or credit provider to include in that file or report a
statement provided by the individual of the correction, deletion or addition
sought;
the credit reporting agency or credit provider must take
reasonable steps to include the statement in the file or report within 30 days
after being requested to do so.
(3) Where the credit reporting agency or
credit provider considers a statement included pursuant to subsection 18J(2)
to be of undue length in the circumstances, the credit reporting agency or
credit provider may refer the statement to the Commissioner for such reduction
as is considered appropriate and, if the statement is altered, the statement as
altered is to be included in the file or report.
18K
Limits on disclosure of personal information by credit reporting agencies
(1) A credit
reporting agency in possession or control of an individual’s credit information
file must not disclose personal information contained in the file to a person,
body or agency (other than the individual) unless:
(a) the information is contained in a
credit report given to a credit provider who requested the report for the
purpose of assessing an application for credit made by the individual to the
credit provider; or
(ab) the
information:
(i) is contained in a
credit report given to a person who is a credit provider because of the
application of subsection 11B(4B); and
(ii) the person requested
the report for the purpose of assessing the risk in purchasing a loan by means
of a securitisation arrangement, being a loan given to or applied for by:
(A) the
individual; or
(B) a person
in relation to whom the individual is, or is proposing to be, a guarantor; or
(ac) the information:
(i) is contained in a
credit report given to a person who is a credit provider because of the application
of subsection 11B(4B); and
(ii) the person requested
the report for the purpose of assessing the risk in undertaking credit
enhancement of a loan that is, or is proposed to be, purchased or funded by
means of a securitisation arrangement, being a loan given to or applied for by:
(A) the
individual; or
(B) a person
in relation to whom the individual is, or is proposing to be, a guarantor; or
(b) the information is contained in a
credit report given to a credit provider who requested the report for the
purpose of assessing an application for commercial credit made by a person to
the credit provider, and the individual to whom the report relates has
specifically agreed to the report being given to the credit provider for that
purpose; or
(c) the information is contained in a
credit report given to a credit provider who requested the report for the
purpose of assessing whether to accept the individual as a guarantor in respect
of:
(i) a loan provided by the
credit provider to a person other than the individual; or
(ii) a loan for which an
application has been made by a person other than the individual to the credit
provider;
and the first‑mentioned
individual has specifically agreed, in writing, to the report being given to
the credit provider for that purpose; or
(d) the information is contained in a
credit report given to a mortgage insurer for the purpose of assessing:
(i) whether to provide
insurance to, or the risk of providing insurance to, a credit provider in
respect of mortgage credit given by the credit provider to the individual; or
(ii) the risk of the
individual defaulting on mortgage credit in respect of which the mortgage
insurer has provided insurance to a credit provider; or
(iii) the risk of the
individual being unable to meet a liability that might arise under a guarantee
entered into, or proposed to be entered into, in respect of mortgage credit
given by a credit provider to another person; or
(e) the information is contained in a
credit report given to a trade insurer for the purpose of assessing:
(i) whether to provide
insurance to, or the risk of providing insurance to, a credit provider in
respect of commercial credit given by the credit provider to the individual or
another person; or
(ii) the risk of a person
defaulting on commercial credit in respect of which the trade insurer has
provided insurance to a credit provider;
and the individual to whom the
report relates has specifically agreed, in writing, to the report being given
to the trade insurer for that purpose; or
(f) the credit reporting agency has,
at least 30 days before the disclosure, received information of a kind referred
to in subparagraph 18E(1)(b)(vi), and the information is contained in a
credit report given to a credit provider referred to in the credit information
file as a credit provider who is a current credit provider in relation to the
individual; or
(g) the information is contained in a
credit report given to a credit provider who requested the report for the
purpose of the collection of payments that are overdue in respect of credit
provided to the individual by the credit provider; or
(h) the information is contained in a
credit report given to a credit provider who requested the report for the
purpose of the collection of payments that are overdue in respect of commercial
credit provided to a person by the credit provider, and:
(i) the individual to whom
the report relates has specifically agreed, in writing, to the report being
given to the credit provider for that purpose; or
(ii) that individual had
specifically agreed, in writing, to a credit report relating to the individual
being given to the credit provider for the purpose of the credit provider
assessing the application that the first‑mentioned person made to the credit
provider for the provision of the commercial credit concerned; or
(iii) the credit provider
provided the commercial credit concerned before the commencement of this
section; or
(j) the information is contained in a
credit report given to another credit reporting agency; or
(k) the information is contained in a
record in which the only personal information relating to individuals is
publicly available information; or
(m) the disclosure is required or
authorised by or under law; or
(n) the credit reporting agency is
satisfied that a credit provider or law enforcement authority believes on
reasonable grounds that the individual has committed a serious credit
infringement and the information is given to that credit provider or law
enforcement authority or to any other credit provider or law enforcement
authority.
(1A) For the purposes of paragraph (1)(b),
the individual’s agreement to the report being given to the credit provider
must be in writing unless:
(a) the report is requested for the
purpose of assessing an application for commercial credit that was at first
instance made orally; and
(b) the application has not yet been
made in writing.
(2) A credit reporting agency must not
disclose personal information contained in an individual’s credit information
file, or in any other record containing information derived from the file, that
is in the possession or control of the credit reporting agency if the file or
other record contains personal information that the credit reporting agency
would be:
(a) prohibited from including in an
individual’s credit information file under section 18E; or
(b) required to delete from such a
file under section 18F.
(3) Subsection (2) does not prohibit the
credit reporting agency from disclosing personal information that it would be
prohibited from including in an individual’s credit information file under
section 18E if:
(a) the credit reporting agency
included the information in a credit information file or other record before
the commencement of this section; and
(b) the information is information of
a kind that the Commissioner has determined, in writing, to be information that
the credit reporting agency may disclose without contravening that subsection.
(4) A credit reporting agency that
intentionally contravenes subsection (1) or (2) is guilty of an offence
punishable, on conviction, by a fine not exceeding $150,000.
(5) Where a credit reporting agency discloses
personal information contained in an individual’s credit information file, it
must include in the file a note of that disclosure.
Note: A credit reporting agency must not include a
note about the disclosure of information in a file if a notation has been made
on a summons, or a notice, relating to the disclosure of the information and
the notation has not been cancelled (see section 29A of the Australian
Crime Commission Act 2002 and sections 77A and 91 of the Law
Enforcement Integrity Commissioner Act 2006).
(6) A credit reporting agency must not
include in a credit report given to a credit provider under paragraph (1)(a)
any information relating to an individual’s commercial activities (other than
information that the credit reporting agency is permitted under section 18E
to include in the individual’s credit information file).
(7) A determination under paragraph (3)(b)
is to be made by notice published in the Gazette.
(8) A notice so published is a disallowable
instrument for the purposes of section 46A of the Acts Interpretation
Act 1901.
18L
Limits on use by credit providers of personal information contained in credit
reports etc.
(1) A credit provider that is or has been in
possession or control of a credit report must not use the report or any
personal information derived from the report for any purpose other than
assessing an application for credit made to the credit provider by the
individual concerned unless:
(aa) the report was obtained under
paragraph 18K(1)(a) or (ab) and the credit provider uses the report or
information for the purpose of assessing the risk in purchasing a loan by means
of a securitisation arrangement, being a loan given to or applied for by:
(i) the individual; or
(ii) a person in relation
to whom the individual is, or is proposing to be, a guarantor; or
(ab) the report was obtained under
paragraph 18K(1)(a) or (ac) and the credit provider uses the report or
information for the purpose of assessing the risk in undertaking credit
enhancement of a loan that is, or is proposed to be, purchased or funded by
means of a securitisation arrangement, being a loan given to or applied for by:
(i) the individual; or
(ii) a person in relation
to whom the individual is, or is proposing to be, a guarantor; or
(a) the report was obtained under
paragraph 18K(1)(b) and the credit provider uses the report or information
for the purpose of assessing an application for commercial credit made by a
person to the credit provider; or
(b) the report was obtained under
paragraph 18K(1)(c) and the credit provider uses the report or information
for the purpose of assessing whether to accept the individual as a guarantor in
respect of:
(i) a loan provided by the
credit provider to a person other than the individual; or
(ii) a loan for which an
application has been made by a person other than the individual to the credit
provider; or
(ba) the report was obtained under
paragraph 18K(1)(a), (b) or (c) and the credit provider uses the report or
information for the internal management purposes of the credit provider, being
purposes directly related to the provision or management of loans by the credit
provider; or
(c) the report was obtained under
paragraph 18K(1)(f) and the credit provider uses the information for the
purpose of assisting the individual to avoid defaulting on his or her credit
obligations; or
(d) the credit provider uses the
report or information for the purpose of the collection of payments that are
overdue in respect of credit provided to the individual by the credit provider;
or
(da) the report was obtained under
paragraph 18K(1)(h) and the credit provider uses the report or information
for the purpose of the collection of payments that are overdue in respect of
commercial credit provided to a person by the credit provider; or
(e) use of the report or information
for that other purpose is required or authorised by or under law; or
(f) the credit provider believes on
reasonable grounds that the individual has committed a serious credit
infringement, and the report or information is used in connection with that
infringement.
(2) A credit provider that intentionally
contravenes subsection (1) is guilty of an offence punishable, on
conviction, by a fine not exceeding $150,000.
(3) A credit provider that is or has been in
possession or control of a credit report must not:
(a) use the report unless all personal
information concerning individuals that is not information of a kind referred
to in subsection 18E(1) has been deleted from the report; or
(b) use any personal information
derived from the report if the information is not information of a kind
referred to in subsection 18E(1).
(4) Where a
credit provider has received a credit report for the purpose of assessing an
application for credit made to the credit provider by an individual, the credit
provider must not, in assessing the application, use information that:
(a) concerns the individual’s
commercial activities or commercial credit worthiness; and
(b) was obtained from a person or body
carrying on a business or undertaking involving the provision of information
about the commercial credit worthiness of persons;
unless the individual has specifically agreed to the
information being obtained by the credit provider for that purpose.
(4A) For the purposes of subsection (4),
the individual’s agreement to the information being obtained by the credit
provider must be in writing unless:
(a) the information is obtained for
the purpose of assessing an application for credit that was at first instance
made orally; and
(b) the application has not yet been
made in writing.
(5) References in subsection (3) to
information that is not information of a kind referred to in subsection 18E(1)
do not include references to information the disclosure of which is taken,
because of the application of subsection 18K(3), not to be in
contravention of subsection 18K(2).
(6) The Commissioner may determine, in
writing, the manner in which information of a kind referred to in subsection (4)
may, under that subsection, be used (including the manner in which an
individual’s agreement may be obtained for the purposes of that subsection).
(7) A determination is to be made by notice
published in the Gazette.
(8) A notice so published is a disallowable
instrument for the purposes of section 46A of the Acts Interpretation
Act 1901.
18M
Information to be given if an individual’s application for credit is refused
(1) If:
(a) a credit provider refuses an
application by an individual for credit (including an application made jointly
by that individual and one or more other persons); and
(b) the refusal is based wholly or
partly on information derived from a credit report relating to that individual
that a credit reporting agency has given to the credit provider for the purpose
of assessing the application;
the credit provider must give the individual a written
notice:
(c) stating:
(i) that the application has
been refused; and
(ii) that the refusal was
based wholly or partly, as the case requires, on information derived from a
credit report relating to that individual that a credit reporting agency has
given to the credit provider; and
(iii) the name and address
of the credit reporting agency; and
(d) notifying that individual of his
or her right under this Act to obtain access to his or her credit information
file maintained by the credit reporting agency.
(2) If:
(a) a credit provider refuses an
application by an individual for credit, being an application made jointly by
that individual and one or more other persons; and
(b) the refusal is based wholly or
partly on information derived from a credit report relating to one of those
other persons that a credit reporting agency has given to the credit provider
for the purpose of assessing the application;
the credit provider must give to that individual a written
notice stating:
(c) that the application has been
refused; and
(d) that the refusal was based wholly
or partly, as the case requires, on information derived from a credit report
relating to that person that a credit reporting agency has given to the credit
provider.
(3) If:
(a) a credit provider refuses an
application by an individual for credit (including an application made jointly
by that individual and one or more other persons); and
(b) the refusal is based wholly or
partly on information derived from a credit report relating to another person
who was proposing to be a guarantor in respect of the credit;
the credit provider must give that individual a written
notice stating:
(c) that the application has been
refused; and
(d) that the refusal was based wholly
or partly, as the case requires, on information derived from a credit report
relating to that person that a credit reporting agency has given to the credit
provider.
18N
Limits on disclosure by credit providers of personal information contained in
reports relating to credit worthiness etc.
(1) A credit provider that is or has been in
possession or control of a report must not disclose the report or any personal
information derived from the report to another person for any purpose unless:
(a) the report or information is
disclosed to a credit reporting agency for the purpose of being used:
(i) to create a credit
information file in relation to the individual concerned; or
(ii) to include information
in a credit information file, maintained by the credit reporting agency, in
relation to the individual concerned; or
(b) the individual concerned has
specifically agreed to the disclosure of the report or information to another
credit provider for the particular purpose; or
(ba) the
report or information is disclosed:
(i) to the guarantor of a
loan provided by the credit provider to the individual concerned; and
(ii) for any purpose
related to the enforcement or proposed enforcement of the guarantee; or
(bb) the
report or information is disclosed to a mortgage insurer:
(i) for the purpose of
assessing whether to provide insurance to, or the risk of providing insurance
to, a credit provider in respect of mortgage credit given by the credit
provider to the individual concerned or applied for by the individual concerned
to the credit provider; or
(ii) for the purpose of
assessing the risk of the individual defaulting on mortgage credit in respect
of which the mortgage insurer has provided insurance to the credit provider; or
(iii) for any purpose
arising under a contract for mortgage insurance that has been entered into
between the credit provider and the mortgage insurer; or
(bc) the report or information is
disclosed:
(i) to a person or body
generally recognised and accepted in the community as being a person appointed,
or a body established, for the purpose of settling disputes between credit
providers, acting in their capacity as credit providers, and their customers;
and
(ii) for the purpose of
settling a dispute between the credit provider and the individual concerned; or
(bd) the report or information is
disclosed:
(i) to a Minister,
Department or authority, of a State or Territory whose functions or
responsibilities include giving assistance (directly or indirectly) that
facilitates the giving of mortgage credit to individuals; and
(ii) for the purpose of
enabling the Minister, Department or authority to determine the extent of
assistance (if any) it will give in relation to the giving of mortgage credit
to the individual concerned; or
(bda) the report or information is
disclosed:
(i) to a Minister,
Department or authority, of a State or Territory whose functions or
responsibilities include the management or supervision of schemes or
arrangements under which assistance is given (directly or indirectly) that
facilitates the giving of mortgage credit to individuals; and
(ii) for the purpose of
enabling the Minister, Department or authority to manage or supervise any such
scheme or arrangement; or
(be) the report or information:
(i) is disclosed to a
person or body carrying on a business of supplying goods or services; and
(ii) is disclosed for the
purpose of enabling that person or body to decide whether to accept, as payment
for goods or services supplied to the individual concerned, payment by means of
credit card or electronic transfer of funds; and
(iii) does not contain or
include any personal information derived from a credit report, other than:
(A) information
of a kind referred to in paragraph 18E(1)(a); and
(B) information
as to whether the individual has a line of credit with the credit provider, or
funds deposited with the credit provider, sufficient to meet the payment
concerned; or
(bf) the report or information:
(i) is disclosed to a
person or body that is considering taking an assignment of, or discharging on
the individual’s behalf, a debt owed by the individual to the credit provider;
and
(ii) does not contain or
include any personal information derived from a credit report, other than:
(A) information
of a kind referred to in paragraph 18E(1)(a); and
(B) information
as to the amount of the debt, or the amount required to be paid in order to
discharge the debt; or
(bg) the
report or information is disclosed to a person who is a guarantor in respect
of, or who has provided property as security for, a loan given by the credit
provider to the individual concerned, and:
(i) the individual has
specifically agreed to the disclosure of the report or information to any such
person; or
(ii) the
following circumstances apply:
(A) the
guarantee or security was given before the commencement of this paragraph;
(B) the
report or information is disclosed for the purpose of giving to the person
information that is relevant to the amount or possible amount of the person’s
liability under the contract of guarantee or security;
(C) the
credit provider has, prior to the disclosure, informed the individual that such
disclosures may take place; or
(bh) the report or information is
disclosed to a person for the purpose of that person considering whether to
offer to act as guarantor in respect of, or to offer property as security for:
(i) a loan given by the
credit provider to the individual concerned; or
(ii) a loan for which the
individual concerned has applied to the credit provider;
and the individual has
specifically agreed to the disclosure of the report or information to any such
person for that purpose; or
(c) the report (not being a credit
report) or information:
(i) is disclosed to a
person or body carrying on a business or undertaking that involves the
collection of debts on behalf of others; and
(ii) is disclosed for the
purpose of the collection of payments that are overdue in respect of credit
provided to the individual concerned by the credit provider; and
(iii) does not contain or
include any personal information derived from a credit report, other than:
(A) information
of a kind referred to in paragraph 18E(1)(a); and
(B) information
of a kind referred to in subparagraph 18E(1)(b)(vi), not being information
that relates to an overdue payment in respect of which a note to the effect
that the individual is no longer overdue in making the payment has been
included, under subsection 18F(4), in the credit information file from
which the credit report was prepared; and
(C) information
of a kind referred to in subparagraph 18E(1)(b) (viii) or (ix); or
(ca) the
report (not being a credit report) or information:
(i) is disclosed to a
person or body carrying on a business or undertaking that involves the
collection of debts on behalf of others; and
(ii) is disclosed for the
purpose of the collection of payments that are overdue in respect of commercial
credit provided to a person by the credit provider; and
(iii) does not contain or
include any personal information derived from a credit report, other than
information of a kind referred to in paragraph 18E(1)(a) or subparagraph 18E(1)(b)
(viii) or (ix); or
(d) where the credit provider is a
corporation—the report or information is disclosed to a corporation that is
related to the credit provider; or
(e) the report or information is
disclosed to a corporation (including the professional legal advisers or
professional financial advisers of that corporation) that proposes to use the
report or information:
(i) in the process of
considering whether to:
(A) accept
an assignment of a debt owed to the credit provider; or
(B) accept a
debt owed to the credit provider as security for a loan to the credit provider;
or
(C) purchase
an interest in the credit provider (including, in a case where the credit
provider is a corporation, a corporation that is related to the credit
provider); or
(ii) in connection with
exercising rights arising from any acceptance or purchase of a kind referred to
in subparagraph (i); or
(f) the report or information is
disclosed to a person who manages loans made by the credit provider, for use in
managing those loans; or
(fa) the report or information is
disclosed to another credit provider in the following circumstances:
(i) the credit provider
and the other credit provider have each provided to the individual concerned
mortgage credit in respect of which the same real property forms all or part of
the security;
(ii) the individual is at
least 60 days overdue in making a payment in respect of the mortgage credit
provided by either credit provider;
(iii) the disclosure is for
the purpose of either credit provider deciding what action to take in relation
to the overdue payment; or
(g) disclosure of the report or
information to that other person for the particular purpose is required or
authorised by or under law; or
(ga) the report or information is
disclosed to:
(i) the individual; or
(ii) a person (other than a
credit provider, mortgage insurer or trade insurer) authorised, in writing, by
the individual to seek access to the report or information; or
(gb) the report or information is
disclosed in the following circumstances:
(i) the individual
concerned maintains an account with the credit provider;
(ii) the report or
information relates to the operation of the account;
(iii) the report or
information is disclosed to another person who is authorised by the individual
to operate the account;
(iv) either:
(A) the
report or information contains no information about the credit worthiness,
credit standing, credit history or credit capacity of the individual concerned,
other than basic transaction information; or
(B) the
disclosure takes place in the ordinary course of the other person operating the
account in the way authorised by the individual concerned; or
(h) the credit provider believes on
reasonable grounds that the individual concerned has committed a serious credit
infringement and the report or information is given to another credit provider
or a law enforcement authority.
(1A) For the
purposes of paragraph (1)(b), the individual’s agreement to the disclosure
of the report or information to another credit provider:
(a) must be in writing unless:
(i) the disclosure is
sought for the purpose of assessing an application for credit or commercial
credit that was initially made orally; and
(ii) the application has
not yet been made in writing; and
(b) must be given to:
(i) the credit provider
with possession or control of the report or information; or
(ii) the other credit
provider.
(1B) For the purposes of paragraphs (1)(bg)
and (bh), the individual’s agreement to the disclosure of the report or
information must be in writing unless:
(a) the disclosure relates to an
application for a loan that was initially made orally; and
(b) the application has not yet been
made in writing.
(1C) Paragraph (1)(ga) does not affect the
operation of paragraph (1)(g) in relation to an individual obtaining
access to credit report under section 18H.
(1D) For the purposes of paragraph (1)(gb),
basic transaction information is any one or more of the following:
(a) the account balance;
(b) the amount of available credit in
relation to the account;
(c) the minimum payment (if any) due
on the account;
(d) information relating to
transactions on the account by the other person.
(2) A credit provider that intentionally
contravenes subsection (1) is guilty of an offence punishable, on
conviction, by a fine not exceeding $150,000.
(3) A credit provider that is or has been in
possession or control of a credit report, or a report containing personal
information derived from a credit report, must not:
(a) disclose the report to another
person unless all personal information concerning individuals that is not
information of a kind referred to in subsection 18E(1) has been deleted
from the report; or
(b) disclose to another person any
personal information derived from the report if the information is not
information of a kind referred to in subsection 18E(1).
(4) References in subsection (3) to
information that is not information of a kind referred to in subsection 18E(1)
do not include references to information the disclosure of which is taken,
because of the application of subsection 18K(3), not to be in
contravention of subsection 18K(2).
(5) The Commissioner may determine, in
writing, the manner in which a report or personal information derived from a
report may, under subsection (1), be disclosed (including the manner in
which an individual’s agreement may be obtained for the purposes of paragraph (1)(b)).
(6) Where the Commissioner so determines, a
report or information that is disclosed in a manner contrary to the
determination is to be taken, except for the purposes of subsection (2),
to have been disclosed contrary to subsection (1).
(7) A determination is to be made by notice
published in the Gazette.
(8) A notice so published is a disallowable
instrument for the purposes of section 46A of the Acts Interpretation
Act 1901.
(9) In this section, unless the contrary
intention appears:
report means:
(a) a credit report; or
(b) subject to subsection (10),
any other record or information, whether in a written, oral or other form, that
has any bearing on an individual’s credit worthiness, credit standing, credit
history or credit capacity;
but does not include a credit report or any other record
or information in which the only personal information relating to individuals
is publicly available information.
(10) For the purposes of the application of
this section to a credit provider that is not a corporation, a record or
information (other than a credit report) is not taken to be a report for the
purposes of this section unless it is being or has been prepared by or for a
corporation.
18NA
Disclosure by credit providers to certain persons who gave indemnities
In respect of a disclosure by a credit
provider of a report or information to a person who, on or after 7 December
1992 and before the commencement of this section, gave an indemnity against the
default of a borrower in making a payment in respect of a loan given by the
credit provider, subparagraph 18N(1)(bg)(ii) has effect as if the
reference in sub‑subparagraph 18N(1)(bg)(ii)(A) to the commencement of
paragraph 18N(1)(bg) were a reference to the commencement of this section.
18P
Limits on use or disclosure by mortgage insurers or trade insurers of personal
information contained in credit reports
(1) A mortgage insurer that is or has been in
possession or control of a credit report must not use the report or any
personal information derived from the report for any purpose other than:
(a) assessing whether to provide
insurance to, or the risk of providing insurance to, a credit provider in
respect of mortgage credit given by the credit provider to the individual
concerned or applied for by the individual concerned to the credit provider; or
(b) assessing the risk of the
individual concerned defaulting on mortgage credit in respect of which the
mortgage insurer has provided insurance to a credit provider; or
(ba) assessing the risk of the
individual concerned being unable to meet a liability that might arise under a
guarantee entered into, or proposed to be entered into, in respect of mortgage
credit given by the credit provider to another person; or
(c) any purpose arising under the
contract for mortgage insurance that has been entered into between a credit
provider and the mortgage insurer;
unless use of the report or information for that other
purpose is required or authorised by or under law.
(2) A trade insurer that is or has been in
possession or control of a credit report must not use the report or any
personal information derived from the report for any purpose other than
assessing:
(a) whether to provide insurance to,
or the risk of providing insurance to, a credit provider in respect of
commercial credit given by the credit provider to another person; or
(b) the risk of a person defaulting on
commercial credit in respect of which the trade insurer has provided insurance
to a credit provider;
unless use of the report or information for that other
purpose is required or authorised by or under law.
(3) A mortgage
insurer or trade insurer that is or has been in possession or control of a
credit report must not:
(a) use the report unless all personal
information concerning individuals that is not information of a kind referred
to in subsection 18E(1) has been deleted from the report; or
(b) use any personal information
derived from the report if the information is not information of a kind
referred to in subsection 18E(1).
(4) References in subsection (3) to
information that is not information of a kind referred to in subsection 18E(1)
do not include references to information the disclosure of which is taken,
because of the application of subsection 18K(3), not to be in
contravention of subsection 18K(2).
(5) A mortgage insurer or trade insurer that
is or has been in possession or control of a credit report must not disclose
the report or any personal information derived from the report to another
person for any purpose unless disclosure of the report or information to that
other person for that purpose is required or authorised by or under law.
(6) A mortgage insurer or trade insurer that
knowingly or recklessly contravenes subsection (1), (2) or (5) is guilty
of an offence punishable, on conviction, by a fine not exceeding $150,000.
(7) A reference in this section (other than subsection (3))
to a credit report is taken to include a reference to a report or information
disclosed to a mortgage insurer under paragraph 18N(1)(bb).
18Q
Limits on use by certain persons of personal information obtained from credit
providers
(1) A corporation that has obtained a report
or information under paragraph 18N(1)(d) must not:
(a) use the report or information, or
any personal information derived from the report or information, otherwise than
for a purpose for which, or in circumstances under which, a credit provider
would be permitted under section 18L to use the report or information; or
(b) disclose the report or
information, or any personal information derived from the report or
information, to another person otherwise than for a purpose for which, or in
circumstances under which, a credit provider would be permitted under section 18N
to disclose the report or information to another person.
(2) A corporation that has obtained a report
or information under paragraph 18N(1)(e) must not use the report or
information, or any personal information derived from the report or
information, for any purpose other than:
(a) for use in the process of
considering whether to:
(i) accept an assignment
of a debt owed to the credit provider from whom the report or information was
obtained; or
(ii) accept a debt owed to
the credit provider as security for a loan to the credit provider; or
(iii) purchase an interest
in the credit provider (including, where the credit provider is a corporation,
a corporation that is related to the credit provider); or
(b) for use in connection with
exercising rights arising from any acceptance or purchase of a kind referred to
in paragraph (a).
(3) A professional legal adviser or
professional financial adviser of a corporation who has obtained a report or
information under paragraph 18N(1)(e) must not use the report or
information, or any personal information derived from the report or
information, for any purpose other than use by the person, in his or her
capacity as such a professional legal or financial adviser, in connection with
advising the corporation:
(a) whether to accept an assignment of
a debt owed to the credit provider from whom the report or information was
obtained; or
(b) whether to accept a debt owed to
the credit provider as a security for a loan to the credit provider; or
(c) whether to purchase an interest in
the credit provider (including, in a case where the credit provider is a
corporation, a corporation that is related to the credit provider);
(d) in connection with exercising
rights arising from any acceptance or purchase of a kind referred to in paragraph (a),
(b) or (c);
unless use of the report or information, or the
information so derived, is required or authorised by or under law.
(4) A person who has obtained a report or
information under paragraph 18N(1)(f) must not use the report or
information, or any personal information derived from the report or
information, for any purpose other than use by the person in managing loans
made by the credit provider from whom the person obtained the report or
information, unless use of the report or information, or the information so
derived, for that other purpose is required or authorised by or under law.
(5) A person who has obtained a report or
information under paragraph 18N(1)(e) or (f) must not disclose the report
or information, or any personal information derived from the report or
information, to another person unless disclosure of the report or information,
or the information so derived, is required or authorised by or under law.
(6) If:
(a) a person was, because of the
application of subsection 11B(4B), a credit provider in relation to a
loan; and
(b) the person has ceased to be such a
credit provider in relation to the loan; and
(c) the person had, while such a
credit provider in relation to the loan, obtained possession or control of a
credit report;
the person must not use the report, or any personal
information derived from the report, otherwise than for a purpose for which, or
in circumstances under which, a credit provider would be permitted under
section 18L to use the report or information.
(7) Subject to
subsection (7A), if:
(a) a person was, because of the
application of subsection 11B(4B), a credit provider in relation to a
loan; and
(b) the person has ceased to be such a
credit provider in relation to the loan; and
(c) the person had, while such a
credit provider in relation to the loan, obtained possession or control of a
report (within the meaning of subsection 18N(9));
the person must not disclose the report, or any personal
information derived from the report, to another person otherwise than for the
purposes for which, or in circumstances under which, a credit provider would be
permitted under section 18N to disclose the report or information to
another person.
(7A) For the purposes of the application of subsection (7)
to a person other than a corporation, a record or information (other than a
credit report) is not taken to be a report for the purposes of that subsection
unless it is being or has been prepared by or for a corporation.
(8) In spite of anything in this section to
the contrary, this section does not impose any obligations on a person in
relation to a report or information obtained under paragraph 18N(1)(e) or
(f), or in relation to any personal information derived from such a report or
information, unless:
(a) the person is a corporation; or
(b) the credit provider from whom the
person obtained the report or information is a corporation.
(9) A person who intentionally contravenes
this section is guilty of an offence punishable, on conviction, by a fine not
exceeding $30,000.
18R
False or misleading credit reports
(1) A credit reporting agency or credit
provider must not give to any other person or body (whether or not the other
person or body is a credit reporting agency or credit provider) a credit report
that contains false or misleading information.
(2) A credit reporting agency or credit
provider that intentionally contravenes subsection (1) is guilty of an
offence punishable, on conviction, by a fine not exceeding $75,000.
18S
Unauthorised access to credit information files or credit reports
(1) A person must not obtain access to an
individual’s credit information file in the possession or control of a credit
reporting agency unless the access is authorised by this Act.
(2) A person must not obtain access to a
credit report in the possession or control of a credit provider or credit
reporting agency unless:
(a) the person is given the report in
accordance with this Act; or
(b) the access is otherwise authorised
by this Act.
(3) A person who intentionally contravenes
this section is guilty of an offence punishable, on conviction, by a fine not
exceeding $30,000.
18T
Obtaining access to credit information files or credit reports by false
pretences
(1) A person must not, by a false pretence,
obtain access to an individual’s credit information file in the possession or
control of a credit reporting agency.
Penalty: $30,000.
(2) A person must not, by a false pretence,
obtain access to a credit report in the possession or control of a credit
provider or credit reporting agency.
Penalty: $30,000.
18U
Application of section 4B of Crimes Act
Subsection 4B(3) of the Crimes
Act 1914 does not apply in relation to an offence against subsection 18K(4),
18L(2), 18N(2) or 18R(2) or section 18P.
18V
Application of this Part
(1) Subject to this section, this Part applies
in relation to any credit information file, any credit report or any report of
a kind referred to in section 18N, in existence on or after the
commencement of this section, whether or not it was in existence before that
commencement.
(2) Paragraph 18E(8)(c) does not apply in
relation to information acquired by a credit provider before 25 February
1992.
(3) Section 18F applies in relation to
personal information that was, immediately before 25 February 1992,
contained in an individual’s credit information file as if the references to
the days mentioned in the paragraphs of subsection 18F(2) were all
references to 25 February 1992.
Part IV—Functions of the
Information Commissioner
Division 2—Functions of Commissioner
27
Functions of Commissioner in relation to interferences with privacy
(1) Subject to this Part, the Commissioner
has the following functions:
(a) to investigate an act or practice
of an agency that may breach an Information Privacy Principle and, where the
Commissioner considers it appropriate to do so, to endeavour, by conciliation,
to effect a settlement of the matters that gave rise to the investigation;
(aa) to approve privacy codes and
variations of approved privacy codes and to revoke those approvals;
(ab) subject to Part V—to
investigate an act or practice of an organisation that may be an interference
with the privacy of an individual because of section 13A and, if the
Commissioner considers it appropriate to do so, to attempt, by conciliation, to
effect a settlement of the matters that gave rise to the investigation;
(ac) to perform functions, and exercise
powers, conferred on an adjudicator by an approved privacy code under which the
Commissioner has been appointed as an independent adjudicator to whom
complaints may be made;
(ad) to review the operation of approved
privacy codes under section 18BH;
(ae) on application under section 18BI
for review of the determination of an adjudicator (other than the Commissioner)
in relation to a complaint—to deal with the complaint in accordance with that
section;
(b) to examine (with or without a
request from a Minister or a Norfolk Island Minister) a proposed enactment that
would require or authorise acts or practices of an agency or organisation that
might, in the absence of the enactment, be interferences with the privacy of
individuals or which may otherwise have any adverse effects on the privacy of
individuals and to ensure that any adverse effects of such proposed enactment
on the privacy of individuals are minimised;
(c) to undertake research into, and to
monitor developments in, data processing and computer technology (including
data‑matching and data‑linkage) to ensure that any adverse effects of such
developments on the privacy of individuals are minimised, and to report to the
Minister the results of such research and monitoring;
(d) to promote an understanding and
acceptance of the Information Privacy Principles and of the objects of those
Principles and of the National Privacy Principles;
(e) to prepare, and to publish in such
manner as the Commissioner considers appropriate, guidelines for the avoidance
of acts or practices of an agency or an organisation that may or might be
interferences with the privacy of individuals or which may otherwise have any
adverse effects on the privacy of individuals;
(ea) to prepare, and to publish in the
way that the Commissioner considers appropriate, guidelines:
(i) to assist
organisations to develop privacy codes or to apply approved privacy codes; or
(ii) relating to making and
dealing with complaints under approved privacy codes; or
(iii) about matters the
Commissioner may consider in deciding whether to approve a privacy code or a
variation of an approved privacy code;
(f) to provide (on request or on the
Commissioner’s own initiative) advice to a Minister, a Norfolk Island Minister,
agency or organisation on any matter relevant to the operation of this Act;
(fa) to provide advice to an
adjudicator for an approved privacy code on any matter relevant to the
operation of this Act or the code, on request by the adjudicator;
(g) to maintain, and to publish
annually, a record (to be known as the Personal Information Digest) of the
matters set out in records maintained by record‑keepers in accordance with
clause 3 of Information Privacy Principle 5;
(h) to conduct audits of records of
personal information maintained by agencies for the purpose of ascertaining
whether the records are maintained according to the Information Privacy
Principles;
(ha) to conduct audits of particular
acts done, and particular practices engaged in, by agencies in relation to
personal information, if those acts and practices, and those agencies, are
prescribed by regulations made for the purposes of this paragraph;
(j) whenever the Commissioner thinks
it necessary, to inform the Minister of action that needs to be taken by an
agency in order to achieve compliance by the agency with the Information
Privacy Principles;
(k) to examine (with or without a
request from a Minister or a Norfolk Island Minister) a proposal for data
matching or data linkage that may involve an interference with the privacy of
individuals or which may otherwise have any adverse effects on the privacy of
individuals and to ensure that any adverse effects of such proposal on the
privacy of individuals are minimised;
(m) for the purpose of promoting the
protection of individual privacy, to undertake educational programs on the
Commissioner’s own behalf or in co‑operation with other persons or authorities
acting on behalf of the Commissioner;
(p) to issue guidelines under the Data‑matching
Program (Assistance and Tax) Act 1990;
(pa) to issue guidelines under section 135AA
of the National Health Act 1953;
(q) to monitor and report on the
adequacy of equipment and user safeguards;
(r) may, and if requested to do so,
shall make reports and recommendations to the Minister in relation to any
matter that concerns the need for or the desirability of legislative or
administrative action in the interests of the privacy of individuals;
(s) to do anything incidental or
conducive to the performance of any of the Commissioner’s other functions.
(1A) To avoid doubt, the Commissioner is not
subject to Part V in performing functions, and exercising powers,
conferred on an adjudicator by an approved privacy code under which the
Commissioner has been appointed as an independent adjudicator to whom
complaints may be made.
(2) The Commissioner has power to do all
things that are necessary or convenient to be done for or in connection with
the performance of his or her functions under subsection (1).
(3) Without limiting subsection (2), the
Commissioner may, at the request of an organisation, examine the records of
personal information maintained by the organisation, for the purpose of
ascertaining whether the records are maintained according to:
(a) an approved privacy code that
binds the organisation; or
(b) to the extent (if any) that the
organisation is not bound by an approved privacy code—the National Privacy
Principles.
27A
Functions of Commissioner in relation to healthcare identifiers
(1) In addition to the functions under
sections 27, 28, 28A and 28B, the Commissioner has the following functions
in relation to healthcare identifiers:
(a) to investigate an act or practice
that may be an interference with the privacy of an individual under subsection 29(1)
of the Healthcare Identifiers Act 2010 and, if the Commissioner
considers it appropriate to do so, to attempt by conciliation, to effect a
settlement of the matters that gave rise to the investigation;
(b) to do anything incidental or
conducive to the performance of that function.
(2) The Commissioner has power to do all
things that are necessary or convenient to be done for or in connection with
the performance of his or her functions under subsection (1).
(3) Section 38 (severability) of the Healthcare
Identifiers Act 2010 applies to this section in the same way as it applies
to Parts 3 and 4 of that Act.
28
Functions of Commissioner in relation to tax file numbers
(1) In addition to the functions under
sections 27, 27A, 28A and 28B, the Commissioner has the following
functions in relation to tax file numbers:
(a) to issue guidelines under section 17;
(b) to investigate acts or practices
of file number recipients that may breach guidelines issued under section 17;
(c) to investigate acts or practices
that may involve unauthorised requests or requirements for the disclosure of
tax file numbers;
(d) to examine the records of the
Commissioner of Taxation to ensure that:
(i) he or she is not using
tax file number information for purposes beyond his or her powers; and
(ii) he or she is taking
adequate measures to prevent the unlawful disclosure of the tax file number
information that he or she holds;
(e) to conduct audits of records of
tax file number information maintained by file number recipients for the
purpose of ascertaining whether the records are maintained according to any
relevant guidelines issued under section 17;
(f) to evaluate compliance with
guidelines issued under section 17;
(g) to provide advice (with or without
a request) to file number recipients on their obligations under the Taxation
Administration Act 1953 with regard to the confidentiality of tax file
number information and on any matter relevant to the operation of this Act;
(h) to monitor the security and
accuracy of tax file number information kept by file number recipients;
(j) to do anything incidental or
conducive to the performance of any of the preceding functions.
(2) The Commissioner has power to do all
things that are necessary or convenient to be done for or in connection with
the performance of his or her functions under subsection (1).
28A
Functions of Commissioner in relation to credit reporting
(1) In addition to the functions under
sections 27, 27A, 28 and 28B, the Commissioner has the following functions
in relation to credit reporting:
(a) to develop the Code of Conduct in
consultation with government, commercial, consumer and other relevant bodies
and organisations;
(b) to investigate an act or practice
of a credit reporting agency or credit provider that may constitute a credit
reporting infringement and, where the Commissioner considers it appropriate to
do so, to endeavour, by conciliation, to effect a settlement of the matters
that gave rise to the investigation;
(c) to promote an understanding and
acceptance of:
(i) the Code of Conduct
and the provisions of Part IIIA; and
(ii) the objects of those
provisions;
(d) to make such determinations as the
Commissioner is empowered to make under section 11B or Part IIIA; and
(e) to prepare, and to publish in such
manner as the Commissioner considers appropriate, guidelines for the avoidance
of acts or practices of a credit reporting agency or credit provider that may
or might be interferences with the privacy of individuals;
(f) to provide advice (with or
without a request) to a Minister, a credit reporting agency or a credit
provider on any matter relevant to the operation of this Act;
(g) to conduct audits of credit
information files maintained by credit reporting agencies, and credit reports
in the possession, or under the control, of credit providers or credit
reporting agencies, for the purpose of ascertaining whether the files or
reports are maintained in accordance with the Code of Conduct and the
provisions of Part IIIA;
(h) to monitor the security and
accuracy of personal information contained in credit information files
maintained by credit reporting agencies and in credit reports in the possession,
or under the control, of credit providers or credit reporting agencies;
(j) to examine the records of credit
reporting agencies and credit providers to ensure that:
(i) credit reporting
agencies and credit providers are not using personal information contained in
credit information files and credit reports for unauthorised purposes; and
(ii) credit reporting
agencies and credit providers are taking adequate measures to prevent the
unlawful disclosure of personal information contained in credit information
files and credit reports;
(k) for the purpose of promoting the
protection of individual privacy, to undertake educational programs on the
Commissioner’s own behalf or in co‑operation with other persons or authorities
on the Commissioner’s behalf;
(m) to do anything incidental or
conducive to the performance of any of the preceding functions.
(2) The Commissioner has power to do all
things that are necessary or convenient to be done for or in connection with
the performance of his or her functions under subsection (1).
28B
Functions of Commissioner in relation to personal property securities
(1) In addition to the functions under
sections 27, 27A, 28 and 28A, the Commissioner has the following functions
in relation to personal property securities:
(a) to investigate an act or practice
that may be an interference with the privacy of an individual under subsection 157(4)
or 173(2) of the Personal Property Securities Act 2009 and, if the
Commissioner considers it appropriate to do so, to attempt by conciliation, to
effect a settlement of the matters that gave rise to the investigation;
(b) to do anything incidental or
conducive to the performance of that function.
(2) The Commissioner has power to do all
things that are necessary or convenient to be done for or in connection with
the performance of his or her functions under subsection (1).
29
Commissioner to have regard to certain matters
In the performance of his or her
functions, and the exercise of his or her powers, under this Act, the Commissioner
shall:
(a) have due regard for the protection
of important human rights and social interests that compete with privacy,
including the general desirability of a free flow of information (through the
media and otherwise) and the recognition of the right of government and
business to achieve their objectives in an efficient way;
(b) take
account of:
(i) international
obligations accepted by Australia, including those concerning the international
technology of communications; and
(ii) developing general
international guidelines relevant to the better protection of individual
privacy;
(c) ensure that his or her
recommendations and guidelines are, within the limitations of the powers of the
Commonwealth, capable of acceptance, adaptation and extension throughout Australia; and
(d) ensure that his or her directions
and guidelines are consistent with whichever of the following (if any) are
relevant:
(i) the Information
Privacy Principles;
(ii) the National Privacy
Principles;
(iii) the Code of Conduct
and Part IIIA.
Division 3—Reports by
Commissioner
30
Reports following investigation of act or practice
(1) Where the Commissioner has investigated
an act or practice without a complaint having been made under section 36,
the Commissioner may report to the Minister about the act or practice, and
shall do so:
(a) if so directed by the Minister; or
(b) if the Commissioner:
(i) thinks that the act or
practice is an interference with the privacy of an individual; and
(ii) has not considered it
appropriate to endeavour to effect a settlement of the matters that gave rise
to the investigation or has endeavoured without success to effect such a
settlement.
(2) Where the Commissioner reports under subsection (1)
about an act done in accordance with a practice, the Commissioner shall also
report to the Minister about the practice.
(3) Where, after an investigation under
paragraph 27(1)(a), 28(1)(b) or (c) or 28A(1)(b) of an act or practice of
an agency, file number recipient, credit reporting agency or credit provider,
the Commissioner is required by virtue of paragraph (1)(b) of this section
to report to the Minister about the act or practice, the Commissioner:
(a) shall set out in the report his or
her findings and the reasons for those findings;
(b) may include in the report any
recommendations by the Commissioner for preventing a repetition of the act or a
continuation of the practice;
(c) may include in the report any
recommendation by the Commissioner for either or both of the following:
(i) the payment of
compensation in respect of a person who has suffered loss or damage as a result
of the act or practice;
(ii) the taking of other
action to remedy or reduce loss or damage suffered by a person as a result of
the act or practice;
(d) shall serve a copy of the report
on the agency, file number recipient, credit reporting agency or credit
provider concerned and the Minister (if any) or Norfolk Island Minister (if
any) responsible for the agency, recipient, credit reporting agency or credit
provider; and
(e) may serve a copy of the report on
any person affected by the act or practice.
(4) Where, at the end of 60 days after a copy
of a report about an act or practice of an agency, file number recipient,
credit reporting agency or credit provider was served under subsection (3),
the Commissioner:
(a) still thinks that the act or
practice is an interference with the privacy of an individual; and
(b) is not satisfied that reasonable
steps have been taken to prevent a repetition of the act or a continuation of
the practice;
the Commissioner shall give to the Minister a further
report that:
(c) incorporates the first‑mentioned
report and any document that the Commissioner has received, in response to the
first‑mentioned report, from the agency, file number recipient, credit
reporting agency or credit provider;
(d) states whether, to the knowledge
of the Commissioner, any action has been taken as a result of the findings, and
recommendations (if any), set out in the first‑mentioned report and, if so, the
nature of that action; and
(e) states why the Commissioner is not
satisfied that reasonable steps have been taken to prevent a repetition of the
act or a continuation of the practice;
and shall serve a copy of the report on the Minister (if
any) or Norfolk Island Minister (if any) responsible for the agency, recipient,
credit reporting agency or credit provider.
(5) The Minister shall cause a copy of a
report given to the Minister under subsection (4) to be laid before each
House of the Parliament within 15 sitting days of that House after the report
is received by the Minister.
(6) This section does not apply to:
(a) a complaint made under section 36
in relation to an act or practice of an organisation; or
(b) a complaint the Commissioner
accepts under subsection 40(1B).
31
Report following examination of proposed enactment
(1) Where the Commissioner has examined a
proposed enactment under paragraph 27(1)(b), subsections (2) and (3)
of this section have effect.
(2) If the Commissioner thinks that the
proposed enactment would require or authorise acts or practices of an agency or
organisation that would be interferences with the privacy of individuals, the
Commissioner shall:
(a) report to the Minister about the
proposed enactment; and
(b) include in the report any
recommendations he or she wishes to make for amendment of the proposed enactment
to ensure that it would not require or authorise such acts or practices.
(3) Otherwise, the Commissioner may report to
the Minister about the proposed enactment, and shall do so if so directed by
the Minister.
(4) Where the Commissioner is of the belief
that it is in the public interest that the proposed enactment should be the
subject of a further report, the Commissioner may give to the Minister a
further report setting out the Commissioner’s reasons for so doing.
(5) The Minister shall cause a copy of a
report given under subsection (4) to be laid before each House of the
Parliament as soon as practicable, and no later than 15 sitting days of that
House, after the report is received by the Minister.
32
Report following monitoring of certain activities
(1) Where the Commissioner, in the
performance of the function referred to in paragraph 27(1)(c), (h), (ha), (j),
(k), (m) or (r), 28(1)(e), (f) or (h) or 28A(1)(g), (h), (j) or (k), has
monitored an activity or conducted an audit, the Commissioner may report to the
Minister about that activity or audit, and shall do so if so directed by the
Minister.
(2) Where the Commissioner is of the belief
that it is in the public interest that the activity should be the subject of a
further report, the Commissioner may give to the Minister a further report
setting out the Commissioner’s reasons for so doing.
(3) The Minister shall cause a copy of a
report given under subsection (2) to be laid before each House of the
Parliament as soon as practicable, and no later than 15 sitting days of that
House, after the report is received by the Minister.
33
Exclusion of certain matters from reports
(1) In setting out findings, opinions and
reasons in a report to be given under section 30, 31 or 32, the
Commissioner may exclude a matter if the Commissioner considers it desirable to
do so having regard to the obligations of the Commissioner under subsections (2)
and (3).
(2) In deciding under subsection (1)
whether or not to exclude matter from a report, the Commissioner shall have
regard to the need to prevent:
(a) prejudice to the security, defence
or international relations of Australia;
(b) prejudice to relations between the
Commonwealth Government and the Government of a State or between the Government
of a State and the Government of another State;
(c) the disclosure of deliberations or
decisions of the Cabinet, or of a Committee of the Cabinet, of the Commonwealth
or of a State;
(d) the disclosure of deliberations or
advice of the Federal Executive Council or the Executive Council of a State;
(da) the disclosure of the deliberations
or decisions of the Australian Capital Territory Executive or of a committee of
that Executive;
(e) the disclosure, or the
ascertaining by a person, of the existence or identity of a confidential source
of information in relation to the enforcement of the criminal law;
(f) the
endangering of the life or safety of any person;
(g) prejudice to the proper
enforcement of the law or the protection of public safety;
(h) the disclosure of information the
disclosure of which is prohibited, absolutely or subject to qualifications, by
or under another enactment;
(j) the unreasonable disclosure of
the personal affairs of any person; and
(k) the unreasonable disclosure of
confidential commercial information.
(3) The Commissioner shall try to achieve an
appropriate balance between meeting the need referred to in subsection (2)
and the desirability of ensuring that interested persons are sufficiently
informed of the results of the Commissioner’s investigation, examination or
monitoring.
(4) Where the Commissioner excludes a matter
from a report, he or she shall give to the Minister a report setting out the
excluded matter and his or her reasons for excluding the matter.
Norfolk Island
(5) In this section:
State includes Norfolk Island.
33B
Copies of certain reports to be given to the Norfolk Island Justice Minister
(1) If:
(a) the Commissioner gives a report to
the Minister under section 30, 31 or 32; and
(b) the report relates to a Norfolk
Island matter;
the Commissioner must, at the same time, give a copy of
the report to the Norfolk Island Justice Minister.
(2) For the purposes of this section, a
report relates to a Norfolk Island matter if:
(a) in the case of a report under
section 30—the report relates to an act or practice of a Norfolk Island
agency; or
(b) in the case of a report under
section 31—the report relates to a proposed Norfolk Island enactment; or
(c) in the case of a report under
section 32—the report relates to an activity or audit of a Norfolk Island
agency.
Division 4—Miscellaneous
34
Provisions relating to documents exempt under the Freedom of Information Act
1982
(1) The Commissioner shall not, in connection
with the performance of the functions referred to in section 27, give to a
person information as to the existence or non‑existence of a document where
information as to the existence or non‑existence of that document would, if
included in a document of an agency, cause the last‑mentioned document to be:
(a) an exempt document by virtue of
section 33 or subsection 37(1) or 45A(1) of the Freedom of
Information Act 1982; or
(b) an exempt document to the extent
referred to in subsection 45A(2) or (3) of that Act.
(2) The Commissioner shall not, in connection
with the performance of the functions referred to in section 27, give to a
person information:
(a) about the contents of a document
of an agency, or the contents of an official document of a Minister or a
Norfolk Island Minister, being a document that is an exempt document; or
(b) about exempt matter contained in a
document of an agency or in an official document of a Minister or a Norfolk
Island Minister.
(3) An expression used in this section and in
the Freedom of Information Act 1982 has the same meaning in this section
as in that Act.
35
Direction where refusal or failure to amend exempt document
(1) Where:
(a) an application made under
subsection 55(1) of the Freedom of Information Act 1982 for review
of a decision under that Act refusing access to a document has been finally
determined or otherwise disposed of;
(b) the period within which an appeal
may be made to the Federal Court has expired or, if such an appeal has been
instituted, the appeal has been determined;
(c) the effect of the review and any
appeal is that access is not to be given to the document;
(d) the applicant has requested the
agency concerned to amend the document;
(e) the applicant has complained to
the Commissioner under this Act about the refusal or failure of the agency to
amend the document;
(f) the Commissioner has, as a result
of the complaint, recommended under subsection 30(3) of this Act that the
agency amend the document, or amend a part of the document, to which the
applicant has been refused access; and
(g) as at the end of 60 days after a
copy of the report containing the recommendation was served on the agency, the
Commissioner:
(i) still thinks that the
agency should amend the document in a particular manner; and
(ii) is not satisfied that
the agency has amended the document in that manner;
the Commissioner may direct the agency to add to the
document an appropriate notation setting out particulars of the amendments of
the document that the Commissioner thinks should be made.
(2) An agency shall comply with a direction
given in accordance with subsection (1).
(3) In subsection (1), amend,
in relation to a document, means amend by making a correction, deletion or
addition.
(4) An expression used in this section and in
the Freedom of Information Act 1982 has the same meaning in this section
as in that Act.
Part V—Investigations
Division 1—Investigation of complaints and investigations on the
Commissioner’s initiative
36
Complaints
(1) Subject to subsection (1A), an
individual may complain to the Commissioner about an act or practice that may
be an interference with the privacy of the individual.
(1A) Subsection (1) does not apply to a
complaint by an individual about an act or practice of an organisation that is
bound by an approved privacy code that:
(a) contains a procedure for making
and dealing with complaints to an adjudicator in relation to acts or practices
that may be an interference with the privacy of an individual; and
(b) is relevant to the act or practice
complained of.
(1B) Subsection (1A) does not prevent an
individual from making a complaint under an approved privacy code to the
adjudicator for the code if the adjudicator is the Commissioner.
(1C) Subsection (1A) does not prevent an
individual from complaining under this Part to the Commissioner about an act
done, or practice engaged in, by an organisation purportedly for the purpose of
meeting (directly or indirectly) an obligation under a Commonwealth contract
(whether or not the organisation is a party to the contract).
Note: Section 40A requires an adjudicator for
an approved privacy code to refer a code complaint to the Commissioner if the
complaint is about an act or practice of a contracted service provider for a
Commonwealth contract.
(2) In the case of an act or practice that may
be an interference with the privacy of 2 or more individuals, any one of those
individuals may make a complaint under subsection (1) on behalf of all of
the individuals.
(2A) In the case of a representative complaint,
this section has effect subject to section 38.
(3) A complaint shall be in writing.
(4) It is the duty of:
(a) members of the staff of the
Commissioner; and
(b) members of the staff of the
Ombudsman who have had powers of the Commissioner delegated to them under
section 99;
to provide appropriate assistance to a person who wishes
to make a complaint and requires assistance to formulate the complaint.
(5) The complaint shall specify the
respondent to the complaint.
(6) In the case of a complaint about an act
or practice of an agency:
(a) if the agency is an individual or
a body corporate, the agency shall be the respondent; and
(b) if the agency is an unincorporated
body, the principal executive of the agency shall be the respondent.
(7) In the case of a complaint about an act
or practice of an organisation, the organisation is the respondent.
Note: Section 70A contains further rules about
how this Part operates in relation to respondent organisations that are not
legal persons.
(8) The respondent to a complaint about an
act or practice described in one of paragraphs 13(b) to (d) (inclusive), other
than an act or practice of an agency or organisation, is the person who engaged
in the act or practice.
37
Principal executive of agency
The
principal executive of an agency of a kind specified in column 1 of an item in
the following table is the person specified in column 2 of the item:
Item
|
Column 1
Agency
|
Column 2
Principal executive
|
1
|
Department
|
The Secretary of the Department
|
2
|
An unincorporated body, or a tribunal, referred to in paragraph (c)
of the definition of agency in subsection 6(1)
|
The chief executive officer of the body or tribunal
|
3
|
A body referred to in paragraph (d) of the definition
of agency in subsection 6(1)
|
The chief executive officer of the body
|
4
|
A federal court
|
The registrar or principal registrar of the court or the
person occupying an equivalent office
|
5
|
The Australian Federal Police
|
The Commissioner of Police
|
5A
|
A public sector agency (within the meaning of the Public
Sector Management Act 2000 of Norfolk Island)
|
The Chief Executive Officer (within the meaning of the Public
Sector Management Act 2000 of Norfolk Island)
|
5B
|
An unincorporated body, or a tribunal, referred to in paragraph (c)
of the definition of Norfolk Island agency in subsection 6(1)
|
The Chief Executive Officer (within the meaning of the Public
Sector Management Act 2000 of Norfolk Island)
|
5C
|
A body referred to in paragraph (d) of the definition
of Norfolk Island agency in subsection 6(1)
|
The Chief Executive Officer (within the meaning of the Public
Sector Management Act 2000 of Norfolk Island)
|
5D
|
A court of Norfolk Island
|
The registrar or principal registrar of the court or the
person occupying an equivalent office
|
6
|
An eligible case manager that is an individual
|
The individual
|
7
|
An eligible case manager that is not an individual
|
The individual primarily responsible for the management of
the eligible case manager
|
8
|
The nominated AGHS company
|
The chief executive officer of the company
|
9
|
An eligible hearing service provider that is an individual
|
The individual
|
10
|
An eligible hearing service
provider that is not an individual
|
The individual primarily
responsible for the management of the eligible hearing service provider
|
38
Conditions for making a representative complaint
(1) A
representative complaint may be lodged under section 36 or accepted under
subsection 40(1B) only if:
(a) the class members have complaints
against the same person; and
(b) all the complaints are in respect
of, or arise out of, the same, similar or related circumstances; and
(c) all the complaints give rise to a
substantial common issue of law or fact.
(2) A representative complaint made under
section 36 or accepted under subsection 40(1B) must:
(a) describe or otherwise identify the
class members; and
(b) specify the nature of the
complaints made on behalf of the class members; and
(c) specify the nature of the relief
sought; and
(d) specify the questions of law or
fact that are common to the complaints of the class members.
In describing or otherwise identifying the class members,
it is not necessary to name them or specify how many there are.
(3) A representative complaint may be lodged
without the consent of class members.
38A
Commissioner may determine that a complaint is not to continue as a
representative complaint
(1) The Commissioner may, on application by
the respondent or on his or her own initiative, determine that a complaint
should no longer continue as a representative complaint.
(2) The Commissioner may only make such a
determination if the Commissioner is satisfied that it is in the interests of
justice to do so for any of the following reasons:
(a) the costs that would be incurred
if the complaint were to continue as a representative complaint are likely to
exceed the costs that would be incurred if each class member lodged a separate
complaint;
(b) the representative complaint will
not provide an efficient and effective means of dealing with the complaints of
the class members;
(c) the complaint was not brought in
good faith as a representative complaint;
(d) it is otherwise inappropriate that
the complaints be pursued by means of a representative complaint.
(3) If the Commissioner makes such a determination:
(a) the complaint may be continued as
a complaint by the complainant on his or her own behalf against the respondent;
and
(b) on the application of a person who
was a class member for the purposes of the former representative complaint, the
Commissioner may join that person as a complainant to the complaint as
continued under paragraph (a).
38B
Additional rules applying to the determination of representative complaints
(1) The Commissioner may, on application by a
class member, replace the complainant with another class member, where it
appears to the Commissioner that the complainant is not able adequately to
represent the interests of the class members.
(2) A class member may, by notice in writing
to the Commissioner, withdraw from a representative complaint at any time
before the Commissioner begins to hold an inquiry into the complaint.
(3) The Commissioner may at any stage direct
that notice of any matter be given to a class member or class members.
38C
Amendment of representative complaints
If the Commissioner is satisfied that a
complaint could be dealt with as a representative complaint if the class of
persons on whose behalf the complaint is lodged is increased, reduced or
otherwise altered, the Commissioner may amend the complaint so that the
complaint can be dealt with as a representative complaint.
39
Class member for representative complaint not entitled to lodge individual
complaint
A person who is a class member for a
representative complaint is not entitled to lodge a complaint in respect of the
same subject matter.
40
Investigations
(1) Subject to subsection (1A), the
Commissioner shall investigate an act or practice if:
(a) the act or practice may be an
interference with the privacy of an individual; and
(b) a complaint about the act or
practice has been made under section 36.
(1A) The Commissioner must not investigate a
complaint if the complainant did not complain to the respondent before making
the complaint to the Commissioner under section 36. However, the Commissioner
may decide to investigate the complaint if he or she considers that it was not
appropriate for the complainant to complain to the respondent.
(1B) The Commissioner must investigate under
this Part a complaint about an act or practice of an organisation that is bound
by a relevant approved privacy code that contains a procedure for making and
dealing with complaints in relation to acts or practices that may be an
interference with the privacy of an individual if:
(a) the act or practice occurred after
the approval of the code came into effect; and
(b) the adjudicator for the code
refers the complaint to the Commissioner; and
(c) the Commissioner accepts the
complaint; and
(d) the Commissioner consults the
complainant before accepting the complaint.
(1C) If the Commissioner accepts a complaint
mentioned in subsection (1B), the Commissioner must deal with it as if it
were a complaint made under section 36 in relation to an act or practice
of the organisation.
(2) The Commissioner may investigate an act
or practice if:
(a) the act or practice may be an
interference with the privacy of an individual; and
(b) the Commissioner thinks it is
desirable that the act or practice be investigated.
(3) This section has effect subject to
section 41.
40A
Referring complaint about act under Commonwealth contract
(1) This section applies if:
(a) a complaint is made to an
adjudicator for an approved privacy code; and
(b) the adjudicator forms the view
that the complaint is about an act done or practice engaged in:
(i) by an organisation
that is a contracted service provider for a Commonwealth contract; and
(ii) for the purposes of
meeting (directly or indirectly) an obligation under the contract.
(2) Despite
the code, the adjudicator must:
(a) stop investigating the complaint
under the code (without making a determination under the code about the
complaint); and
(b) refer the complaint to the
Commissioner under subsection 40(1B) for investigation under this Part.
(3) The Commissioner must accept the
complaint under subsection 40(1B).
Note: This means that the Commissioner must
investigate the complaint (subject to section 41) as if the complaint had
been made to the Commissioner under section 36. See subsections 40(1B)
and (1C).
41
Circumstances in which Commissioner may decide not to investigate or may defer
investigation
(1) The Commissioner may decide not to
investigate, or not to investigate further, an act or practice about which a
complaint has been made under section 36, or which the Commissioner has
accepted under subsection 40(1B), if the Commissioner is satisfied that:
(a) the act or practice is not an
interference with the privacy of an individual;
(c) the complaint was made more than
12 months after the complainant became aware of the act or practice;
(d) the complaint is frivolous,
vexatious, misconceived or lacking in substance;
(e) the act or practice is the subject
of an application under another Commonwealth law, or a State or Territory law,
and the subject‑matter of the complaint has been, or is being, dealt with
adequately under that law; or
(f) another Commonwealth law, or a
State or Territory law, provides a more appropriate remedy for the act or
practice that is the subject of the complaint.
(2) The Commissioner may decide not to
investigate, or not to investigate further, an act or practice about which a
complaint has been made under section 36, or accepted by the Commissioner
under subsection 40(1B), if the Commissioner is satisfied that the
complainant has complained to the respondent about the act or practice and
either:
(a) the respondent has dealt, or is
dealing, adequately with the complaint; or
(b) the respondent has not yet had an
adequate opportunity to deal with the complaint.
(3) The Commissioner may defer the
investigation or further investigation of an act or practice about which a
complaint has been made under section 36, or accepted by the Commissioner
under subsection 40(1B), if:
(a) an application has been made by
the respondent for a determination under section 72 in relation to the act
or practice; and
(b) the Commissioner is satisfied that
the interests of persons affected by the act or practice would not be
unreasonably prejudiced if the investigation or further investigation were
deferred until the application had been disposed of.
42
Preliminary inquiries
Where a complaint has been made to the
Commissioner, or the Commissioner accepts a complaint under subsection 40(1B),
the Commissioner may, for the purpose of determining:
(a) whether the Commissioner has power
to investigate the matter to which the complaint relates; or
(b) whether the Commissioner may, in
his or her discretion, decide not to investigate the matter;
make inquiries of the respondent.
43
Conduct of investigations
(1) Before commencing an investigation of a
matter to which a complaint relates, the Commissioner shall inform the
respondent that the matter is to be investigated.
(1A) Before starting to investigate an act done,
or practice engaged in, by a contracted service provider for the purpose of
providing (directly or indirectly) a service to an agency under a Commonwealth
contract, the Commissioner must also inform the agency that the act or practice
is to be investigated.
Note: See subsection 6(9) about provision of
services to an agency.
(2) An investigation under this Division shall
be conducted in private but otherwise in such manner as the Commissioner thinks
fit.
(3) The Commissioner may, for the purposes of
an investigation, obtain information from such persons, and make such
inquiries, as he or she thinks fit.
(4) Subject to subsection (5), it is not
necessary for a complainant or respondent to be afforded an opportunity to
appear before the Commissioner in connection with an investigation under this
Division.
(5) The Commissioner shall not make a finding
under section 52 that is adverse to a complainant or respondent unless the
Commissioner has afforded the complainant or respondent an opportunity to
appear before the Commissioner and to make submissions, orally, in writing or
both, in relation to the matter to which the investigation relates.
(6) Where the Commissioner affords an agency,
organisation or person an opportunity to appear before the Commissioner under subsection (5),
the agency, organisation or person may, with the approval of the Commissioner,
be represented by another person.
(7) Where, in connection with an
investigation of a matter under this Division, the Commissioner proposes to
afford the complainant or respondent an opportunity to appear before the
Commissioner and to make submissions under subsection (5), or proposes to
make a requirement of a person under section 44, the Commissioner shall,
if he or she has not previously informed the responsible Minister (if any) or
Norfolk Island Minister (if any) that the matter is being investigated, inform
that Minister accordingly.
(8) The Commissioner may, either before or
after the completion of an investigation under this Division, discuss any
matter that is relevant to the investigation with a Minister or a Norfolk
Island Minister concerned with the matter.
(8A) Subsection (8) does not allow the
Commissioner to discuss a matter relevant to an investigation of a breach of an
approved privacy code or the National Privacy Principles with a Minister or a
Norfolk Island Minister, unless the investigation is of an act done, or
practice engaged in:
(a) by a contracted service provider
for a Commonwealth contract; and
(b) for the purpose of providing a
service to an agency to meet (directly or indirectly) an obligation under the
contract.
(9) Where the Commissioner forms the opinion,
either before or after completing an investigation under this Division, that
there is evidence that an officer of an agency has been guilty of a breach of
duty or of misconduct and that the evidence is, in all the circumstances, of
sufficient force to justify the Commissioner doing so, the Commissioner shall
bring the evidence to the notice of:
(a) an appropriate officer of an
agency; or
(b) if the Commissioner thinks that
there is no officer of an agency to whose notice the evidence may appropriately
be drawn—an appropriate Minister or Norfolk Island Minister.
44
Power to obtain information and documents
(1) If the Commissioner has reason to believe
that a person has information or a document relevant to an investigation under
this Division, the Commissioner may give to the person a written notice
requiring the person:
(a) to give the information to the
Commissioner in writing signed by the person or, in the case of a body
corporate, by an officer of the body corporate; or
(b) to produce the document to the
Commissioner.
(2) A notice given by the Commissioner under subsection (1)
shall state:
(a) the place at which the information
or document is to be given or produced to the Commissioner; and
(b) the time at which, or the period
within which, the information or document is to be given or produced.
(2A) If documents are produced to the
Commissioner in accordance with a requirement under subsection (1), the
Commissioner:
(a) may take possession of, and may
make copies of, or take extracts from, the documents; and
(b) may retain possession of the
documents for any period that is necessary for the purposes of the
investigation to which the documents relate; and
(c) during that period must permit a
person who would be entitled to inspect any one or more of the documents if
they were not in the Commissioner’s possession to inspect at all reasonable
times any of the documents that the person would be so entitled to inspect.
(3) If the Commissioner has reason to believe
that a person has information relevant to an investigation under this Division,
the Commissioner may give to the person a written notice requiring the person
to attend before the Commissioner at a time and place specified in the notice
to answer questions relevant to the investigation.
(4) This section is subject to sections 69
and 70 but it has effect regardless of any other enactment.
(5) A person is not liable to a penalty under
the provisions of any other enactment because he or she gives information,
produces a document or answers a question when required to do so under this
Division.
45
Power to examine witnesses
(1) The Commissioner may administer an oath
or affirmation to a person required under section 44 to attend before the
Commissioner and may examine such a person on oath or affirmation.
(2) The oath or affirmation to be taken or
made by a person for the purposes of this section is an oath or affirmation
that the answers the person will give will be true.
46
Directions to persons to attend compulsory conference
(1) For the purposes of performing the
Commissioner’s functions in relation to a complaint (except an NPP complaint or
a code complaint accepted under subsection 40(1B)), the Commissioner may,
by written notice, direct:
(a) the complainant;
(b) the respondent; and
(c) any other person who, in the
opinion of the Commissioner, is likely to be able to provide information
relevant to the matter to which the complaint relates or whose presence at the
conference is, in the opinion of the Commissioner, likely to assist in
connection with the performance of the Commissioner’s functions in relation to
the complaint;
to attend, at a time and place specified in the notice, a
conference presided over by the Commissioner.
(2) A person who has been directed to attend
a conference and who:
(a) fails to attend as required by the
direction; or
(b) fails to attend from day to day
unless excused, or released from further attendance, by the Commissioner;
is guilty of an offence punishable on conviction:
(c) in the case of an individual—by a
fine not exceeding $1,000 or imprisonment for a period not exceeding 6 months,
or both; or
(d) in the case of a body corporate—by
a fine not exceeding $5,000.
(2A) Subsection (2) does not apply if the
person has a reasonable excuse.
Note: A defendant bears an evidential burden in
relation to the matter in subsection (2A) (see subsection 13.3(3) of
the Criminal Code).
(3) A person who has been directed under subsection (1)
to attend a conference is entitled to be paid by the Commonwealth a reasonable
sum for the person’s attendance at the conference.
(4) The Commissioner may, in a notice given
to a person under subsection (1), require the person to produce such
documents at the conference as are specified in the notice.
47
Conduct of compulsory conference
(1) The Commissioner may require a person
attending a conference under this Division to produce a document.
(2) A conference under this Division shall be
held in private and shall be conducted in such manner as the Commissioner
thinks fit.
(3) A body of persons, whether corporate or
unincorporate, that is directed under section 46 to attend a conference
shall be deemed to attend if a member, officer or employee of that body attends
on behalf of that body.
(4) Except with the consent of the
Commissioner:
(a) an individual is not entitled to
be represented at the conference by another person; and
(b) a body of persons, whether
corporate or unincorporate, is not entitled to be represented at the conference
by a person other than a member, officer or employee of that body.
48
Complainant and certain other persons to be informed of various matters
(1) Where the Commissioner decides not to
investigate, or not to investigate further, a matter to which a complaint
relates, the Commissioner shall, as soon as practicable and in such manner as
the Commissioner thinks fit, inform the complainant and the respondent of the
decision and of the reasons for the decision.
(2) If the Commissioner decides not to
investigate (at all or further) an act done, or practice engaged in, by a
contracted service provider for the purpose of providing (directly or
indirectly) a service to an agency under a Commonwealth contract, the
Commissioner must also inform the agency of the decision.
Note: See subsection 6(9) about provision of
services to an agency.
49
Investigation under section 40 to cease if certain offences may have been
committed
(1) Where, in the course of an investigation
under section 40, the Commissioner forms the opinion that a tax file
number offence, a healthcare identifier offence, an AML/CTF verification
offence or a credit reporting offence may have been committed, the Commissioner
shall:
(a) inform the Commissioner of Police
or the Director of Public Prosecutions of that opinion;
(b) in the case of an investigation
under subsection 40(1), give a copy of the complaint to the Commissioner
of Police or the Director of Public Prosecutions, as the case may be; and
(c) subject to subsection (3),
discontinue the investigation except to the extent that it concerns matters
unconnected with the offence that the Commissioner believes may have been
committed.
(2) If, after having been informed of the
Commissioner’s opinion under paragraph (1)(a), the Commissioner of Police
or the Director of Public Prosecutions, as the case may be, decides that the
matter will not be, or will no longer be, the subject of proceedings for an
offence, he or she shall give a written notice to that effect to the
Commissioner.
(3) Upon receiving such a notice the
Commissioner may continue the investigation discontinued under paragraph (1)(c).
(4) In subsection (1):
AML/CTF verification offence (short for anti‑money
laundering and counter‑terrorism financing offence) means an offence
against section 35H, 35J or 35K of the Anti‑Money Laundering and
Counter‑Terrorism Financing Act 2006.
credit reporting offence means:
(a) an offence against subsection 18C(4),
18D(4), 18K(4), 18L(2), 18N(2), 18R(2) or 18S(3) or section 18T; or
(b) an offence against section 6
of the Crimes Act 1914, or section 11.1, 11.4 or 11.5 of the Criminal
Code, being an offence that relates to an offence referred to in paragraph (a)
of this definition.
tax file number offence means:
(a) an offence against section 8WA
or 8WB of the Taxation Administration Act 1953; or
(b) an offence against section 6
of the Crimes Act 1914, or section 11.1, 11.4 or 11.5 of the Criminal
Code, being an offence that relates to an offence referred to in paragraph (a)
of this definition.
49A
Investigation under section 40 to cease if civil penalty provision under Personal
Property Securities Act 2009 may have been contravened
(1) If, in the course of an investigation
under section 40, the Commissioner forms the opinion that subsection 172(3)
of the Personal Property Securities Act 2009 (civil penalty for
searching otherwise than for authorised purposes) may have been contravened,
the Commissioner must:
(a) inform the Registrar of Personal Property
Securities under the Personal Property Securities Act 2009 of that
opinion; and
(b) in the case of an investigation
under subsection 40(1), give a copy of the complaint to the Registrar of
Personal Property Securities; and
(c) discontinue the investigation
except to the extent that it concerns matters unconnected with the
contravention that the Commissioner believes may have taken place.
(2) The Registrar of Personal Property
Securities must notify the Commissioner in writing if, after having been
informed of the Commissioner’s opinion under paragraph (1)(a), the
Registrar decides:
(a) not to apply for an order under
section 222 of the Personal Property Securities Act 2009; or
(b) to discontinue a proceeding that
is an application for an order under section 222 of that Act.
(3) Upon receiving a notice under subsection (2),
the Commissioner may continue an investigation discontinued under paragraph (1)(c).
50
Reference of matters to other authorities
(1) In this section:
Australian Human Rights Commission includes a
person performing functions of that Commission.
Norfolk Island Public Service Board means the
Public Service Board established under the Public Sector Management Act 2000
of Norfolk Island.
Ombudsman means the Commonwealth Ombudsman.
(2) Where, before the Commissioner commences,
or after the Commissioner has commenced, to investigate a matter to which a
complaint relates, the Commissioner forms the opinion that:
(a) a complaint relating to that
matter has been, or could have been, made by the complainant:
(i) to the Australian
Human Rights Commission under Division 3 of Part II of the Australian
Human Rights Commission Act 1986; or
(ii) to the Ombudsman under
the Ombudsman Act 1976; or
(iia) to the Ombudsman under
a particular Norfolk Island enactment; or
(iii) to the Postal Industry
Ombudsman under the Ombudsman Act 1976; or
(iv) to the Overseas
Students Ombudsman under the Ombudsman Act 1976; or
(b) an application with respect to
that matter has been, or could have been, made by the complainant to the Australian
Public Service Commissioner under the Public Service Act 1999; or
(ba) an application with respect to that
matter has been, or could have been, made by the complainant to the Norfolk
Island Public Service Board under the Public Sector Management Act 2000
of Norfolk Island;
and that that matter could be more conveniently or
effectively dealt with by the Australian Human Rights Commission, the
Ombudsman, the Postal Industry Ombudsman, the Overseas Students Ombudsman or
the Australian Public Service Commissioner, as the case may be, the
Commissioner may decide not to investigate the matter, or not to investigate
the matter further, as the case may be, and, if the Commissioner so decides, he
or she shall:
(c) transfer the complaint to the Australian
Human Rights Commission, the Ombudsman, the Postal Industry Ombudsman, the
Overseas Students Ombudsman or the Australian Public Service Commissioner; and
(d) give notice in writing to the
complainant stating that the complaint has been so transferred; and
(e) give to the Australian Human
Rights Commission, the Ombudsman, the Postal Industry Ombudsman, the Overseas
Students Ombudsman or the Australian Public Service Commissioner any
information or documents that relate to the complaint and are in the
possession, or under the control, of the Commissioner.
(3) A
complaint transferred under subsection (2) shall be taken to be:
(a) a
complaint made:
(i) to the Australian
Human Rights Commission under Division 3 of Part II of the Australian
Human Rights Commission Act 1986; or
(ii) to the Ombudsman under
the Ombudsman Act 1976; or
(iia) to the Ombudsman under
the Norfolk Island enactment concerned; or
(iii) to the Postal Industry
Ombudsman under the Ombudsman Act 1976; or
(iv) to the Overseas
Students Ombudsman under the Ombudsman Act 1976; or
(b) an application made to the Australian
Public Service Commissioner under the Public Service Act 1999; or
(c) an application made to the Norfolk
Island Public Service Board under the Public Sector Management Act 2000
of Norfolk Island;
as the case requires.
50A
Substitution of respondent to complaint
(1) This section lets the Commissioner
substitute an agency for an organisation as respondent to a complaint if:
(a) the organisation is a contracted
service provider for a Commonwealth contract to provide services to the agency;
and
(b) before
the Commissioner makes a determination under section 52 in relation to the
complaint, the organisation:
(i) dies or ceases to
exist; or
(ii) becomes bankrupt or
insolvent, commences to be wound up, applies to take the benefit of a law for
the relief of bankrupt or insolvent debtors, compounds with creditors or makes
an assignment of any property for the benefit of creditors.
(2) The Commissioner may amend the complaint
to specify as a respondent to the complaint the agency or its principal
executive, instead of the organisation.
Note 1: The complaint still relates to the act or
practice of the organisation.
Note 2: Section 53B lets the Commissioner treat an
agency as a respondent to a determination if the organisation cannot comply
with a determination to pay an amount to a complainant.
(3) Before amending the complaint, the
Commissioner must:
(a) give the agency a notice stating
that the Commissioner proposes to amend the complaint and stating the reasons
for the proposal; and
(b) give the agency an opportunity to
appear before the Commissioner and to make oral and/or written submissions
relating to the proposed amendment.
(4) If the Commissioner amends the complaint
after starting to investigate it, the Commissioner is taken to have satisfied
subsection 43(1A) in relation to the agency.
51
Effect of investigation by Auditor‑General
Where the Commissioner becomes aware
that a matter being investigated by the Commissioner is, or is related to, a
matter that is under investigation by the Auditor‑General, the Commissioner
shall not, unless the Commissioner and Auditor‑General agree to the contrary,
continue to investigate the matter until the investigation by the Auditor‑General
has been completed.
Division 2—Determinations
following investigation of complaints
52
Determination of the Commissioner
(1) After investigating a complaint, the
Commissioner may:
(a) make a determination dismissing
the complaint; or
(b) find the complaint substantiated
and make a determination that includes one or more of the following:
(i) a declaration:
(A) where
the principal executive of an agency is the respondent—that the agency has
engaged in conduct constituting an interference with the privacy of an
individual and should not repeat or continue such conduct; or
(B) in any
other case—that the respondent has engaged in conduct constituting an
interference with the privacy of an individual and should not repeat or
continue such conduct;
(ii) a declaration that the
respondent should perform any reasonable act or course of conduct to redress
any loss or damage suffered by the complainant;
(iii) a declaration that the
complainant is entitled to a specified amount by way of compensation for any
loss or damage suffered by reason of the act or practice the subject of the
complaint;
(iv) a declaration that it
would be inappropriate for any further action to be taken in the matter.
(1A) The loss or damage referred to in paragraph (1)(b)
includes injury to the complainant’s feelings or humiliation suffered by the
complainant.
(1B) A determination of the Commissioner under subsection (1)
is not binding or conclusive between any of the parties to the determination.
(2) The Commissioner shall, in a
determination, state any findings of fact upon which the determination is
based.
(3) In a determination under paragraph (1)(a)
or (b) (other than a determination made on a representative complaint), the
Commissioner may include a declaration that the complainant is entitled to a
specified amount to reimburse the complainant for expenses reasonably incurred
by the complainant in connection with the making of the complaint and the
investigation of the complaint.
(3A) The Commissioner may include an order
mentioned in subsection (3B) in a determination under subparagraph (1)(b)(i)
or (ii) that concerns a breach of:
(a) Information Privacy Principle 7;
or
(b) National Privacy Principle 6,
to the extent that it deals with the correction of personal information; or
(c) a provision of an approved privacy
code that corresponds to National Privacy Principle 6, to the extent that
it deals with the correction of personal information; or
(d) section 18J.
(3B) A determination may include an order that:
(a) an agency or respondent make an
appropriate correction, deletion or addition to a record, or to a credit
information file or credit report, as the case may be; or
(b) an agency or respondent attach to
a record, or include in a credit information file or credit report, as the case
may be, a statement provided by the complainant of a correction, deletion or
addition sought by the complainant.
(4) A determination by the Commissioner under
subparagraph (1)(b)(iii) on a representative complaint:
(a) may provide for payment of
specified amounts or of amounts worked out in a manner specified by the
Commissioner; and
(b) if the Commissioner provides for
payment in accordance with paragraph (a), must make provision for the
payment of the money to the complainants concerned.
(5) If the Commissioner makes a determination
under subparagraph (1)(b)(iii) on a representative complaint, the
Commissioner may give such directions (if any) as he or she thinks just in
relation to:
(a) the manner in which a class member
is to establish his or her entitlement to the payment of an amount under the
determination; and
(b) the manner for determining any
dispute regarding the entitlement of a class member to the payment.
(6) In this
section:
complainant, in relation to a representative
complaint, means the class members.
53
Determination must identify the class members who are to be affected by the
determination
A determination under section 52 on
a representative complaint must describe or otherwise identify those of the
class members who are to be affected by the determination.
53A
Notice to be given to outsourcing agency
(1) If the Commissioner makes a determination
to which a contracted service provider for a Commonwealth contract is the
respondent, the Commissioner:
(a) must give a copy of the
determination to each agency:
(i) to which services are
or were to be provided under the contract; and
(ii) to which the Commissioner
considers it appropriate to give a copy; and
(b) may give such an agency a written
recommendation of any measures that the Commissioner considers appropriate.
(2) The Commissioner may give an agency a
recommendation only after consulting the agency.
(3) An agency that receives a recommendation
from the Commissioner must tell the Commissioner in writing of any action the
agency proposes to take in relation to the recommendation. The agency must do
so within 60 days of receiving the recommendation.
53B
Substituting respondent to determination
(1) This
section applies if:
(a) the respondent to a determination
under subsection 52(1) is a contracted service provider for a Commonwealth
contract; and
(b) the determination includes:
(i) a declaration under
subparagraph 52(1)(b)(iii) that the complainant is entitled to a specified
amount by way of compensation; or
(ii) a declaration under
subsection 52(3) that the complainant is entitled to a specified amount by
way of reimbursement; and
(c) at a particular time after the
determination was made, the respondent:
(i) dies or ceases to
exist; or
(ii) becomes bankrupt or
insolvent, commences to be wound up, applies to take the benefit of a law for
the relief of bankrupt or insolvent debtors, compounds with creditors or makes
an assignment of any property for the benefit of creditors; and
(d) at that time, the complainant had
not been paid the whole or part of an amount referred to in subparagraph (b)(i)
or (b)(ii).
(2) The Commissioner may determine in writing
that a specified agency to which services were or were to be provided under the
contract is the respondent to the determination under section 52. The
determination has effect according to its terms for the purposes of section 60.
Note: This means that the amount owed by the
contracted service provider will be a debt due by the agency to the
complainant.
(3) Before making a determination, the
Commissioner must give the agency:
(a) a notice stating that the
Commissioner proposes to make the determination and stating the reasons for the
proposal; and
(b) an opportunity to appear before
the Commissioner and to make oral and/or written submissions relating to the
proposed determination.
Division 3—Enforcement
54
Application of Division
(1) This Division applies to a determination
made under section 52 after the commencement of this Division, except
where the respondent to the determination is an agency or the principal
executive of an agency.
(1A) This Division also applies to a
determination made by an adjudicator for an approved privacy code under the
code in relation to a complaint made under the code.
Note: The making of a determination by the
Commissioner under this Act is subject to judicial review under the Administrative
Decisions (Judicial Review) Act 1977.
(2) In this section:
agency does not include the nominated AGHS
company, an eligible hearing service provider or an eligible case manager.
55
Obligations of respondent organisation
Determination under section 52
(1) An organisation that is the respondent to
a determination made under section 52:
(a) must not repeat or continue
conduct that is covered by a declaration that is included in the determination
under sub‑subparagraph 52(1)(b)(i)(B); and
(b) must perform the act or course of
conduct that is covered by a declaration that is included in the determination
under subparagraph 52(1)(b)(ii).
Determination under approved privacy code
(2) An organisation that is the respondent to
a determination made under an approved privacy code:
(a) must not repeat or continue
conduct that is covered by a declaration that is included in the determination
and that corresponds to a declaration mentioned in paragraph (1)(a); and
(b) must perform the act or course of
conduct that is covered by a declaration that is included in the determination
and that corresponds to a declaration mentioned in paragraph (1)(b).
55A
Proceedings in the Federal Court or Federal Circuit Court to enforce a
determination
(1) Any of the following persons may commence
proceedings in the Federal Court or the Federal Circuit Court for an order to
enforce a determination:
(a) the complainant;
(b) the Commissioner, if the
determination was made under section 52;
(c) the adjudicator for the approved
privacy code under which the determination was made, if it was made under an
approved privacy code.
(2) If the court is satisfied that the
respondent has engaged in conduct that constitutes an interference with the
privacy of the complainant, the court may make such orders (including a
declaration of right) as it thinks fit.
(3) The court may, if it thinks fit, grant an
interim injunction pending the determination of the proceedings.
(4) The court is not to require a person, as
a condition of granting an interim injunction, to give an undertaking as to
damages.
(5) The court is to deal by way of a hearing
de novo with the question whether the respondent has engaged in conduct that
constitutes an interference with the privacy of the complainant.
(6) Despite subsection (5), the court
may receive any of the following as evidence in proceedings about a
determination made by the Commissioner under section 52:
(a) a copy of the Commissioner’s
written reasons for the determination;
(b) a copy of any document that was
before the Commissioner;
(c) a copy of a record (including any
tape recording) of any appearance before the Commissioner (including any oral
submissions made) under subsection 43(5).
(7) Despite subsection (5), the court
may receive any of the following as evidence in proceedings about a
determination made by an adjudicator under an approved privacy code:
(a) a copy of the adjudicator’s
written reasons for the determination;
(b) a copy of any document that was
before the adjudicator;
(c) a copy of a record (including any
tape recording) of any appearance before the adjudicator (including any oral
submissions made).
(7A) In conducting a hearing and making an order
under this section, the court is to have due regard to the matters that
paragraph 29(a) requires the Commissioner to have due regard to.
(8) In this section:
complainant, in relation to a representative
complaint, means any of the class members.
55B
Evidentiary certificate
(1) The Commissioner may issue a written
certificate setting out the findings of fact upon which the Commissioner based
his or her determination that:
(a) a specified agency had breached an
Information Privacy Principle; or
(b) a specified organisation had
breached an approved privacy code or a National Privacy Principle.
(2) An adjudicator for an approved privacy
code may issue a written certificate setting out the findings of fact upon
which the adjudicator based his or her determination that a specified
organisation had breached an approved privacy code.
(3) In any proceedings
under section 55A, a certificate under subsection (1) or (2) of this
section is prima facie evidence of the facts found by the Commissioner or
adjudicator and set out in the certificate. However, the certificate is not
prima facie evidence of a finding that:
(a) a specified agency had breached an
Information Privacy Principle; or
(b) a specified organisation had
breached an approved privacy code or a National Privacy Principle.
(4) A document
purporting to be a certificate under subsection (1) or (2) must, unless
the contrary is established, be taken to be a certificate and to have been
properly given.
Division 4—Review and
enforcement of determinations involving Commonwealth agencies
57
Application of Division
(1) This Division applies to a determination
that is made under section 52 and has an agency, or the principal
executive of an agency, as the respondent.
(2) In this section:
agency does not include the nominated AGHS
company, an eligible hearing service provider or an eligible case manager.
58
Obligations of respondent agency
If an agency is the respondent to a
determination to which this Division applies:
(a) the agency must not repeat or
continue conduct that is covered by a declaration included in the determination
under subparagraph 52(1)(b)(i); and
(b) the agency must perform the act or
course of conduct that is covered by a declaration included in the
determination under subparagraph 52(1)(b)(ii).
59
Obligations of principal executive of agency
If the principal executive of an agency
is the respondent to a determination to which this Division applies, the
principal executive must take all such steps as are reasonably within his or
her power to ensure:
(a) that the terms of the
determination are brought to the notice of all members, officers and employees
of the agency whose duties are such that they may engage in conduct of the kind
to which the determination relates; and
(b) that no member, officer or
employee of the agency repeats or continues conduct that is covered by a
declaration included in the determination under subparagraph 52(1)(b)(i);
and
(c) the performance of any act or
course of conduct that is covered by a declaration included in the
determination under subparagraph 52(1)(b)(ii).
60
Compensation and expenses
(1) If a determination to which this Division
applies includes a declaration of the kind referred to in subparagraph 52(1)(b)(iii)
or subsection 52(3), the complainant is entitled to be paid the amount
specified in the declaration.
(2) If the respondent is an agency that has
the capacity to sue and be sued, the amount is recoverable as a debt due by the
agency to the complainant. In any other case, the amount is recoverable as a
debt due by the Commonwealth to the complainant.
(2B) If a determination relates to a Norfolk
Island agency, the reference in subsection (2) to the Commonwealth
is to be read as a reference to Norfolk Island.
(3) In this section:
complainant, in relation to a representative
complaint, means a class member.
61
Review of determinations regarding compensation and expenses
(1) Application may be made to the
Administrative Appeals Tribunal for review of:
(a) a declaration of the kind referred
to in subparagraph 52(1)(b)(iii) or subsection 52(3) that is included
in a determination to which this Division applies; or
(b) a decision of the Commissioner
refusing to include such a declaration in a determination to which this Division
applies.
(2) An agency, or the principal executive of
an agency, may not apply for review without the permission of the Minister.
62
Enforcement of determination against an agency
(1) If an agency fails to comply with section 58,
an application may be made to the Federal Court or the Federal Circuit Court
for an order directing the agency to comply.
(2) If the
principal executive of an agency fails to comply with section 59, an
application may be made to the Federal Court or the Federal Circuit Court for
an order directing the principal executive to comply.
(3) The application may be made by the
Commissioner or by the complainant. In the case of a representative complaint, complainant
means a class member.
(4) On an application under this section, the
court may make such other orders as it thinks fit with a view to securing
compliance by the respondent.
(5) An application may not be made under this
section in relation to a determination under section 52 until:
(a) the time has expired for making an
application under section 61 for review of the determination; or
(b) if such an application is made,
the decision of the Administrative Appeals Tribunal on the application has come
into operation.
Division 5—Miscellaneous
63
Legal assistance
(1) If:
(a) the Commissioner has dismissed a
file number complaint; and
(b) the respondent to the complaint is
not an agency or the principal executive of an agency;
the respondent may apply to the Attorney‑General for
assistance under this section.
(2) A person who:
(a) has commenced or proposes to
commence proceedings in the Federal Court or the Federal Circuit Court under
section 55; or
(b) has engaged in conduct or is
alleged to have engaged in conduct in respect of which proceedings have been
commenced in the Federal Court or the Federal Circuit Court under section 55;
may apply to the Attorney‑General for the provision of
assistance under this section in respect of the proceedings.
(2A) Subsection (2) does not permit an
application relating to proceedings under section 55A to enforce a
determination relating to a code complaint or an NPP complaint.
(3) If the Attorney‑General is satisfied that
in all the circumstances it is reasonable to grant an application made under
this section, he or she may authorise the provision by the Commonwealth to the
applicant of:
(a) in the case of an application
under subsection (1)—such financial assistance in connection with the
investigation of the complaint as the Attorney‑General determines; or
(b) in the case of an application
under subsection (2)—such legal or financial assistance in respect of the
proceeding as the Attorney‑General determines.
(4) An authorisation under subsection (3)
may be made subject to such conditions (if any) as the Attorney‑General
determines.
(5) In considering an application made under
this section, the Attorney‑General must have regard to any hardship to the
applicant that refusal of the application would involve.
64
Commissioner etc. not to be sued
(1) Neither the Commissioner nor a person
acting under his or her direction or authority is liable to an action, suit or
proceeding in relation to an act done or omitted to be done in good faith in
the exercise or purported exercise of any power or authority conferred by this
Act.
(2) Neither an adjudicator for an approved
privacy code, nor a person acting under his or her direction or authority, is
liable to an action, suit or proceeding in relation to an act done or omitted
to be done in good faith in the exercise or purported exercise of any power or
authority conferred by this Act or the code.
65
Failure to attend etc. before Commissioner
(1) A person shall not:
(a) refuse or fail to attend before
the Commissioner; or
(b) refuse or fail to be sworn or make
an affirmation;
when so required under this Act.
Penalty: $2,000 or imprisonment for 12 months, or both.
(2) Subsection (1) does not apply if the
person has a reasonable excuse.
Note: A defendant bears an evidential burden in
relation to the matter in subsection (2) (see subsection 13.3(3) of
the Criminal Code).
(3) A person shall not
furnish information or make a statement to the Commissioner knowing that it is
false or misleading in a material particular.
Penalty: $2,000 or imprisonment for 12 months, or both.
66
Failure to give information etc.
(1) A person
shall not refuse or fail:
(a) to give information; or
(b) to answer a question or produce a
document or record;
when so required under this Act.
Penalty:
(a) in the case of an
individual—$2,000 or imprisonment for 12 months, or both; or
(b) in the case of a body
corporate—$10,000.
(1A) For the purposes of subsection (1B), a
journalist has a reasonable excuse if giving the information, answering the
question or producing the document or record would tend to reveal the identity
of a person who gave information or a document or record to the journalist in
confidence.
(1B) Subsection (1) does not apply if the
person has a reasonable excuse.
Note: A defendant bears an evidential burden in
relation to the matter in subsection (1B) (see subsection 13.3(3) of
the Criminal Code).
(2) For the purposes of subsections (3)
to (11) (inclusive):
document includes a record.
information includes an answer to a question.
(3) Subject to subsections (4), (7) and
(10), it is a reasonable excuse for the purposes of subsection (1B) for an
individual:
(a) to refuse or fail to give
information when so required under this Act; or
(b) to refuse or fail to produce a
document when so required under this Act;
that giving the information, or producing the document, as
the case may be, might tend to incriminate the individual or make the
individual liable to forfeiture or a penalty.
(4) Subsection (3) does not apply in
relation to a failure or refusal by an individual to give information, or to
produce a document, on the ground that giving the information or producing the
document might tend to prove his or her guilt of an offence against, or make
him or her liable to forfeiture or a penalty under, a law of the Commonwealth
or of a Territory, if the Director of Public Prosecutions has given the
individual a written undertaking under subsection (5).
(5) An undertaking by the Director of Public
Prosecutions shall:
(a) be an undertaking that:
(i) information given, or
a document produced, by the individual; or
(ii) any information or
document obtained as a direct or indirect consequence of the giving of the
information, or the production of the document;
will not be used in evidence in
any proceedings for an offence against a law of the Commonwealth or of a
Territory, or in any disciplinary proceedings, against the individual, other
than proceedings in respect of the falsity of evidence given by the individual;
(b) state that, in the opinion of the
Director of Public Prosecutions, there are special reasons why, in the public
interest, the information or document should be available to the Commissioner;
and
(c) state the general nature of those
reasons.
(6) The Commissioner may recommend to the
Director of Public Prosecutions that an individual who has been, or is to be,
required under this Act to give information or produce a document be given an
undertaking under subsection (5).
(7) Subsection (3) does not apply in
relation to a failure or refusal by an individual to give information, or to
produce a document, on the ground that giving the information or producing the
document might tend to prove his or her guilt of an offence against, or make
him or her liable to forfeiture or a penalty under, a law of a State, if the
Attorney‑General of the State, or a person authorised by that Attorney‑General
(being the person holding the office of Director of Public Prosecutions, or a
similar office, of the State) has given the individual a written undertaking
under subsection (8).
(8) An undertaking by the Attorney‑General of
the State, or authorised person, shall:
(a) be an undertaking that:
(i) information given, or
a document produced, by the individual; or
(ii) any information or
document obtained as a direct or indirect consequence of the giving of the
information, or the production of the document;
will not be used in evidence in
any proceedings for an offence against a law of the State, or in any
disciplinary proceedings, against the individual, other than proceedings in
respect of the falsity of evidence given by the individual;
(b) state that, in the opinion of the
person giving the undertaking, there are special reasons why, in the public
interest, the information or document should be available to the Commissioner;
and
(c) state the general nature of those
reasons.
(9) The Commissioner may recommend to the
Attorney‑General of a State that an individual who has been, or is to be,
required under this Act to give information or produce a document be given an
undertaking under subsection (8).
(10) For the
purposes of subsection (1B):
(a) it is not a reasonable excuse for a
body corporate to refuse or fail to produce a document that production of the
document might tend to incriminate the body corporate or make it liable to
forfeiture or a penalty; and
(b) it is not a reasonable excuse for
an individual to refuse or fail to produce a document that is, or forms part
of, a record of an existing or past business (not being, if the individual is
or has been an employee, a document that sets out details of earnings received
by the individual in respect of his or her employment and does not set out any
other information) that production of the document might tend to incriminate
the individual or make the individual liable to forfeiture or a penalty.
(11) Subsections (4), (7) and (10) do not
apply where proceedings, in respect of which giving information or producing a
document might tend to incriminate an individual or make an individual liable
to forfeiture or a penalty, have been commenced against the individual and have
not been finally dealt with by a court or otherwise disposed of.
Norfolk Island
(12) In this section:
Attorney‑General, in relation to Norfolk
Island, means the Norfolk Island Justice Minister.
State includes Norfolk Island.
67
Protection from civil actions
Civil proceedings do not lie against a
person in respect of loss, damage or injury of any kind suffered by another
person because of any of the following acts done in good faith:
(a) the making of a complaint under
this Act;
(aa) the making of a complaint under an
approved privacy code;
(ab) the acceptance of a complaint under
subsection 40(1B);
(b) the making of a statement to, or
the giving of a document or information to, the Commissioner, whether or not
pursuant to a requirement under section 44.
68
Power to enter premises
(1) Subject to subsection (3), for the
purposes of the performance by the Commissioner of his or her functions under
this Act, a person authorised by the Commissioner in writing for the purposes
of this section may, at any reasonable time of the day, enter premises occupied
by an agency, an organisation, a file number recipient, a credit reporting
agency or a credit provider and inspect any documents that are kept at those
premises and that are relevant to the performance of those functions, other
than documents in respect of which the Attorney‑General has furnished a
certificate under subsection 70(1) or (2) or documents in respect of which
the Norfolk Island Justice Minister has given a certificate under subsection 70(4).
(1A) The Commissioner may authorise a person only
while the person is a member of the staff assisting the Commissioner.
(2) The occupier or person in charge of the
premises shall provide the authorised person with all reasonable facilities and
assistance for the effective exercise of the authorised person’s powers under subsection (1).
(3) A person
shall not enter under subsection (1) premises other than premises that are
occupied by an agency unless:
(a) the occupier of the premises has
consented to the person entering the premises; or
(b) the person is authorised, pursuant
to a warrant issued under subsection (4), to enter the premises.
(3A) Before obtaining the consent, the
authorised person must inform the occupier or person in charge that he or she
may refuse to consent.
(3B) An entry by an authorised person with the
consent of the occupier or person in charge is not lawful if the consent was
not voluntary.
(3C) The authorised person may not enter
premises (other than premises occupied by an agency) if:
(a) the occupant or person in charge
asks the authorised person to produce his or her identity card; and
(b) the authorised person does not
produce it.
(3D) If an authorised person is on premises with
the consent of the occupier or person in charge, the authorised person must
leave the premises if the occupier or person in charge asks the authorised
person to do so.
(4) If, on an application made by a person
authorised by the Commissioner under subsection (1), a Magistrate is
satisfied, by information on oath, that it is reasonably necessary, for the
purposes of the performance by the Commissioner of his or her functions under
this Act, that the person be empowered to enter the premises, the Magistrate
may issue a warrant authorising the person, with such assistance as the person
thinks necessary, to enter the premises, if necessary by force, for the purpose
of exercising those powers.
(5) A warrant
issued under subsection (4) shall state:
(a) whether entry is authorised to be
made at any time of the day or during specified hours of the day; and
(b) a day, not being later than one
month after the day on which the warrant was issued, at the end of which the
warrant ceases to have effect.
(6) Nothing in subsection (1) restricts
the operation of any other provision of this Part.
68A
Identity cards
(1) The Commissioner must issue to a person
authorised for the purposes of section 68 an identity card in the form
approved by the Commissioner. The identity card must contain a recent
photograph of the authorised person.
(2) As soon as practicable after the person
ceases to be authorised, he or she must return the identity card to the
Commissioner.
(3) A person must not contravene subsection (2).
Penalty: 1 penalty unit.
69
Restrictions on Commissioner obtaining personal information and documents
(1) Information relating to an individual
shall not be furnished, in connection with a complaint, in such a manner as to
reveal the individual’s identity, unless the individual has made the complaint
or has consented to the information being so furnished.
(2) A document that contains information
relating to an individual and that reveals the individual’s identity shall not
be produced, in connection with a complaint, unless:
(a) the person has made the complaint
or has consented to the document being so produced; or
(b) the document is a copy of another
document and has had deleted from it such information as reveals the identity
of the person.
(3) A person shall not furnish, in connection
with a complaint, prescribed information that relates to an individual other
than the complainant and does not also relate to the complainant.
(4) A person shall not furnish, in connection
with a complaint, prescribed information that relates both to the complainant
and to another individual, unless the information is so furnished in such a
manner as not to reveal the identity of the other person.
(5) A person shall not produce, in connection
with a complaint, a prescribed document containing information that relates to
an individual other than the complainant and does not also relate to the
complainant, unless the document is a copy of another prescribed document and
has had that information deleted from it.
(6) A person shall not produce, in connection
with a complaint, a prescribed document containing information that relates
both to the complainant and to another individual, unless the document is a
copy of another prescribed document and has had deleted from it such
information as reveals the identity of the other individual.
(7) This section has effect notwithstanding
any other provision of this Part.
(8) A reference in this section to furnishing
information, or to producing a document, in connection with a complaint is a
reference to furnishing the information, or to producing the document, as the case
may be, to the Commissioner in connection with the performance or exercise by
the Commissioner, in relation to that complaint, of the Commissioner’s
functions or powers.
(9) In this section:
complaint means:
(a) a complaint under section 36;
or
(b) a complaint the Commissioner
accepts under subsection 40(1B).
document includes any other record.
prescribed document means a document that was
furnished or obtained under or for the purposes of a relevant law or a copy of
such a document.
prescribed information means information that
the person furnishing the information acquired by reason of holding or having
held an office, or being or having been employed, under or for the purposes of
a relevant law.
relevant law means a taxation law or a law of
the Commonwealth relating to census and statistics.
taxation law
means:
(a) an Act of which the Commissioner
of Taxation has the general administration (other than an Act prescribed for
the purposes of paragraph (b) of the definition of taxation law
in section 2 of the Taxation Administration Act 1953); or
(b) regulations under an Act referred
to in paragraph (a) of this definition.
70
Certain documents and information not required to be disclosed
(1) Where the
Attorney‑General furnishes to the Commissioner a certificate certifying that
the giving to the Commissioner of information concerning a specified matter
(including the giving of information in answer to a question), or the
production to the Commissioner of a specified document or other record, would
be contrary to the public interest because it would:
(a) prejudice the security, defence or
international relations of Australia;
(b) involve the disclosure of
communications between a Minister of the Commonwealth and a Minister of a
State, being a disclosure that would prejudice relations between the
Commonwealth Government and the Government of a State;
(c) involve the disclosure of
deliberations or decisions of the Cabinet or of a Committee of the Cabinet;
(d) involve the disclosure of
deliberations or advice of the Executive Council;
(e) prejudice the conduct of an
investigation or inquiry into crime or criminal activity that is currently
being pursued, or prejudice the fair trial of any person;
(f) disclose, or enable a person to
ascertain, the existence or identity of a confidential source of information in
relation to the enforcement of the criminal law;
(g) prejudice the effectiveness of the
operational methods or investigative practices or techniques of agencies
responsible for the enforcement of the criminal law; or
(h) endanger the life or physical
safety of any person;
the Commissioner is not entitled to require a person to
give any information concerning the matter or to produce the document or other
record.
(2) Without limiting the operation of subsection (1),
where the Attorney‑General furnishes to the Commissioner a certificate
certifying that the giving to the Commissioner of information as to the
existence or non‑existence of information concerning a specified matter
(including the giving of information in answer to a question) or as to the
existence or non‑existence of any document or other record required to be
produced to the Commissioner would be contrary to the public interest:
(a) by reason that it would prejudice
the security, defence or international relations of Australia; or
(b) by reason that it would prejudice
the proper performance of the functions of the ACC; or
(c) by reason that it would prejudice
the proper performance of the functions of the Integrity Commissioner;
the Commissioner is not entitled, pursuant to this Act, to
require a person to give any information as to the existence or non‑existence
of information concerning that matter or as to the existence of that document
or other record.
(4) If the Norfolk Island Justice Minister
gives to the Commissioner a certificate certifying that:
(a) the giving to the Commissioner of
information concerning a specified matter (including the giving of information
in answer to a question); or
(b) the production to the Commissioner
of a specified document or other record;
would be contrary to the public interest because it would:
(c) involve the disclosure of
communications between a Norfolk Island Minister and a Minister of the
Commonwealth or of a State, being a disclosure that would prejudice relations
between the Government of Norfolk Island and the Government of the Commonwealth
or of a State; or
(d) involve the disclosure of
deliberations or decisions of the Cabinet of Norfolk Island; or
(e) prejudice the conduct of an investigation
or inquiry into crime or criminal activity that is currently being pursued, or
prejudice the fair trial of any person; or
(f) disclose, or enable a person to
ascertain, the existence or identity of a confidential source of information in
relation to the enforcement of the criminal law; or
(g) prejudice the effectiveness of the
operational methods or investigative practices or techniques of agencies
responsible for the enforcement of the criminal law; or
(h) endanger the life or physical safety
of any person;
the Commissioner is not entitled to require a person to
give any information concerning the matter or to produce the document or other
record.
70A
Application of Part to organisations that are not legal persons
Partnerships
(1) If, apart from this subsection, this Part
would impose an obligation to do something (or not to refuse or fail to do
something) on an organisation that is a partnership, the obligation is imposed
instead on each partner but may be discharged by any of the partners.
Unincorporated associations
(2) If, apart from this subsection, this Part
would impose an obligation to do something (or not to refuse or fail to do
something) on an organisation that is an unincorporated association, the
obligation is imposed instead on each member of the committee of management of
the association but may be discharged by any of the members of that committee.
Trusts
(3) If, apart from this subsection, this Part
would impose an obligation to do something (or not to refuse or fail to do
something) on an organisation that is a trust, the obligation is imposed
instead on each trustee but may be discharged by any of the trustees.
70B
Application of this Part to former organisations
If an individual, body corporate,
partnership, unincorporated association or trust ceases to be an organisation
but continues to exist, this Part operates in relation to:
(a) an act or practice of the
organisation (while it was an organisation); and
(b) the individual, body corporate,
partnership, unincorporated association or trust;
as if he, she or it were still (and had been at all
relevant times) an organisation.
Example 1: If an individual carrying on a business was not a
small business operator, but later became one and remained alive:
(a) a complaint may be made under this Part about an act
or practice of the individual in carrying on the business before he or she
became a small business operator; and
(b) the complaint may be investigated (and further
proceedings taken) under this Part as though the individual were still an
organisation.
Example 2: A small business operator chooses under section 6EA
to be treated as an organisation, but later revokes the choice. A complaint
about an act or practice the operator engaged in while the choice was registered
under that section may be made and investigated under this Part as if the
operator were an organisation.
Part VI—Public interest
determinations and temporary public interest determinations
Division 1—Public interest determinations
71
Interpretation
For the purposes of this Part, a person
is interested in an application made under section 73 if, and only if, the
Commissioner is of the opinion that the person has a real and substantial
interest in the application.
72
Power to make, and effect of, determinations
Determinations about an agency’s acts and practices
(1) Subject to this Division, where the
Commissioner is satisfied that:
(a) an act or practice of an agency
breaches, or may breach, an Information Privacy Principle; and
(b) the public interest in the agency
doing the act, or engaging in the practice, outweighs to a substantial degree
the public interest in adhering to that Information Privacy Principle;
the Commissioner may make a written determination to that
effect and, if the Commissioner does so, the fact that the act or practice
breaches that Information Privacy Principle shall:
(c) if the agency does the act while
the determination is in force; or
(d) in so far as the agency engages in
the practice while the determination is in force;
as the case may be, be disregarded for the purpose of
section 16.
Determinations about an organisation’s acts and
practices
(2) Subject to this Division, if the
Commissioner is satisfied that:
(a) an act or practice of an
organisation breaches, or may breach, an approved privacy code, or a National
Privacy Principle, that binds the organisation; but
(b) the public interest in the
organisation doing the act, or engaging in the practice, substantially
outweighs the public interest in adhering to that code or Principle;
the Commissioner may make a written determination to that
effect.
Effect of determination under subsection (2)
(3) The organisation is taken not to
contravene section 16A if the organisation does the act, or engages in the
practice, while the determination is in force under subsection (2).
Giving a determination under subsection (2)
general effect
(4) The Commissioner may make a written
determination that no organisation is taken to contravene section 16A if,
while that determination is in force, an organisation does an act, or engages
in a practice, that is the subject of a determination under subsection (2)
in relation to that organisation or any other organisation.
Effect of determination under subsection (4)
(5) A determination under subsection (4)
has effect according to its terms.
73
Application by agency or organisation
(1) An agency or organisation may apply in
accordance with the regulations for a determination under section 72 about
an act or practice of the agency or organisation.
(2) The CEO of the National Health and
Medical Research Council may make an application under subsection (1) on
behalf of other agencies concerned with medical research or the provision of
health services.
(3) Where an application is made by virtue of
subsection (2), a reference in the succeeding provisions of this Part to
the agency is a reference to the CEO of the National Health and Medical
Research Council.
(4) Where the Commissioner makes a
determination under section 72 on an application made by virtue of subsection (2),
that section has effect, in relation to each of the agencies on whose behalf
the application was made as if the determination had been made on an
application by that agency.
74
Publication of application
(1) Subject to subsection (2), the
Commissioner shall publish, in such manner as he or she thinks fit, notice of
the receipt by the Commissioner of an application.
(2) The Commissioner shall not, except with
the consent of the agency, permit the disclosure to another body or person of
information contained in a document provided by an agency as part of, or in
support of, an application if the agency has informed the Commissioner in
writing that the agency claims that the document is an exempt document within
the meaning of Part IV of the Freedom of Information Act 1982.
75
Draft determination
(1) The Commissioner shall prepare a draft of
his or her proposed determination in relation to the application.
(2) If the applicant is an agency, the
Commissioner must send to the agency, and to each other person (if any) who is
interested in the application, a written invitation to notify the Commissioner,
within the period specified in the invitation, whether or not the agency or
other person wishes the Commissioner to hold a conference about the draft
determination.
(2A) If the applicant is an organisation, the
Commissioner must:
(a) send a written invitation to the
organisation to notify the Commissioner, within the period specified in the
invitation, whether or not the organisation wishes the Commissioner to hold a
conference about the draft determination; and
(b) issue, in any way the Commissioner
thinks appropriate, an invitation in corresponding terms to the other persons
(if any) that the Commissioner thinks appropriate.
(3) An invitation under subsection (2)
or subsection (2A) shall specify a period that begins on the day on which
the invitation is sent and is not shorter than the prescribed period.
76
Conference
(1) If an agency, organisation or person
notifies the Commissioner, within the period specified in an invitation sent to
the agency, organisation or person, that the agency, organisation or person
wishes a conference to be held about the draft determination, the Commissioner
shall hold such a conference.
(2) The Commissioner shall fix a day, time
and place for the holding of the conference.
(3) The day fixed shall not be more than 30
days after the latest day on which a period specified in any of the invitations
sent in relation to the draft determination expires.
(4) The Commissioner shall give notice of the
day, time and place of the conference to the agency or organisation and to each
person to whom an invitation was sent.
77
Conduct of conference
(1) At the conference, the agency or organisation
is entitled to be represented by a person who is, or persons each of whom is,
an officer or employee of the agency or organisation.
(2) At the conference, a person to whom an
invitation was sent, or any other person who is interested in the application
and whose presence at the conference is considered by the Commissioner to be
appropriate, is entitled to attend and participate personally or, in the case
of a body corporate, to be represented by a person who is, or persons each of
whom is, a director, officer or employee of the body corporate.
(3) The Commissioner may exclude from the
conference a person who:
(a) is entitled neither to participate
in the conference nor to represent a person who is entitled to be represented
at the conference;
(b) uses insulting language at the
conference;
(c) creates, or takes part in creating
or continuing, a disturbance at the conference; or
(d) repeatedly disturbs the
conference.
78
Determination of application
The Commissioner shall, after complying
with this Part in relation to the application, make:
(a) such determination under section 72
as he or she considers appropriate; or
(b) a written determination dismissing
the application.
79
Making of determination
(1) The Commissioner shall, in making a determination,
take account of all matters raised at the conference.
(2) The Commissioner shall, in making a
determination, take account of all submissions about the application that have
been made, whether at a conference or not, by the agency, organisation or any
other person.
(3) The Commissioner shall include in a
determination a statement of the reasons for the determination.
80
Determinations disallowable
A determination referred to in paragraph 78(a)
is a disallowable instrument for the purposes of section 46A of the Acts
Interpretation Act 1901.
Division 2—Temporary public
interest determinations
80A
Temporary public interest determinations
(1) This section applies if the Commissioner
is satisfied that:
(a) the act or practice of an agency
or organisation that is the subject of an application under section 73 for
a determination under section 72 breaches, or may breach:
(i) in the case of an
agency—an Information Privacy Principle; and
(ii) in the case of an
organisation—an approved privacy code, or a National Privacy Principle, that
binds the organisation; and
(b) the public interest in the agency
or organisation doing the act, or engaging in the practice, outweighs to a
substantial degree the public interest in adhering to that Principle or code;
and
(c) the application raises issues that
require an urgent decision.
(2) The Commissioner may make a written
temporary public interest determination that he or she is satisfied of the
matters set out in subsection (1). The Commissioner may do so:
(a) on request by the agency or
organisation; or
(b) on the Commissioner’s own
initiative.
(3) The Commissioner must:
(a) specify in the determination a
period of up to 12 months during which the determination is in force (subject
to subsection 80D(2)); and
(b) include in the determination a
statement of the reasons for the determination.
80B
Effect of temporary public interest determination
Agency covered by a determination
(1) If an act or practice of an agency is the
subject of a temporary public interest determination, the agency is taken not
to breach section 16 if the agency does the act, or engages in the
practice, while the determination is in force.
Organisation covered by a determination
(2) If an act or practice of an organisation
is the subject of a temporary public interest determination, the organisation
is taken not to contravene section 16A if the organisation does the act,
or engages in the practice, while the determination is in force.
Giving a temporary public interest determination
general effect
(3) The Commissioner may make a written
determination that no organisation is taken to contravene section 16A if,
while that determination is in force, an organisation does an act, or engages
in a practice, that is the subject of a temporary public interest determination
in relation to that organisation or another organisation.
Effect of determination under subsection (3)
(4) A determination under subsection (3)
has effect according to its terms.
80C
Determinations disallowable
A determination under this Division is a
disallowable instrument for the purposes of section 46A of the Acts
Interpretation Act 1901.
80D
Commissioner may continue to consider application
(1) The fact that the Commissioner has made a
determination under this Division about an act or practice does not prevent the
Commissioner from dealing under Division 1 with an application made under
section 73 in relation to that act or practice.
(2) A determination under this Division about
an act or practice ceases to be in effect when:
(a) a determination made under
subsection 72(1) or (2) (as appropriate) about the act or practice comes
into effect; or
(b) a determination is made under
paragraph 78(b) to dismiss the application.
Division 3—Register of
determinations
80E
Register of determinations
(1) The Commissioner must keep a register of
determinations made under Division 1 or 2.
(2) The Commissioner may decide the form of
the register and how it is to be kept.
(3) The Commissioner must make the register
available to the public in the way that the Commissioner determines.
(4) The Commissioner may charge fees for:
(a) making the register available to
the public; or
(b) providing copies of, or extracts
from, the register.
Part VIA—Dealing with
personal information in emergencies and disasters
Division 1—Object and interpretation
80F
Object
The object of this Part is to make
special provision for the collection, use and disclosure of personal
information in emergencies and disasters.
80G
Interpretation
(1) In this Part:
duty of confidence means any duty or
obligation arising under the common law or at equity pursuant to which a person
is obliged not to disclose information, but does not include legal professional
privilege.
emergency declaration means a
declaration under section 80J or 80K.
permanent resident means a person, other than
an Australian citizen:
(a) whose normal place of residence is
situated in Australia; and
(b) whose presence in Australia is not subject to any limitation as to time imposed by law; and
(c) who is not an illegal entrant
within the meaning of the Migration Act 1958.
secrecy provision means a provision of a law
of the Commonwealth (including a provision of this Act), or of a Norfolk Island
enactment, that prohibits or regulates the use or disclosure of personal
information, whether the provision relates to the use or disclosure of personal
information generally or in specified circumstances.
(2) For the purposes of this Part, a
reference in the definition of personal information in subsection 6(1)
to an individual is taken to include a reference to an individual who is not
living.
80H
Meaning of permitted purpose
(1) For the purposes of this Part, a permitted
purpose is a purpose that directly relates to the Commonwealth’s
response to an emergency or disaster in respect of which an emergency
declaration is in force.
(2) Without limiting subsection (1), any
of the following is a permitted purpose in relation to an
emergency or disaster:
(a) identifying individuals who:
(i) are or may be injured,
missing or dead as a result of the emergency or disaster; or
(ii) are or may be
otherwise involved in the emergency or disaster;
(b) assisting individuals involved in
the emergency or disaster to obtain services such as repatriation services,
medical or other treatment, health services and financial or other humanitarian
assistance;
(c) assisting with law enforcement in
relation to the emergency or disaster;
(d) coordination or management of the
emergency or disaster;
(e) ensuring that people who are responsible
(within the meaning of subclause 2.5 of Schedule 3) for individuals
who are, or may be, involved in the emergency or disaster are appropriately
informed of matters that are relevant to:
(i) the involvement of
those individuals in the emergency or disaster; or
(ii) the response to the
emergency or disaster in relation to those individuals.
Division 2—Declaration of
emergency
80J
Declaration of emergency—events of national significance
The Prime Minister or the Minister may
make a declaration under this section if the Prime Minister or the Minister (as
the case may be) is satisfied that:
(a) an emergency or disaster has
occurred; and
(b) the emergency or disaster is of
such a kind that it is appropriate in the circumstances for this Part to apply
in relation to the emergency or disaster; and
(c) the emergency or disaster is of
national significance (whether because of the nature and extent of the
emergency or disaster, the direct or indirect effect of the emergency or
disaster, or for any other reason); and
(d) the emergency or disaster has
affected one or more Australian citizens or permanent residents (whether within
Australia or overseas).
Note: A declaration under this section is merely a
trigger for the operation of this Part and is not directly related to any other
legislative or non‑legislative scheme about emergencies.
80K
Declaration of emergency—events outside Australia
(1) The Prime Minister or the Minister may
make a declaration under this section if the Prime Minister or the Minister (as
the case may be) is satisfied that:
(a) an emergency or disaster has
occurred outside Australia; and
(b) the emergency or disaster is of
such a kind that it is appropriate in the circumstances for this Part to apply
in relation to the emergency or disaster; and
(c) the emergency or disaster has
affected one or more Australian citizens or permanent residents (whether within
Australia or overseas).
(2) The Minister must consult the Minister
administering the Diplomatic Privileges and Immunities Act 1967 before
the Minister makes a declaration under this section.
Note: A declaration under this section is merely a
trigger for the operation of this Part and is not directly related to any other
legislative or non‑legislative scheme about emergencies.
80L
Form of declarations
(1) An emergency declaration must be in
writing and signed by:
(a) if the Prime Minister makes the
declaration—the Prime Minister; or
(b) if the Minister makes the
declaration—the Minister.
(2) An emergency declaration must be
published, as soon as practicable after the declaration has effect:
(a) on the website maintained by the
Department; and
(b) by notice published in the Gazette.
(3) An emergency declaration is not a
legislative instrument.
80M
When declarations take effect
An emergency declaration has effect from
the time at which the declaration is signed.
80N
When declarations cease to have effect
An emergency declaration ceases to have
effect at the earliest of:
(a) if a time at which the declaration
will cease to have effect is specified in the declaration—at that time; or
(b) the time at which the declaration
is revoked; or
(c) the end of 12 months starting when
the declaration is made.
Division 3—Provisions
dealing with the use and disclosure of personal information
80P
Authorisation of collection, use and disclosure of personal information
(1) At any time when an emergency declaration
is in force in relation to an emergency or disaster, an entity may collect, use
or disclose personal information relating to an individual if:
(a) the entity reasonably believes
that the individual concerned may be involved in the emergency or disaster; and
(b) the collection, use or disclosure
is for a permitted purpose in relation to the emergency or disaster; and
(c) in the case of a disclosure of the
personal information by an agency—the disclosure is to:
(i) an agency; or
(ii) a State or Territory
authority; or
(iii) an organisation; or
(iv) an entity not covered
by subparagraph (i), (ii) or (iii) that is, or is likely to be, involved
in managing, or assisting in the management of, the emergency or disaster; or
(v) a person who is responsible
for the individual (within the meaning of subclause 2.5 of Schedule 3);
and
(d) in the case of a disclosure of the
personal information by an organisation or another person—the disclosure is to:
(i) an agency; or
(ii) an entity that is
directly involved in providing repatriation services, medical or other
treatment, health services or financial or other humanitarian assistance
services to individuals involved in the emergency or disaster; or
(iii) a person or entity
prescribed by the regulations for the purposes of this paragraph; or
(iv) a person or entity
specified by the Minister, by legislative instrument, for the purposes of this
paragraph; and
(e) in the case of any disclosure of
the personal information—the disclosure is not to a media organisation.
(2) An entity is not liable to any
proceedings for contravening a secrecy provision in respect of a use or
disclosure of personal information authorised by subsection (1), unless
the secrecy provision is a designated secrecy provision (see subsection (7)).
(3) An entity is not liable to any
proceedings for contravening a duty of confidence in respect of a disclosure of
personal information authorised by subsection (1).
(4) An entity that is an agency does not
breach an Information Privacy Principle in respect of a collection, use or
disclosure of personal information authorised by subsection (1).
(5) An entity that is an organisation does
not breach an approved privacy code or a National Privacy Principle in respect
of a collection, use or disclosure of personal information authorised by subsection (1).
(6) A collection, use or disclose of personal
information by an officer or employee of an agency in the course of duty as an
officer or employee is authorised by subsection (1) only if the officer or
employee is authorised by the agency to collect, use or disclose the personal
information.
(7) In this section:
designated secrecy provision means any of the
following:
(a) sections 18 and 92 of the Australian
Security Intelligence Organisation Act 1979;
(b) section 34 of the Inspector‑General
of Intelligence and Security Act 1986;
(c) section 39, 39A, 40 and 41 of
the Intelligence Services Act 2001;
(d) a provision of a law of the
Commonwealth prescribed by the regulations for the purposes of this paragraph;
(e) a provision of a law of the
Commonwealth of a kind prescribed by the regulations for the purposes of this
paragraph.
entity includes
the following:
(a) a person;
(b) an agency;
(c) an organisation.
Division 4—Other matters
80Q
Disclosure of information—offence
(1) A person (the first person)
commits an offence if:
(a) personal information that relates
to an individual is disclosed to the first person because of the operation of
this Part; and
(b) the first person subsequently
discloses the personal information; and
(c) the first person is not responsible
for the individual (within the meaning of subclause 2.5 of Schedule 3).
Penalty: 60 penalty units or imprisonment for 1 year, or
both.
(2) Subsection (1) does not apply to the
following disclosures:
(a) if the first person is an agency—a
disclosure permitted under an Information Privacy Principle;
(b) if the first person is an
organisation—a disclosure permitted under an approved privacy code or a
National Privacy Principle;
(c) a disclosure permitted under
section 80P;
(d) a disclosure made with the consent
of the individual to whom the personal information relates;
(e) a disclosure to the individual to
whom the personal information relates;
(f) a disclosure to a court;
(g) a disclosure prescribed by the
regulations.
Note: A defendant bears an evidential burden in
relation to a matter in subsection (2) (see subsection 13.3(3) of the
Criminal Code).
(3) If a disclosure of personal information
is covered by subsection (2), the disclosure is authorised by this
section.
(4) For the purposes of paragraph (2)(f),
court includes any tribunal, authority or person having power to
require the production of documents or the answering of questions.
80R
Operation of Part
(1) The operation of this Part is not limited
by a secrecy provision of any other law of the Commonwealth (whether made
before or after the commencement of this Act) except to the extent that the
secrecy provision expressly excludes the operation of this section.
Note: Section 3 provides for the concurrent
operation of State and Territory laws.
(1A) The operation of this Part is not limited
by a secrecy provision of a Norfolk Island enactment (whether made before or
after the commencement of this subsection) except to the extent that the
secrecy provision expressly excludes the operation of this subsection.
(2) Nothing in this Part is to be taken to
require an entity to collect, use or disclose personal information.
80S
Severability—additional effect of Part
(1) Without limiting its effect apart from
each of the following subsections of this section, this Part has effect in
relation to a collection, use or disclosure as provided by that subsection.
(2) This Part has the effect it would have if
its operation in relation to a collection, use or disclosure were expressly
confined to a collection, use or disclosure by a corporation.
(3) This Part also has the effect it would
have if its operation in relation to a collection, use or disclosure were
expressly confined to a collection, use or disclosure taking place in the
course of, or in relation to, trade or commerce:
(a) between Australia and places
outside Australia; or
(b) among the States; or
(c) within a Territory, between a
State and a Territory or between 2 Territories.
(4) This Part also has the effect it would
have if its operation in relation to a collection, use or disclosure were
expressly confined to a collection, use or disclosure using a postal,
telegraphic, telephonic or other like service within the meaning of paragraph 51(v)
of the Constitution.
(5) This Part also has the effect it would
have if its operation in relation to a collection, use or disclosure were
expressly confined to a collection, use or disclosure taking place in a
Territory.
(6) This Part also has the effect it would
have if its operation in relation to a collection, use or disclosure were
expressly confined to a collection, use or disclosure taking place in a place
acquired by the Commonwealth for public purposes.
(7) This Part also has the effect it would have
if its operation in relation to a collection, use or disclosure were expressly
confined to a collection, use or disclosure by an agency.
(8) This Part also has the effect it would
have if its operation in relation to a collection, use or disclosure were
expressly confined to a collection, use or disclosure for purposes relating to
the defence of the Commonwealth.
(9) This Part also has the effect that it
would have if its operation in relation to a collection, use or disclosure were
expressly confined to a collection, use or disclosure taking place outside Australia.
(10) This Part also has the effect that it
would have if its operation in relation to a collection, use or disclosure were
expressly confined to a collection, use or disclosure:
(a) in relation to which the
Commonwealth is under an obligation under an international agreement; or
(b) that is of international concern.
(11) This Part also has the effect that it
would have if its operation in relation to a collection, use or disclosure were
expressly confined to a collection, use or disclosure in relation to an
emergency of national significance.
80T
Compensation for acquisition of property—constitutional safety net
(1) If the operation of this Part would
result in an acquisition of property from a person otherwise than on just
terms, the Commonwealth is liable to pay a reasonable amount of compensation to
the person.
(2) If the Commonwealth and the person do not
agree on the amount of the compensation, the person may institute proceedings in
a court of competent jurisdiction for the recovery from the Commonwealth of
such reasonable amount of compensation as the court determines.
(3) In this
section:
acquisition of property has the same meaning
as in paragraph 51(xxxi) of the Constitution.
just terms has the same meaning as in
paragraph 51(xxxi) of the Constitution.
Part VII—Privacy Advisory
Committee
81
Interpretation
In this Part, unless the contrary
intention appears:
Advisory Committee means the Privacy Advisory
Committee established by subsection 82(1).
member means a member of the Advisory
Committee.
82
Establishment and membership
(1) A Privacy Advisory Committee is
established.
(2) The Advisory Committee shall consist of:
(a) the Commissioner; and
(b) not more than 6 other members.
(3) A member other than the Commissioner:
(a) shall be appointed by the Governor‑General;
and
(b) shall be appointed as a part‑time
member.
(4) An appointed member holds office, subject
to this Act, for such period, not exceeding 5 years, as is specified in the
instrument of the member’s appointment, but is eligible for re‑appointment.
(5) The Commissioner shall be convenor of the
Committee.
(6) The Governor‑General shall so exercise
the power of appointment conferred by subsection (3) that a majority of
the appointed members are persons who are neither officers nor employees, nor
members of the staff of an authority or instrumentality, of the Commonwealth.
(7) Of the appointed members:
(a) at least one shall be a person who
has had at least 5 years’ experience at a high level in industry, commerce,
public administration or the service of a government or an authority of a
government;
(b) at least one shall be a person who
has had at least 5 years’ experience in the trade union movement;
(c) at least one shall be a person who
has had extensive experience in electronic data‑processing;
(d) at least one shall be appointed to
represent general community interests, including interests relating to social
welfare; and
(e) at least one shall be a person who
has had extensive experience in the promotion of civil liberties.
(10) An appointed member holds office on such
terms and conditions (if any) in respect of matters not provided for by this
Act as are determined, in writing, by the Governor‑General.
(11) The performance of a function of the
Advisory Committee is not affected because of a vacancy or vacancies in the
membership of the Advisory Committee.
83
Functions
The functions of the Advisory Committee
are:
(a) on its own initiative, or when
requested by the Commissioner, to advise the Commissioner on matters relevant
to his or her functions;
(b) to recommend material to the
Commissioner for inclusion in guidelines to be issued by the Commissioner
pursuant to his or her functions; and
(c) subject to any direction given by
the Commissioner, to engage in and promote community education, and community
consultation, in relation to the protection of individual privacy.
84
Leave of absence
The convenor may, on such terms and
conditions as the convenor thinks fit, grant to another member leave to be
absent from a meeting of the Advisory Committee.
85
Removal and resignation of members
(1) The Governor‑General may terminate the
appointment of an appointed member for misbehaviour or physical or mental
incapacity.
(2) The Governor‑General shall terminate the
appointment of an appointed member if the member:
(a) becomes bankrupt, applies to take
the benefit of any law for the relief of bankrupt or insolvent debtors,
compounds with the member’s creditors or makes an assignment of the member’s
remuneration for their benefit;
(b) fails, without reasonable excuse,
to comply with the member’s obligations under section 86; or
(c) is absent, without the leave of
the convenor, from 3 consecutive meetings of the Advisory Committee.
(3) An appointed member may resign from
office by delivering a signed notice of resignation to the Governor‑General.
86
Disclosure of interests of members
(1) A member who has a direct or indirect
pecuniary interest in a matter being considered or about to be considered by
the Advisory Committee, being an interest that could conflict with the proper
performance of that member’s functions in relation to the consideration of the matter,
shall, as soon as practicable after the relevant facts have come to the
knowledge of that member, disclose the nature of that interest at a meeting of
the Advisory Committee.
(2) A disclosure under subsection (1) at
a meeting of the Advisory Committee shall be recorded in the minutes of the
meeting.
87
Meetings of Advisory Committee
(1) The convenor may convene such meetings of
the Advisory Committee as the convenor considers necessary for the performance
of the Committee’s functions.
(2) Meetings of the Advisory Committee shall
be held at such places and at such times as the convenor determines.
(3) The convenor shall preside at all
meetings of the Advisory Committee at which the convenor is present.
(4) If, at a meeting of the Advisory Committee,
the convenor is not present, the members who are present shall elect one of
their number to preside at the meeting.
(5) At a meeting of the Advisory Committee:
(a) 3 members constitute a quorum;
(b) all questions shall be decided by
a majority of votes of the members present and voting; and
(c) the person presiding has a
deliberative vote and, in the event of an equality of votes, also has a casting
vote.
(6) The Advisory Committee shall keep a
record of its proceedings.
88
Travel allowance
An appointed member is entitled to be
paid travelling allowance in accordance with the regulations.
Part VIII—Obligations of
confidence
89
Obligations of confidence to which Part applies
Unless the contrary intention appears, a
reference in this Part to an obligation of confidence is a reference to an
obligation of confidence:
(a) to which an agency or a
Commonwealth officer is subject, however the obligation arose; or
(b) that arises under or by virtue of
the law in force in the Australian Capital Territory; or
(c) that arises under or by virtue of
a Norfolk Island enactment that is in force.
90
Application of Part
(1) This Part applies where a person (in this
Part called a confidant) is subject to an obligation of
confidence to another person (in this Part called a confider) in
respect of personal information, whether the information relates to the
confider or to a third person, being an obligation in respect of a breach of
which relief may be obtained (whether in the exercise of a discretion or not)
in legal proceedings.
(2) This Part does not apply where a criminal
penalty only may be imposed in respect of the breach.
91
Effect of Part on other laws
This Part does not, except to the extent
that it does so expressly or by necessary implication, limit or restrict the
operation of any other law or of any principle or rule of the common law or of
equity, being a law, principle or rule:
(a) under or by virtue of which an
obligation of confidence exists; or
(b) that has the effect of restricting
or prohibiting, or imposing a liability (including a criminal liability) on a
person in respect of, a disclosure or use of information.
92
Extension of certain obligations of confidence
Where a person has acquired personal
information about another person and the first‑mentioned person knows or ought
reasonably to know that the person from whom he or she acquired the information
was subject to an obligation of confidence with respect to the information, the
first‑mentioned person, whether he or she is in the Australian Capital
Territory or not, is subject to a like obligation.
93
Relief for breach etc. of certain obligations of confidence
(1) A confider may recover damages from a
confidant in respect of a breach of an obligation of confidence with respect to
personal information.
(2) Subsection (1) does not limit or
restrict any other right that the confider has to relief in respect of the
breach.
(3) Where an obligation of confidence exists
with respect to personal information about a person other than the confider,
whether the obligation arose under a contract or otherwise, the person to whom
the information relates has the same rights against the confidant in respect of
a breach or threatened breach of the obligation as the confider has.
94
Jurisdiction of courts
(1) The jurisdiction of the courts of the Australian Capital Territory extends to matters arising under this Part.
(2) Subsection (1) does not deprive a
court of a State or of another Territory of any jurisdiction that it has.
Part IX—Miscellaneous
95
Medical research guidelines
(1) The CEO of the National Health and
Medical Research Council may, with the approval of the Commissioner, issue
guidelines for the protection of privacy in the conduct of medical research.
(2) The Commissioner shall not approve the
issue of guidelines unless he or she is satisfied that the public interest in
the promotion of research of the kind to which the guidelines relate outweighs
to a substantial degree the public interest in maintaining adherence to the
Information Privacy Principles.
(3) Guidelines shall be issued by being
published in the Gazette.
(4) Where:
(a) but for this subsection, an act
done by an agency would breach an Information Privacy Principle; and
(b) the act is done in the course of
medical research and in accordance with guidelines under subsection (1);
the act shall be regarded as not breaching that
Information Privacy Principle.
(5) Where the Commissioner refuses to approve
the issue of guidelines under subsection (1), an application may be made
to the Administrative Appeals Tribunal for review of the Commissioner’s
decision.
95A
Guidelines for National Privacy Principles about health information
Overview
(1) This section allows the Commissioner to
approve for the purposes of the National Privacy Principles (the NPPs)
guidelines that are issued by the CEO of the National Health and Medical
Research Council or a prescribed authority.
Approving guidelines for use and disclosure
(2) For the purposes of subparagraph 2.1(d)(ii)
of the NPPs, the Commissioner may, by notice in the Gazette, approve
guidelines that relate to the use and disclosure of health information for the
purposes of research, or the compilation or analysis of statistics, relevant to
public health or public safety.
Public interest test
(3) The Commissioner may give an approval
under subsection (2) only if satisfied that the public interest in the use
and disclosure of health information for the purposes mentioned in that
subsection in accordance with the guidelines substantially outweighs the public
interest in maintaining the level of privacy protection afforded by the NPPs
(other than paragraph 2.1(d)).
Approving guidelines for collection
(4) For the purposes of subparagraph 10.3(d)(iii)
of the NPPs, the Commissioner may, by notice in the Gazette, approve
guidelines that relate to the collection of health information for the purposes
of:
(a) research, or the compilation or
analysis of statistics, relevant to public health or public safety; or
(b) the management, funding or
monitoring of a health service.
Public interest test
(5) The Commissioner may give an approval
under subsection (4) only if satisfied that the public interest in the
collection of health information for the purposes mentioned in that subsection
in accordance with the guidelines substantially outweighs the public interest
in maintaining the level of privacy protection afforded by the NPPs (other than
paragraph 10.3(d)).
Revocation of approval
(6) The Commissioner may, by notice in the Gazette,
revoke an approval of guidelines under this section if he or she is no longer
satisfied of the matter that he or she had to be satisfied of to approve the
guidelines.
Review by AAT
(7) Application may be made to the
Administrative Appeals Tribunal for review of a decision of the Commissioner to
refuse to approve guidelines or to revoke an approval of guidelines.
95AA
Guidelines for National Privacy Principles about genetic information
Overview
(1) This section allows the Commissioner to
approve for the purposes of the National Privacy Principles (the NPPs)
guidelines that are issued by the National Health and Medical Research Council.
Approving guidelines for use and disclosure
(2) For the purposes of subparagraph 2.1(ea)(ii)
of the NPPs, the Commissioner may, by legislative instrument, approve
guidelines that relate to the use and disclosure of genetic information for the
purposes of lessening or preventing a serious threat to the life, health or
safety (whether or not the threat is imminent) of an individual who is a
genetic relative of the individual to whom the genetic information relates.
Review by AAT
(3) Application may be made to the
Administrative Appeals Tribunal for review of a decision of the Commissioner to
refuse to approve guidelines.
95B
Requirements for Commonwealth contracts
(1) This section requires an agency entering
into a Commonwealth contract to take contractual measures to ensure that a
contracted service provider for the contract does not do an act, or engage in a
practice, that would breach an Information Privacy Principle if done or engaged
in by the agency.
(2) The agency must ensure that the
Commonwealth contract does not authorise a contracted service provider for the
contract to do or engage in such an act or practice.
(3) The agency must also ensure that the
Commonwealth contract contains provisions to ensure that such an act or
practice is not authorised by a subcontract.
(4) For the purposes of subsection (3),
a subcontract is a contract under which a contracted service
provider for the Commonwealth contract is engaged to provide services to:
(a) another contracted service
provider for the Commonwealth contract; or
(b) any agency;
for the purposes (whether direct or indirect) of the
Commonwealth contract.
(5) This section applies whether the agency
is entering into the Commonwealth contract on behalf of the Commonwealth or in
the agency’s own right.
95C
Disclosure of certain provisions of Commonwealth contracts
If a person asks a party to a
Commonwealth contract to be informed of the content of provisions (if any) of
the contract that are inconsistent with an approved privacy code binding a
party to the contract or with a National Privacy Principle, the party requested
must inform the person in writing of that content (if any).
98
Injunctions
(1) Where a person has engaged, is engaging
or is proposing to engage in any conduct that constituted or would constitute a
contravention of this Act, the Federal Court or the Federal Circuit Court may,
on the application of the Commissioner or any other person, grant an injunction
restraining the person from engaging in the conduct and, if in the court’s
opinion it is desirable to do so, requiring the person to do any act or thing.
(2) Where:
(a) a person has refused or failed, or
is refusing or failing, or is proposing to refuse or fail, to do an act or
thing; and
(b) the refusal or failure was, is, or
would be a contravention of this Act;
the Federal Court or the Federal Circuit Court may, on the
application of the Commissioner or any other person, grant an injunction
requiring the first‑mentioned person to do that act or thing.
(3) Where an application is made to the court
for an injunction under this section, the court may, if in the court’s opinion
it is desirable to do so, before considering the application, grant an interim
injunction restraining a person from engaging in conduct of the kind referred
to in that subsection pending the determination of the application.
(4) The court may discharge or vary an
injunction granted under this section.
(5) The power
of the court to grant an injunction restraining a person from engaging in
conduct of a particular kind may be exercised:
(a) if the court is satisfied that the
person has engaged in conduct of that kind—whether or not it appears to the
court that the person intends to engage again, or to continue to engage, in
conduct of that kind; or
(b) if it appears to the court that,
in the event that an injunction is not granted, it is likely that the person
will engage in conduct of that kind—whether or not the person has previously
engaged in conduct of that kind and whether or not there is an imminent danger
of substantial damage to any person if the first‑mentioned person engages in
conduct of that kind.
(6) The power of the court to grant an
injunction requiring a person to do a particular act or thing may be exercised:
(a) if the court is satisfied that the
person has refused or failed to do that act or thing—whether or not it appears
to the court that the person intends to refuse or fail again, or to continue to
refuse or fail, to do that act or thing; or
(b) if it appears to the court that,
in the event that an injunction is not granted, it is likely that the person
will refuse or fail to do that act or thing—whether or not the person has
previously refused or failed to do that act or thing and whether or not there
is an imminent danger of substantial damage to any person if the first‑mentioned
person refuses or fails to do that act or thing.
(7) Where the Commissioner makes an
application to the court for the grant of an injunction under this section, the
court shall not require the Commissioner or any other person, as a condition of
the granting of an interim injunction, to give any undertakings as to damages.
(8) The powers conferred on the court under
this section are in addition to, and not in derogation of, any powers of the
court, whether conferred by this Act or otherwise.
99A
Conduct of directors, employees and agents
(1) Where, in proceedings for an offence
against this Act, it is necessary to establish the state of mind of a body
corporate in relation to particular conduct, it is sufficient to show:
(a) that the conduct was engaged in by
a director, employee or agent of the body corporate within the scope of his or
her actual or apparent authority; and
(b) that the director, employee or
agent had the state of mind.
(2) Any conduct engaged in on behalf of a
body corporate by a director, employee or agent of the body corporate within
the scope of his or her actual or apparent authority is to be taken, for the
purposes of a prosecution for an offence against this Act, to have been engaged
in also by the body corporate unless the body corporate establishes that the
body corporate took reasonable precautions and exercised due diligence to avoid
the conduct.
(3) Where, in
proceedings for an offence against this Act, it is necessary to establish the
state of mind of a person other than a body corporate in relation to particular
conduct, it is sufficient to show:
(a) that the conduct was engaged in by
an employee or agent of the person within the scope of his or her actual or
apparent authority; and
(b) that the employee or agent had the
state of mind.
(4) Any conduct engaged in on behalf of a
person other than a body corporate by an employee or agent of a person within
the scope of his or her actual or apparent authority is to be taken, for the
purposes of a prosecution for an offence against this Act, to have been engaged
in also by the first‑mentioned person unless the first‑mentioned person
establishes that the first‑mentioned person took reasonable precautions and
exercised due diligence to avoid the conduct.
(5) Where:
(a) a person other than a body
corporate is convicted of an offence; and
(b) the
person would not have been convicted of the offence if subsections (3) and
(4) had not been enacted;
the person is not liable to be punished by imprisonment for
that offence.
(6) A reference in subsection (1) or (3)
to the state of mind of a person includes a reference to:
(a) the knowledge, intention, opinion,
belief or purpose of the person; and
(b) the person’s reasons for the
intention, opinion, belief or purpose.
(7) A reference in this section to a director
of a body corporate includes a reference to a constituent member of a body
corporate incorporated for a public purpose by a law of the Commonwealth, of a
State or of a Territory.
(8) A reference in this section to engaging
in conduct includes a reference to failing or refusing to engage in conduct.
(9) A
reference in this section to an offence against this Act includes a reference
to an offence created by section 6 of the Crimes Act 1914, or section 11.1,
11.2, 11.2A, 11.4 or 11.5 of the Criminal Code, being an offence that
relates to this Act.
100
Regulations
(1) The Governor‑General may make
regulations, not inconsistent with this Act, prescribing matters:
(a) required or permitted by this Act
to be prescribed; or
(b) necessary or convenient to be
prescribed for carrying out or giving effect to this Act.
(2) Subject to subsection (3), before
the Governor‑General makes regulations for the purposes of subclause 7.1A
or paragraph 7.2(c) of the National Privacy Principles prescribing an
organisation, identifier and circumstances, the Minister must be satisfied
that:
(a) the agency or the principal
executive of the agency (if the agency has a principal executive) has agreed
that adoption, use or disclosure by the organisation of the identifier in the
circumstances is appropriate; and
(b) the agency or the principal
executive of the agency (if the agency has a principal executive) has consulted
the Commissioner about adoption, use or disclosure by the organisation of the
identifier in the circumstances; and
(c) adoption, use or disclosure by the
organisation of the identifier in the circumstances can only be for the benefit
of the individual concerned.
(3) Subsection (2) does not apply to the
making of regulations for the purposes of paragraph 7.2(c) of the National
Privacy Principles if:
(a) the regulations prescribe an
organisation, or class of organisations; and
(b) the regulations prescribe an
identifier, or class of identifiers, of a kind commonly used in the processing
of pay, or deductions from pay, of Commonwealth officers, or a class of
Commonwealth officers; and
(c) the circumstances prescribed by
the regulations for the use or disclosure by the organisation, or an
organisation in the class, of the identifier, or an identifier in the class,
relate to the provision by the organisation of superannuation services for the
benefit of Commonwealth officers; and
(d) before the regulations are made,
the Minister consults the Commissioner about the proposed regulations.
(4) In subsection (3):
superannuation services includes the
management, processing, allocation and transfer of superannuation
contributions.
Part X—Amendments of
other Acts
101
Amendments of other Acts
(1) The Acts specified in Schedule 1 are
amended as set out in Schedule 1.
(2) Section 27A of the Freedom of
Information Act 1982 as amended by this Act applies in relation to:
(a) a request that is received after
the commencement of this Act; and
(b) a request that was received before
that commencement if a decision to grant access under the Freedom of
Information Act 1982 to the document to which the request related had not
been made before that commencement by the officer or Minister dealing with the
request or a person reviewing, under section 54 of that Act, a decision
refusing to grant that access.
Schedule 1—Amendments of
other Acts
Section 101
Freedom of Information Act 1982
Subsection 19(4)
Omit “or 27”, substitute “, 27 or 27A”.
After section 27
Insert the following section:
27A Procedure on request in respect
of document relating to personal affairs
(1) Where:
(a) a request has been received by an
agency or Minister in respect of a document containing information relating to
the personal affairs of a person (including a deceased person); and
(b) it appears to the officer or
Minister dealing with the request, or to a person reviewing under section 54
a decision refusing the request, that the person referred to in paragraph (a),
or, if that person is deceased, the legal personal representative of that
person, might reasonably wish to contend that the document, so far as it
contains that information, is an exempt document under section 41;
a decision to grant access under this Act to the document,
so far as it contains that information, shall not be made unless, where it is
reasonably practicable to do so having regard to all the circumstances,
including the application of section 19:
(c) the agency or Minister has given
to that person or to the legal personal representative of that person, as the
case may be, a reasonable opportunity of making submissions in support of a
contention that the document, so far as it contains that information, is an
exempt document under section 41; and
(d) the person making the decision has
had regard to any submissions so made.
(2) Where, after any submissions have been
made in accordance with subsection (1), a decision is made that the
document, so far as it contains the information referred to in paragraph (1)(a),
is not an exempt document under section 41:
(a) the agency or Minister shall cause
notice in writing of the decision to be given to the person who made the
submissions, as well as to the person who made the request; and
(b) access shall not be given to the
document, so far as it contains the information referred to in paragraph (1)(a),
unless:
(i) the time for an
application to the Tribunal in accordance with section 59A by the person
who made the submissions has expired and such an application has not been made;
or
(ii) such an application
has been made and the Tribunal has confirmed the decision.
Section 38
Add at the end the following subsection:
(2) Where a person requests access to a
document, this section does not apply in relation to the document so far as it
contains information relating to the person’s personal affairs.
Section 48
(a) Omit
“section”, substitute “Part”.
(b) Omit
“provided to the claimant under this Act”, substitute “lawfully provided to the
claimant, whether under this Act or otherwise,”.
After section 59
Insert the following section:
59A Review of certain decisions in
respect of documents relating to personal affairs
(1) Where notice of a decision that a
document, so far as it contains certain information, is not an exempt document
under section 41 has been given, in accordance with subsection 27A(2),
to a person who made submissions in accordance with that section, that person
may apply to the Tribunal for a review of that decision.
(2) Where an application is made in accordance
with subsection (1):
(a) the provisions of this Part (other
than sections 55 and 61) apply in like manner as they apply in relation to
an application for review of a decision refusing to grant access to a document;
and
(b) the agency or Minister concerned
shall forthwith inform the person who made the request of the application.
(3) Where:
(a) upon a request referred to in
subsection 27A(1), a decision is made, after the making of submissions by
a person in accordance with that subsection, not to grant access to the
document to which the request relates, so far as it contains the information
referred to in paragraph 27A(1)(a); and
(b) an application is made to the
Tribunal for a review of the decision;
the agency or Minister concerned shall forthwith inform
the person who made the submissions of the application.
Human Rights and Equal Opportunity
Commission Act 1986
Subsection 3(1)
Insert the following definition:
Privacy Commissioner means the Privacy
Commissioner appointed under the Privacy Act 1988.
Paragraph 8(1)(c)
Omit “and”.
Paragraph 8(1)(d)
Omit the paragraph, substitute the following paragraphs:
(d) the Sex Discrimination
Commissioner; and
(e) the Privacy Commissioner.
Subsection 8(7)
Omit “or Sex Discrimination Commissioner”, substitute “, Sex
Discrimination Commissioner or Privacy Commissioner”.
Subsection 20(4)
After “shall” insert “, unless the complaint has been transferred
under subsection (4A),”.
After subsection 20(4)
Insert the following subsections:
(4A) Where:
(a) a complaint has been made to the
Commission in relation to an act or practice; and
(b) because the Commission is of the
opinion that the subject‑matter of the complaint could be more effectively or
conveniently dealt with by the Privacy Commissioner in the performance of the
functions referred to in paragraph 27(1)(a) or 28(1)(b) or (c) of the Privacy
Act 1988, the Commission decides not to inquire, or not to continue to
inquire, into that act or practice;
the Commission shall:
(c) transfer the complaint to the
Privacy Commissioner;
(d) forthwith give notice in writing
to the complainant stating that the complaint has been so transferred; and
(e) give to the Privacy Commissioner
any information or documents that relate to the complaint and are in the
possession, or under the control, of the Commission.
(4B) A complaint transferred under subsection (4A)
shall be taken to be a complaint made to the Privacy Commissioner under Part V
of the Privacy Act 1988.
After subsection 49(4)
Insert the following subsection:
(4A) Subsection (1) does not prevent the
Commission, or a person acting on behalf of the Commission, from giving
information or documents in accordance with paragraph 20(4A)(e).
Merit Protection (Australian
Government Employees) Act 1984
After subsection 49(1)
Insert the following subsections:
(1A) Where:
(a) an application has been made to
the Agency with respect to particular action; and
(b) because the Agency is of the
opinion that it is more appropriate that the action be dealt with by the
Privacy Commissioner in the performance of the functions referred to in
paragraph 27(1)(a) or 28(1)(b) or (c) of the Privacy Act 1988, the
Agency decides, under subparagraph (1)(b)(ii) of this section, not to
investigate the action, or not to investigate the action further;
the Agency shall:
(c) transfer the application to the
Privacy Commissioner;
(d) forthwith give notice in writing
to the applicant stating that the application has been so transferred; and
(e) give to the Privacy Commissioner
any information or documents that relate to the application and are in the
possession, or under the control, of the Agency.
(1B) An application transferred under subsection (1A)
shall be deemed to be a complaint made in writing to the Privacy Commissioner
under Part V of the Privacy Act 1988.
(1C) In subsections (1A) and (1B), Privacy
Commissioner means the Privacy Commissioner within the meaning of the Privacy
Act 1988.
Paragraph 49(3)(a)
After “further” insert “, and subsection (1A) does not
require the Agency to transfer the application”.
After subsection 84(4)
Insert the following subsection:
(4A) Subsection (2) does not prevent the
Agency, or an officer acting on behalf of the Agency, from giving information
or documents under paragraph 49(1A)(e).
Ombudsman Act 1976
After subsection 6(4)
Insert the following subsections:
(4A) Where, before the Ombudsman commences, or
after the Ombudsman has commenced, to investigate action taken by a Department
or by a prescribed authority, being action that is the subject matter of a
complaint, the Ombudsman becomes of the opinion that:
(a) a complaint with respect to the
action has been, or could have been, made by the complainant to the Privacy
Commissioner under Part V of the Privacy Act 1988; and
(b) the action could be more
conveniently or effectively dealt with by the Privacy Commissioner;
the Ombudsman may decide not to investigate the action, or
not to investigate the action further, as the case may be, and, if the
Ombudsman so decides, the Ombudsman shall:
(c) transfer the complaint to the
Privacy Commissioner;
(d) forthwith give notice in writing
to the complainant stating that the complaint has been so transferred; and
(e) give to the Privacy Commissioner
any information or documents that relate to the complaint and are in the
possession, or under the control, of the Ombudsman.
(4B) A complaint transferred under subsection (4A)
shall be deemed to be a complaint made to the Privacy Commissioner under Part V
of the Privacy Act 1988.
(4C) In subsections (4A) and (4B), Privacy
Commissioner means the Privacy Commissioner within the meaning of the Privacy
Act 1988.
After subsection 35(6)
Insert the following subsection:
(6A) Subsection (2) does not prevent the
Ombudsman, or an officer acting on behalf of the Ombudsman, from giving
information or documents under paragraph 6(4A)(e).
Schedule 3—National
Privacy Principles
Note: See section 6.
1
Collection
1.1 An organisation must not collect personal
information unless the information is necessary for one or more of its
functions or activities.
1.2 An organisation must collect personal
information only by lawful and fair means and not in an unreasonably intrusive
way.
1.3 At or before the time (or, if that is not
practicable, as soon as practicable after) an organisation collects personal
information about an individual from the individual, the organisation must take
reasonable steps to ensure that the individual is aware of:
(a) the identity of the organisation
and how to contact it; and
(b) the fact that he or she is able to
gain access to the information; and
(c) the purposes for which the
information is collected; and
(d) the organisations (or the types of
organisations) to which the organisation usually discloses information of that
kind; and
(e) any law that requires the
particular information to be collected; and
(f) the main consequences (if any)
for the individual if all or part of the information is not provided.
1.4 If it is reasonable and practicable to do so,
an organisation must collect personal information about an individual only from
that individual.
1.5 If an organisation collects personal
information about an individual from someone else, it must take reasonable
steps to ensure that the individual is or has been made aware of the matters
listed in subclause 1.3 except to the extent that making the individual
aware of the matters would pose a serious threat to the life or health of any
individual.
2 Use
and disclosure
2.1 An organisation must not use or disclose
personal information about an individual for a purpose (the secondary
purpose) other than the primary purpose of collection unless:
(a) both of the following apply:
(i) the secondary purpose
is related to the primary purpose of collection and, if the personal
information is sensitive information, directly related to the primary purpose
of collection;
(ii) the individual would
reasonably expect the organisation to use or disclose the information for the
secondary purpose; or
(b) the individual has consented to
the use or disclosure; or
(c) if the information is not
sensitive information and the use of the information is for the secondary
purpose of direct marketing:
(i) it is impracticable
for the organisation to seek the individual’s consent before that particular
use; and
(ii) the organisation will
not charge the individual for giving effect to a request by the individual to
the organisation not to receive direct marketing communications; and
(iii) the individual has not
made a request to the organisation not to receive direct marketing
communications; and
(iv) in each direct
marketing communication with the individual, the organisation draws to the
individual’s attention, or prominently displays a notice, that he or she may
express a wish not to receive any further direct marketing communications; and
(v) each written direct
marketing communication by the organisation with the individual (up to and
including the communication that involves the use) sets out the organisation’s
business address and telephone number and, if the communication with the
individual is made by fax, telex or other electronic means, a number or address
at which the organisation can be directly contacted electronically; or
(d) if the information is health
information and the use or disclosure is necessary for research, or the
compilation or analysis of statistics, relevant to public health or public
safety:
(i) it is impracticable
for the organisation to seek the individual’s consent before the use or
disclosure; and
(ii) the use or disclosure
is conducted in accordance with guidelines approved by the Commissioner under
section 95A for the purposes of this subparagraph; and
(iii) in the case of
disclosure—the organisation reasonably believes that the recipient of the
health information will not disclose the health information, or personal
information derived from the health information; or
(e) the organisation reasonably
believes that the use or disclosure is necessary to lessen or prevent:
(i) a serious and imminent
threat to an individual’s life, health or safety; or
(ii) a serious threat to
public health or public safety; or
(ea) if the information is genetic
information and the organisation has obtained the genetic information in the
course of providing a health service to the individual:
(i) the organisation
reasonably believes that the use or disclosure is necessary to lessen or
prevent a serious threat to the life, health or safety (whether or not the
threat is imminent) of an individual who is a genetic relative of the
individual to whom the genetic information relates; and
(ii) the use or disclosure
is conducted in accordance with guidelines approved by the Commissioner under
section 95AA for the purposes of this subparagraph; and
(iii) in the case of
disclosure—the recipient of the genetic information is a genetic relative of
the individual; or
(f) the organisation has reason to
suspect that unlawful activity has been, is being or may be engaged in, and
uses or discloses the personal information as a necessary part of its
investigation of the matter or in reporting its concerns to relevant persons or
authorities; or
(g) the use or disclosure is required
or authorised by or under law; or
(h) the organisation reasonably
believes that the use or disclosure is reasonably necessary for one or more of
the following by or on behalf of an enforcement body:
(i) the prevention,
detection, investigation, prosecution or punishment of criminal offences,
breaches of a law imposing a penalty or sanction or breaches of a prescribed
law;
(ii) the enforcement of
laws relating to the confiscation of the proceeds of crime;
(iii) the protection of the
public revenue;
(iv) the prevention,
detection, investigation or remedying of seriously improper conduct or
prescribed conduct;
(v) the
preparation for, or conduct of, proceedings before any court or tribunal, or
implementation of the orders of a court or tribunal.
Note 1: It is not intended to deter organisations from
lawfully co‑operating with agencies performing law enforcement functions in the
performance of their functions.
Note 2: Subclause 2.1 does not override any
existing legal obligations not to disclose personal information. Nothing in
subclause 2.1 requires an organisation to disclose personal information;
an organisation is always entitled not to disclose personal information in the
absence of a legal obligation to disclose it.
Note 3: An organisation is also subject to the
requirements of National Privacy Principle 9 if it transfers personal
information to a person in a foreign country.
2.2 If an organisation uses or discloses
personal information under paragraph 2.1(h), it must make a written note
of the use or disclosure.
2.3 Subclause 2.1 operates in relation to
personal information that an organisation that is a body corporate has
collected from a related body corporate as if the organisation’s primary
purpose of collection of the information were the primary purpose for which the
related body corporate collected the information.
2.4 Despite subclause 2.1, an
organisation that provides a health service to an individual may disclose
health information about the individual to a person who is responsible for the
individual if:
(a) the individual:
(i) is physically or
legally incapable of giving consent to the disclosure; or
(ii) physically cannot
communicate consent to the disclosure; and
(b) a natural person (the carer)
providing the health service for the organisation is satisfied that either:
(i) the disclosure is
necessary to provide appropriate care or treatment of the individual; or
(ii) the disclosure is made
for compassionate reasons; and
(c) the disclosure is not contrary to
any wish:
(i) expressed by the
individual before the individual became unable to give or communicate consent;
and
(ii) of which the carer is
aware, or of which the carer could reasonably be expected to be aware; and
(d) the disclosure is limited to the
extent reasonable and necessary for a purpose mentioned in paragraph (b).
2.5 For the purposes of subclause 2.4, a
person is responsible for an individual if the person is:
(a) a parent of the individual; or
(b) a child or sibling of the
individual and at least 18 years old; or
(c) a spouse or de facto partner
of the individual; or
(d) a relative of the individual, at least
18 years old and a member of the individual’s household; or
(e) a guardian of the individual; or
(f) exercising an enduring power of
attorney granted by the individual that is exercisable in relation to decisions
about the individual’s health; or
(g) a person who has an intimate
personal relationship with the individual; or
(h) a person nominated by the
individual to be contacted in case of emergency.
2.6 In subclause 2.5:
child: without limiting who is a child of an
individual for the purposes of this clause, each of the following is the child
of an individual:
(a) an adopted child, stepchild,
exnuptial child or foster child of the individual; and
(b) someone who is a child of the
individual within the meaning of the Family Law Act 1975.
de facto partner has the meaning
given by the Acts Interpretation Act 1901.
parent: without limiting who is a parent of
an individual for the purposes of this clause, someone is the parent of
an individual if the individual is his or her child because of the definition
of child in this subclause.
relative of an individual means a
grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.
sibling of an individual includes a half‑brother,
half‑sister, adoptive brother, adoptive sister, step‑brother, step‑sister,
foster‑brother and foster‑sister, of the individual.
stepchild: without limiting who is a
stepchild of an individual for the purposes of this clause, someone is the stepchild
of an individual if he or she would be the individual’s stepchild
except that the individual is not legally married to the individual’s de facto partner.
2.7 For the purposes of the definition of relative
in subclause 2.6, relationships to an individual may also be traced to or
through another individual who is:
(a) a de facto partner
of the first individual; or
(b) the child of the first individual
because of the definition of child in that subclause.
2.8 For the
purposes of the definition of sibling in subclause 2.6, an
individual is also a sibling of another individual if a relationship referred
to in that definition can be traced through a parent of either or both of them.
3 Data
quality
An organisation must take reasonable
steps to make sure that the personal information it collects, uses or discloses
is accurate, complete and up‑to‑date.
4 Data
security
4.1 An organisation must take reasonable steps
to protect the personal information it holds from misuse and loss and from
unauthorised access, modification or disclosure.
4.2 An organisation must take reasonable steps
to destroy or permanently de‑identify personal information if it is no longer
needed for any purpose for which the information may be used or disclosed under
National Privacy Principle 2.
5
Openness
5.1 An organisation must set out in a document
clearly expressed policies on its management of personal information. The
organisation must make the document available to anyone who asks for it.
5.2 On request by a person, an organisation
must take reasonable steps to let the person know, generally, what sort of
personal information it holds, for what purposes, and how it collects, holds,
uses and discloses that information.
6
Access and correction
6.1 If an organisation holds personal
information about an individual, it must provide the individual with access to
the information on request by the individual, except to the extent that:
(a) in the case of personal
information other than health information—providing access would pose a serious
and imminent threat to the life or health of any individual; or
(b) in the case of health
information—providing access would pose a serious threat to the life or health
of any individual; or
(c) providing access would have an
unreasonable impact upon the privacy of other individuals; or
(d) the request for access is
frivolous or vexatious; or
(e) the information relates to
existing or anticipated legal proceedings between the organisation and the
individual, and the information would not be accessible by the process of
discovery in those proceedings; or
(f) providing access would reveal the
intentions of the organisation in relation to negotiations with the individual
in such a way as to prejudice those negotiations; or
(g) providing access would be
unlawful; or
(h) denying access is required or
authorised by or under law; or
(i) providing access would be likely
to prejudice an investigation of possible unlawful activity; or
(j) providing access would be likely
to prejudice:
(i) the prevention,
detection, investigation, prosecution or punishment of criminal offences,
breaches of a law imposing a penalty or sanction or breaches of a prescribed
law; or
(ii) the enforcement of
laws relating to the confiscation of the proceeds of crime; or
(iii) the protection of the
public revenue; or
(iv) the prevention, detection,
investigation or remedying of seriously improper conduct or prescribed conduct;
or
(v) the preparation for, or
conduct of, proceedings before any court or tribunal, or implementation of its
orders;
by or on behalf of an
enforcement body; or
(k) an enforcement body performing a
lawful security function asks the organisation not to provide access to the
information on the basis that providing access would be likely to cause damage
to the security of Australia.
6.2 However, where providing access would
reveal evaluative information generated within the organisation in connection
with a commercially sensitive decision‑making process, the organisation may
give the individual an explanation for the commercially sensitive decision
rather than direct access to the information.
Note: An organisation breaches subclause 6.1 if
it relies on subclause 6.2 to give an individual an explanation for a
commercially sensitive decision in circumstances where subclause 6.2 does
not apply.
6.3 If the organisation is not required to
provide the individual with access to the information because of one or more of
paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable,
consider whether the use of mutually agreed intermediaries would allow
sufficient access to meet the needs of both parties.
6.4 If an organisation charges for providing
access to personal information, those charges:
(a) must not be excessive; and
(b) must not apply to lodging a
request for access.
6.5 If an organisation holds personal
information about an individual and the individual is able to establish that
the information is not accurate, complete and up‑to‑date, the organisation must
take reasonable steps to correct the information so that it is accurate,
complete and up‑to‑date.
6.6 If the individual and the organisation
disagree about whether the information is accurate, complete and up‑to‑date,
and the individual asks the organisation to associate with the information a
statement claiming that the information is not accurate, complete or up‑to‑date,
the organisation must take reasonable steps to do so.
6.7 An organisation must provide reasons for
denial of access or a refusal to correct personal information.
7
Identifiers
7.1 An organisation must not adopt as its own
identifier of an individual an identifier of the individual that has been
assigned by:
(a) an agency; or
(b) an agent of an agency acting in
its capacity as agent; or
(c) a contracted service provider for
a Commonwealth contract acting in its capacity as contracted service provider
for that contract.
7.1A However, subclause 7.1 does not apply
to the adoption by a prescribed organisation of a prescribed identifier in
prescribed circumstances.
Note: There are prerequisites that must be satisfied
before those matters are prescribed: see subsection 100(2).
7.2 An organisation must not use or disclose
an identifier assigned to an individual by an agency, or by an agent or
contracted service provider mentioned in subclause 7.1, unless:
(a) the use or disclosure is necessary
for the organisation to fulfil its obligations to the agency; or
(b) one or more of paragraphs 2.1(e)
to 2.1(h) (inclusive) apply to the use or disclosure; or
(c) the use or disclosure is by a
prescribed organisation of a prescribed identifier in prescribed circumstances.
Note: There are prerequisites that must be satisfied
before the matters mentioned in paragraph (c) are prescribed: see
subsections 100(2)
and (3).
7.3 In this clause:
identifier includes a number assigned by an
organisation to an individual to identify uniquely the individual for the
purposes of the organisation’s operations. However, an individual’s name or ABN
(as defined in the A New Tax System (Australian Business Number) Act 1999)
is not an identifier.
8
Anonymity
Wherever it is lawful and practicable,
individuals must have the option of not identifying themselves when entering
transactions with an organisation.
9
Transborder data flows
An organisation in Australia or an external Territory may transfer personal information about an individual to
someone (other than the organisation or the individual) who is in a foreign
country only if:
(a) the organisation reasonably
believes that the recipient of the information is subject to a law, binding
scheme or contract which effectively upholds principles for fair handling of
the information that are substantially similar to the National Privacy
Principles; or
(b) the individual consents to the
transfer; or
(c) the transfer is necessary for the
performance of a contract between the individual and the organisation, or for
the implementation of pre‑contractual measures taken in response to the
individual’s request; or
(d) the transfer is necessary for the
conclusion or performance of a contract concluded in the interest of the
individual between the organisation and a third party; or
(e) all
of the following apply:
(i) the transfer is for
the benefit of the individual;
(ii) it is impracticable to
obtain the consent of the individual to that transfer;
(iii) if it were practicable
to obtain such consent, the individual would be likely to give it; or
(f) the organisation has taken
reasonable steps to ensure that the information which it has transferred will
not be held, used or disclosed by the recipient of the information
inconsistently with the National Privacy Principles.
10
Sensitive information
10.1 An organisation must not collect sensitive
information about an individual unless:
(a) the individual has consented; or
(b) the collection is required by law;
or
(c) the collection is necessary to
prevent or lessen a serious and imminent threat to the life or health of any
individual, where the individual whom the information concerns:
(i) is physically or
legally incapable of giving consent to the collection; or
(ii) physically cannot
communicate consent to the collection; or
(d) if the information is collected in
the course of the activities of a non‑profit organisation—the following
conditions are satisfied:
(i) the information
relates solely to the members of the organisation or to individuals who have
regular contact with it in connection with its activities;
(ii) at or before the time
of collecting the information, the organisation undertakes to the individual
whom the information concerns that the organisation will not disclose the
information without the individual’s consent; or
(e) the collection is necessary for
the establishment, exercise or defence of a legal or equitable claim.
10.2 Despite
subclause 10.1, an organisation may collect health information about an
individual if:
(a) the information is necessary to
provide a health service to the individual; and
(b) the information is collected:
(i) as required or
authorised by or under law (other than this Act); or
(ii) in accordance with
rules established by competent health or medical bodies that deal with
obligations of professional confidentiality which bind the organisation.
10.3 Despite subclause 10.1, an
organisation may collect health information about an individual if:
(a) the collection is necessary for
any of the following purposes:
(i) research relevant to
public health or public safety;
(ii) the compilation or
analysis of statistics relevant to public health or public safety;
(iii) the management,
funding or monitoring of a health service; and
(b) that purpose cannot be served by
the collection of information that does not identify the individual or from
which the individual’s identity cannot reasonably be ascertained; and
(c) it is impracticable for the
organisation to seek the individual’s consent to the collection; and
(d) the information is collected:
(i) as required by law
(other than this Act); or
(ii) in accordance with
rules established by competent health or medical bodies that deal with
obligations of professional confidentiality which bind the organisation; or
(iii) in accordance with
guidelines approved by the Commissioner under section 95A for the purposes
of this subparagraph.
10.4 If an organisation collects health information
about an individual in accordance with subclause 10.3, the organisation
must take reasonable steps to permanently de‑identify the information before
the organisation discloses it.
10.5 In this
clause:
non‑profit organisation means a non‑profit
organisation that has only racial, ethnic, political, religious, philosophical,
professional, trade, or trade union aims.
Endnotes
Endnote 1—Legislation history
This endnote sets out details of the legislation history of
the Privacy Act 1988.
Act
|
Number and year
|
Assent date
|
Commencement
date
|
Application, saving and transitional
provisions
|
Privacy Act 1988
|
119, 1988
|
14
Dec 1988
|
1 Jan 1989 (see Gazette 1988, No. S399)
|
|
Law and Justice Legislation
Amendment Act 1989
|
11, 1990
|
17 Jan 1990
|
Part 1 (ss. 1, 2)
and Part 3 (ss. 6, 7): Royal Assent
ss. 8–10: 17 July 1990
ss. 12, 13 and 51(1)(b), (2): 17 Jan 1990 (see
s. 2(5))
Remainder: 14 Feb 1990
|
—
|
Defence Legislation
Amendment Act 1990
|
75, 1990
|
22 Oct 1990
|
s. 5: Royal Assent (a)
|
—
|
Privacy Amendment Act 1990
|
116, 1990
|
24 Dec 1990
|
24 Sept 1991
|
s. 25 (ad. by 136, 1991, s. 21)
|
as
amended by
|
|
|
|
|
Law
and Justice Legislation Amendment Act 1991
|
136, 1991
|
12 Sept 1991
|
Part 4 (s. 21): 24 Sept 1991 (b)
|
—
|
Law and Justice Legislation
Amendment Act (No. 3) 1992
|
165, 1992
|
11 Dec 1992
|
s. 4: (c)
|
—
|
Data‑matching Program
(Assistance and Tax) Act 1990
|
20, 1991
|
23 Jan 1991
|
23 Jan 1991
|
—
|
Crimes Legislation Amendment
Act 1991
|
28, 1991
|
4 Mar 1991
|
s. 74(1): Royal Assent (d)
|
—
|
Industrial Relations
Legislation Amendment Act 1991
|
122, 1991
|
27 June 1991
|
ss. 4(1), 10(b) and 15–20: 1 Dec 1988
ss. 28(b)–(e), 30 and 31: 10 Dec 1991 (see Gazette 1991, No. S332)
Remainder: Royal Assent
|
s. 31(2)
|
Law and Justice Legislation
Amendment Act 1991
|
136, 1991
|
12 Sept 1991
|
Part 3 (ss. 10–20):
(e)
|
—
|
Social Security Legislation
Amendment Act (No. 4) 1991
|
194, 1991
|
13 Dec 1991
|
Schedule 5 (Part 2):
(f)
|
—
|
Law and Justice Legislation
Amendment Act (No. 4) 1992
|
143, 1992
|
7 Dec 1992
|
7 Dec 1992
|
—
|
National Health Amendment
Act 1993
|
28, 1993
|
9 June 1993
|
9 June 1993
|
—
|
Law and Justice Legislation
Amendment Act 1993
|
13, 1994
|
18 Jan 1994
|
s. 22: 13 Jan 1993 Part 6 (ss. 27–41): 11 Apr 1994 (see Gazette 1994, No. S126) Remainder:
Royal Assent
|
s. 16
|
Law and Justice Legislation
Amendment Act 1994
|
84, 1994
|
23 June 1994
|
s. 71: Royal Assent (g)
|
—
|
Australian Capital Territory
Government Service (Consequential Provisions) Act 1994
|
92, 1994
|
29 June 1994
|
1 July 1994 (see
Gazette 1994, No. S256)
|
—
|
Employment Services
(Consequential Amendments) Act 1994
|
177, 1994
|
19 Dec 1994
|
ss. 1, 2(1), (3) and Part 2
(ss. 3–8): 19 Dec 1994 (see s. 2(1))
s. 2(2) and Div. 4 of Part 6 (ss. 32–39): Royal Assent
Remainder: 1 Jan 1995 (see s. 2(3) and Gazette 1994, No. S472)
|
s. 19
|
Human Rights Legislation
Amendment Act 1995
|
59, 1995
|
28 June 1995
|
Schedule (item 25): 30
Oct 1992
Remainder: Royal Assent
|
ss. 4, 5
|
Statute Law Revision Act
1996
|
43, 1996
|
25 Oct 1996
|
Schedule 4 (item 122):
Royal Assent (h)
|
—
|
Law and Justice Legislation
Amendment Act 1997
|
34, 1997
|
17 Apr 1997
|
Schedule 13: Royal
Assent (i)
|
—
|
Hearing Services and AGHS
Reform Act 1997
|
82, 1997
|
18 June 1997
|
Schedule 4 (items 1,
2, 4–12): Royal Assent (j)
Schedule 4 (item 3): (j)
|
Sch. 4 (item 12)
|
as
amended by
|
|
|
|
|
Statute
Law Revision Act 2005
|
100, 2005
|
6 July 2005
|
Schedule 2 (item 20):
(ja)
|
—
|
Statute Law Revision Act
2006
|
9, 2006
|
23 Mar 2006
|
Schedule 2 (item 19):
(see 9, 2006 below)
|
—
|
Financial Sector Reform
(Consequential Amendments) Act 1998
|
48, 1998
|
29 June 1998
|
Schedule 1 (item 133):
1 July 1998 (see Gazette 1998, No. S316) (k)
|
—
|
Financial Sector Reform
(Amendments and Transitional Provisions) Act (No. 1) 1999
|
44, 1999
|
17 June 1999
|
Schedule 7 (items 126–128):
(l)
|
—
|
Public Employment
(Consequential and Transitional) Amendment Act 1999
|
146, 1999
|
11 Nov 1999
|
Schedule 1 (items 738–747):
5 Dec 1999 (see Gazette 1999, No. S584) (m)
|
—
|
Australian Security
Intelligence Organisation Legislation Amendment Act 1999
|
161, 1999
|
10 Dec 1999
|
Schedule 3 (items 1,
49): (n)
|
—
|
Privacy Amendment (Office of
the Privacy Commissioner) Act 2000
|
2, 2000
|
29 Feb 2000
|
1 July 2000 (see
Gazette 2000, No. S229)
|
Sch. 1 (item 15) (am.
by 70, 2009, Sch. 3 [items 58, 59])
|
as
amended by
|
|
|
|
|
Disability
Discrimination and Other Human Rights Legislation Amendment Act 2009
|
70, 2009
|
8 July 2009
|
Schedule 3 (items 58,
59): 5 Aug 2009
|
—
|
Australian Federal Police
Legislation Amendment Act 2000
|
9, 2000
|
7 Mar 2000
|
2 July 2000 (see
Gazette 2000, No. S328)
|
Sch. 3 (items 20, 29,
34, 35)
|
Privacy Amendment (Private
Sector) Act 2000
|
155, 2000
|
21 Dec 2000
|
Schedule 3: Royal Assent
Remainder: 21 Dec 2001
|
Sch. 1 (items 37, 53,
57, 76, 100, 124, 130) and Sch. 3 (item 4)
|
Law and Justice Legislation
Amendment (Application of Criminal Code) Act 2001
|
24, 2001
|
6 Apr 2001
|
s. 4(1), (2) and Schedule 40
(items 1–9, 11–13): (o) Schedule 40 (item 10): (o)
|
s. 4(1), (2)
|
Corporations (Repeals,
Consequentials and Transitionals) Act 2001
|
55, 2001
|
28 June 2001
|
ss. 4–14 and Schedule 3
(item 437): 15 July 2001 (see Gazette 2001, No. S285) (p)
Schedule 3 (item 438): (p)
|
s. 2(8) (am. by 116, 2003,
Sch. 4 [item 1])
ss. 4–14
|
as
amended by
|
|
|
|
|
Financial
Sector Legislation Amendment Act (No. 1) 2003
|
116, 2003
|
27 Nov 2003
|
Schedule 4 (item 1):
(q)
|
—
|
National Crime Authority
Legislation Amendment Act 2001
|
135, 2001
|
1 Oct 2001
|
Schedules 1–7 and 9–12:
12 Oct 2001 (see Gazette 2001, No. S428)
Schedule 8: 13 Oct 2001 (see Gazette 2001, No. S428)
Remainder: Royal Assent
|
—
|
Abolition of Compulsory Age
Retirement (Statutory Officeholders) Act 2001
|
159, 2001
|
1 Oct 2001
|
29 Oct 2001
|
Sch. 1 (item 97)
|
Australian Crime Commission
Establishment Act 2002
|
125, 2002
|
10 Dec 2002
|
Schedule 2 (items 99–106):
1 Jan 2003
|
—
|
Defence Legislation
Amendment Act 2003
|
135, 2003
|
17 Dec 2003
|
Schedule 2 (item 39):
17 June 2004
|
—
|
Privacy Amendment Act 2004
|
49, 2004
|
21 Apr 2004
|
21 Apr 2004
|
Sch. 1 (items 3, 5)
|
as
amended by
|
|
|
|
|
Statute
Law Revision Act 2006
|
9, 2006
|
23 Mar 2006
|
Schedule 2 (item 21):
(see 9, 2006 below)
|
—
|
Administrative Appeals
Tribunal Amendment Act 2005
|
38, 2005
|
1 Apr 2005
|
Schedule 1 (item 229):
16 May 2005
|
—
|
Statute Law Revision Act
2005
|
100, 2005
|
6 July 2005
|
Schedule 1 (item 38):
Royal Assent
|
—
|
Intelligence Services
Legislation Amendment Act 2005
|
128, 2005
|
4 Nov 2005
|
Schedules 1–8: 2 Dec
2005
Remainder: Royal Assent
|
—
|
Statute Law Revision Act
2006
|
9, 2006
|
23 Mar 2006
|
Schedule 1 (item 21)
and Schedule 2 (items 19, 21): (r)
|
—
|
Postal Industry Ombudsman
Act 2006
|
25, 2006
|
6 Apr 2006
|
Schedule 1 (items 17–19,
20(2)): 6 Oct 2006
|
Sch. 1 (item 20(2))
|
as
amended by
|
|
|
|
|
Statute
Law Revision Act 2008
|
73, 2008
|
3 July 2008
|
Schedule 2 (item 24):
(s)
|
—
|
National Health and Medical
Research Council Amendment Act 2006
|
50, 2006
|
9 June 2006
|
Schedule 1: 1 July
2006
Remainder: Royal Assent
|
—
|
Law Enforcement Integrity
Commissioner (Consequential Amendments) Act 2006
|
86, 2006
|
30 June 2006
|
Schedule 1 (items 48–53):
30 Dec 2006 (see s. 2(1))
|
—
|
Privacy Legislation
Amendment Act 2006
|
99, 2006
|
14 Sept 2006
|
14 Sept 2006
|
—
|
Privacy Legislation
Amendment (Emergencies and Disasters) Act 2006
|
148, 2006
|
6 Dec 2006
|
7 Dec 2006
|
—
|
Anti‑Money Laundering and
Counter‑Terrorism Financing (Transitional Provisions and Consequential
Amendments) Act 2006
|
170, 2006
|
12 Dec 2006
|
Schedule 1 (item 152):
13 Dec 2006 (see s. 2(1))
|
—
|
Quarantine Amendment
(Commission of Inquiry) Act 2007
|
158, 2007
|
24 Sept 2007
|
24 Sept 2007
|
—
|
Archives Amendment Act 2008
|
113, 2008
|
31 Oct 2008
|
1 Nov 2008
|
—
|
Same‑Sex Relationships
(Equal Treatment in Commonwealth Laws–General Law Reform) Act 2008
|
144, 2008
|
9 Dec 2008
|
Schedule 13: 1 July
2009
|
—
|
Customs Legislation
Amendment (Name Change) Act 2009
|
33, 2009
|
22 May 2009
|
Schedule 2 (item 46):
23 May 2009
|
—
|
Fair Work (State Referral
and Consequential and Other Amendments) Act 2009
|
54, 2009
|
25 June 2009
|
Schedule 16 (items 1–3):
(t)
|
—
|
Disability Discrimination
and Other Human Rights Legislation Amendment Act 2009
|
70, 2009
|
8 July 2009
|
Schedule 3 (items 47–57):
5 Aug 2009
|
—
|
Offshore Petroleum and
Greenhouse Gas Storage Legislation Amendment Act 2009
|
102, 2009
|
8 Oct 2009
|
Schedule 1 (items 62M,
62N): 9 Oct 2009
|
—
|
Personal Property Securities
(Consequential Amendments) Act 2009
|
131, 2009
|
14 Dec 2009
|
Schedule 5 (items 25–30):
30 Jan 2012 (see F2011L02397)
|
—
|
Crimes Legislation Amendment
(Serious and Organised Crime) Act (No. 2) 2010
|
4, 2010
|
19 Feb 2010
|
Schedule 10 (item 23):
20 Feb 2010
|
—
|
Statute Law Revision Act
2010
|
8, 2010
|
1 Mar 2010
|
Schedule 5 (items 77,
78): Royal Assent
|
—
|
Freedom of Information
Amendment (Reform) Act 2010
|
51, 2010
|
31 May 2010
|
Schedule 3 (item 38),
Schedule 5 (items 52–58) and Schedule 7: (u)
|
Sch. 7
|
Healthcare Identifiers
(Consequential Amendments) Act 2010
|
73, 2010
|
28 June 2010
|
Schedule 2 (items 1–7):
29 June 2010 (see s. 2(1))
Schedule 2 (items 8–11): (v)
|
—
|
Territories Law Reform Act
2010
|
139, 2010
|
10 Dec 2010
|
Schedule 1 (item 76):
11 Dec 2010
Schedule 1 (items 244–297): 1 Jan 2011
|
Sch. 1 (item 297)
|
Tax Laws Amendment
(Confidentiality of Taxpayer Information) Act 2010
|
145, 2010
|
16 Dec 2010
|
Schedule 2 (items 62,
63): 17 Dec 2010
|
—
|
Law and Justice Legislation
Amendment (Identity Crimes and Other Measures) Act 2011
|
3, 2011
|
2 Mar 2011
|
Schedule 7 (item 4):
3 Mar 2011
|
—
|
Statute Law Revision Act
2011
|
5, 2011
|
22 Mar 2011
|
Schedule 1 (items 93–95):
Royal Assent
|
—
|
Education Services for
Overseas Students Legislation Amendment Act 2011
|
11, 2011
|
8 Apr 2011
|
Schedule 2 (items 5–7):
9 Apr 2011
|
—
|
Acts Interpretation
Amendment Act 2011
|
46, 2011
|
27 June 2011
|
Schedule 2 (items 915–922)
and Schedule 3 (items 10, 11): 27 Dec 2011
|
Sch. 3 (items 10, 11)
|
Combating the Financing of
People Smuggling and Other Measures Act 2011
|
60, 2011
|
28 June 2011
|
Schedule 3 (items 11–20):
Royal Assent
|
—
|
Crimes Legislation Amendment
(Powers and Offences) Act 2012
|
24, 2012
|
4 Apr 2012
|
Schedule 4 (item 52):
5 Apr 2012
|
—
|
Telecommunications
Interception and Other Legislation Amendment (State Bodies) Act 2012
|
74, 2012
|
27 June 2012
|
Schedule 1 (items 2,
28): 10 Feb 2013 (see s. 2(1))
|
Sch. 1 (item 28)
|
Freedom of Information
Amendment (Parliamentary Budget Office) Act 2012
|
177, 2012
|
4 Dec 2012
|
Schedule 1 (item 13):
Royal Assent
|
—
|
Privacy Amendment (Enhancing
Privacy Protection) Act 2012
|
197, 2012
|
12 Dec 2012
|
Schedules 1–4: [see
Endnote 3]
|
—
|
Public Service Amendment Act
2013
|
2, 2013
|
14 Feb 2013
|
Schedule 3 (items 14,
15): 1 July 2013 (see F2013L00484)
|
—
|
Federal Circuit Court of Australia
(Consequential Amendments) Act 2013
|
13, 2013
|
14 Mar 2013
|
Schedule 1 (items 468,
469): 12 Apr 2013 (see s. 2(1))
Schedule 2 (item 1): (w)
Schedule 3 (items 83–91):
[see (w) and Endnote 3]
|
—
|
(a) The Privacy Act 1988 was
amended by section 5 only of the Defence Legislation Amendment Act 1990,
subsection 2(1) of which provides as follows:
(1) Subject to this section, this
Act commences on the day on which it receives the Royal Assent.
(b) The Privacy Amendment Act 1990 was
amended by Part 4 (section 21) only of the Law and Justice
Legislation Amendment Act 1991, subsection 2(3) of which provides as
follows:
(3) Part 4 commences on 24 September
1991.
(c) The Privacy Amendment Act 1990
was amended by section 4 only of the Law and Justice Legislation
Amendment Act (No. 3) 1992, subsection 2(6) of which provides as
follows:
(6) The amendment of the Privacy
Amendment Act 1990 made by this Act is taken to have commenced immediately
after the commencement of section 18 of that Act.
Section 18 commenced on 24 September
1991.
(d) The Privacy Act 1988 was
amended by subsection 74(1) only of the Crimes Legislation Amendment
Act 1991, subsection 2(1) of which provides as follows:
(1) Subject to this section, this
Act commences on the day on which it receives the Royal Assent.
(e) The Privacy Act 1988 was
amended by Part 3 (sections 10–20) only of the Law and Justice
Legislation Amendment Act 1991, subsection 2(2) of which provides as
follows:
(2) Part 3 commences
immediately after the commencement of the Privacy Amendment Act 1990.
The Privacy Amendment Act 1990 came
into operation on 24 September 1991.
(f) The Privacy Act 1988 was
amended by Schedule 5 (Part 2) only of the Social Security
Legislation Amendment Act (No. 4) 1991, subsection 2(13) of which
provides as follows:
(13) Part 2 of Schedule 5
is taken to have commenced immediately after the commencement of the Data‑matching
Program (Assistance and Tax) Act 1990.
The Data‑matching Program (Assistance
and Tax) Act 1990 came into operation on 23 January 1991.
(g) The Privacy Act 1988 was
amended by section 71 only of the Law and Justice Legislation Amendment
Act 1994, subsection 2(1) of which provides as follows:
(1) Subject to this section, this
Act commences on the day on which it receives the Royal Assent.
(h) The Privacy Act 1988 was
amended by Schedule 4 (item 122) only of the Statute Law Revision
Act 1996, subsection 2(1) of which provides as follows:
(1) Subject to subsections (2)
and (3), this Act commences on the day on which it receives the Royal Assent.
(i) The Privacy Act 1988 was
amended by Schedule 13 only of the Law and Justice Legislation
Amendment Act 1997, subsection 2(1) of which provides as follows:
(1) Subject to this section, this
Act commences on the day on which it receives the Royal Assent.
(j) The Privacy Act 1988 was
amended by Schedule 4 (items 1–12) only of the Hearing Services
and AGHS Reform Act 1997, subsections 2(1) and (3) of which provide as
follows:
(1) Subject to this section, this
Act commences on the day on which it receives the Royal Assent.
(3) If Schedule 2 to the Reform
of Employment Services (Consequential Provisions) Act 1997 does not
commence before the day on which this Act receives the Royal Assent, the
amendment of the definition of eligible employment services provider
in subsection 6(1) of the Privacy Act 1988 made by this Act
commences immediately after the commencement of Schedule 2 to the Reform
of Employment Services (Consequential Provisions) Act 1997.
The Reform of Employment
Services (Consequential Provisions) Bill was never enacted. Therefore this
amendment does not commence.
(ja) Subsection 2(1) (item 38)
of the Statute Law Revision Act 2005 provides as follows:
(1) Each provision of this Act
specified in column 1 of the table commences, or is taken to have commenced, in
accordance with column 2 of the table. Any other statement in column 2 has
effect according to its terms.
Commencement information
|
Column 1
|
Column 2
|
Column 3
|
Provision(s)
|
Commencement
|
Date/Details
|
38.
Schedule 2, item 20
|
Immediately
after the time specified in the Hearing Services and AGHS Reform Act 1997
for the commencement of item 6 of Schedule 4 to that Act.
|
18 June
1997
|
(k) The Privacy Act 1988 was amended
by Schedule 1 (item 133) only of the Financial Sector Reform
(Consequential Amendments) Act 1998, subsection 2(2) of which provides
as follows:
(2) Subject to subsections (3)
to (14), Schedules 1, 2 and 3 commence on the commencement of the Australian
Prudential Regulation Authority Act 1998.
(l) The Privacy Act 1988 was
amended by Schedule 7 (items 126–128) only of the Financial Sector
Reform (Amendments and Transitional Provisions) Act (No. 1) 1999,
subsections 3(2)(e) and (16) of which provide as follows:
(2) The following provisions
commence on the transfer date:
(e) subject to subsection (12),
Schedule 7, other than items 43, 44, 118, 205 and 207 (the
commencement of those items is covered by subsections (10), (11) and
(13)).
(16) The Governor‑General may, by
Proclamation published in the Gazette, specify the date that is to be
the transfer date for the purposes of this Act.
The transfer date was 1 July 1999
(see Gazette 1999, No. S283).
(m) The Privacy Act 1988 was
amended by Schedule 1 (items 738–747) only of the Public
Employment (Consequential and Transitional) Amendment Act 1999, subsections 2(1)
and (2) of which provide as follows:
(1) In this Act, commencing
time means the time when the Public Service Act 1999 commences.
(2) Subject to this section, this
Act commences at the commencing time.
(n) The Privacy Act 1988 was
amended by Schedule 3 (items 1 and 49) only of the Australian
Security Intelligence Organisation Legislation Amendment Act 1999,
subsection 2(2) of which provides as follows:
(2) Subject to subsections (3)
to (6), Schedule 3 commences immediately after the commencement of the
other Schedules to this Act.
The other Schedules commenced on Royal
Assent.
(o) The Privacy Act 1988 was
amended by Schedule 40 only of the Law and Justice Legislation
Amendment (Application of Criminal Code) Act 2001, subsections 2(1)(a)
and (7) of which provide as follows:
(1) Subject to this section, this
Act commences at the later of the following times:
(a) immediately after
the commencement of item 15 of Schedule 1 to the Criminal Code
Amendment (Theft, Fraud, Bribery and Related Offences) Act 2000;
(7) If item 106 of Schedule 1
to the Privacy Amendment (Private Sector) Act 2000 has not commenced
before the commencement of section 1 of this Act, item 10 of Schedule 40
to this Act commences immediately after the commencement of the first‑mentioned
item.
Schedule 1 (item 15)
commenced on 24 May 2001.
Schedule 1 (item 106)
commenced on 21 December 2001.
(p) The Privacy Act 1988 was
amended by Schedule 3 (items 437 and 438) only of the Corporations
(Repeals, Consequentials and Transitionals) Act 2001, subsections 2(3)
and (8) of which provide as follows:
(3) Subject to subsections (4)
to (10), Schedule 3 commences, or is taken to have commenced, at the same
time as the Corporations Act 2001.
(8) Item 438 of Schedule 3
commences at the same time as item 35 of Schedule 1 to the Privacy
Amendment (Private Sector) Act 2000 commences.
(q) Subsection 2(1) (item 5)
of the Financial Sector Legislation Amendment Act (No. 1) 2003 provides
as follows:
(1) Each provision of this Act
specified in column 1 of the table commences, or is taken to have commenced, on
the day or at the time specified in column 2 of the table.
Provision(s)
|
Commencement
|
Date/Details
|
5. Schedule 4, item 1
|
Immediately after the time specified in the
Corporations (Repeals, Consequentials and Transitionals) Act 2001 for
the commencement of subsection 2(8) of that Act
|
15 July 2001
|
(r) Subsection 2(1) (items 13,
34 and 36) of the Statute Law Revision Act 2006 provides as follows:
(1) Each provision of this Act
specified in column 1 of the table commences, or is taken to have commenced, in
accordance with column 2 of the table. Any other statement in column 2 has
effect according to its terms.
Provision(s)
|
Commencement
|
Date/Details
|
13.
Schedule 1, item 21
|
Immediately
after the commencement of Schedule 1 to the Privacy Amendment
(Private Sector) Act 2000.
|
21 December
2001
|
34.
Schedule 2, item 19
|
Immediately
after the time specified in the Hearing Services and AGHS Reform Act 1997
for the commencement of item 6 of Schedule 4 to that Act.
|
18 June
1997
|
36.
Schedule 2, item 21
|
Immediately
after the time specified in the Privacy Amendment Act 2004 for the
commencement of item 11 of Schedule 1 to that Act.
|
21 April
2004
|
(s) Subsection 2(1) (item 59)
of the Statute Law Revision Act 2008 provides as follows:
(1) Each provision of this Act
specified in column 1 of the table commences, or is taken to have commenced, in
accordance with column 2 of the table. Any other statement in column 2 has
effect according to its terms.
Provision(s)
|
Commencement
|
Date/Details
|
59. Schedule 2, item 24
|
Immediately after the time specified
in the Postal Industry Ombudsman Act 2006 for the commencement of item 18
of Schedule 1 to that Act.
|
6 October 2006
|
(t) Subsection 2(1) (item 39)
of the Fair Work (State Referral and Consequential and Other Amendments) Act
2009 provides as follows:
(1) Each provision of this Act
specified in column 1 of the table commences, or is taken to have commenced, in
accordance with column 2 of the table. Any other statement in column 2 has
effect according to its terms.
Provision(s)
|
Commencement
|
Date/Details
|
39. Schedule 16
|
Immediately after the commencement of
Part 2‑4 of the Fair Work Act 2009.
|
1 July 2009
|
(u) Subsection 2(1) (items 6
and 7) of the Freedom of Information Amendment (Reform) Act 2010 provides
as follows:
(1) Each provision of this Act
specified in column 1 of the table commences, or is taken to have commenced, in
accordance with column 2 of the table. Any other statement in column 2 has
effect according to its terms.
Provision(s)
|
Commencement
|
Date/Details
|
6.
Schedule 3, items 16 to 40
|
Immediately
after the commencement of section 3 of the Australian Information
Commissioner Act 2010.
However,
if section 3 of the Australian Information Commissioner Act 2010
does not commence, the provision(s) do not commence at all.
|
1 November
2010
|
7.
Schedules 4 to 7
|
Immediately
after the commencement of section 3 of the Australian Information
Commissioner Act 2010.
However,
if section 3 of the Australian Information Commissioner Act 2010
does not commence, the provision(s) do not commence at all.
|
1 November
2010
|
(v) Subsection 2(1) (item 4)
of the Healthcare Identifiers (Consequential Amendments) Act 2010 provides
as follows:
(1) Each provision of this Act
specified in column 1 of the table commences, or is taken to have commenced, in
accordance with column 2 of the table. Any other statement in column 2 has
effect according to its terms.
Provision(s)
|
Commencement
|
Date/Details
|
4. Schedule 2, Part 2
|
The later of:
(a) immediately after the commencement of
item 26 of Schedule 5 to the Personal Property Securities (Consequential
Amendments) Act 2009; and
(b) immediately after the commencement of
the Healthcare Identifiers Act 2010.
However, the provision(s) do not
commence at all if the event mentioned in paragraph (b) does not occur.
|
30 January 2012
(paragraph (a) applies)
|
(w) Subsection 2(1) (items 2,
3 and 16) of the Federal Circuit Court of Australia (Consequential
Amendments) Act 2013 provides as follows:
(1) Each provision of this Act
specified in column 1 of the table commences, or is taken to have commenced, in
accordance with column 2 of the table. Any other statement in column 2 has
effect according to its terms.
Provision(s)
|
Commencement
|
Date/Details
|
2. Schedule 1
|
At the same time as item 1 of
Schedule 1 to the Federal Circuit Court of Australia Legislation
Amendment Act 2012 commences.
|
12 April 2013
|
3. Schedule 2
|
Immediately after the commencement of
the provision(s) covered by table item 2.
|
12 April 2013
|
16.
Schedule 3, Part 5
|
Immediately
after the commencement of Schedule 1 to the Privacy Amendment
(Enhancing Privacy Protection) Act 2012.
However,
the provision(s) do not commence at all if Schedule 1 to the Privacy
Amendment (Enhancing Privacy Protection) Act 2012 commences before the
time Schedule 1 to this Act commences.
|
[see Endnote 3]
|
Endnote
2—Amendment history
This endnote sets out the amendment history of the Privacy Act 1988.
ad. = added or inserted am. =
amended rep. = repealed rs. = repealed and substituted exp. =
expired or ceased to have effect
|
Provision affected
|
How affected
|
Preamble.............................
|
am. No. 70, 2009
|
Part I
|
|
s. 3......................................
|
am. No. 116, 1990; No. 155,
2000
|
Note to s. 3.........................
|
ad. No. 155, 2000
|
s. 3A...................................
|
ad. No. 24, 2001
|
s. 4......................................
|
am. No. 92, 1994
|
s. 5A...................................
|
ad. No. 116, 1990
|
s. 5B...................................
|
ad. No. 155, 2000
|
|
am. No. 49, 2004
|
Part II
|
|
s. 6......................................
|
am. Nos. 11 and 116, 1990;
Nos. 28 and 136, 1991; No. 143, 1992; Nos. 13, 92 and 177, 1994; Nos. 34
and 82, 1997; No. 48, 1998; Nos. 44, 146 and 161, 1999; No. 155,
2000; No. 55, 2001; No. 125, 2002; No. 135, 2003; No. 100,
2005; Nos. 86 and 99, 2006; No. 158, 2007; Nos. 113 and 144, 2008; Nos. 33,
54 and 102, 2009; Nos. 51, 73 and 139, 2010; Nos. 3 and 60, 2011; No. 74,
2012; No. 13, 2013
|
Subhead. to s. 6A(3) ..........
|
am. No. 113, 2008
|
s. 6A...................................
|
ad. No. 155, 2000
|
|
am. No. 113, 2008
|
Subhead. to s. 6B(3) ..........
|
am. No. 113, 2008
|
s. 6B...................................
|
ad. No. 155, 2000
|
|
am. No. 113, 2008
|
s. 6C...................................
|
ad. No. 155, 2000
|
|
am. No. 139, 2010; No. 46,
2011
|
s. 6D...................................
|
ad. No. 155, 2000
|
s. 6DA................................
|
ad. No. 155, 2000
|
Subhead. to s. 6E(3) ..........
|
rs. No. 54, 2009; No. 46,
2011
|
s. 6E...................................
|
ad. No. 155, 2000
|
|
am. No. 170, 2006; No. 54,
2009; Nos. 46 and 60, 2011
|
Note 2 to s. 6E(1) ..............
|
am. No. 46, 2011
|
Note 2 to s. 6E(2) ..............
|
am. No. 46, 2011
|
s. 6EA.................................
|
ad. No. 155, 2000
|
s. 6F....................................
|
ad. No. 155, 2000
|
|
am. No. 46, 2011
|
Note 2 to s. 6F(1) ...............
|
am. No. 46, 2011
|
Heading to s. 7....................
|
am. No. 155, 2000
|
s. 7......................................
|
am. Nos. 75 and 116, 1990;
Nos. 13, 84, 92 and 177, 1994; No. 82, 1997 (as am. by No. 100,
2005 and No. 9, 2006); No. 155, 2000; No. 125, 2002; No. 128,
2005; No. 86, 2006; No. 158, 2007; No. 102, 2009; No. 139,
2010
|
s. 7A...................................
|
ad. No. 155, 2000
|
|
am. No. 46, 2011
|
ss. 7B, 7C...........................
|
ad. No. 155, 2000
|
Heading to s. 8....................
|
am. No. 155, 2000
|
s. 8......................................
|
am. No. 116, 1990; No. 28,
1991; No. 155, 2000; No. 139, 2010
|
s. 9......................................
|
am. No. 28, 1991; No. 139,
2010
|
s. 10....................................
|
am. No. 28, 1991; No. 113,
2008; No. 139, 2010
|
s. 11....................................
|
am. No. 28, 1991; No. 139,
2010
|
s. 11A.................................
|
ad. No. 116, 1990
|
s. 11B.................................
|
ad. No. 116, 1990
|
|
am. No. 136, 1991; No. 143,
1992; No. 34, 1997; No. 44, 1999
|
s. 12A.................................
|
ad. No. 116, 1990
|
s. 12B.................................
|
ad. No. 155, 2000
|
Note to s. 12B(2) ...............
|
am. No. 8, 2010
|
Part III
|
|
Division 1
|
|
Heading to Div. 1 of............
Part III
|
ad. No. 155, 2000
|
s. 13....................................
|
am. No. 116, 1990; Nos.
20 and 194, 1991; No. 28, 1993; No. 155, 2000; No. 131, 2009
|
Note to s. 13.......................
Renumbered Note 1.........
|
ad. No. 73, 2010
No. 60, 2011
|
Note 2 to s. 13....................
|
ad. No. 60, 2011
|
Note to s. 13.......................
|
ad. No. 131, 2009
|
s. 13A.................................
|
ad. No. 155, 2000
|
Note to s. 13A(1)
Renumbered Note 1.........
|
No. 60, 2011
|
Note 2 to s. 13A(1) ............
|
ad. No. 60, 2011
|
ss. 13B–13F........................
|
ad. No. 155, 2000
|
Division 2
|
|
Heading to Div. 2 of............
Part III
|
ad. No. 155, 2000
|
s. 15....................................
|
am. No. 139, 2010
|
s. 15B.................................
|
ad. No. 139, 2010
|
Division 3
|
|
Div. 3 of Part III.................
|
ad. No. 155, 2000
|
ss. 16A–16F.......................
|
ad. No. 155, 2000
|
Division 4
|
|
Heading to Div. 4 of............
Part III
|
ad. No. 155, 2000
|
s. 17....................................
|
am. No. 116, 1990; No. 145,
2010; No. 5, 2011
|
Division 5
|
|
Heading to Div. 5 of............
Part III
|
ad. No. 155, 2000
|
s. 18A.................................
|
ad. No. 116, 1990
|
|
am. No. 155, 2000
|
s. 18B.................................
|
ad. No. 116, 1990
|
Part IIIAA
|
|
Part IIIAA ..........................
|
ad. No. 155, 2000
|
s. 18BA...............................
|
ad. No. 155, 2000
|
s. 18BAA............................
|
ad. No. 49, 2004
|
ss. 18BB–18BI....................
|
ad. No. 155, 2000
|
Part IIIA
|
|
Part IIIA .............................
|
ad. No. 116, 1990
|
ss. 18C, 18D.......................
|
ad. No. 116, 1990
|
|
am. No. 24, 2001
|
ss. 18E, 18F........................
|
ad. No. 116, 1990
|
|
am. No. 143, 1992; No. 34,
1997
|
s. 18G.................................
|
ad. No. 116, 1990
|
s. 18H.................................
|
ad. No. 116, 1990
|
|
am. No. 136, 1991
|
s. 18J..................................
|
ad. No. 116, 1990
|
s. 18K.................................
|
ad. No. 116, 1990
|
|
am. No. 136, 1991; No. 143,
1992; No. 24, 2001
|
Note to s. 18K(5) ...............
|
ad. No. 135, 2001
|
|
am. No. 125, 2002; No. 86,
2006; No. 24, 2012
|
s. 18L.................................
|
ad. No. 116, 1990
|
|
am. No. 136, 1991; No. 143,
1992; No. 24, 2001
|
s. 18M................................
|
ad. No. 116, 1990
|
|
rs. No. 136, 1991
|
|
am. No. 143, 1992
|
s. 18N.................................
|
ad. No. 116, 1990
|
|
am. No. 136, 1991; No. 143,
1992; No. 13, 1994; No. 24, 2001
|
s. 18NA..............................
|
ad. No. 34, 1997
|
s. 18P..................................
|
ad. No. 116, 1990
|
|
am. No. 136, 1991; No. 143,
1992
|
s. 18Q.................................
|
ad. No. 116, 1990
|
|
am. No. 136, 1991; No. 143,
1992; No. 24, 2001
|
ss. 18R, 18S........................
|
ad. No. 116, 1990
|
|
am. No. 24, 2001
|
ss. 18T, 18U.......................
|
ad. No. 116, 1990
|
s. 18V.................................
|
ad. No. 116, 1990
|
|
am. No. 136, 1991
|
Part IV
|
|
Heading to Part IV...............
|
rs. No. 2, 2000; No. 51,
2010
|
Heading to Div. 1 of............
Part IV
|
rs. No. 2, 2000
rep. No. 51, 2010
|
Div. 1 of Part IV.................
|
rep. No. 51, 2010
|
s. 19....................................
|
ad. No. 2, 2000
|
|
rep. No. 51, 2010
|
s. 19....................................
Renumbered s. 19A.........
|
am. No. 59, 1995
No. 2, 2000
|
s. 19A.................................
|
rep. No. 51, 2010
|
s. 20....................................
|
am. No. 159, 2001
|
|
rep. No. 51, 2010
|
s. 21....................................
|
am. No. 59, 1995
|
|
rep. No. 51, 2010
|
s. 22....................................
|
rs. No. 122, 1991
|
|
am. No. 146, 1999
|
|
rep. No. 51, 2010
|
ss. 23, 24............................
|
rep. No. 51, 2010
|
s. 25....................................
|
am. No. 122, 1991
|
|
rep. No. 51, 2010
|
s. 26....................................
|
rep. No. 51, 2010
|
s. 26A.................................
|
ad. No. 2, 2000
|
|
am. No. 146, 1999
|
|
rep. No. 51, 2010
|
Part IV
|
|
Division 2
|
|
s. 27....................................
|
am. No. 20, 1991; No. 28,
1993; No. 155, 2000; No. 49, 2004; No. 139, 2010
|
s. 27A.................................
|
ad. No. 73, 2010
|
|
am. No. 73, 2010
|
s. 28....................................
|
am. No. 116, 1990; No. 131,
2009; No. 73, 2010
|
s. 28A.................................
|
ad. No. 116, 1990
|
|
am. No. 131, 2009; No. 73,
2010
|
s. 28B.................................
|
ad. No. 131, 2009
|
|
am. No. 73, 2010
|
s. 29....................................
|
am. No. 116, 1990; No. 155,
2000
|
Division 3
|
|
s. 30....................................
|
am. No. 116, 1990; No. 155,
2000; No. 139, 2010
|
s. 31....................................
|
am. No. 20, 1991; No. 155,
2000; No. 51, 2010
|
s. 32....................................
|
am. No. 116, 1990 (as
am. by No. 165, 1992); No. 20, 1991; No. 49, 2004 (as am. by
No. 9, 2006); No. 51, 2010
|
s. 33....................................
|
am. No. 92, 1994; No. 139,
2010
|
s. 33B.................................
|
ad. No. 139, 2010
|
Division 4
|
|
s. 34....................................
|
am. Nos. 51 and 139, 2010;
No. 177, 2012
|
Part V
|
|
Division 1
|
|
s. 36....................................
|
am. No. 11, 1990; No. 13,
1994; Nos. 2 and 155, 2000; No. 51, 2010
|
s. 37....................................
|
am. Nos. 92 and 177, 1994;
No. 82, 1997; No. 155, 2000; No. 139, 2010
|
s. 38....................................
|
rs. No. 13, 1994
|
|
am. No. 155, 2000
|
ss. 38A–38C.......................
|
ad. No. 13, 1994
|
s. 39....................................
|
rs. No. 13, 1994
|
s. 40....................................
|
am. No. 155, 2000
|
s. 40A.................................
|
ad. No. 155, 2000
|
s. 41....................................
|
am. No. 155, 2000; No. 49,
2004
|
s. 42....................................
|
am. No. 155, 2000
|
s. 43....................................
|
am. No. 155, 2000; No. 139,
2010
|
s. 44....................................
|
am. No. 34, 1997
|
s. 46....................................
|
am. No. 155, 2000; No. 24,
2001
|
s. 48....................................
|
am. No. 155, 2000
|
s. 49....................................
|
am. No. 116, 1990; No. 24,
2001; No. 73, 2010; No. 60, 2011
|
s. 49A.................................
|
ad. No. 131, 2009
|
s. 50....................................
|
am. No. 146, 1999; No. 25,
2006 (as am. by No. 73, 2008); No. 70, 2009; No. 139, 2010;
No. 11, 2011; No. 2, 2013
|
s. 50A.................................
|
ad. No. 155, 2000
|
Division 2
|
|
s. 52....................................
|
am. No. 116, 1990; No. 13,
1994; No. 155, 2000
|
s. 53....................................
|
rs. No. 13, 1994
|
ss. 53A, 53B.......................
|
ad. No. 155, 2000
|
Division 3
|
|
Heading to Div. 3 of............
Part V
|
rs. No. 155, 2000
|
Div. 3 of Part V...................
|
rs. No. 13, 1994; No. 59,
1995
|
s. 54....................................
|
rs. No. 13, 1994
|
|
am. No. 177, 1994
|
|
rs. No. 59, 1995
|
|
am. No. 82, 1997; No. 155,
2000
|
Note to s. 54(1A) ...............
|
am. No. 9, 2006
|
s. 55....................................
|
rs. No. 13, 1994; No. 59,
1995; No. 155, 2000
|
Heading to s. 55A...............
|
rs. No. 13, 2013
|
s. 55A.................................
|
ad. No. 155, 2000
|
|
am. No. 13, 2013
|
s. 55B.................................
|
ad. No. 155, 2000
|
s. 56....................................
|
rs. No. 13, 1994
|
|
rep. No. 59, 1995
|
Division 4
|
|
Heading to Div. 4 of............
Part V
|
am. No. 116, 1990
rs. No. 13, 1994
|
Div. 4 of Part V ..................
|
rs. No. 13, 1994
|
s. 57....................................
|
rs. No. 13, 1994
|
|
am. No. 177, 1994;
No. 82, 1997
|
ss. 58, 59............................
|
rs. No. 13, 1994
|
s. 60....................................
|
am. No. 116, 1990
|
|
rs. No. 13, 1994
|
|
am. No. 139, 2010
|
s. 61....................................
|
rs. No. 13, 1994
|
|
am. No. 38, 2005
|
s. 62....................................
|
rs. No. 13, 1994
|
|
am. No. 155, 2000;
No. 13, 2013
|
Division 5
|
|
s. 63....................................
|
rs. No. 13, 1994
|
|
am. No. 59, 1995;
No. 155, 2000; No. 13, 2013
|
Heading to s. 64..................
|
am. No. 155, 2000
|
s. 64....................................
|
am. No. 155, 2000
|
s. 65....................................
|
am. No. 24, 2001
|
s. 66....................................
|
am. No. 155, 2000;
No. 24, 2001; No. 139, 2010
|
s. 67....................................
|
am. No. 155, 2000
|
s. 68....................................
|
am. No. 116, 1990;
No. 155, 2000; No. 139, 2010
|
s. 68A.................................
|
ad. No. 155, 2000
|
s. 69....................................
|
am. No. 155, 2000
|
s. 70....................................
|
am. No. 125, 2002;
No. 86, 2006; No. 139, 2010
|
ss. 70A, 70B.......................
|
ad. No. 155, 2000
|
Part VI
|
|
Heading to Part VI...............
|
rs. No. 155, 2000
|
Division 1
|
|
Heading to Div. 1 of............
Part VI
|
ad. No. 155, 2000
|
Subhead. to s. 72(1) ...........
|
ad. No. 155, 2000
|
s. 72....................................
|
am. No. 155, 2000
|
Heading to s. 73 .................
|
am. No. 155, 2000
|
s. 73....................................
|
am. No. 155, 2000;
No. 50, 2006
|
ss. 75–77............................
|
am. No. 155, 2000
|
s. 79....................................
|
am. No. 155, 2000
|
s. 80....................................
|
am. No. 5, 2011
|
Division 2
|
|
Heading to Div. 2 of............
Part VI
|
ad. No. 155, 2000
|
ss. 80A–80D.......................
|
ad. No. 155, 2000
|
Division 3
|
|
Heading to Div. 3 of............
Part VI
|
ad. No. 155, 2000
|
s. 80E.................................
|
ad. No. 155, 2000
|
Part VIA
|
|
Part VIA..............................
|
ad. No. 148, 2006
|
Division 1
|
|
s. 80F..................................
|
ad. No. 148, 2006
|
s. 80G.................................
|
ad. No. 148, 2006
|
|
am. No. 139, 2010;
No. 46, 2011
|
s. 80H.................................
|
ad. No. 148, 2006
|
Division 2
|
|
ss. 80J, 80K........................
|
ad. No. 148, 2006
|
s. 80L.................................
|
ad. No. 148, 2006
|
|
am. No. 8, 2010
|
ss. 80M, 80N......................
|
ad. No. 148, 2006
|
Division 3
|
|
s. 80P..................................
|
ad. No. 148, 2006
|
Division 4
|
|
s. 80Q.................................
|
ad. No. 148, 2006
|
s. 80R.................................
|
ad. No. 148, 2006
|
|
am. No. 139, 2010
|
ss. 80S, 80T........................
|
ad. No. 148, 2006
|
Part VII
|
|
s. 82....................................
|
am. No. 159, 2001
|
s. 83....................................
|
am. No. 2, 2000
|
Part VIII
|
|
s. 89....................................
|
am. No. 139, 2010
|
Part IX
|
|
s. 95....................................
|
am. No. 50, 2006
|
s. 95A.................................
|
ad. No. 155, 2000
|
|
am. No. 50, 2006
|
s. 95AA..............................
|
ad. No. 99, 2006
|
ss. 95B, 95C.......................
|
ad. No. 155, 2000
|
s. 96....................................
|
am. No. 2, 2000
|
|
rep. No. 51, 2010
|
Note to s. 96(1) ..................
|
ad. No. 2, 2000
|
|
rep. No. 51, 2010
|
s. 97....................................
|
am. No. 155, 2000
|
|
rep. No. 51, 2010
|
s. 98....................................
|
am. No. 155, 2000;
No. 13, 2013
|
s. 99....................................
|
am. No. 11, 1990;
No. 2, 2000
|
|
rep. No. 51, 2010
|
Heading to s. 99A ..............
|
am. No. 155, 2000
|
s. 99A.................................
|
ad. No. 116, 1990
|
|
am. No. 155, 2000;
No. 24, 2001; No. 4, 2010
|
s. 100..................................
|
am. No. 155, 2000;
No. 49, 2004
|
Schedule 2..........................
|
rep. No. 145, 2010
|
Introduction........................
|
am. No. 51, 2010
|
|
rep. No. 145, 2010
|
Cc. 1–5...............................
|
rep. No. 145, 2010
|
C. 6.....................................
|
am. No. 51, 2010
|
|
rep. No. 145, 2010
|
C. 7.....................................
|
rep. No. 145, 2010
|
Schedule 3
|
|
Schedule 3 .........................
|
ad. No. 155, 2000
|
C. 1.....................................
|
ad. No. 155, 2000
|
C. 2.....................................
|
ad. No. 155, 2000
|
|
am. No. 99, 2006;
No. 144, 2008
|
Cc. 3–7...............................
|
ad. No. 155, 2000
|
Note to c. 7.2......................
|
am. No. 49, 2004
|
Cc. 8, 9...............................
|
ad. No. 155, 2000
|
C. 10...................................
|
ad. No. 155, 2000
|
|
am. No. 99, 2006
|
Endnote 3—Uncommenced amendments
This endnote sets out amendments of the Privacy Act 1988 that have not yet commenced.
Privacy Amendment (Enhancing
Privacy Protection) Act 2012 (No. 197, 2012)
Schedule 1
1 Section 3
Omit “, disclosure or transfer”, substitute “or disclosure”.
2 Section 3 (note)
Omit “National”, substitute “Australian”.
3 Section 5
Repeal the section.
4 Subsection 6(1) (paragraph (i) of the definition of agency)
Repeal the paragraph.
5 Subsection 6(1)
Insert:
APP complaint means a complaint about an act
or practice that, if established, would be an interference with the privacy of
an individual because it breached an Australian Privacy Principle.
6 Subsection 6(1)
Insert:
APP entity means an agency or organisation.
7 Subsection 6(1)
Insert:
APP privacy policy has the meaning given by
Australian Privacy Principle 1.3.
8 Subsection 6(1)
Insert:
Australian law means:
(a) an Act of the Commonwealth or of a
State or Territory; or
(b) regulations, or any other
instrument, made under such an Act; or
(c) a Norfolk Island enactment; or
(d) a rule of common law or equity.
9 Subsection 6(1)
Insert:
Australian Privacy Principle has the meaning
given by section 14.
10 Subsection 6(1)
Insert:
collects: an entity collects
personal information only if the entity collects the personal information for
inclusion in a record or generally available publication.
11 Subsection 6(1)
Insert:
Commonwealth record has the same meaning as
in the Archives Act 1983.
12 Subsection 6(1)
Insert:
court/tribunal order means an order,
direction or other instrument made by:
(a) a court; or
(b) a tribunal; or
(c) a judge (including a judge acting
in a personal capacity) or a person acting as a judge; or
(d) a magistrate (including a
magistrate acting in a personal capacity) or a person acting as a magistrate;
or
(e) a member or an officer of a
tribunal;
and includes an order, direction or other instrument that
is of an interim or interlocutory nature.
13 Subsection 6(1)
Insert:
de facto partner of an individual
has the meaning given by the Acts Interpretation Act 1901.
14 Subsection 6(1)
Insert:
de‑identified: personal information is de‑identified
if the information is no longer about an identifiable individual or an
individual who is reasonably identifiable.
15 Subsection 6(1) (definition of eligible case manager)
Repeal the definition.
16 Subsection 6(1) (after paragraph (b) of the
definition of enforcement body)
Insert:
(ba) the CrimTrac Agency; or
17 Subsection 6(1) (after paragraph (c) of the
definition of enforcement body)
Insert:
(ca) the Immigration Department; or
18 Subsection 6(1) (after paragraph (e) of the
definition of enforcement body)
Insert:
(ea) the Office of the Director of
Public Prosecutions, or a similar body established under a law of a State or
Territory; or
19 Subsection 6(1) (after paragraph (l) of the
definition of enforcement body)
Insert:
(la) the Corruption and Crime
Commission of Western Australia; or
20 Subsection 6(1)
Insert:
enforcement related activity means:
(a) the prevention, detection,
investigation, prosecution or punishment of:
(i) criminal offences; or
(ii) breaches of a law
imposing a penalty or sanction; or
(b) the conduct of surveillance
activities, intelligence gathering activities or monitoring activities; or
(c) the conduct of protective or
custodial activities; or
(d) the enforcement of laws relating
to the confiscation of the proceeds of crime; or
(e) the protection of the public
revenue; or
(f) the prevention, detection,
investigation or remedying of misconduct of a serious nature, or other conduct
prescribed by the regulations; or
(g) the preparation for, or conduct
of, proceedings before any court or tribunal, or the implementation of
court/tribunal orders.
21 Subsection 6(1)
Insert:
entity means:
(a) an agency; or
(b) an organisation; or
(c) a small business operator.
22 Subsection 6(1) (definition of generally available
publication)
Repeal the definition, substitute:
generally available publication means a
magazine, book, article, newspaper or other publication that is, or will be,
generally available to members of the public:
(a) whether or not it is published in
print, electronically or in any other form; and
(b) whether or not it is available on
the payment of a fee.
23 Subsection 6(1)
Insert:
government related identifier of an
individual means an identifier of the individual that has been assigned by:
(a) an agency; or
(b) a State or Territory authority; or
(c) an agent of an agency, or a State
or Territory authority, acting in its capacity as agent; or
(d) a contracted service provider for
a Commonwealth contract, or a State contract, acting in its capacity as
contracted service provider for that contract.
24 Subsection 6(1)
Insert:
holds: an entity holds personal
information if the entity has possession or control of a record that contains
the personal information.
Note: See section 10 for when an agency is
taken to hold a record.
25 Subsection 6(1)
Insert:
identifier of an individual means a number,
letter or symbol, or a combination of any or all of those things, that is used
to identify the individual or to verify the identity of the individual, but
does not include:
(a) the individual’s name; or
(b) the individual’s ABN (within the
meaning of the A New Tax System (Australian Business Number) Act 1999);
or
(c) anything else prescribed by the
regulations.
26 Subsection 6(1)
Insert:
Immigration Department means the Department
administered by the Minister administering the Migration Act 1958.
27 Subsection 6(1) (definition of Information Privacy
Principle)
Repeal the definition.
28 Subsection 6(1) (definition of IPP complaint)
Repeal the definition.
29 Subsection 6(1)
Insert:
misconduct includes fraud, negligence,
default, breach of trust, breach of duty, breach of discipline or any other
misconduct in the course of duty.
30 Subsection 6(1) (definition of National Privacy
Principle)
Repeal the definition.
31 Subsection 6(1)
Insert:
non‑profit organisation means an
organisation:
(a) that is a non‑profit organisation;
and
(b) that engages in activities for
cultural, recreational, political, religious, philosophical, professional,
trade or trade union purposes.
32 Subsection 6(1) (definition of NPP complaint)
Repeal the definition.
33 Subsection 6(1)
Insert:
overseas recipient, in relation to personal
information, has the meaning given by Australian Privacy Principle 8.1.
34 Subsection 6(1)
Insert:
permitted general situation has the meaning
given by section 16A.
35 Subsection 6(1)
Insert:
permitted health situation has the meaning
given by section 16B.
36 Subsection 6(1) (definition of personal information)
Repeal the definition, substitute:
personal information means information or an
opinion about an identified individual, or an individual who is reasonably
identifiable:
(a) whether the information or opinion
is true or not; and
(b) whether the information or opinion
is recorded in a material form or not.
37 Subsection 6(1) (definition of record)
Omit “means”, substitute “includes”.
38 Subsection 6(1) (paragraphs (b) and (c) of the
definition of record)
Repeal the paragraphs, substitute:
(b) an electronic or other device;
39 Subsection 6(1) (at the end of the definition of record)
Add:
Note: For document, see
section 2B of the Acts Interpretation Act 1901.
40 Subsection 6(1)
Insert:
responsible person has the meaning given by
section 6AA.
41 Subsection 6(1) (subparagraph (a)(viii) of the
definition of sensitive information)
Omit “preferences”, substitute “orientation”.
42 Subsection 6(1) (at the end of the definition of sensitive
information)
Add:
; or (d) biometric information that is to be
used for the purpose of automated biometric verification or biometric
identification; or
(e) biometric templates.
43 Subsection 6(1) (definition of solicit)
Repeal the definition.
44 Subsection 6(1)
Insert:
solicits: an entity solicits
personal information if the entity requests another entity to provide the
personal information, or to provide a kind of information in which that
personal information is included.
45 Subsection 6(1) (definition of use)
Repeal the definition.
46 Subsection 6(2)
Repeal the subsection.
47 Paragraph 6(7)(a)
Omit “IPP”, substitute “APP”.
48 Paragraph 6(7)(d)
Repeal the paragraph.
49 Paragraph 6(7)(f)
Omit “NPP”, substitute “APP”.
50 Subsection 6(10)
Omit “and 16E”, substitute “and 16”.
51 Paragraph 6(10)(a)
Omit “(within the meaning of the Acts Interpretation Act 1901)”.
52 After section 6
Insert:
6AA
Meaning of responsible person
(1) A responsible person for an
individual is:
(a) a parent of the individual; or
(b) a child or sibling of the
individual if the child or sibling is at least 18 years old; or
(c) a spouse
or de facto partner of the individual; or
(d) a relative of the individual if
the relative is:
(i) at least 18 years old;
and
(ii) a member of the
individual’s household; or
(e) a guardian of the individual; or
(f) a person exercising an enduring
power of attorney granted by the individual that is exercisable in relation to
decisions about the individual’s health; or
(g) a person who has an intimate
personal relationship with the individual; or
(h) a person nominated by the
individual to be contacted in case of emergency.
(2) In this section:
child: without limiting who is a child of an
individual for the purposes of subsection (1), each of the following is a child
of an individual:
(a) an adopted child, stepchild,
exnuptial child or foster child of the individual;
(b) someone who is a child of the
individual within the meaning of the Family Law Act 1975.
parent: without limiting who is a parent of
an individual for the purposes of subsection (1), someone is a parent
of an individual if the individual is his or her child because of the
definition of child in this subsection.
relative of an individual (the first
individual) means a grandparent, grandchild, uncle, aunt, nephew or niece
of the first individual and for this purpose, relationships to the first
individual may also be traced to or through another individual who is:
(a) a de facto partner
of the first individual; or
(b) the child of the first individual
because of the definition of child in this subsection.
sibling of an individual includes:
(a) a half‑brother, half‑sister,
adoptive brother, adoptive sister, step‑brother, step‑sister, foster‑brother
and foster‑sister of the individual; and
(b) another individual if a relationship
referred to in paragraph (a) can be traced through a parent of either or
both of the individuals.
stepchild: without limiting who is a
stepchild of an individual, someone is a stepchild of an
individual if he or she would be the individual’s stepchild except that the
individual is not legally married to the
individual’s de facto partner.
53 Section 6A (heading)
Repeal the heading, substitute:
6A
Breach of an Australian Privacy Principle
54 Subsection 6A(1) (heading)
Repeal the heading.
55 Subsection 6A(1)
Omit “a National”, substitute “an Australian”.
56 Subsection 6A(1)
Omit “that National Privacy Principle”, substitute “that
principle”.
57 Subsection 6A(2)
Omit “a National”, substitute “an Australian”.
58 Paragraph 6A(2)(b)
Omit “the Principle”, substitute “the principle”.
59 Subsections 6A(3) and (4)
Omit “a National”, substitute “an Australian”.
60 Subparagraphs 6C(4)(b)(ii) and (iii)
Omit “, disclosure and transfer”, substitute “and disclosure”.
61 Subsection 6EA(1)
Omit “(except section 16D)”.
62 Paragraph 6F(3)(b)
Omit “, disclosure and transfer”, substitute “and disclosure”.
63 Paragraph 7(1)(a)
Omit “an eligible case manager or”.
64 Paragraph 7(1)(cb)
Repeal the paragraph.
65 Paragraphs 7(1)(d) and (e)
Omit “, an eligible hearing service provider or an eligible case
manager”, substitute “or an eligible hearing service provider”.
66 Paragraphs 7(1)(ea) and (eb)
Repeal the paragraphs.
67 Subsection 7(2)
Omit “Information Privacy Principles, the National”, substitute
“Australian”.
68 Subsection 7B(1) (note)
Omit “section 16E”, substitute “section 16”.
69 Subsections 7B(1) and (2) (notes)
Omit “National”, substitute “Australian”.
70 Paragraph 8(2)(b)
Omit “is not the record‑keeper in relation to”, substitute “does
not hold”.
71 Subsection 8(2)
Omit “of the record‑keeper in relation to”, substitute “of the
agency that holds”.
72 Section 9
Repeal the section.
73 Section 10 (heading)
Repeal the heading, substitute:
10
Agencies that are taken to hold a record
74 Subsections 10(1) to (3)
Repeal the subsections.
75 Subsections 10(4) and (5)
Omit “as the record‑keeper in relation to”, substitute “to be the
agency that holds”.
76 Section 12
Repeal the section.
77 Subsection 13B(1) (note)
Omit “National” (wherever occurring), substitute “Australian”.
78 Subsection 13B(1) (note)
Omit “Principle 2”, substitute “Principle 6”.
79 Subsection 13B(1A) (note)
Omit “National”, substitute “Australian”.
80 Subsection 13C(1) (note)
Omit “National” (wherever occurring), substitute “Australian”.
81 Subsection 13C(1) (note)
Omit “Principle 2”, substitute “Principle 6”.
82 Divisions 2 and 3 of Part III
Repeal the Divisions, substitute:
Division 2—Australian Privacy Principles
14 Australian
Privacy Principles
(1) The Australian Privacy Principles
are set out in the clauses of Schedule 1.
(2) A reference in any Act to an Australian
Privacy Principle by a number is a reference to the Australian Privacy
Principle with that number.
15 APP
entities must comply with Australian Privacy Principles
An APP entity must not do an act, or
engage in a practice, that breaches an Australian Privacy Principle.
16
Personal, family or household affairs
Nothing in the Australian Privacy
Principles applies to:
(a) the collection, holding, use or
disclosure of personal information by an individual; or
(b) personal information held by an
individual;
only for the purposes of, or in connection with, his or
her personal, family or household affairs.
16A
Permitted general situations in relation to the collection, use or disclosure
of personal information
(1) A permitted general situation
exists in relation to the collection, use or disclosure by an APP entity of
personal information about an individual, or of a government related identifier
of an individual, if:
(a) the entity is an entity of a kind
specified in an item in column 1 of the table; and
(b) the item in column 2 of the table
applies to the information or identifier; and
(c) such conditions as are specified
in the item in column 3 of the table are satisfied.
Permitted general
situations
|
Item
|
Column 1
Kind of entity
|
Column 2
Item applies to
|
Column 3
Condition(s)
|
1
|
APP entity
|
(a) personal information; or
(b) a government related identifier.
|
(a) it is unreasonable or impracticable to obtain the
individual’s consent to the collection, use or disclosure; and
(b) the entity reasonably believes that the collection, use
or disclosure is necessary to lessen or prevent a serious threat to the life,
health or safety of any individual, or to public health or safety.
|
2
|
APP entity
|
(a) personal information; or
(b) a government related identifier.
|
(a) the entity has reason to suspect that unlawful activity,
or misconduct of a serious nature, that relates to the entity’s functions or
activities has been, is being or may be engaged in; and
(b) the entity reasonably believes that the collection, use
or disclosure is necessary in order for the entity to take appropriate action
in relation to the matter.
|
3
|
APP entity
|
Personal information
|
(a) the entity reasonably believes that the collection, use
or disclosure is reasonably necessary to assist any APP entity, body or
person to locate a person who has been reported as missing; and
(b) the collection, use or disclosure complies with the rules
made under subsection (2).
|
4
|
APP entity
|
Personal information
|
The collection, use or disclosure is reasonably necessary
for the establishment, exercise or defence of a legal or equitable claim.
|
5
|
APP entity
|
Personal information
|
The collection, use or disclosure is reasonably necessary
for the purposes of a confidential alternative dispute resolution process.
|
6
|
Agency
|
Personal information
|
The entity reasonably believes that the collection, use or
disclosure is necessary for the entity’s diplomatic or consular functions or
activities.
|
7
|
Defence Force
|
Personal information
|
The entity reasonably believes that the collection, use or
disclosure is necessary for any of the following occurring outside Australia
and the external Territories:
(a) war or warlike operations;
(b) peacekeeping or peace enforcement;
(c) civil aid, humanitarian assistance, medical or civil
emergency or disaster relief.
|
(2) The Commissioner may, by legislative
instrument, make rules relating to the collection, use or disclosure of
personal information that apply for the purposes of item 3 of the table in
subsection (1).
16B
Permitted health situations in relation to the collection, use or disclosure of
health information
Collection—provision of a health service
(1) A permitted health situation
exists in relation to the collection by an organisation of health information
about an individual if:
(a) the information is necessary to
provide a health service to the individual; and
(b) either:
(i) the collection is required
or authorised by or under an Australian law (other than this Act); or
(ii) the information is
collected in accordance with rules established by competent health or medical
bodies that deal with obligations of professional confidentiality which bind
the organisation.
Collection—research etc.
(2) A permitted health situation
exists in relation to the collection by an organisation of health information
about an individual if:
(a) the collection is necessary for
any of the following purposes:
(i) research relevant to
public health or public safety;
(ii) the compilation or
analysis of statistics relevant to public health or public safety;
(iii) the management,
funding or monitoring of a health service; and
(b) that purpose cannot be served by
the collection of information about the individual that is de‑identified
information; and
(c) it is impracticable for the
organisation to obtain the individual’s consent to the collection; and
(d) any of the following apply:
(i) the collection is
required by or under an Australian law (other than this Act);
(ii) the information is
collected in accordance with rules established by competent health or medical
bodies that deal with obligations of professional confidentiality which bind
the organisation;
(iii) the information is
collected in accordance with guidelines approved under section 95A for the
purposes of this subparagraph.
Use or disclosure—research etc.
(3) A permitted health situation
exists in relation to the use or disclosure by an organisation of health
information about an individual if:
(a) the use or disclosure is necessary
for research, or the compilation or analysis of statistics, relevant to public
health or public safety; and
(b) it is impracticable for the
organisation to obtain the individual’s consent to the use or disclosure; and
(c) the use or disclosure is conducted
in accordance with guidelines approved under section 95A for the purposes
of this paragraph; and
(d) in the case of disclosure—the
organisation reasonably believes that the recipient of the information will not
disclose the information, or personal information derived from that
information.
Use or disclosure—genetic information
(4) A permitted health situation
exists in relation to the use or disclosure by an organisation of genetic
information about an individual (the first individual) if:
(a) the organisation has obtained the
information in the course of providing a health service to the first
individual; and
(b) the organisation reasonably
believes that the use or disclosure is necessary to lessen or prevent a serious
threat to the life, health or safety of another individual who is a genetic
relative of the first individual; and
(c) the use or disclosure is conducted
in accordance with guidelines approved under section 95AA; and
(d) in the case of disclosure—the
recipient of the information is a genetic relative of the first individual.
Disclosure—responsible person for an individual
(5) A permitted health situation
exists in relation to the disclosure by an organisation of health information
about an individual if:
(a) the organisation provides a health
service to the individual; and
(b) the recipient of the information
is a responsible person for the individual; and
(c) the individual:
(i) is physically or legally
incapable of giving consent to the disclosure; or
(ii) physically cannot
communicate consent to the disclosure; and
(d) another individual (the carer)
providing the health service for the organisation is satisfied that either:
(i) the disclosure is
necessary to provide appropriate care or treatment of the individual; or
(ii) the disclosure is made
for compassionate reasons; and
(e) the disclosure is not contrary to
any wish:
(i) expressed by the
individual before the individual became unable to give or communicate consent;
and
(ii) of which the carer is
aware, or of which the carer could reasonably be expected to be aware; and
(f) the disclosure is limited to the
extent reasonable and necessary for a purpose mentioned in paragraph (d).
16C Acts
and practices of overseas recipients of personal information
(1) This section applies if:
(a) an APP entity discloses personal
information about an individual to an overseas recipient; and
(b) Australian Privacy Principle 8.1
applies to the disclosure of the information; and
(c) the Australian Privacy Principles
do not apply, under this Act, to an act done, or a practice engaged in, by the
overseas recipient in relation to the information; and
(d) the overseas recipient does an
act, or engages in a practice, in relation to the information that would be a
breach of the Australian Privacy Principles (other than Australian Privacy
Principle 1) if those Australian Privacy Principles so applied to that act or
practice.
(2) The act done, or the practice engaged in,
by the overseas recipient is taken, for the purposes of this Act:
(a) to have been done, or engaged in,
by the APP entity; and
(b) to be a breach of those Australian
Privacy Principles by the APP entity.
83 Section 37 (table items 6 and 7)
Repeal the items.
84 Subsections 54(2) and 57(2) (definition of agency)
Omit “, an eligible hearing service provider or an eligible case
manager”, substitute “or an eligible hearing service provider”.
85 Paragraph 80H(2)(e)
Omit “people who are responsible (within the
meaning of subclause 2.5 of Schedule 3)”, substitute “responsible
persons”.
86 Subparagraph 80P(1)(c)(v)
Repeal the subparagraph, substitute:
(v) a responsible person
for the individual; and
87 Paragraph 80Q(1)(c)
Omit “responsible for the individual (within the
meaning of subclause 2.5 of Schedule 3)”, substitute “a responsible person
for the individual”.
88 Subsection 95(1)
After “privacy”, insert “by agencies”.
89 Subsections 95(2) and (4)
Omit “Information” (wherever occurring), substitute “Australian”.
90 Section 95A (heading)
Repeal the heading, substitute:
95A
Guidelines for Australian Privacy Principles about health information
91 Subsection 95A(1)
Omit “National Privacy Principles (the NPPs)”,
substitute “Australian Privacy Principles”.
92 Subsection 95A(2)
Omit “subparagraph 2.1(d)(ii) of the NPPs”, substitute “paragraph
16B(3)(c)”.
93 Subsection 95A(3)
Omit “NPPs (other than paragraph 2.1(d))”, substitute “Australian
Privacy Principles (disregarding subsection 16B(3))”.
94 Subsection 95A(4)
Omit “subparagraph 10.3(d)(iii) of the NPPs”, substitute
“subparagraph 16B(2)(d)(iii)”.
95 Subsection 95A(5)
Omit “NPPs (other than paragraph 10.3(d))”, substitute
“Australian Privacy Principles (disregarding subsection 16B(2))”.
96 Section 95AA (heading)
Repeal the heading, substitute:
95AA
Guidelines for Australian Privacy Principles about genetic information
97 Subsection 95AA(1)
Omit “National Privacy Principles (the NPPs)”,
substitute “Australian Privacy Principles”.
98 Subsection 95AA(2)
Omit “subparagraph 2.1(ea)(ii) of the NPPs”, substitute
“paragraph 16B(4)(c)”.
99 Subsection 95AA(2)
Omit “(whether or not the threat is imminent)”.
100 Subsection 95B(1)
Omit “Information”, substitute “Australian”.
101 Section 95C
Omit “a National”, substitute “an Australian”.
102 Subsections 100(2) to (4)
Repeal the subsections, substitute:
(2) Before the Governor‑General makes
regulations for the purposes of Australian Privacy Principle 9.3 prescribing a
government related identifier, an organisation or a class of organisations, and
circumstances, the Minister must be satisfied that:
(a) the relevant agency or State or
Territory authority or, if the relevant agency or State or Territory authority
has a principal executive, the principal executive:
(i) has agreed that the
adoption, use or disclosure of the identifier by the organisation, or the class
of organisations, in the circumstances is appropriate; and
(ii) has consulted the
Commissioner about that adoption, use or disclosure; and
(b) the adoption, use or disclosure of
the identifier by the organisation, or the class of organisations, in the
circumstances can only be for the benefit of the individual to whom the
identifier relates.
(3) Subsection (2) does not apply to the
making of regulations for the purposes of Australian Privacy Principle 9.3 that
relate to the use or disclosure of a government related identifier by an
organisation, or a class of organisations, in particular circumstances if:
(a) the identifier is a kind commonly
used in the processing of pay, or deductions from pay, of Commonwealth
officers, or a class of Commonwealth officers; and
(b) the circumstances of the use or
disclosure of the identifier relate to the provision by:
(i) the organisation; or
(ii) the class of
organisations;
of superannuation services
(including the management, processing, allocation and transfer of
superannuation contributions) for the benefit of Commonwealth officers or the
class of Commonwealth officers; and
(c) before the regulations are made,
the Minister consults the Commissioner about the proposed regulations.
103 Part X
Repeal the Part.
104 Schedules 1 and 3
Repeal the Schedules, substitute:
Schedule 1—Australian Privacy Principles
Note: See section 14.
Overview of the Australian Privacy
Principles
Overview
This Schedule sets out the Australian
Privacy Principles.
Part 1
sets out principles that require APP entities to consider the privacy of
personal information, including ensuring that APP entities manage personal information
in an open and transparent way.
Part 2 sets out principles that
deal with the collection of personal information including unsolicited personal
information.
Part 3 sets out principles about
how APP entities deal with personal information and government related
identifiers. The Part includes principles about the use and disclosure of
personal information and those identifiers.
Part 4 sets out principles about
the integrity of personal information. The Part includes principles about the
quality and security of personal information.
Part 5 sets out principles that
deal with requests for access to, and the correction of, personal information.
Australian Privacy Principles
The Australian Privacy Principles are:
Australian Privacy
Principle 1—open and transparent management of personal information
Australian Privacy
Principle 2—anonymity and pseudonymity
Australian Privacy
Principle 3—collection of solicited personal information
Australian Privacy
Principle 4—dealing with unsolicited personal information
Australian Privacy
Principle 5—notification of the collection of personal information
Australian Privacy
Principle 6—use or disclosure of personal information
Australian Privacy
Principle 7—direct marketing
Australian Privacy
Principle 8—cross‑border disclosure of personal information
Australian Privacy
Principle 9—adoption, use or disclosure of government related identifiers
Australian Privacy
Principle 10—quality of personal information
Australian Privacy
Principle 11—security of personal information
Australian Privacy
Principle 12—access to personal information
Australian Privacy
Principle 13—correction of personal information
Part 1—Consideration of personal information privacy
1
Australian Privacy Principle 1—open and transparent management of personal
information
1.1 The object of this principle is to ensure
that APP entities manage personal information in an open and transparent way.
Compliance with the Australian Privacy Principles etc.
1.2 An APP entity must take such steps as are
reasonable in the circumstances to implement practices, procedures and systems
relating to the entity’s functions or activities that:
(a) will ensure that the entity
complies with the Australian Privacy Principles and a registered APP code (if
any) that binds the entity; and
(b) will enable the entity to deal
with inquiries or complaints from individuals about the entity’s compliance
with the Australian Privacy Principles or such a code.
APP Privacy policy
1.3 An APP entity must have a clearly
expressed and up‑to‑date policy (the APP privacy policy) about
the management of personal information by the entity.
1.4 Without limiting subclause 1.3, the APP
privacy policy of the APP entity must contain the following information:
(a) the kinds of personal information
that the entity collects and holds;
(b) how the entity collects and holds
personal information;
(c) the purposes for which the entity
collects, holds, uses and discloses personal information;
(d) how an individual may access
personal information about the individual that is held by the entity and seek
the correction of such information;
(e) how an individual may complain
about a breach of the Australian Privacy Principles, or a registered APP code
(if any) that binds the entity, and how the entity will deal with such a
complaint;
(f) whether the entity is likely to
disclose personal information to overseas recipients;
(g) if the entity is likely to
disclose personal information to overseas recipients—the countries in which
such recipients are likely to be located if it is practicable to specify those
countries in the policy.
Availability of APP privacy policy etc.
1.5 An APP entity must take such steps as are
reasonable in the circumstances to make its APP privacy policy available:
(a) free of charge; and
(b) in such form as is appropriate.
Note: An APP entity will usually make its APP
privacy policy available on the entity’s website.
1.6 If a person or body requests a copy of the
APP privacy policy of an APP entity in a particular form, the entity must take
such steps as are reasonable in the circumstances to give the person or body a
copy in that form.
2
Australian Privacy Principle 2—anonymity and pseudonymity
2.1 Individuals must have the option of not
identifying themselves, or of using a pseudonym, when dealing with an APP
entity in relation to a particular matter.
2.2 Subclause 2.1 does not apply if, in
relation to that matter:
(a) the APP entity is required or
authorised by or under an Australian law, or a court/tribunal order, to deal
with individuals who have identified themselves; or
(b) it is impracticable for the APP
entity to deal with individuals who have not identified themselves or who have used a pseudonym.
Part 2—Collection of personal information
3
Australian Privacy Principle 3—collection of solicited personal information
Personal information other than sensitive information
3.1 If an APP entity is an agency, the entity
must not collect personal information (other than sensitive information) unless
the information is reasonably necessary for, or directly related to, one or
more of the entity’s functions or activities.
3.2 If an APP entity is an organisation, the
entity must not collect personal information (other than sensitive information)
unless the information is reasonably necessary for one or more of the entity’s
functions or activities.
Sensitive information
3.3 An APP entity must not collect sensitive
information about an individual unless:
(a) the individual consents to the
collection of the information and:
(i) if the entity is an
agency—the information is reasonably necessary for, or directly related to, one
or more of the entity’s functions or activities; or
(ii) if the entity is an
organisation—the information is reasonably necessary for one or more of the
entity’s functions or activities; or
(b) subclause 3.4 applies in relation
to the information.
3.4 This subclause applies in relation to
sensitive information about an individual if:
(a) the collection of the information
is required or authorised by or under an Australian law or a court/tribunal
order; or
(b) a permitted general situation
exists in relation to the collection of the information by the APP entity; or
(c) the APP entity is an organisation
and a permitted health situation exists in relation to the collection of the
information by the entity; or
(d) the APP entity is an enforcement
body and the entity reasonably believes that:
(i) if the entity is the
Immigration Department—the collection of the information is reasonably
necessary for, or directly related to, one or more enforcement related
activities conducted by, or on behalf of, the entity; or
(ii) otherwise—the
collection of the information is reasonably necessary for, or directly related
to, one or more of the entity’s functions or activities; or
(e) the APP entity is a non‑profit
organisation and both of the following apply:
(i) the information
relates to the activities of the organisation;
(ii) the information relates
solely to the members of the organisation, or to individuals who have regular
contact with the organisation in connection with its activities.
Note: For permitted general situation,
see section 16A. For permitted health situation, see
section 16B.
Means of collection
3.5 An APP entity must collect personal
information only by lawful and fair means.
3.6 An APP entity must collect personal
information about an individual only from the individual unless:
(a) if the entity is an agency:
(i) the individual
consents to the collection of the information from someone other than the
individual; or
(ii) the entity is required
or authorised by or under an Australian law, or a court/tribunal order, to
collect the information from someone other than the individual; or
(b) it is unreasonable or
impracticable to do so.
Solicited personal information
3.7 This principle applies to the collection
of personal information that is solicited by an APP entity.
4
Australian Privacy Principle 4—dealing with unsolicited personal information
4.1 If:
(a) an APP entity receives personal
information; and
(b) the entity did not solicit the
information;
the entity must, within a reasonable period after
receiving the information, determine whether or not the entity could have
collected the information under Australian Privacy Principle 3 if the
entity had solicited the information.
4.2 The APP entity may use or disclose the
personal information for the purposes of making the determination under
subclause 4.1.
4.3 If:
(a) the APP entity determines that the
entity could not have collected the personal information; and
(b) the information is not contained
in a Commonwealth record;
the entity must, as soon as practicable but only if it is
lawful and reasonable to do so, destroy the information or ensure that the
information is de‑identified.
4.4 If subclause 4.3 does not apply in
relation to the personal information, Australian Privacy Principles 5 to 13
apply in relation to the information as if the entity had collected the information
under Australian Privacy Principle 3.
5
Australian Privacy Principle 5—notification of the collection of personal
information
5.1 At or before the time or, if that is not
practicable, as soon as practicable after, an APP entity collects personal
information about an individual, the entity must take such steps (if any) as
are reasonable in the circumstances:
(a) to notify the individual of such
matters referred to in subclause 5.2 as are reasonable in the circumstances; or
(b) to otherwise ensure that the
individual is aware of any such matters.
5.2 The matters for the purposes of subclause
5.1 are as follows:
(a) the identity and contact details
of the APP entity;
(b) if:
(i) the APP entity
collects the personal information from someone other than the individual; or
(ii) the individual may not
be aware that the APP entity has collected the personal information;
the fact that the entity so
collects, or has collected, the information and the circumstances of that
collection;
(c) if the collection of the personal
information is required or authorised by or under an Australian law or a
court/tribunal order—the fact that the collection is so required or authorised
(including the name of the Australian law, or details of the court/tribunal order,
that requires or authorises the collection);
(d) the purposes for which the APP
entity collects the personal information;
(e) the main consequences (if any) for
the individual if all or some of the personal information is not collected by
the APP entity;
(f) any other APP entity, body or
person, or the types of any other APP entities, bodies or persons, to which the
APP entity usually discloses personal information of the kind collected by the
entity;
(g) that the APP privacy policy of the
APP entity contains information about how the individual may access the
personal information about the individual that is held by the entity and seek
the correction of such information;
(h) that the APP privacy policy of the
APP entity contains information about how the individual may complain about a
breach of the Australian Privacy Principles, or a registered APP code (if any)
that binds the entity, and how the entity will deal with such a complaint;
(i) whether the APP entity is likely
to disclose the personal information to overseas recipients;
(j) if the APP entity is likely to
disclose the personal information to overseas recipients—the countries in which
such recipients are likely to be located if it is practicable to specify those
countries in the notification or to otherwise make the individual aware of
them.
Part 3—Dealing with personal information
6
Australian Privacy Principle 6—use or disclosure of personal information
Use or disclosure
6.1 If an APP entity holds personal
information about an individual that was collected for a particular purpose
(the primary purpose), the entity must not use or disclose the
information for another purpose (the secondary purpose) unless:
(a) the individual has consented to
the use or disclosure of the information; or
(b) subclause 6.2 or 6.3 applies in
relation to the use or disclosure of the information.
Note: Australian Privacy Principle 8 sets out
requirements for the disclosure of personal information to a person who is not
in Australia or an external Territory.
6.2 This subclause applies in relation to the
use or disclosure of personal information about an individual if:
(a) the individual would reasonably
expect the APP entity to use or disclose the information for the secondary
purpose and the secondary purpose is:
(i) if the information is
sensitive information—directly related to the primary purpose; or
(ii) if the information is
not sensitive information—related to the primary purpose; or
(b) the use or disclosure of the
information is required or authorised by or under an Australian law or a
court/tribunal order; or
(c) a permitted general situation
exists in relation to the use or disclosure of the information by the APP
entity; or
(d) the APP entity is an organisation
and a permitted health situation exists in relation to the use or disclosure of
the information by the entity; or
(e) the APP entity reasonably believes
that the use or disclosure of the information is reasonably necessary for one
or more enforcement related activities conducted by, or on behalf of, an
enforcement body.
Note: For permitted general situation,
see section 16A. For permitted health situation, see
section 16B.
6.3 This subclause applies in relation to the
disclosure of personal information about an individual by an APP entity that is
an agency if:
(a) the agency is not an enforcement
body; and
(b) the information is biometric
information or biometric templates; and
(c) the recipient of the information
is an enforcement body; and
(d) the disclosure is conducted in
accordance with the guidelines made by the Commissioner for the purposes of
this paragraph.
6.4 If:
(a) the APP entity is an organisation;
and
(b) subsection 16B(2) applied in
relation to the collection of the personal information by the entity;
the entity must take such steps as are reasonable in the
circumstances to ensure that the information is de‑identified before the entity
discloses it in accordance with subclause 6.1 or 6.2.
Written note of use or disclosure
6.5 If an APP entity uses or discloses
personal information in accordance with paragraph 6.2(e), the entity must make
a written note of the use or disclosure.
Related bodies corporate
6.6 If:
(a) an APP entity is a body corporate;
and
(b) the entity collects personal
information from a related body corporate;
this principle applies as if the entity’s primary purpose
for the collection of the information were the primary purpose for which the
related body corporate collected the information.
Exceptions
6.7 This principle does not apply to the use
or disclosure by an organisation of:
(a) personal information for the
purpose of direct marketing; or
(b) government related identifiers.
7
Australian Privacy Principle 7—direct marketing
Direct marketing
7.1 If an organisation holds personal information
about an individual, the organisation must not use or disclose the information
for the purpose of direct marketing.
Note: An act or practice of an agency may be treated
as an act or practice of an organisation, see section 7A.
Exceptions—personal information other than sensitive
information
7.2 Despite subclause 7.1, an organisation may
use or disclose personal information (other than sensitive information) about
an individual for the purpose of direct marketing if:
(a) the organisation collected the
information from the individual; and
(b) the individual would reasonably
expect the organisation to use or disclose the information for that purpose;
and
(c) the organisation provides a simple
means by which the individual may easily request not to receive direct
marketing communications from the organisation; and
(d) the individual has not made such a
request to the organisation.
7.3 Despite subclause 7.1, an organisation may
use or disclose personal information (other than sensitive information) about
an individual for the purpose of direct marketing if:
(a) the organisation collected the
information from:
(i) the individual and the
individual would not reasonably expect the organisation to use or disclose the
information for that purpose; or
(ii) someone other than the
individual; and
(b) either:
(i) the individual has
consented to the use or disclosure of the information for that purpose; or
(ii) it is impracticable to
obtain that consent; and
(c) the organisation provides a simple
means by which the individual may easily request not to receive direct
marketing communications from the organisation; and
(d) in each direct marketing
communication with the individual:
(i) the organisation
includes a prominent statement that the individual may make such a request; or
(ii) the organisation
otherwise draws the individual’s attention to the fact that the individual may
make such a request; and
(e) the individual has not made such a
request to the organisation.
Exception—sensitive information
7.4 Despite subclause 7.1, an organisation may
use or disclose sensitive information about an individual for the purpose of
direct marketing if the individual has consented to the use or disclosure of
the information for that purpose.
Exception—contracted service providers
7.5 Despite subclause 7.1, an organisation may
use or disclose personal information for the purpose of direct marketing if:
(a) the organisation is a contracted
service provider for a Commonwealth contract; and
(b) the organisation collected the
information for the purpose of meeting (directly or indirectly) an obligation
under the contract; and
(c) the use or disclosure is necessary
to meet (directly or indirectly) such an obligation.
Individual may request not to receive direct marketing
communications etc.
7.6 If an organisation (the first
organisation) uses or discloses personal information about an
individual:
(a) for the purpose of direct
marketing by the first organisation; or
(b) for the purpose of facilitating
direct marketing by other organisations;
the individual may:
(c) if paragraph (a)
applies—request not to receive direct marketing communications from the first
organisation; and
(d) if paragraph (b)
applies—request the organisation not to use or disclose the information for the
purpose referred to in that paragraph; and
(e) request the first organisation to
provide its source of the information.
7.7 If an individual makes a request under
subclause 7.6, the first organisation must not charge the individual for the
making of, or to give effect to, the request and:
(a) if the request is of a kind
referred to in paragraph 7.6(c) or (d)—the first organisation must give effect
to the request within a reasonable period after the request is made; and
(b) if the request is of a kind
referred to in paragraph 7.6(e)—the organisation must, within a reasonable
period after the request is made, notify the individual of its source unless it
is impracticable or unreasonable to do so.
Interaction with other legislation
7.8 This principle does not apply to the
extent that any of the following apply:
(a) the Do Not Call Register Act
2006;
(b) the Spam Act 2003;
(c) any other Act of the Commonwealth,
or a Norfolk Island enactment, prescribed by the regulations.
8
Australian Privacy Principle 8—cross‑border disclosure of personal information
8.1 Before an APP entity discloses personal
information about an individual to a person (the overseas recipient):
(a) who is not in Australia or an
external Territory; and
(b) who is not the entity or the
individual;
the entity must take such steps as are reasonable in the
circumstances to ensure that the overseas recipient does not breach the
Australian Privacy Principles (other than Australian Privacy Principle 1) in
relation to the information.
Note: In certain circumstances, an act done, or a
practice engaged in, by the overseas recipient is taken, under
section 16C, to have been done, or engaged in, by the APP entity and to be
a breach of the Australian Privacy Principles.
8.2 Subclause 8.1 does not apply to the
disclosure of personal information about an individual by an APP entity to the
overseas recipient if:
(a) the entity reasonably believes
that:
(i) the recipient of the
information is subject to a law, or binding scheme, that has the effect of
protecting the information in a way that, overall, is at least substantially
similar to the way in which the Australian Privacy Principles protect the
information; and
(ii) there are mechanisms
that the individual can access to take action to enforce that protection of the
law or binding scheme; or
(b) both of the following apply:
(i) the entity expressly
informs the individual that if he or she consents to the disclosure of the
information, subclause 8.1 will not apply to the disclosure;
(ii) after being so
informed, the individual consents to the disclosure; or
(c) the disclosure of the information
is required or authorised by or under an Australian law or a court/tribunal
order; or
(d) a permitted general situation
(other than the situation referred to in item 4 or 5 of the table in
subsection 16A(1)) exists in relation to the disclosure of the information by
the APP entity; or
(e) the entity is an agency and the
disclosure of the information is required or authorised by or under an
international agreement relating to information sharing to which Australia is a
party; or
(f) the entity is an agency and both
of the following apply:
(i) the entity reasonably
believes that the disclosure of the information is reasonably necessary for one
or more enforcement related activities conducted by, or on behalf of, an
enforcement body;
(ii) the recipient is a
body that performs functions, or exercises powers, that are similar to those
performed or exercised by an enforcement body.
Note: For permitted general situation,
see section 16A.
9
Australian Privacy Principle 9—adoption, use or disclosure of government
related identifiers
Adoption of government related identifiers
9.1 An organisation must not adopt a
government related identifier of an individual as its own identifier of the
individual unless:
(a) the adoption of the government
related identifier is required or authorised by or under an Australian law or a
court/tribunal order; or
(b) subclause 9.3 applies in relation
to the adoption.
Note: An act or practice of an agency may be treated
as an act or practice of an organisation, see section 7A.
Use or disclosure of government related identifiers
9.2 An organisation must not use or disclose a
government related identifier of an individual unless:
(a) the use or disclosure of the
identifier is reasonably necessary for the organisation to verify the identity
of the individual for the purposes of the organisation’s activities or
functions; or
(b) the use or disclosure of the
identifier is reasonably necessary for the organisation to fulfil its
obligations to an agency or a State or Territory authority; or
(c) the use or disclosure of the
identifier is required or authorised by or under an Australian law or a
court/tribunal order; or
(d) a permitted general situation
(other than the situation referred to in item 4 or 5 of the table in
subsection 16A(1)) exists in relation to the use or disclosure of the
identifier; or
(e) the organisation reasonably
believes that the use or disclosure of the identifier is reasonably necessary
for one or more enforcement related activities conducted by, or on behalf of,
an enforcement body; or
(f) subclause 9.3 applies in relation
to the use or disclosure.
Note 1: An act or
practice of an agency may be treated as an act or practice of an organisation,
see section 7A.
Note 2: For permitted general situation,
see section 16A.
Regulations about adoption, use or disclosure
9.3 This subclause applies in relation to the
adoption, use or disclosure by an organisation of a government related
identifier of an individual if:
(a) the identifier is prescribed by
the regulations; and
(b) the organisation is prescribed by
the regulations, or is included in a class of organisations prescribed by the
regulations; and
(c) the adoption, use or disclosure
occurs in the circumstances prescribed by the regulations.
Note: There are prerequisites that must be satisfied
before the matters mentioned in this subclause are prescribed, see subsections
100(2) and (3).
Part 4—Integrity of personal information
10
Australian Privacy Principle 10—quality of personal information
10.1 An APP entity must take such steps (if any)
as are reasonable in the circumstances to ensure that the personal information
that the entity collects is accurate, up‑to‑date and complete.
10.2 An APP entity must take such steps (if any)
as are reasonable in the circumstances to ensure that the personal information
that the entity uses or discloses is, having regard to the purpose of the use
or disclosure, accurate, up‑to‑date, complete and relevant.
11
Australian Privacy Principle 11—security of personal information
11.1 If an APP entity holds personal
information, the entity must take such steps as are reasonable in the
circumstances to protect the information:
(a) from misuse, interference and
loss; and
(b) from unauthorised access,
modification or disclosure.
11.2 If:
(a) an APP entity holds personal
information about an individual; and
(b) the entity no longer needs the
information for any purpose for which the information may be used or disclosed
by the entity under this Schedule; and
(c) the information is not contained
in a Commonwealth record; and
(d) the entity is not required by or
under an Australian law, or a court/tribunal order, to retain the information;
the entity must take such steps as are reasonable in the
circumstances to destroy the information or to ensure that the information is
de‑identified.
Part 5—Access to, and correction of, personal information
12
Australian Privacy Principle 12—access to personal information
Access
12.1 If an APP entity holds personal information
about an individual, the entity must, on request by the individual, give the
individual access to the information.
Exception to access—agency
12.2 If:
(a) the APP entity is an agency; and
(b) the entity is required or
authorised to refuse to give the individual access to the personal information
by or under:
(i) the Freedom of
Information Act; or
(ii) any other Act of the
Commonwealth, or a Norfolk Island enactment, that provides for access by
persons to documents;
then, despite subclause 12.1, the entity is not required
to give access to the extent that the entity is required or authorised to
refuse to give access.
Exception to access—organisation
12.3 If the APP entity is an organisation then,
despite subclause 12.1, the entity is not required to give the individual
access to the personal information to the extent that:
(a) the entity reasonably believes
that giving access would pose a serious threat to the life, health or safety of
any individual, or to public health or public safety; or
(b) giving access would have an
unreasonable impact on the privacy of other individuals; or
(c) the request for access is
frivolous or vexatious; or
(d) the information relates to
existing or anticipated legal proceedings between the entity and the
individual, and would not be accessible by the process of discovery in those
proceedings; or
(e) giving access would reveal the
intentions of the entity in relation to negotiations with the individual in
such a way as to prejudice those negotiations; or
(f) giving access would be unlawful;
or
(g) denying access is required or
authorised by or under an Australian law or a court/tribunal order; or
(h) both of the following apply:
(i) the entity has reason
to suspect that unlawful activity, or misconduct of a serious nature, that
relates to the entity’s functions or activities has been, is being or may be
engaged in;
(ii) giving access would be
likely to prejudice the taking of appropriate action in relation to the matter;
or
(i) giving access would be likely to
prejudice one or more enforcement related activities conducted by, or on behalf
of, an enforcement body; or
(j) giving access would reveal evaluative
information generated within the entity in connection with a commercially
sensitive decision‑making process.
Dealing with requests for access
12.4 The APP entity must:
(a) respond to the request for access
to the personal information:
(i) if the entity is an
agency—within 30 days after the request is made; or
(ii) if the entity is an
organisation—within a reasonable period after the request is made; and
(b) give access to the information in
the manner requested by the individual, if it is reasonable and practicable to
do so.
Other means of access
12.5 If the APP entity refuses:
(a) to give access to the personal
information because of subclause 12.2 or 12.3; or
(b) to give access in the manner
requested by the individual;
the entity must take such steps (if any) as are reasonable
in the circumstances to give access in a way that meets the needs of the entity
and the individual.
12.6 Without limiting subclause 12.5, access may
be given through the use of a mutually agreed intermediary.
Access charges
12.7 If the APP entity is an agency, the entity
must not charge the individual for the making of the request or for giving
access to the personal information.
12.8 If:
(a) the APP entity is an organisation;
and
(b) the entity charges the individual
for giving access to the personal information;
the charge must not be excessive and must not apply to the
making of the request.
Refusal to give access
12.9 If the APP entity refuses to give access to
the personal information because of subclause 12.2 or 12.3, or to give access
in the manner requested by the individual, the entity must give the individual
a written notice that sets out:
(a) the reasons for the refusal except
to the extent that, having regard to the grounds for the refusal, it would be
unreasonable to do so; and
(b) the mechanisms available to
complain about the refusal; and
(c) any other matter prescribed by the
regulations.
12.10 If the APP entity refuses to give access to
the personal information because of paragraph 12.3(j), the reasons for the
refusal may include an explanation for the commercially sensitive decision.
13
Australian Privacy Principle 13—correction of personal information
Correction
13.1 If:
(a) an APP entity holds personal
information about an individual; and
(b) either:
(i) the entity is
satisfied that, having regard to a purpose for which the information is
held, the information is inaccurate, out‑of‑date, incomplete, irrelevant or
misleading; or
(ii) the individual
requests the entity to correct the information;
the entity must take such steps (if any) as are reasonable
in the circumstances to correct that information to ensure that, having regard
to the purpose for which it is held, the information is accurate, up‑to‑date,
complete, relevant and not misleading.
Notification of correction to third parties
13.2 If:
(a) the APP entity corrects personal
information about an individual that the entity previously disclosed to another
APP entity; and
(b) the individual requests the entity
to notify the other APP entity of the correction;
the entity must take such steps (if any) as are reasonable
in the circumstances to give that notification unless it is impracticable or
unlawful to do so.
Refusal to correct information
13.3 If the APP entity refuses to correct the
personal information as requested by the individual, the entity must give the
individual a written notice that sets out:
(a) the reasons for the refusal except
to the extent that it would be unreasonable to do so; and
(b) the mechanisms available to
complain about the refusal; and
(c) any other matter prescribed by the
regulations.
Request to associate a statement
13.4 If:
(a) the APP entity refuses to correct
the personal information as requested by the individual; and
(b) the individual requests the entity
to associate with the information a statement that the information is
inaccurate, out‑of‑date, incomplete, irrelevant or misleading;
the entity must take such steps as are reasonable in the
circumstances to associate the statement in such a way that will make the
statement apparent to users of the information.
Dealing with requests
13.5 If a request is made under subclause 13.1
or 13.4, the APP entity:
(a) must respond to the request:
(i) if the entity is an
agency—within 30 days after the request is made; or
(ii) if the entity is an
organisation—within a reasonable period after the request is made; and
(b) must not charge the individual for
the making of the request, for correcting the personal information or for
associating the statement with the personal information (as the case may be).
Schedule 2
1 Before section 6
Insert:
Division 1—General definitions
2 Subsection 6(1)
Insert:
access seeker has the meaning given by
subsection 6L(1).
3 Subsection 6(1)
Insert:
affected information recipient means:
(a) a mortgage insurer; or
(b) a trade insurer; or
(c) a body corporate referred to in
paragraph 21G(3)(b); or
(d) a person referred to in paragraph
21G(3)(c); or
(e) an entity or adviser referred to
in paragraph 21N(2)(a).
4 Subsection 6(1)
Insert:
amount of credit has the meaning given by
subsection 6M(2).
5 Subsection 6(1)
Insert:
Bankruptcy Act means the Bankruptcy Act
1966.
6 Subsection 6(1)
Insert:
ban period has the meaning given by
subsection 20K(3).
7 Subsection 6(1) (definition of commercial credit)
Repeal the definition, substitute:
commercial credit means credit (other than
consumer credit) that is applied for by, or provided to, a person.
8 Subsection 6(1)
Insert:
commercial credit related purpose of a credit
provider in relation to a person means the purpose of:
(a) assessing an application for
commercial credit made by the person to the provider; or
(b) collecting payments that are
overdue in relation to commercial credit provided by the provider to the
person.
9 Subsection 6(1)
Insert:
consumer credit means credit:
(a) for which an application has been
made by an individual to a credit provider, or that has been provided to an
individual by a credit provider, in the course of the provider carrying on a
business or undertaking as a credit provider; and
(b) that is intended to be used wholly
or primarily:
(i) for personal, family
or household purposes; or
(ii) to acquire, maintain,
renovate or improve residential property for investment purposes; or
(iii) to refinance consumer
credit that has been provided wholly or primarily to acquire, maintain,
renovate or improve residential property for investment purposes.
10 Subsection 6(1)
Insert:
consumer credit liability information: if a
credit provider provides consumer credit to an individual, the following
information about the consumer credit is consumer credit liability
information about the individual:
(a) the name of the provider;
(b) whether the provider is a
licensee;
(c) the type of consumer credit;
(d) the day on which the consumer
credit is entered into;
(e) the terms or conditions of the
consumer credit:
(i) that relate to the
repayment of the amount of credit; and
(ii) that are prescribed by
the regulations;
(f) the maximum amount of credit
available under the consumer credit;
(g) the day on which the consumer
credit is terminated or otherwise ceases to be in force.
11 Subsection 6(1)
Insert:
consumer credit related purpose of a credit
provider in relation to an individual means the purpose of:
(a) assessing an application for
consumer credit made by the individual to the provider; or
(b) collecting payments that are
overdue in relation to consumer credit provided by the provider to the
individual.
12 Subsection 6(1)
Insert:
court proceedings information about an
individual means information about a judgement of an Australian court:
(a) that is made, or given, against
the individual in proceedings (other than criminal proceedings); and
(b) that relates to any credit that
has been provided to, or applied for by, the individual.
13 Subsection 6(1)
Insert:
CP derived information about an individual
means any personal information (other than sensitive information) about the individual:
(a) that is derived from credit
reporting information about the individual that was disclosed to a credit
provider by a credit reporting body under Division 2 of Part IIIA;
and
(b) that has any bearing on the
individual’s credit worthiness; and
(c) that is used, has been used or
could be used in establishing the individual’s eligibility for consumer credit.
14 Subsection 6(1)
Insert:
CRB derived information about an individual
means any personal information (other than sensitive information) about the
individual:
(a) that is derived by a credit
reporting body from credit information about the individual that is held by the
body; and
(b) that has any bearing on the
individual’s credit worthiness; and
(c) that is used, has been used or
could be used in establishing the individual’s eligibility for consumer credit.
15 Subsection 6(1) (definition of credit)
Repeal the definition, substitute:
credit has the meaning given by subsections
6M(1) and (3).
16 Subsection 6(1) (definition of credit card)
Omit “loans” (wherever occurring), substitute “credit”.
17 Subsection 6(1)
Insert:
credit eligibility information about an
individual means:
(a) credit reporting information about
the individual that was disclosed to a credit provider by a credit reporting
body under Division 2 of Part IIIA; or
(b) CP derived information about the
individual.
18 Subsection 6(1) (definition of credit enhancement)
Omit “a loan”, substitute “credit”.
19 Subsection 6(1) (paragraphs (a) and (b) of the
definition of credit enhancement)
Omit “the loan”, substitute “the credit”.
20 Subsection 6(1)
Insert:
credit guarantee purpose of a credit provider
in relation to an individual means the purpose of assessing whether to accept
the individual as a guarantor in relation to:
(a) credit provided by the provider to
a person other than the individual; or
(b) credit for which an application
has been made to the provider by a person other than the individual.
21 Subsection 6(1)
Insert:
credit information has the meaning given by
section 6N.
22 Subsection 6(1) (definition of credit information file)
Repeal the definition.
23 Subsection 6(1) (definition of credit provider)
Omit “section 11B”, substitute “sections 6G to 6K”.
24 Subsection 6(1) (definition of credit report)
Repeal the definition.
25 Subsection 6(1) (definition of credit reporting agency)
Repeal the definition.
26 Subsection 6(1)
Insert:
credit reporting body means:
(a) an organisation; or
(b) an agency prescribed by the
regulations;
that carries on a credit reporting business.
27 Subsection 6(1) (definition of credit reporting
business)
Repeal the definition, substitute:
credit reporting business has the meaning
given by section 6P.
28 Subsection 6(1)
Insert:
credit reporting information about an
individual means credit information, or CRB derived information, about the
individual.
29 Subsection 6(1)
Insert:
credit worthiness of an individual means the
individual’s:
(a) eligibility to be provided with
consumer credit; or
(b) history in relation to consumer
credit; or
(c) capacity to repay an amount of
credit that relates to consumer credit.
30 Subsection 6(1) (definition of current credit
provider)
Repeal the definition.
31 Subsection 6(1)
Insert:
default information has the meaning given by
section 6Q.
32 Subsection 6(1) (definition of eligible communications
service)
Repeal the definition.
33 Subsection 6(1) (definition of guarantee)
Repeal the definition, substitute:
guarantee includes an indemnity given against
the default of a person in making a payment in relation to credit that has been
applied for by, or provided to, the person.
34 Subsection 6(1)
Insert:
identification information about an
individual means:
(a) the individual’s full name; or
(b) an alias or previous name of the
individual; or
(c) the individual’s date of birth; or
(d) the individual’s sex; or
(e) the individual’s current or last
known address, and 2 previous addresses (if any); or
(f) the name of the individual’s
current or last known employer; or
(g) if the individual holds a driver’s
licence—the individual’s driver’s licence number.
35 Subsection 6(1)
Insert:
information request has the meaning given by
section 6R.
36 Subsection 6(1)
Insert:
interested party has the meaning given by
subsections 20T(3) and 21V(3).
37 Subsection 6(1)
Insert:
licensee has the meaning given by the National
Consumer Credit Protection Act 2009.
38 Subsection 6(1) (definition of loan)
Repeal the definition.
39 Subsection 6(1)
Insert:
managing credit does not include the act of
collecting overdue payments in relation to credit.
40 Subsection 6(1) (definition of mortgage credit)
Repeal the definition, substitute:
mortgage credit means consumer credit:
(a) that is provided in connection
with the acquisition, maintenance, renovation or improvement of real property;
and
(b) in relation to which the real
property is security.
41 Subsection 6(1)
Insert:
mortgage insurance purpose of a mortgage
insurer in relation to an individual is the purpose of assessing:
(a) whether to provide insurance to,
or the risk of providing insurance to, a credit provider in relation to
mortgage credit:
(i) provided by the
provider to the individual; or
(ii) for which an
application to the provider has been made by the individual; or
(b) the risk of the individual
defaulting on mortgage credit in relation to which the insurer has provided
insurance to a credit provider; or
(c) the risk of the individual being
unable to meet a liability that might arise under a guarantee provided, or
proposed to be provided, in relation to mortgage credit provided by a credit
provider to another person.
42 Subsection 6(1) (definition of mortgage insurer)
Repeal the definition, substitute:
mortgage insurer means an organisation, or
small business operator, that carries on a business or undertaking that
involves providing insurance to credit providers in relation to mortgage credit
provided by providers to other persons.
43 Subsection 6(1)
Insert:
National Personal Insolvency Index has the
meaning given by the Bankruptcy Act.
44 Subsection 6(1)
Insert:
new arrangement information has the meaning
given by section 6S.
45 Subsection 6(1)
Insert:
payment information has the meaning given by
section 6T.
46 Subsection 6(1)
Insert:
penalty unit has the meaning given by
section 4AA of the Crimes Act 1914.
47 Subsection 6(1)
Insert:
pending correction request in relation to
credit information or CRB derived information means:
(a) a request made under subsection
20T(1) in relation to the information if a notice has not been given under subsection
20U(2) or (3) in relation to the request; or
(b) a request made under subsection
21V(1) in relation to the information if:
(i) the credit reporting
body referred to in subsection 20V(3) has been consulted about the request
under subsection 21V(3); and
(ii) a notice has not been
given under subsection 21W(2) or (3) in relation to the request.
48 Subsection 6(1)
Insert:
pending dispute in relation to credit
information or CRB derived information means:
(a) a complaint made under
section 23A that relates to the information if a decision about the
complaint has not been made under subsection 23B(4); or
(b) a matter that relates to the
information and that is still being dealt with by a recognised external dispute
resolution scheme; or
(c) a complaint made to the
Commissioner under Part V that relates to the information and that is
still being dealt with.
49 Subsection 6(1)
Insert:
permitted CP disclosure has the meaning given
by sections 21J to 21N.
50 Subsection 6(1)
Insert:
permitted CP use has the meaning given by
section 21H.
51 Subsection 6(1)
Insert:
permitted CRB disclosure has the meaning
given by section 20F.
52 Subsection 6(1)
Insert:
personal insolvency information has the
meaning given by section 6U.
53 Subsection 6(1)
Insert:
pre‑screening assessment means an assessment
made under paragraph 20G(2)(d).
54 Subsection 6(1)
Insert:
purchase, in relation to credit, includes the
purchase of rights to receive payments relating to the credit.
55 Subsection 6(1)
Insert:
regulated information of an affected
information recipient means:
(a) if the recipient is a mortgage
insurer or trade insurer—personal information disclosed to the recipient under
Division 2 or 3 of Part IIIA; or
(b) if the recipient is a body
corporate referred to in paragraph 21G(3)(b)—credit eligibility information
disclosed to the recipient under that paragraph; or
(c) if the recipient is a person
referred to in paragraph 21G(3)(c)—credit eligibility information disclosed to
the recipient under that paragraph; or
(d) if the recipient is an entity or
adviser referred to in paragraph 21N(2)(a)—credit eligibility information
disclosed to the recipient under subsection 21N(2).
56 Subsection 6(1)
Insert:
repayment history information has the meaning
given by subsection 6V(1).
57 Subsection 6(1)
Insert:
residential property has the meaning given by
section 204 of the National Credit Code (within the meaning of the National
Consumer Credit Protection Act 2009).
58 Subsection 6(1)
Insert:
respondent for a complaint made under
section 23A means the credit reporting body or credit provider to which
the complaint is made.
59 Subsection 6(1)
Insert:
retention period has the meaning given by
sections 20W and 20X.
60 Subsection 6(1) (subparagraphs (a)(i) and (ii) of
the definition of securitisation arrangement)
Repeal the subparagraphs, substitute:
(i) credit that has been,
or is to be, provided by a credit provider; or
(ii) the purchase of credit
by a credit provider;
61 Subsection 6(1) (paragraph (b) of the definition of securitisation
arrangement)
Omit “loans”, substitute “credit”.
62 Subsection 6(1)
Insert:
securitisation related purpose of a credit
provider in relation to an individual is the purpose of:
(a) assessing the risk in purchasing,
by means of a securitisation arrangement, credit that has been provided to, or
applied for by:
(i) the individual; or
(ii) a person for whom the
individual is, or is proposing to be, a guarantor; or
(b) assessing the risk in undertaking
credit enhancement in relation to credit:
(i) that is, or is
proposed to be, purchased or funded by means of a securitisation arrangement;
and
(ii) that has been provided
to, or applied for by, the individual or a person for whom the individual is,
or is proposing to be, a guarantor.
63 Subsection 6(1) (definition of serious credit
infringement)
Repeal the definition, substitute:
serious credit infringement means:
(a) an act done by an individual that
involves fraudulently obtaining consumer credit, or attempting fraudulently to
obtain consumer credit; or
(b) an act done by an individual that
involves fraudulently evading the individual’s obligations in relation to
consumer credit, or attempting fraudulently to evade those obligations; or
(c) an act done by an individual if:
(i) a reasonable person
would consider that the act indicates an intention, on the part of the
individual, to no longer comply with the individual’s obligations in relation
to consumer credit provided by a credit provider; and
(ii) the provider has,
after taking such steps as are reasonable in the circumstances, been unable to
contact the individual about the act; and
(iii) at least 6 months have
passed since the provider last had contact with the individual.
64 Subsection 6(1)
Insert:
trade insurance purpose of a trade insurer in
relation to an individual is the purpose of assessing:
(a) whether to provide insurance to,
or the risk of providing insurance to, a credit provider in relation to
commercial credit provided by the provider to the individual or another person;
or
(b) the risk of a person defaulting on
commercial credit in relation to which the insurer has provided insurance to a
credit provider.
65 Subsection 6(1) (definition of trade insurer)
Repeal the definition, substitute:
trade insurer means an organisation, or small
business operator, that carries on a business or undertaking that involves
providing insurance to credit providers in relation to commercial credit
provided by providers to other persons.
66 Subsections 6(5A) to (5D)
Repeal the subsections.
67 Subsection 6(10)
Omit “credit”, substitute “consumer credit”.
68 At the end of subsection 6D(4)
Add:
; or (f) is a credit reporting body.
69 After section 6F
Insert:
Division 2—Key definitions relating to credit reporting
Subdivision A—Credit provider
6G Meaning of credit
provider
General
(1) Each of the following is a credit
provider:
(a) a bank;
(b) an organisation or small business
operator if:
(i) the organisation or
operator carries on a business or undertaking; and
(ii) a substantial part of
the business or undertaking is the provision of credit;
(c) an organisation or small business
operator:
(i) that carries on a
retail business; and
(ii) that, in the course of
the business, issues credit cards to individuals in connection with the sale of
goods, or the supply of services, by the organisation or operator (as the case
may be);
(d) an agency, organisation or small
business operator:
(i) that carries on a
business or undertaking that involves providing credit; and
(ii) that is prescribed by
the regulations.
Other credit providers
(2) If:
(a) an organisation or small business
operator (the supplier) carries on a business or undertaking in
the course of which the supplier provides credit in connection with the sale of
goods, or the supply of services, by the supplier; and
(b) the repayment, in full or in part,
of the amount of credit is deferred for at least 7 days; and
(c) the supplier is not a credit
provider under subsection (1);
then the supplier is a credit provider but
only in relation to the credit.
(3) If:
(a) an organisation or small business
operator (the lessor) carries on a business or undertaking in the
course of which the lessor provides credit in connection with the hiring,
leasing or renting of goods; and
(b) the credit is in force for at
least 7 days; and
(c) no amount, or an amount less than
the value of the goods, is paid as a deposit for the return of the goods; and
(d) the lessor is not a credit provider
under subsection (1);
then the lessor is a credit provider but
only in relation to the credit.
(4) An organisation or small business
operator is a credit provider if subsection 6H(1), 6J(1) or 6K(1)
provides that the organisation or operator is a credit provider.
Exclusions
(5) Despite subsections (1) to (4) of
this section, an organisation or small business operator acting in the capacity
of:
(a) a real estate agent; or
(b) a general insurer (within the
meaning of the Insurance Act 1973); or
(c) an employer of an individual;
is not a credit provider while acting in
that capacity.
(6) Despite subsections (1) to (4) of
this section, an organisation or small business operator is not a credit
provider if it is included in a class of organisations or operators
prescribed by the regulations.
6H
Agents of credit providers
(1) If an organisation or small business
operator (the agent) is acting as an agent of a credit provider
(the principal) in performing, on behalf of the principal, a task
that is reasonably necessary:
(a) in processing an application for
credit made to the principal; or
(b) in managing credit provided by the
principal;
then, while the agent is so acting, the agent is a credit
provider.
(2) Subsection (1) does not apply if the
principal is an organisation or small business operator that is a credit
provider because of a previous application of that subsection.
(3) If subsection (1) applies in
relation to credit that has been provided by the principal, the credit is
taken, for the purposes of this Act, to have been provided by both the
principal and the agent.
(4) If subsection (1) applies in
relation to credit for which an application has been made to the principal, the
application is taken, for the purposes of this Act, to have been made to both
the principal and the agent.
6J
Securitisation arrangements etc.
(1) If:
(a) an organisation or small business
operator (the securitisation entity) carries on a business that
is involved in either or both of the following:
(i) a securitisation
arrangement;
(ii) managing credit that
is the subject of a securitisation arrangement; and
(b) the securitisation entity performs
a task that is reasonably necessary for:
(i) purchasing, funding or
managing, or processing an application for, credit by means of a securitisation
arrangement; or
(ii) undertaking credit
enhancement in relation to credit; and
(c) the credit has been provided by,
or is credit for which an application has been made to, a credit provider (the original
credit provider);
then, while the securitisation entity performs such a
task, the securitisation entity is a credit provider.
(2) Subsection (1) does not apply if the
original credit provider is an organisation or small business operator that is
a credit provider because of a previous application of that subsection.
(3) If subsection (1) applies in
relation to credit that has been provided by the original credit provider, the
credit is taken, for the purposes of this Act, to have been provided by both
the original credit provider and the securitisation entity.
(4) If subsection (1) applies in
relation to credit for which an application has been made to the original
credit provider, the application is taken, for the purposes of this Act, to
have been made to both the original credit provider and the securitisation
entity.
6K
Acquisition of the rights of a credit provider
(1) If:
(a) an organisation or small business
operator (the acquirer) acquires, whether by assignment,
subrogation or any other means, the rights of a credit provider (the original
credit provider) in relation to the repayment of an amount of credit;
and
(b) the acquirer is not a credit
provider under subsection 6G(1);
then the acquirer is a credit provider but
only in relation to the credit.
(2) If subsection (1) of this section
applies in relation to credit that has been provided by the original credit
provider, the credit is taken, for the purposes of this Act, to have been
provided by the acquirer.
(3) If subsection (1) of this section
applies in relation to credit for which an application has been made to the
original credit provider, the application is taken, for the purposes of this
Act, to have been made to the acquirer.
Subdivision B—Other definitions
6L
Meaning of access seeker
(1) An access seeker in
relation to credit reporting information, or credit eligibility information,
about an individual is:
(a) the individual; or
(b) a person:
(i) who is assisting the
individual to deal with a credit reporting body or credit provider; and
(ii) who is authorised, in
writing, by the individual to make a request in relation to the information
under subsection 20R(1) or 21T(1).
(2) An individual must not authorise a person
under subparagraph (1)(b)(ii) if the person is:
(a) a credit provider; or
(b) a mortgage insurer; or
(c) a trade insurer; or
(d) a person who is prevented from
being a credit provider by subsection 6G(5) or (6).
(3) Subparagraph (1)(b)(ii) does not
apply to a person who provides the National Relay Service or a person prescribed by the regulations.
6M
Meaning of credit and amount of credit
(1) Credit is a contract,
arrangement or understanding under which:
(a) payment of a debt owed by one person
to another person is deferred; or
(b) one person incurs a debt to
another person and defers the payment of the debt.
(2) The amount of credit is the
amount of the debt that is actually deferred, or that may be deferred, but does
not include any fees or charges payable in connection with the deferral of the
debt.
(3) Without limiting subsection (1), credit
includes:
(a) a hire‑purchase agreement; and
(b) a contract, arrangement or
understanding of a kind referred to in that subsection that is for the hire,
lease or rental of goods, or for the supply of services, other than a contract,
arrangement or understanding under which:
(i) full payment is made
before, or at the same time as, the goods or services are provided; and
(ii) in the case of
goods—an amount greater than, or equal to, the value of the goods is paid as a
deposit for the return of the goods.
6N
Meaning of credit information
Credit information about
an individual is personal information (other than sensitive information) that
is:
(a) identification information about
the individual; or
(b) consumer credit liability
information about the individual; or
(c) repayment history information
about the individual; or
(d) a statement that an information
request has been made in relation to the individual by a credit provider,
mortgage insurer or trade insurer; or
(e) the type of consumer credit or
commercial credit, and the amount of credit, sought in an application:
(i) that has been made by
the individual to a credit provider; and
(ii) in connection with
which the provider has made an information request in relation to the
individual; or
(f) default information about the
individual; or
(g) payment information about the
individual; or
(h) new arrangement information about
the individual; or
(i) court proceedings information
about the individual; or
(j) personal insolvency information
about the individual; or
(k) publicly available information
about the individual:
(i) that relates to the
individual’s activities in Australia or the external Territories and the
individual’s credit worthiness; and
(ii) that is not court
proceedings information about the individual or information about the
individual that is entered or recorded on the National Personal Insolvency
Index; or
(l) the opinion of a credit provider
that the individual has committed, in circumstances specified by the provider,
a serious credit infringement in relation to consumer credit provided by the
provider to the individual.
6P
Meaning of credit reporting business
(1) A credit reporting business
is a business or undertaking that involves collecting, holding, using or
disclosing personal information about individuals for the purpose of, or for
purposes including the purpose of, providing an entity with information about the
credit worthiness of an individual.
(2) Subsection (1) applies whether or
not the information about the credit worthiness of an individual is:
(a) provided for profit or reward; or
(b) provided, or intended to be
provided, for the purposes of assessing an application for consumer credit.
(3) In determining whether a business or
undertaking carried on by a credit provider is a credit reporting business,
disregard the provision of information about the credit worthiness of an
individual to a related body corporate by the provider.
(4) Despite subsection (1), a business
or undertaking is not a credit reporting business if the business
or undertaking is included in a class of businesses or undertakings prescribed
by the regulations.
6Q
Meaning of default information
Consumer credit defaults
(1) Default information about
an individual is information about a payment (including a payment that
is wholly or partly a payment of interest) that the individual is overdue in
making in relation to consumer credit that has been provided by a credit
provider to the individual if:
(a) the individual is at least 60 days
overdue in making the payment; and
(b) the provider has given a written
notice to the individual informing the individual of the overdue payment and requesting
that the individual pay the amount of the overdue payment; and
(c) the provider is not prevented by a
statute of limitations from recovering the amount of the overdue payment; and
(d) the amount of the overdue payment
is equal to or more than:
(i) $150; or
(ii) such higher amount as
is prescribed by the regulations.
Guarantor defaults
(2) Default information about
an individual is information about a payment that the individual is
overdue in making as a guarantor under a guarantee given against any default by
a person (the borrower) in repaying all or any of the debt
deferred under consumer credit provided by a credit provider to the borrower
if:
(a) the provider has given the
individual written notice of the borrower’s default that gave rise to the
individual’s obligation to make the overdue payment; and
(b) the notice requests that the
individual pay the amount of the overdue payment; and
(c) at least 60 days have passed since
the day on which the notice was given; and
(d) in addition to giving the notice,
the provider has taken other steps to recover the amount of the overdue payment
from the individual; and
(e) the provider is not prevented by a
statute of limitations from recovering the amount of the overdue payment.
6R
Meaning of information request
Credit provider
(1) A credit provider has made an information
request in relation to an individual if the provider has sought
information about the individual from a credit reporting body:
(a) in connection with an application
for consumer credit made by the individual to the provider; or
(b) in connection with an application
for commercial credit made by a person to the provider; or
(c) for a credit guarantee purpose of
the provider in relation to the individual; or
(d) for a securitisation related
purpose of the provider in relation to the individual.
Mortgage insurer
(2) A mortgage insurer has made an information
request in relation to an individual if:
(a) the insurer has sought information
about the individual from a credit reporting body; and
(b) the information was sought in
connection with the provision of insurance to a credit provider in relation to
mortgage credit provided by the provider to:
(i) the individual; or
(ii) a person for whom the
individual is, or is proposing to be, a guarantor.
Trade insurer
(3) A trade insurer has made an information
request in relation to an individual if:
(a) the insurer has sought information
about the individual from a credit reporting body; and
(b) the information was sought in connection
with the provision of insurance to a credit provider in relation to commercial
credit provided by the provider to the individual or another person.
6S
Meaning of new arrangement information
Consumer credit defaults
(1) If:
(a) a credit provider has disclosed
default information about an individual to a credit reporting body; and
(b) the default information relates to
a payment that the individual is overdue in making in relation to consumer
credit (the original consumer credit) that has been provided by
the provider to the individual; and
(c) because of the individual being so
overdue:
(i) the terms or
conditions of the original consumer credit that relate to the repayment of the
amount of credit are varied; or
(ii) the individual is
provided with other consumer credit (the new consumer credit) by
a credit provider that relates, wholly or in part, to that amount of credit;
then new arrangement information about the
individual is a statement that those terms or conditions of the original consumer
credit have been varied, or that the individual has been provided with the new
consumer credit.
Serious credit infringements
(2) If:
(a) a credit provider is of the
opinion that an individual has committed a serious credit infringement in
relation to consumer credit (the original consumer credit)
provided by the provider to the individual; and
(b) the provider has disclosed the
opinion to a credit reporting body; and
(c) because of the provider having
that opinion:
(i) the terms or
conditions of the original consumer credit that relate to the repayment of the
amount of credit are varied; or
(ii) the individual is
provided with other consumer credit (the new consumer credit) by
a credit provider that relates, wholly or in part, to that amount of credit;
then new arrangement information about the
individual is a statement that those terms or conditions of the original
consumer credit have been varied, or that the individual has been provided with
the new consumer credit.
6T
Meaning of payment information
If:
(a) a credit provider has disclosed
default information about an individual to a credit reporting body; and
(b) on a day after the default
information was disclosed, the amount of the overdue payment to which the
information relates is paid;
then payment information about the
individual is a statement that the amount of the overdue payment has been paid
on that day.
6U
Meaning of personal insolvency information
(1) Personal insolvency information
about an individual is information:
(a) that is entered or recorded in the
National Personal Insolvency Index; and
(b) that relates to:
(i) a bankruptcy of the
individual; or
(ii) a debt agreement
proposal given by the individual; or
(iii) a debt agreement made
by the individual; or
(iv) a personal insolvency
agreement executed by the individual; or
(v) a direction given, or
an order made, under section 50 of the Bankruptcy Act that relates to the
property of the individual; or
(vi) an authority signed
under section 188 of that Act that relates to the property of the
individual.
(2) Despite subparagraph (1)(b)(i),
personal insolvency information about an individual must not relate to:
(a) the presentation of a creditor’s
petition against the individual; or
(b) an administration under
Part XI of the Bankruptcy Act of the individual’s estate.
(3) An expression used in
paragraph (1)(b) or (2)(a) that is also used in the Bankruptcy Act has the
same meaning in that paragraph as it has in that Act.
6V
Meaning of repayment history information
(1) If a credit provider provides consumer
credit to an individual, the following information about the consumer credit is
repayment history information about the individual:
(a) whether or not the individual has
met an obligation to make a monthly payment that is due and payable in relation
to the consumer credit;
(b) the day on which the monthly
payment is due and payable;
(c) if the individual makes the
monthly payment after the day on which the payment is due and payable—the day
on which the individual makes that payment.
(2) The regulations may make provision in
relation to:
(a) whether or not an individual has
met an obligation to make a monthly payment that is due and payable in relation
to consumer credit; and
(b) whether or not a payment is a monthly
payment.
Division 3—Other matters
70 Paragraphs 7(1)(a) and 8(1)(a)
Omit “credit reporting agency” (wherever occurring), substitute
“credit reporting body”.
71 Sections 11A and 11B
Repeal the sections.
72 Part IIIA
Repeal the Part, substitute:
Part IIIA—Credit reporting
Division 1—Introduction
19
Guide to this Part
In general, this Part deals with the
privacy of information relating to credit reporting.
Divisions 2 and 3 contain rules
that apply to credit reporting bodies and credit providers in relation to their
handling of information relating to credit reporting.
Division 4 contains rules that
apply to affected information recipients in relation to their handling of their
regulated information.
Division 5 deals with complaints
to credit reporting bodies or credit providers about acts or practices that may
be a breach of certain provisions of this Part or the registered CR code.
Division 6 deals with entities
that obtain credit reporting information or credit eligibility information by
false pretence, or when they are not authorised to do so under this Part.
Division 7 provides for
compensation orders, and other orders, to be made by the Federal Court or
Federal Magistrates Court.
Division 2—Credit reporting bodies
Subdivision A—Introduction and application of this Division etc.
20
Guide to this Division
This Division sets out rules that
apply to credit reporting bodies in relation to their handling of the
following:
(a) credit
reporting information;
(b) CP derived
information;
(c) credit reporting
information that is de‑identified;
(d) a pre‑screening
assessment.
The rules apply in relation to that
kind of information or assessment instead of the Australian Privacy Principles.
20A
Application of this Division and the Australian Privacy Principles to credit
reporting bodies
(1) This Division applies to a credit
reporting body in relation to the following:
(a) credit reporting information;
(b) CP derived information;
(c) credit reporting information that
is de‑identified;
(d) a pre‑screening assessment.
(2) The Australian Privacy Principles do not
apply to a credit reporting body in relation to personal information that is:
(a) credit reporting information; or
(b) CP derived information; or
(c) a pre‑screening assessment.
Note: The Australian Privacy Principles apply to the
credit reporting body in relation to other kinds of personal information.
Subdivision B—Consideration of information privacy
20B
Open and transparent management of credit reporting information
(1) The object of this section is to ensure
that credit reporting bodies manage credit reporting information in an open and
transparent way.
Compliance with this Division etc.
(2) A credit reporting body must take such
steps as are reasonable in the circumstances to implement practices, procedures
and systems relating to the credit reporting business of the body that:
(a) will ensure that the body complies
with this Division and the registered CR code; and
(b) will enable the body to deal with
inquiries or complaints from individuals about the body’s compliance with this
Division or the registered CR code.
Policy about the management of credit reporting
information
(3) A credit reporting body must have a
clearly expressed and up‑to‑date policy about the management of credit
reporting information by the body.
(4) Without limiting subsection (3), the
policy of the credit reporting body must contain the following information:
(a) the kinds of credit information
that the body collects and how the body collects that information;
(b) the kinds of credit reporting
information that the body holds and how the body holds that information;
(c) the kinds of personal information
that the body usually derives from credit information that the body holds;
(d) the purposes for which the body
collects, holds, uses and discloses credit reporting information;
(e) information about the effect of
section 20G (which deals with direct marketing) and how the individual may
make a request under subsection (5) of that section;
(f) how an individual may access
credit reporting information about the individual that is held by the body and
seek the correction of such information;
(g) information about the effect of
section 20T (which deals with individuals requesting the correction of
credit information etc.);
(h) how an individual may complain
about a failure of the body to comply with this Division or the registered CR
code and how the body will deal with such a complaint.
Availability of policy etc.
(5) A credit reporting body must take such
steps as are reasonable in the circumstances to make the policy available:
(a) free of charge; and
(b) in such form as is appropriate.
Note: A credit reporting body will usually make the
policy available on the body’s website.
(6) If a person or body requests a copy, in a
particular form, of the policy of a credit reporting body, the credit reporting
body must take such steps as are reasonable in the circumstances to give the
person or body a copy in that form.
Subdivision C—Collection of credit information
20C
Collection of solicited credit information
Prohibition on collection
(1) A credit reporting body must not collect
credit information about an individual.
Civil penalty: 2,000 penalty units.
Exceptions
(2) Subsection (1) does not apply if the
collection of the credit information is required or authorised by or under an
Australian law or a court/tribunal order.
(3) Subsection (1) does not apply if:
(a) the credit reporting body collects
the credit information about the individual from a credit provider who is
permitted under section 21D to disclose the information to the body; and
(b) the body collects the information
in the course of carrying on a credit reporting business; and
(c) if the information is
identification information about the individual—the body also collects from the
provider, or already holds, credit information of another kind about the
individual.
(4) Subsection (1) does not apply if:
(a) the credit reporting body:
(i) collects the credit
information about the individual from an entity (other than a credit provider)
in the course of carrying on a credit reporting business; and
(ii) knows, or believes on
reasonable grounds, that the individual is at least 18 years old; and
(b) the information does not relate to
an act, omission, matter or thing that occurred or existed before the
individual turned 18; and
(c) if the information relates to
consumer credit or commercial credit—the credit is or has been provided, or
applied for, in Australia; and
(d) if the information is
identification information about the individual—the body also collects from the
entity, or already holds, credit information of another kind about the
individual; and
(e) if the information is repayment
history information about the individual—the body collects the information from
another credit reporting body that has an Australian link.
(5) Paragraph (4)(b) does not apply to
identification information about the individual.
(6) Despite paragraph (4)(b), consumer
credit liability information about the individual may relate to consumer credit
that was entered into on a day before the individual turned 18, so long as the
consumer credit was not terminated, or did not otherwise cease to be in force,
on a day before the individual turned 18.
Means of collection
(7) A credit reporting body must collect
credit information only by lawful and fair means.
Solicited credit information
(8) This section applies to the collection of
credit information that is solicited by a credit reporting body.
20D
Dealing with unsolicited credit information
(1) If:
(a) a credit reporting body receives
credit information about an individual; and
(b) the body did not solicit the
information;
the body must, within a reasonable period after receiving
the information, determine whether or not the body could have collected the
information under section
20C if the body had solicited the information.
(2) The credit reporting body may use or
disclose the credit information for the purposes of making the determination
under subsection (1).
(3) If the credit reporting body determines
that it could have collected the credit information, sections 20E to 20ZA
apply in relation to the information as if the body had collected the
information under section
20C.
(4) If the credit reporting body determines
that it could not have collected the credit information, the body must, as soon
as practicable, destroy the information.
Civil penalty: 1,000 penalty units.
(5) Subsection (4) does not apply if the
credit reporting body is required by or under an Australian law, or a
court/tribunal order, to retain the credit information.
Subdivision D—Dealing with credit reporting information etc.
20E
Use or disclosure of credit reporting information
Prohibition on use or disclosure
(1) If a credit reporting body holds credit
reporting information about an individual, the body must not use or disclose
the information.
Civil penalty: 2,000 penalty units.
Permitted uses
(2) Subsection (1) does not apply to the
use of credit reporting information about the individual if:
(a) the credit reporting body uses the
information in the course of carrying on the body’s credit reporting business;
or
(b) the use is required or authorised
by or under an Australian law or a court/tribunal order; or
(c) the use is a use prescribed by the
regulations.
Permitted disclosures
(3) Subsection (1) does
not apply to the disclosure of credit reporting information about the
individual if:
(a) the disclosure is a permitted CRB
disclosure in relation to the individual; or
(b) the disclosure is to another
credit reporting body that has an Australian link; or
(c) both of the following apply:
(i) the disclosure is for
the purposes of a recognised external dispute resolution scheme;
(ii) a credit reporting
body or credit provider is a member of the scheme; or
(d) both of the following apply:
(i) the disclosure is to
an enforcement body;
(ii) the credit reporting
body is satisfied that the body, or another enforcement body, believes on
reasonable grounds that the individual has committed a serious credit
infringement; or
(e) the disclosure is required or
authorised by or under an Australian law or a court/tribunal order; or
(f) the disclosure is a disclosure
prescribed by the regulations.
(4) However, if the credit reporting information
is, or was derived from, repayment history information about the individual,
the credit reporting body must not disclose the information under
paragraph (3)(a) or (f) unless the recipient of the information is:
(a) a credit provider who is a licensee
or is prescribed by the regulations; or
(b) a mortgage insurer.
Civil penalty: 2,000 penalty units.
(5) If a credit reporting body discloses
credit reporting information under this section, the body must make a written
note of that disclosure.
Civil penalty: 500 penalty units.
Note: Other Acts may provide that the note must not
be made (see for example the Australian Crime Commission Act 2002 and
the Law Enforcement Integrity Commissioner Act 2006).
No use or disclosure for the purposes of direct marketing
(6) This section does not apply to the use or
disclosure of credit reporting information for the purposes of direct
marketing.
Note: Section 20G deals with the use or
disclosure of credit reporting information for the purposes of direct marketing.
20F
Permitted CRB disclosures in relation to individuals
(1) A disclosure by a credit reporting body
of credit reporting information about an individual is a permitted CRB
disclosure in relation to the individual if:
(a) the disclosure is to an entity
that is specified in an item of the table and that has an Australian link; and
(b) such conditions as are specified
for the item are satisfied.
Permitted CRB
disclosures
|
Item
|
If the disclosure is to
...
|
the condition or
conditions are ...
|
1
|
a credit provider
|
the provider requests the information for a consumer
credit related purpose of the provider in relation to the individual.
|
2
|
a credit provider
|
(a) the provider requests the information for a commercial
credit related purpose of the provider in relation to a person; and
(b) the individual expressly consents to the disclosure of
the information to the provider for that purpose.
|
3
|
a credit provider
|
(a) the provider requests the information for a credit
guarantee purpose of the provider in relation to the individual; and
(b) the individual expressly consents, in writing, to the
disclosure of the information to the provider for that purpose.
|
4
|
a credit provider
|
the credit reporting body is satisfied that the provider,
or another credit provider, believes on reasonable grounds that the
individual has committed a serious credit infringement.
|
5
|
a credit provider
|
(a) the credit reporting body holds consumer credit liability
information that relates to consumer credit provided by the provider to the
individual; and
(b) the consumer credit has not been terminated, or has not
otherwise ceased to be in force.
|
6
|
a credit provider under subsection 6J(1)
|
the provider requests the information for a securitisation
related purpose of the provider in relation to the individual.
|
7
|
a mortgage insurer
|
the insurer requests the information for a mortgage
insurance purpose of the insurer in relation to the individual.
|
8
|
a trade insurer
|
(a) the insurer requests the information for a trade
insurance purpose of the insurer in relation to the individual; and
(b) the individual expressly consents, in writing, to the
disclosure of the information to the insurer for that purpose.
|
(2) The consent of the individual under
paragraph (b) of item 2 of the table in subsection (1) must be
given in writing unless:
(a) the credit provider referred to in
that item requests the information for the purpose of assessing an application
for commercial credit made by a person to the provider; and
(b) the application has not been made
in writing.
20G
Use or disclosure of credit reporting information for the purposes of direct
marketing
Prohibition on direct marketing
(1) If a credit reporting body holds credit
reporting information about an individual, the body must not use or disclose
the information for the purposes of direct marketing.
Civil penalty: 2,000 penalty units.
Permitted use for pre‑screening
(2) Subsection (1) does not apply to the
use by the credit reporting body of credit information about the individual for
the purposes of direct marketing by, or on behalf of, a credit provider if:
(a) the provider has an Australian
link and is a licensee; and
(b) the direct marketing is about
consumer credit that the provider provides in Australia; and
(c) the information is not consumer
credit liability information, or repayment history information, about the
individual; and
(d) the body uses the information to
assess whether or not the individual is eligible to receive the direct
marketing communications of the credit provider; and
(e) the individual has not made a
request under subsection (5); and
(f) the body complies with any
requirements that are set out in the registered CR code.
(3) In assessing under paragraph (2)(d)
whether or not the individual is eligible to receive the direct marketing
communications of the credit provider, the credit reporting body must have
regard to the eligibility requirements nominated by the provider.
(4) An assessment under paragraph (2)(d)
is not credit reporting information about the individual.
Request not to use information for pre‑screening
(5) An individual may request a credit
reporting body that holds credit information about the individual not to use
the information under subsection (2).
(6) If the individual makes a request under
subsection (5), the credit reporting body must not charge the individual
for the making of the request or to give effect to the request.
Written note of use
(7) If a credit reporting body uses credit
information under subsection (2), the body must make a written note of
that use.
Civil penalty: 500 penalty units.
20H
Use or disclosure of pre‑screening assessments
Use or disclosure by credit reporting bodies
(1) If a credit reporting body makes a pre‑screening
assessment in relation to direct marketing by, or on behalf of, a credit
provider, the body must not use or disclose the assessment.
Civil penalty: 2,000 penalty units.
(2) Subsection (1) does not apply if:
(a) the credit reporting body
discloses the pre‑screening assessment for the purposes of the direct marketing
by, or on behalf of, the credit provider; and
(b) the recipient of the assessment is
an entity (other than the provider) that has an Australian link.
(3) If the credit reporting body discloses
the pre‑screening assessment under subsection (2), the body must make a
written note of that disclosure.
Civil penalty: 500 penalty units.
Use or disclosure by recipients
(4) If the credit reporting body discloses
the pre‑screening assessment under subsection (2), the recipient must not
use or disclose the assessment.
Civil penalty: 1,000 penalty units.
(5) Subsection (4) does not apply if the
recipient uses the pre‑screening assessment for the purposes of the direct
marketing by, or on behalf of, the credit provider.
(6) If the recipient uses the pre‑screening
assessment under subsection (5), the recipient must make a written note of
that use.
Civil penalty: 500 penalty units.
Interaction with the Australian Privacy Principles
(7) If the recipient is an APP entity,
Australian Privacy Principles 6, 7 and 8 do not apply to the recipient in
relation to a pre‑screening assessment.
20J
Destruction of pre‑screening assessment
(1) If an entity has possession or control of
a pre‑screening assessment, the entity must destroy the assessment if:
(a) the entity no longer needs the
assessment for any purpose for which it may be used or disclosed under
section 20H; and
(b) the entity is not required by or
under an Australian law, or a court/tribunal order, to retain the assessment.
Civil penalty: 1,000 penalty units.
(2) If the entity is an APP entity but not a
credit reporting body, Australian Privacy Principle 11.2 does not apply to the
entity in relation to the pre‑screening assessment.
20K No
use or disclosure of credit reporting information during a ban period
(1) If:
(a) a credit reporting body holds
credit reporting information about an individual; and
(b) the individual believes on
reasonable grounds that the individual has been, or is likely to be, a victim
of fraud (including identity fraud); and
(c) the individual requests the body
not to use or disclose the information under this Division;
then, despite any other provision of this Division, the
body must not use or disclose the information during the ban period for the
information.
Civil penalty: 2,000 penalty units.
(2) Subsection (1) does not apply if:
(a) the individual expressly consents,
in writing, to the use or disclosure of the credit reporting information under
this Division; or
(b) the use or disclosure of the
credit reporting information is required by or under an Australian law or a
court/tribunal order.
Ban period
(3) The ban period for credit
reporting information about an individual is the period that:
(a) starts when the individual makes a
request under paragraph (1)(c); and
(b) ends:
(i) 21 days after the day
on which the request is made; or
(ii) if the period is
extended under subsection (4)—on the day after the extended period ends.
(4) If:
(a) there is a ban period for credit
reporting information about an individual that is held by a credit reporting
body; and
(b) before the ban period ends, the
individual requests the body to extend that period; and
(c) the body believes on reasonable
grounds that the individual has been, or is likely to be, a victim of fraud
(including identity fraud);
the body must:
(d) extend the ban period by such
period as the body considers is reasonable in the circumstances; and
(e) give the individual written
notification of the extension.
Civil penalty: 1,000 penalty units.
(5) A ban period for credit reporting
information may be extended more than once under subsection (4).
No charge for request etc.
(6) If an individual makes a request under
paragraph (1)(c) or (4)(b), a credit reporting body must not charge the
individual for the making of the request or to give effect to the request.
20L
Adoption of government related identifiers
(1) If:
(a) a credit reporting body holds
credit reporting information about an individual; and
(b) the information is a government
related identifier of the individual;
the body must not adopt the government related identifier
as its own identifier of the individual.
Civil penalty: 2,000 penalty units.
(2) Subsection (1) does not apply if the
adoption of the government related identifier is required or authorised by or
under an Australian law or a court/tribunal order.
20M
Use or disclosure of credit reporting information that is de‑identified
Use or disclosure
(1) If:
(a) a credit reporting body holds
credit reporting information; and
(b) the information (the de‑identified
information) is de‑identified;
the body must not use or disclose the de‑identified
information.
(2) Subsection (1) does not apply to the
use or disclosure of the de‑identified information if:
(a) the use or disclosure is for the
purposes of conducting research in relation to credit; and
(b) the credit reporting body complies
with the rules made under subsection (3).
Commissioner may make rules
(3) The Commissioner may, by legislative
instrument, make rules relating to the use or disclosure by a credit reporting
body of de‑identified information for the purposes of conducting research in
relation to credit.
(4) Without limiting subsection (3), the
rules may relate to the following matters:
(a) the kinds of de‑identified
information that may or may not be used or disclosed for the purposes of
conducting the research;
(b) whether or not the research is
research in relation to credit;
(c) the purposes of conducting the
research;
(d) consultation about the research;
(e) how the research is conducted.
Subdivision E—Integrity of credit reporting information
20N
Quality of credit reporting information
(1) A credit reporting body must take such
steps as are reasonable in the circumstances to ensure that the credit information
the body collects is accurate, up‑to‑date and complete.
(2) A credit reporting body must take such
steps as are reasonable in the circumstances to ensure that the credit
reporting information the body uses or discloses is, having regard to the
purpose of the use or disclosure, accurate, up‑to‑date, complete and relevant.
(3) Without limiting subsections (1) and
(2), a credit reporting body must:
(a) enter into agreements with credit
providers that require the providers to ensure that credit information that
they disclose to the body under section 21D is accurate, up‑to‑date and
complete; and
(b) ensure that regular audits are
conducted by an independent person to determine whether those agreements are
being complied with; and
(c) identify and deal with suspected
breaches of those agreements.
20P
False or misleading credit reporting information
Offence
(1) A credit reporting body commits an
offence if:
(a) the body uses or discloses credit
reporting information under this Division (other than subsections 20D(2) and
20T(4)); and
(b) the information is false or
misleading in a material particular.
Penalty: 200 penalty units.
Civil penalty
(2) A credit reporting body must not use or
disclose credit reporting information under this Division (other than
subsections 20D(2) and 20T(4)) if the information is false or misleading in a
material particular.
Civil penalty: 2,000 penalty units.
20Q
Security of credit reporting information
(1) If a credit reporting body holds credit
reporting information, the body must take such steps as are reasonable in the
circumstances to protect the information:
(a) from misuse, interference and
loss; and
(b) from unauthorised access,
modification or disclosure.
(2) Without limiting subsection (1), a
credit reporting body must:
(a) enter into agreements with credit
providers that require the providers to protect credit reporting information
that is disclosed to them under this Division:
(i) from misuse,
interference and loss; and
(ii) from unauthorised
access, modification or disclosure; and
(b) ensure that regular audits are
conducted by an independent person to determine whether those agreements are
being complied with; and
(c) identify and deal with suspected
breaches of those agreements.
Subdivision F—Access to, and correction of, information
20R
Access to credit reporting information
Access
(1) If a credit reporting body holds credit
reporting information about an individual, the body must, on request by an
access seeker in relation to the information, give the access seeker access to
the information.
Exceptions to access
(2) Despite subsection (1), the credit
reporting body is not required to give the access seeker access to the credit
reporting information to the extent that:
(a) giving access would be unlawful;
or
(b) denying access is required or
authorised by or under an Australian law or a court/tribunal order; or
(c) giving access would be likely to
prejudice one or more enforcement related activities conducted by, or on behalf
of, an enforcement body.
Dealing with requests for access
(3) The credit reporting body must respond to
the request within a reasonable period, but not longer than 10 days, after the
request is made.
Means of access
(4) If the credit reporting body gives access
to the credit reporting information, the access must be given in the manner set
out in the registered CR code.
Access charges
(5) If a request under subsection (1) in
relation to the individual has not been made to the credit reporting body in
the previous 12 months, the body must not charge the access seeker for the
making of the request or for giving access to the information.
(6) If subsection (5) does not apply,
any charge by the credit reporting body for giving access to the information
must not be excessive and must not apply to the making of the request.
Refusal to give access
(7) If the credit reporting body refuses to
give access to the information because of subsection (2), the body must
give the access seeker a written notice that:
(a) sets out the reasons for the
refusal except to the extent that, having regard to the grounds for the
refusal, it would be unreasonable to do so; and
(b) states that, if the access seeker
is not satisfied with the response to the request, the access seeker may:
(i) access a recognised
external dispute resolution scheme of which the body is a member; or
(ii) make a complaint to
the Commissioner under Part V.
20S
Correction of credit reporting information
(1) If:
(a) a credit reporting body holds
credit reporting information about an individual; and
(b) the body is satisfied that, having
regard to a purpose for which the information is held by the body, the
information is inaccurate, out‑of‑date, incomplete, irrelevant or misleading;
the body must take such steps (if any) as are reasonable
in the circumstances to correct the information to ensure that, having regard
to the purpose for which it is held, the information is accurate, up‑to‑date,
complete, relevant and not misleading.
(2) If:
(a) the credit reporting body corrects
credit reporting information under subsection (1); and
(b) the body has previously disclosed
the information under this Division (other than subsections 20D(2) and 20T(4));
the body must, within a reasonable period, give each
recipient of the information written notice of the correction.
(3) Subsection (2) does not apply if:
(a) it is impracticable for the credit
reporting body to give the notice under that subsection; or
(b) the credit reporting body is
required by or under an Australian law, or a court/tribunal order, not to give
the notice under that subsection.
20T
Individual may request the correction of credit information etc.
Request
(1) An individual may request a credit
reporting body to correct personal information about the individual if:
(a) the personal information is:
(i) credit information
about the individual; or
(ii) CRB derived
information about the individual; or
(iii) CP derived information
about the individual; and
(b) the body holds at least one kind
of the personal information referred to in paragraph (a).
Correction
(2) If the credit reporting body is satisfied
that the personal information is inaccurate, out‑of‑date, incomplete,
irrelevant or misleading, the body must take such steps (if any) as are reasonable
in the circumstances to correct the information within:
(a) the period of 30 days that starts
on the day on which the request is made; or
(b) such longer period as the
individual has agreed to in writing.
Consultation
(3) If the credit reporting body considers
that the body cannot be satisfied of the matter referred to in
subsection (2) in relation to the personal information without consulting
either or both of the following (the interested party):
(a) another credit reporting body that
holds or held the information and that has an Australian link;
(b) a credit provider that holds or
held the information and that has an Australian link;
the body must consult that interested party, or those
interested parties, about the individual’s request.
(4) The use or disclosure of personal
information about the individual for the purposes of the consultation is taken,
for the purposes of this Act, to be a use or disclosure that is authorised by
this subsection.
No charge
(5) The credit reporting body must not charge
the individual for the making of the request or for correcting the information.
20U
Notice of correction etc. must be given
(1) This section applies if an individual
requests a credit reporting body to correct personal information under subsection
20T(1).
Notice of correction etc.
(2) If the credit reporting body corrects the
personal information under subsection 20T(2), the body must, within a
reasonable period:
(a) give the individual written notice
of the correction; and
(b) if the body consulted an
interested party under subsection 20T(3) about the individual’s request—give
the party written notice of the correction; and
(c) if the correction relates to
information that the body has previously disclosed under this Division (other
than subsections 20D(2) and 20T(4))—give each recipient of the information
written notice of the correction.
(3) If the credit reporting body does not
correct the personal information under subsection 20T(2), the body must, within
a reasonable period, give the individual written notice that:
(a) states that the correction has not
been made; and
(b) sets out the body’s reasons for
not correcting the information (including evidence substantiating the
correctness of the information); and
(c) states that, if the individual is
not satisfied with the response to the request, the individual may:
(i) access a recognised
external dispute resolution scheme of which the body is a member; or
(ii) make a complaint to
the Commissioner under Part V.
Exceptions
(4) Paragraph (2)(c) does not apply if
it is impracticable for the credit reporting body to give the notice under that
paragraph.
(5) Subsection (2) or (3) does not apply
if the credit reporting body is required by or under an Australian law, or a
court/tribunal order, not to give the notice under that subsection.
Subdivision G—Dealing with credit reporting information after the
retention period ends etc.
20V
Destruction etc. of credit reporting information after the retention period
ends
(1) This section applies if:
(a) a credit reporting body holds
credit information about an individual; and
(b) the retention period for the
information ends.
Note: There is no retention period for
identification information or credit information of a kind referred to in paragraph
6N(k).
Destruction etc. of credit information
(2) The credit reporting body must destroy
the credit information, or ensure that the information is de‑identified, within
1 month after the retention period for the information ends.
Civil penalty: 1,000 penalty units.
(3) Despite subsection (2), the credit
reporting body must neither destroy the credit information nor ensure that the
information is de‑identified, if immediately before the retention period ends:
(a) there is a pending correction request
in relation to the information; or
(b) there is a pending dispute in
relation to the information.
Civil penalty: 500 penalty units.
(4) Subsection (2) does not apply if the
credit reporting body is required by or under an Australian law, or a court/tribunal
order, to retain the credit information.
Destruction etc. of CRB derived information
(5) The credit reporting body must destroy
any CRB derived information about the individual that was derived from the
credit information, or ensure that the CRB derived information is de‑identified:
(a) if:
(i) the CRB derived
information was derived from 2 or more kinds of credit information; and
(ii) the body is required
to do a thing referred to in subsection (2) to one of those kinds of
credit information;
at the same time that the body
does that thing to that credit information; or
(b) otherwise—at the same time that
the body is required to do a thing referred to in subsection (2) to the
credit information from which the CRB derived information was derived.
Civil penalty: 1,000 penalty units.
(6) Despite subsection (5), the credit
reporting body must neither destroy the CRB derived information nor ensure that
the information is de‑identified, if immediately before the retention period
ends:
(a) there is a pending correction
request in relation to the information; or
(b) there is a pending dispute in
relation to the information.
Civil penalty: 500 penalty units.
(7) Subsection (5) does not apply if the
credit reporting body is required by or under an Australian law, or a
court/tribunal order, to retain the CRB derived information.
20W
Retention period for credit information—general
The following table sets out the retention
period for credit information:
(a) that is information of a kind
referred to in an item of the table; and
(b) that is held by a credit reporting
body.
Retention period
|
Item
|
If the credit
information is ...
|
the retention period
for the information is ...
|
1
|
consumer credit liability information
|
the period of 2 years that starts on the day on which the
consumer credit to which the information relates is terminated or otherwise
ceases to be in force.
|
2
|
repayment history information
|
the period of 2 years that starts on the day on which the
monthly payment to which the information relates is due and payable.
|
3
|
information of a kind referred to in paragraph 6N(d) or
(e)
|
the period of 5 years that starts on the day on which the
information request to which the information relates is made.
|
4
|
default information
|
the period of 5 years that starts on the day on which the
credit reporting body collects the information.
|
5
|
payment information
|
the period of 5 years that starts on the day on which the
credit reporting body collects the default information to which the payment
information relates.
|
6
|
new arrangement information within the meaning of
subsection 6S(1)
|
the period of 2 years that starts on the day on which the
credit reporting body collects the default information referred to in that
subsection.
|
7
|
new arrangement information within the meaning of
subsection 6S(2)
|
the period of 2 years that starts on the day on which the
credit reporting body collects the information about the opinion referred to
in that subsection.
|
8
|
court proceedings information
|
the period of 5 years that starts on the day on which the
judgement to which the information relates is made or given.
|
9
|
information of a kind referred to in paragraph 6N(l)
|
the period of 7 years that starts on the day on which the
credit reporting body collects the information.
|
20X
Retention period for credit information—personal insolvency information
(1) The following table has effect:
Item
|
If personal insolvency
information relates to ...
|
the retention period
for the information is whichever of the following periods ends later ...
|
1
|
a bankruptcy of an individual
|
(a) the period of 5 years that starts on the day on which the
individual becomes a bankrupt;
(b) the period of 2 years that starts on the day the
bankruptcy ends.
|
2
|
a personal insolvency agreement to which item 3 of
this table does not apply
|
(a) the period of 5 years that starts on the day on which the
agreement is executed;
(b) the period of 2 years that starts on the day the
agreement is terminated or set aside under the Bankruptcy Act.
|
3
|
a personal insolvency agreement in relation to which a
certificate has been signed under section 232 of the Bankruptcy Act
|
(a) the period of 5 years that starts on the day on which the
agreement is executed;
(b) the period that ends on the day on which the certificate
is signed.
|
4
|
a debt agreement to which item 5 of this table does
not apply
|
(a) the period of 5 years that starts on the day on which the
agreement is made;
(b) the period of 2 years that starts on the day:
(i) the agreement is terminated under the Bankruptcy Act; or
(ii) an order declaring that all the agreement is void is
made under that Act.
|
5
|
a debt agreement that ends under section 185N of the
Bankruptcy Act
|
(a) the period of 5 years that starts on the day on which the
agreement is made;
(b) the period that ends on the day on which the agreement
ends.
|
Debt agreement proposals
(2) If personal insolvency information
relates to a debt agreement proposal, the retention period for
the information is the period that ends on the day on which:
(a) the proposal is withdrawn; or
(b) the proposal is not accepted under
section 185EC of the Bankruptcy Act; or
(c) the acceptance of the proposal for
processing is cancelled under section 185ED of that Act; or
(d) the proposal lapses under
section 185G of that Act.
Control of property
(3) If personal insolvency information
relates to a direction given, or an order made, under section 50 of the
Bankruptcy Act, the retention period for the information is the
period that ends on the day on which the control of the property to which the
direction or order relates ends.
Note: See subsection 50(1B) of the Bankruptcy Act
for when the control of the property ends.
(4) If the personal insolvency information
relates to an authority signed under section 188 of the Bankruptcy Act, the
retention period for the information is the period that ends on
the day on which the property to which the authority relates is no longer
subject to control under Division 2 of Part X of that Act.
Interpretation
(5) An expression used in this section that
is also used in the Bankruptcy Act has the same meaning in this section as it
has in that Act.
20Y
Destruction of credit reporting information in cases of fraud
(1) This section applies if:
(a) a credit reporting body holds
credit reporting information about an individual; and
(b) the information relates to
consumer credit that has been provided by a credit provider to the individual,
or a person purporting to be the individual; and
(c) the body is satisfied that:
(i) the individual has been
a victim of fraud (including identity fraud); and
(ii) the consumer credit
was provided as a result of that fraud.
Destruction of credit reporting information
(2) The credit reporting body must:
(a) destroy the credit reporting
information; and
(b) within a reasonable period after
the information is destroyed:
(i) give the individual a
written notice that states that the information has been destroyed and sets out
the effect of subsection (4); and
(ii) give the credit
provider a written notice that states that the information has been destroyed.
Civil penalty: 1,000 penalty units.
(3) Subsection (2) does not apply if the
credit reporting body is required by or under an Australian law, or a
court/tribunal order, to retain the credit reporting information.
Notification of destruction to third parties
(4) If:
(a) a credit reporting body destroys
credit reporting information about an individual under subsection (2); and
(b) the body has previously disclosed
the information to one or more recipients under Subdivision D of this Division;
the body must, within a reasonable period after the
destruction, notify those recipients of the destruction and the matters
referred to in paragraph (1)(c).
Civil penalty: 500 penalty units.
(5) Subsection (4) does not apply if the
credit reporting body is required by or under an Australian law, or a
court/tribunal order, not to give the notification.
20Z
Dealing with information if there is a pending correction request etc.
(1) This section applies if a credit reporting
body holds credit reporting information about an individual and either:
(a) subsection 20V(3) applies in
relation to the information; or
(b) subsection 20V(6) applies in
relation to the information.
Notification of Commissioner
(2) The credit reporting body must, as soon
as practicable, notify in writing the Commissioner of the matter referred to in
paragraph (1)(a) or (b) of this section.
Civil penalty: 1,000 penalty units.
Use or disclosure
(3) The credit reporting body must not use or
disclose the information under Subdivision D of this Division.
Civil penalty: 2,000 penalty units.
(4) However, the credit reporting body may
use or disclose the information under this subsection if:
(a) the use or disclosure is for the
purposes of the pending correction request, or pending dispute, in relation to
the information; or
(b) the use or disclosure of the
information is required by or under an Australian law or a court/tribunal
order.
(5) If the credit reporting body uses or
discloses the information under subsection (4), the body must make a
written note of the use or disclosure.
Civil penalty: 500 penalty units.
Direction to destroy information etc.
(6) The Commissioner may, by legislative
instrument, direct the credit reporting body to destroy the information, or
ensure that the information is de‑identified, by a specified day.
(7) If the Commissioner gives a direction
under subsection (6) to the credit reporting body, the body must comply
with the direction.
Civil penalty: 1,000 penalty units.
(8) To avoid doubt, section 20M applies
in relation to credit reporting information that is de‑identified as a result
of the credit reporting body complying with the direction.
20ZA
Dealing with information if an Australian law etc. requires it to be retained
(1) This section applies if a credit
reporting body is not required:
(a) to do a thing referred to in
subsection 20V(2) to credit information because of subsection 20V(4); or
(b) to do a thing referred to in
subsection 20V(5) to CRB derived information because of subsection 20V(7); or
(c) to destroy credit reporting
information under subsection 20Y(2) because of subsection 20Y(3).
Use or disclosure
(2) The credit reporting body must not use or
disclose the information under Subdivision D of this Division.
Civil penalty: 2,000 penalty units.
(3) However, the credit reporting body may
use or disclose the information under this subsection if the use or disclosure
of the information is required by or under an Australian law or a
court/tribunal order.
(4) If the credit reporting body uses or
discloses the information under subsection (3), the body must make a
written note of the use or disclosure.
Civil penalty: 500 penalty units.
Other requirements
(5) Subdivision E of this Division (other
than section 20Q) does not apply in relation to the use or disclosure of
the information.
Note: Section 20Q deals with the security of
credit reporting information.
(6) Subdivision F of this Division does not
apply in relation to the information.
Division 3—Credit providers
Subdivision A—Introduction and application of this Division
21
Guide to this Division
This Division sets out rules that
apply to credit providers in relation to their handling of the following:
(a) credit
information;
(b) credit eligibility
information;
(c) CRB derived
information.
If a credit provider is an APP entity,
the rules apply in relation to that information in addition to, or instead of,
any relevant Australian Privacy Principles.
21A
Application of this Division to credit providers
(1) This Division applies to a credit
provider in relation to the following:
(a) credit information;
(b) credit eligibility information;
(c) CRB derived information.
(2) If the credit provider is an APP entity,
this Division may apply to the provider in relation to information referred to
in subsection (1) in addition to, or instead of, the Australian Privacy
Principles.
Subdivision B—Consideration of information privacy
21B
Open and transparent management of credit information etc.
(1) The object of this section is to ensure
that credit providers manage credit information and credit eligibility
information in an open and transparent way.
Compliance with this Division etc.
(2) A credit provider must take such steps as
are reasonable in the circumstances to implement practices, procedures and
systems relating to the provider’s functions or activities as a credit provider
that:
(a) will ensure that the provider
complies with this Division and the registered CR code if it binds the provider;
and
(b) will enable the provider to deal
with inquiries or complaints from individuals about the provider’s compliance
with this Division or the registered CR code if it binds the provider.
Policy about the management of credit information etc.
(3) A credit provider must have a clearly
expressed and up‑to‑date policy about the management of credit information and
credit eligibility information by the provider.
(4) Without limiting subsection (3), the
policy of the credit provider must contain the following information:
(a) the kinds of credit information
that the provider collects and holds, and how the provider collects and holds
that information;
(b) the kinds of credit eligibility
information that the provider holds and how the provider holds that
information;
(c) the kinds of CP derived
information that the provider usually derives from credit reporting information
disclosed to the provider by a credit reporting body under Division 2 of
this Part;
(d) the purposes for which the
provider collects, holds, uses and discloses credit information and credit
eligibility information;
(e) how an individual may access
credit eligibility information about the individual that is held by the
provider;
(f) how an individual may seek the
correction of credit information or credit eligibility information about the
individual that is held by the provider;
(g) how an individual may complain
about a failure of the provider to comply with this Division or the registered
CR code if it binds the provider;
(h) how the provider will deal with
such a complaint;
(i) whether the provider is likely to
disclose credit information or credit eligibility information to entities that
do not have an Australian link;
(j) if the provider is likely to
disclose credit information or credit eligibility information to such
entities—the countries in which those entities are likely to be located if it
is practicable to specify those countries in the policy.
Availability of policy etc.
(5) A credit provider must take such steps as
are reasonable in the circumstances to make the policy available:
(a) free of charge; and
(b) in such form as is appropriate.
Note: A credit provider will usually make the policy
available on the provider’s website.
(6) If a person or body requests a copy, in a
particular form, of the policy of a credit provider, the provider must take
such steps as are reasonable in the circumstances to give the person or body a
copy in that form.
Interaction with the Australian Privacy Principles
(7) If a credit provider is an APP entity,
Australian Privacy Principles 1.3 and 1.4 do not apply to the provider in
relation to credit information or credit eligibility information.
Subdivision C—Dealing with credit information
21C
Additional notification requirements for the collection of personal information
etc.
(1) At or before the time a credit provider
collects personal information about an individual that the provider is likely
to disclose to a credit reporting body, the provider must:
(a) notify the individual of the
following matters:
(i) the name and contact
details of the body;
(ii) any other matter
specified in the registered CR code; or
(b) otherwise ensure that the
individual is aware of those matters.
(2) If a credit provider is an APP entity,
subsection (1) applies to the provider in relation to personal information
in addition to Australian Privacy Principle 5.
(3) If a credit provider is an APP entity,
then the matters for the purposes of Australian Privacy Principle 5.1 include
the following matters to the extent that the personal information referred to
in that principle is credit information or credit eligibility information:
(a) that the policy (the credit
reporting policy) of the provider that is referred to in subsection
21B(3) contains information about how an individual may access the credit
eligibility information about the individual that is held by the provider;
(b) that the credit reporting policy
of the provider contains information about how an individual may seek the
correction of credit information or credit eligibility information about the
individual that is held by the provider;
(c) that the credit reporting policy
of the provider contains information about how an individual may complain about
a failure of the provider to comply with this Division or the registered CR
code if it binds the provider;
(d) that the credit reporting policy
of the provider contains information about how the provider will deal with such
a complaint;
(e) whether the provider is likely to
disclose credit information or credit eligibility information to entities that
do not have an Australian link;
(f) if the provider is likely to
disclose credit information or credit eligibility information to such
entities—the countries in which those entities are likely to be located if it
is practicable to specify those countries in the credit reporting policy.
21D
Disclosure of credit information to a credit reporting body
Prohibition on disclosure
(1) A credit provider must not disclose
credit information about an individual to a credit reporting body (whether or
not the body’s credit reporting business is carried on in Australia).
Civil penalty: 2,000 penalty units.
Permitted disclosure
(2) Subsection (1) does not apply to the
disclosure of credit information about the individual if:
(a) the credit provider:
(i) is a member of a
recognised external dispute resolution scheme or is prescribed by the
regulations; and
(ii) knows, or believes on
reasonable grounds, that the individual is at least 18 years old; and
(b) the credit reporting body is:
(i) an agency; or
(ii) an organisation that
has an Australian link; and
(c) the information meets the
requirements of subsection (3).
Note: Section 21F limits the disclosure of credit
information if there is a ban period for the information.
(3) Credit information about an individual
meets the requirements of this subsection if:
(a) the information does not relate to
an act, omission, matter or thing that occurred or existed before the
individual turned 18; and
(b) if the information relates to
consumer credit or commercial credit—the credit is or has been provided, or
applied for, in Australia; and
(c) if the information is repayment
history information about the individual:
(i) the credit provider is
a licensee or is prescribed by the regulations; and
(ii) the consumer credit to
which the information relates is consumer credit in relation to which the
provider also discloses, or a credit provider has previously disclosed, consumer
credit liability information about the individual to the credit reporting body;
and
(iii) the provider complies
with any requirements relating to the disclosure of the information that are
prescribed by the regulations; and
(d) if the information is default
information about the individual:
(i) the credit provider
has given the individual a notice in writing stating that the provider intends
to disclose the information to the credit reporting body; and
(ii) at least 14 days have
passed since the giving of the notice.
(4) Paragraph (3)(a) does not apply to
identification information about the individual.
(5) Despite paragraph (3)(a), consumer
credit liability information about the individual may relate to consumer credit
that was entered into on a day before the individual turned 18, so long as the
consumer credit was not terminated, or did not otherwise cease to be in force,
on a day before the individual turned 18.
Written note of disclosure
(6) If a credit provider discloses credit
information under this section, the provider must make a written note of that
disclosure.
Civil penalty: 500 penalty units.
Interaction with the Australian Privacy Principles
(7) If a credit provider is an APP entity,
Australian Privacy Principles 6 and 8 do not apply to the disclosure by the
provider of credit information to a credit reporting body.
21E
Payment information must be disclosed to a credit reporting body
If:
(a) a credit provider has disclosed
default information about an individual to a credit reporting body under
section 21D; and
(b) after the default information was
disclosed, the amount of the overdue payment to which the information relates
is paid;
the provider must, within a reasonable period after the
amount is paid, disclose payment information about the amount to the body under
that section.
Civil penalty: 500 penalty units.
21F
Limitation on the disclosure of credit information during a ban period
(1) This section applies if:
(a) a credit reporting body holds
credit reporting information about an individual; and
(b) a credit provider requests the
body to disclose the information to the provider for the purpose of assessing
an application for consumer credit made to the provider by the individual, or a
person purporting to be the individual; and
(c) the body is not permitted to
disclose the information because there is a ban period for the information; and
(d) during the ban period, the
provider provides the consumer credit to which the application relates to the
individual, or the person purporting to be the individual.
(2) If the credit provider holds credit
information about the individual that relates to the consumer credit, the
provider must not, despite sections 21D and 21E, disclose the information
to a credit reporting body.
Civil penalty: 2,000 penalty units.
(3) Subsection (2) does not apply if the
credit provider has taken such steps as are reasonable in the circumstances to
verify the identity of the individual.
Subdivision D—Dealing with credit eligibility information etc.
21G
Use or disclosure of credit eligibility information
Prohibition on use or disclosure
(1) If a credit provider holds credit
eligibility information about an individual, the provider must not use or
disclose the information.
Civil penalty: 2,000 penalty units.
Permitted uses
(2) Subsection (1) does not apply to the
use of credit eligibility information about the individual if:
(a) the use is for a consumer credit
related purpose of the credit provider in relation to the individual; or
(b) the use is a permitted CP use in
relation to the individual; or
(c) both of the following apply:
(i) the credit provider
believes on reasonable grounds that the individual has committed a serious
credit infringement;
(ii) the provider uses the
information in connection with the infringement; or
(d) the use is required or authorised
by or under an Australian law or a court/tribunal order; or
(e) the use is a use prescribed by the
regulations.
Permitted disclosures
(3) Subsection (1) does not apply to the
disclosure of credit eligibility information about the individual if:
(a) the disclosure is a permitted CP
disclosure in relation to the individual; or
(b) the disclosure is to a related
body corporate of the credit provider; or
(c) the disclosure is to:
(i) a person for the
purpose of processing an application for credit made to the credit provider; or
(ii) a person who manages
credit provided by the credit provider for use in managing that credit; or
(d) both of the following apply:
(i) the credit provider
believes on reasonable grounds that the individual has committed a serious
credit infringement;
(ii) the provider discloses
the information to another credit provider that has an Australian link, or to
an enforcement body; or
(e) both of the following apply:
(i) the disclosure is for
the purposes of a recognised external dispute resolution scheme;
(ii) a credit provider or
credit reporting body is a member of the scheme; or
(f) the disclosure is required or
authorised by or under an Australian law or a court/tribunal order; or
(g) the disclosure is a disclosure
prescribed by the regulations.
Note: See section 21NA for additional rules
about the disclosure of credit eligibility information under
paragraph (3)(b) or (c).
(4) However, if the credit eligibility
information about the individual is, or was derived from, repayment history
information about the individual, the credit provider must not disclose the
information under subsection (3).
Civil penalty: 2,000 penalty units.
(5) Subsection (4) does not apply if:
(a) the recipient of the credit
eligibility information is another credit provider who is a licensee; or
(b) the disclosure is a permitted CP
disclosure within the meaning of section 21L; or
(c) the credit provider discloses the
credit eligibility information under paragraph (3)(b), (c), (e) or (f); or
(d) the credit provider discloses the
credit eligibility information under paragraph (3)(d) to an enforcement
body.
Written note of use or disclosure
(6) If a credit provider uses or discloses
credit eligibility information under this section, the provider must make a
written note of that use or disclosure.
Civil penalty: 500 penalty units.
Interaction with the Australian Privacy Principles
(7) If a credit provider is an APP entity,
Australian Privacy Principles 6, 7 and 8 do not apply to the provider in
relation to credit eligibility information.
(8) If:
(a) a credit provider is an APP
entity; and
(b) the credit eligibility information
is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the
provider in relation to the information.
21H
Permitted CP uses in relation to individuals
A use by a credit provider of credit
eligibility information about an individual is a permitted CP use
in relation to the individual if:
(a) the relevant credit reporting
information was disclosed to the provider under a provision specified in column
1 of the table for the purpose (if any) specified in that column; and
(b) the provider uses the credit
eligibility information for the purpose specified in column 2 of the table.
Permitted CP uses
|
|
Column 1
|
Column 2
|
Item
|
The relevant credit
reporting information was disclosed to the credit provider under ...
|
The credit provider
uses the credit eligibility information for ...
|
1
|
item 1 of the table in subsection 20F(1) for the
purpose of assessing an application for consumer credit made by the
individual to the provider.
|
(a) a securitisation related purpose of the provider in
relation to the individual; or
(b) the internal management purposes of the provider that are
directly related to the provision or management of consumer credit by the
provider.
|
2
|
item 2 of the table in subsection 20F(1) for a
particular commercial credit related purpose of the provider in relation to
the individual.
|
that particular commercial credit related purpose.
|
3
|
item 2 of the table in subsection 20F(1) for the
purpose of assessing an application for commercial credit made by a person to
the provider.
|
the internal management purposes of the provider that are
directly related to the provision or management of commercial credit by the
provider.
|
4
|
item 3 of the table in subsection 20F(1) for a credit
guarantee purpose of the provider in relation to the individual.
|
(a) the credit guarantee purpose; or
(b) the internal management purposes of the provider that are
directly related to the provision or management of any credit by the
provider.
|
5
|
item 5 of the table in subsection 20F(1).
|
the purpose of assisting the individual to avoid
defaulting on his or her obligations in relation to consumer credit provided
by the provider to the individual.
|
6
|
item 6 of the table in subsection 20F(1) for a
particular securitisation related purpose of the provider in relation to the individual.
|
that particular securitisation related purpose.
|
21J
Permitted CP disclosures between credit providers
Consent
(1) A disclosure by a credit provider of
credit eligibility information about an individual is a permitted CP
disclosure in relation to the individual if:
(a) the disclosure is to another
credit provider (the recipient) for a particular purpose; and
(b) the recipient has an Australian
link; and
(c) the individual expressly consents
to the disclosure of the information to the recipient for that purpose.
(2) The consent of the individual under
paragraph (1)(c):
(a) must be given in writing unless:
(i) the disclosure of the
information to the recipient is for the purpose of assessing an application for
consumer credit or commercial credit made to the recipient; and
(ii) the application has
not been made in writing; and
(b) must be given to the credit
provider or recipient.
Agents of credit providers
(3) A disclosure by a credit provider of
credit eligibility information about an individual is a permitted CP
disclosure in relation to the individual if:
(a) the provider is acting as an agent
of another credit provider that has an Australian link; and
(b) while the provider is so acting,
the provider is a credit provider under subsection 6H(1); and
(c) the provider discloses the
information to the other credit provider in the provider’s capacity as such an
agent.
Securitisation arrangements etc.
(4) A disclosure by a credit provider of
credit eligibility information about an individual is a permitted CP
disclosure in relation to the individual if:
(a) the provider is a credit provider
under subsection 6J(1) in relation to credit; and
(b) the credit has been provided by,
or is credit for which an application has been made to, another credit provider
(the original credit provider) that has an Australian link; and
(c) the original credit provider is
not a credit provider under that subsection; and
(d) the information is disclosed to:
(i) the original credit
provider; or
(ii) another credit
provider that is a credit provider under that subsection in relation to the
credit and that has an Australian link; and
(e) the disclosure of the information
is reasonably necessary for:
(i) purchasing, funding or
managing, or processing an application for, the credit by means of a
securitisation arrangement; or
(ii) undertaking credit
enhancement in relation to the credit.
Mortgage credit secured by the same real property
(5) A disclosure by a credit provider of
credit eligibility information about an individual is a permitted CP
disclosure in relation to the individual if:
(a) the disclosure is to another
credit provider that has an Australian link; and
(b) both credit providers have
provided mortgage credit to the individual in relation to which the same real
property forms all or part of the security; and
(c) the individual is at least 60 days
overdue in making a payment in relation to the mortgage credit provided by
either provider; and
(d) the information is disclosed for
the purpose of either provider deciding what action to take in relation to the
overdue payment.
21K
Permitted CP disclosures relating to guarantees etc.
Offer to act as a guarantor etc.
(1) A disclosure by a credit provider of
credit eligibility information about an individual is a permitted CP
disclosure in relation to the individual if:
(a) either:
(i) the provider has
provided credit to the individual; or
(ii) the individual has applied
to the provider for credit; and
(b) the disclosure is to a person for
the purpose of that person considering whether:
(i) to offer to act as a
guarantor in relation to the credit; or
(ii) to offer property as
security for the credit; and
(c) the person has an Australian link;
and
(d) the individual expressly consents
to the disclosure of the information to the person for that purpose.
(2) The consent of the individual under
paragraph (1)(d) must be given in writing unless:
(a) if subparagraph (1)(a)(i)
applies—the application for the credit was not made in writing; or
(b) if subparagraph (1)(a)(ii)
applies—the application for the credit has not been made in writing.
Guarantors etc.
(3) A disclosure by a credit provider of
credit eligibility information about an individual is a permitted CP
disclosure in relation to the individual if:
(a) the disclosure is to a person who:
(i) is a guarantor in
relation to credit provided by the provider to the individual; or
(ii) has provided property
as security for such credit; and
(b) the person has an Australian link;
and
(c) either:
(i) the individual
expressly consents to the disclosure of the information to the person; or
(ii) if
subparagraph (a)(i) applies—the information is disclosed to the person for
a purpose related to the enforcement, or proposed enforcement, of the
guarantee.
(4) The consent of the individual under
subparagraph (3)(c)(i) must be given in writing unless the application for
the credit was not made in writing.
21L
Permitted CP disclosures to mortgage insurers
A disclosure by a credit provider of
credit eligibility information about an individual is a permitted CP
disclosure in relation to the individual if the disclosure is to a
mortgage insurer that has an Australian link for:
(a) a mortgage insurance purpose of
the insurer in relation to the individual; or
(b) any purpose arising under a
contract for mortgage insurance that has been entered into between the provider
and the insurer.
21M
Permitted CP disclosures to debt collectors
(1) A disclosure by a credit provider of
credit eligibility information about an individual is a permitted CP
disclosure in relation to the individual if:
(a) the disclosure is to a person or
body that carries on a business or undertaking that involves the collection of
debts on behalf of others; and
(c) the information is disclosed to
the person or body for the primary purpose of the person or body collecting
payments that are overdue in relation to:
(i) consumer credit
provided by the provider to the individual; or
(ii) commercial credit
provided by the provider to a person; and
(d) the information is information of
a kind referred to in subsection (2).
Note: See section 21NA for additional rules
about the disclosure of credit eligibility information under this subsection.
(2) The information for the purposes of
paragraph (1)(d) is:
(a) identification information about
the individual; or
(b) court proceedings information
about the individual; or
(c) personal insolvency information about
the individual; or
(d) if subparagraph (1)(c)(i)
applies—default information about the individual if:
(i) the information
relates to a payment that the individual is overdue in making in relation to
consumer credit that has been provided by the credit provider to the
individual; and
(ii) the provider does not
hold, or has not held, payment information about the individual that relates to
that overdue payment.
21N
Permitted CP disclosures to other recipients
Mortgage credit assistance schemes
(1) A disclosure by a credit provider of
credit eligibility information about an individual is a permitted CP
disclosure in relation to the individual if:
(a) the disclosure is to a State or
Territory authority; and
(b) the functions or responsibilities
of the authority include:
(i) giving assistance
(directly or indirectly) that facilitates the provision of mortgage credit to
individuals; or
(ii) the management or
supervision of schemes or arrangements under which such assistance is given;
and
(c) the information is disclosed for
the purpose of enabling the authority:
(i) to determine the
extent of the assistance (if any) to give in relation to the provision of
mortgage credit to the individual; or
(ii) to manage or supervise
such a scheme or arrangement.
Assignment of debts owed to credit providers etc.
(2) A disclosure by a credit provider of
credit eligibility information about an individual is a permitted CP
disclosure in relation to the individual if:
(a) the disclosure is to one or more
of the following (the recipient):
(i) an entity;
(ii) a professional legal
adviser of the entity;
(iii) a professional
financial adviser of the entity; and
(b) the recipient has an Australian
link; and
(c) subsection (3) applies to the
information.
(3) This subsection applies to the credit
eligibility information if the recipient proposes to use the information:
(a) in the process of the entity
considering whether to:
(i) accept an assignment
of a debt owed to the credit provider; or
(ii) accept a debt owed to
the provider as security for credit provided to the provider; or
(iii) purchase an interest
in the provider or a related body corporate of the provider; or
(b) in connection with exercising
rights arising from the acceptance of such an assignment or debt, or the
purchase of such an interest.
21NA
Disclosures to certain persons and bodies that do not have an Australian link
Related bodies corporate and credit managers etc.
(1) Before a credit provider discloses credit
eligibility information under paragraph 21G(3)(b) or (c) to a related body
corporate, or person, that does not have an Australian link, the provider must
take such steps as are reasonable in the circumstances to ensure that the body
or person does not breach the following provisions (the relevant
provisions) in relation to the information:
(a) for a disclosure under paragraph
21G(3)(b)—section 22D;
(b) for a disclosure under paragraph
21G(3)(c)—section 22E;
(c) in both cases—the Australian
Privacy Principles (other than Australian Privacy Principles 1, 6, 7, 8 and
9.2).
(2) If:
(a) a credit provider discloses credit
eligibility information under paragraph 21G(3)(b) or (c) to a related body
corporate, or person, that does not have an Australian link; and
(b) the relevant provisions do not
apply, under this Act, to an act done, or a practice engaged in, by the body or
person in relation to the information; and
(c) the body or person does an act, or
engages in a practice, in relation to the information that would be a breach of
the relevant provisions if those provisions applied to the act or practice;
the act done, or the practice engaged in, by the body or
person is taken, for the purposes of this Act, to have been done, or engaged
in, by the provider and to be a breach of those provisions by the provider.
Debt collectors
(3) Before a credit provider discloses credit
eligibility information under subsection 21M(1) to a person or body that does
not have an Australian link, the provider must take such steps as are
reasonable in the circumstances to ensure that the person or body does not
breach the Australian Privacy Principles (other than Australian Privacy
Principle 1) in relation to the information.
(4) If:
(a) a credit provider discloses credit
eligibility information under subsection 21M(1) to a person or body that does
not have an Australian link; and
(b) the Australian Privacy Principles
do not apply, under this Act, to an act done, or a practice engaged in, by the
person or body in relation to the information; and
(c) the person or body does an act, or
engages in a practice, in relation to the information that would be a breach of
the Australian Privacy Principles (other than Australian Privacy Principle 1)
if those Australian Privacy Principles applied to the act or practice;
the act done, or the practice engaged in, by the person or
body is taken, for the purposes of this Act, to have been done, or engaged in,
by the provider and to be a breach of those Australian Privacy Principles by
the provider.
21P
Notification of a refusal of an application for consumer credit
(1) This section applies if:
(a) a credit provider refuses an
application for consumer credit made in Australia:
(i) by an individual; or
(ii) jointly by an
individual and one or more other persons (the other applicants);
and
(b) the refusal is based wholly or
partly on credit eligibility information about one or more of the following:
(i) the individual;
(ii) a person who is
proposing to act as a guarantor in relation to the consumer credit;
(iii) if the application is
an application of a kind referred to in subparagraph (a)(ii)—one of the
other applicants; and
(c) a credit reporting body disclosed
the relevant credit reporting information to the provider for the purposes of
assessing the application.
(2) The credit provider must, within a
reasonable period after refusing the application, give the individual a written
notice that:
(a) states that the application has
been refused; and
(b) states that the refusal is based
wholly or partly on credit eligibility information about one or more of the
persons referred to in paragraph (1)(b); and
(c) if that information is about the
individual—sets out:
(i) the name and contact
details of the credit reporting body that disclosed the relevant credit
reporting information to the provider; and
(ii) any other matter
specified in the registered CR code.
Subdivision E—Integrity of credit information and credit eligibility
information
21Q
Quality of credit eligibility information
(1) A credit provider must take such steps
(if any) as are reasonable in the circumstances to ensure that the credit
eligibility information the provider collects is accurate, up‑to‑date and
complete.
(2) A credit provider must take such steps
(if any) as are reasonable in the circumstances to ensure that the credit
eligibility information the provider uses or discloses is, having regard to the
purpose of the use or disclosure, accurate, up‑to‑date, complete and relevant.
(3) If a credit provider is an APP entity,
Australian Privacy Principle 10 does not apply to the provider in relation to
credit eligibility information.
21R
False or misleading credit information or credit eligibility information
Offences
(1) A credit provider commits an offence if:
(a) the provider discloses credit information
under section 21D; and
(b) the information is false or
misleading in a material particular.
Penalty: 200 penalty units.
(2) A credit provider commits an offence if:
(a) the provider uses or discloses
credit eligibility information under this Division; and
(b) the information is false or
misleading in a material particular.
Penalty: 200 penalty units.
Civil penalties
(3) A credit provider must not disclose
credit information under section 21D if the information is false or
misleading in a material particular.
Civil penalty: 2,000 penalty units.
(4) A credit provider must not use or
disclose credit eligibility information under this Division if the information
is false or misleading in a material particular.
Civil penalty: 2,000 penalty units.
21S
Security of credit eligibility information
(1) If a credit provider holds credit
eligibility information, the provider must take such steps as are reasonable in
the circumstances to protect the information:
(a) from misuse, interference and
loss; and
(b) from unauthorised access,
modification or disclosure.
(2) If:
(a) a credit provider holds credit
eligibility information about an individual; and
(b) the provider no longer needs the
information for any purpose for which the information may be used or disclosed
by the provider under this Division; and
(c) the provider is not required by or
under an Australian law, or a court/tribunal order, to retain the information;
the provider must take such steps as are reasonable in the
circumstances to destroy the information or to ensure that the information is
de‑identified.
Civil penalty: 1,000 penalty units.
(3) If a credit provider is an APP entity,
Australian Privacy Principle 11 does not apply to the provider in relation to
credit eligibility information.
Subdivision F—Access to, and correction of, information
21T
Access to credit eligibility information
Access
(1) If a credit provider holds credit
eligibility information about an individual, the provider must, on request by
an access seeker in relation to the information, give the access seeker access
to the information.
Exceptions to access
(2) Despite subsection (1), the credit
provider is not required to give the access seeker access to the credit
eligibility information to the extent that:
(a) giving access would be unlawful;
or
(b) denying access is required or
authorised by or under an Australian law or a court/tribunal order; or
(c) giving access would be likely to
prejudice one or more enforcement related activities conducted by, or on behalf
of, an enforcement body.
Dealing with requests for access
(3) The credit provider must respond to the
request within a reasonable period after the request is made.
Means of access
(4) If the credit provider gives access to
the credit eligibility information, the access must be given in the manner set
out in the registered CR code.
Access charges
(5) If the credit provider is an agency, the
provider must not charge the access seeker for the making of the request or for
giving access to the information.
(6) If a credit provider is an organisation
or small business operator, any charge by the provider for giving access to the
information must not be excessive and must not apply to the making of the
request.
Refusal to give access
(7) If the provider refuses to give access to
the information because of subsection (2), the provider must give the
access seeker a written notice that:
(a) sets out the reasons for the
refusal except to the extent that, having regard to the grounds for the
refusal, it would be unreasonable to do so; and
(b) states that, if the access seeker
is not satisfied with the response to the request, the access seeker may:
(i) access a recognised
external dispute resolution scheme of which the provider is a member; or
(ii) make a complaint to
the Commissioner under Part V.
Interaction with the Australian Privacy Principles
(8) If a credit provider is an APP entity,
Australian Privacy Principle 12 does not apply to the provider in relation to
credit eligibility information.
21U Correction
of credit information or credit eligibility information
(1) If:
(a) a credit provider holds credit
information or credit eligibility information about an individual; and
(b) the provider is satisfied that,
having regard to a purpose for which the information is held by the provider,
the information is inaccurate, out‑of‑date, incomplete, irrelevant or
misleading;
the provider must take such steps (if any) as are
reasonable in the circumstances to correct the information to ensure that,
having regard to the purpose for which it is held, the information is accurate,
up‑to‑date, complete, relevant and not misleading.
Notice of correction
(2) If:
(a) the credit provider corrects
credit information or credit eligibility information under subsection (1);
and
(b) the provider has previously
disclosed the information under:
(i) this Division (other
than subsection 21V(4)); or
(ii) the Australian Privacy
Principles (other than Australian Privacy Principle 4.2);
the provider must, within a reasonable period, give each
recipient of the information written notice of the correction.
(3) Subsection (2) does not apply if:
(a) it is impracticable for the credit
provider to give the notice under that subsection; or
(b) the credit provider is required by
or under an Australian law, or a court/tribunal order, not to give the notice
under that subsection.
Interaction with the Australian Privacy Principles
(4) If a credit provider is an APP entity,
Australian Privacy Principle 13:
(a) applies to the provider in
relation to credit information or credit eligibility information that is
identification information; but
(b) does not apply to the provider in
relation to any other kind of credit information or credit eligibility
information.
Note: Identification information may be corrected
under this section or Australian Privacy Principle 13.
21V
Individual may request the correction of credit information etc.
Request
(1) An individual may request a credit
provider to correct personal information about the individual if:
(a) the personal information is:
(i) credit information
about the individual; or
(ii) CRB derived
information about the individual; or
(iii) CP derived information
about the individual; and
(b) the provider holds at least one
kind of the personal information referred to in paragraph (a).
Correction
(2) If the credit provider is satisfied that
the personal information is inaccurate, out‑of‑date, incomplete, irrelevant or
misleading, the provider must take such steps (if any) as are reasonable in the
circumstances to correct the information within:
(a) the period of 30 days that starts
on the day on which the request is made; or
(b) such longer period as the
individual has agreed to in writing.
Consultation
(3) If the credit provider considers that the
provider cannot be satisfied of the matter referred to in subsection (2)
in relation to the personal information without consulting either or both of
the following (the interested party):
(a) a credit reporting body that holds
or held the information and that has an Australian link;
(b) another credit provider that holds
or held the information and that has an Australian link;
the provider must consult that interested party, or those
interested parties, about the individual’s request.
(4) The use or disclosure of personal
information about the individual for the purposes of the consultation is taken,
for the purposes of this Act, to be a use or disclosure that is authorised by
this subsection.
No charge
(5) The credit provider must not charge the
individual for the making of the request or for correcting the information.
Interaction with the Australian Privacy Principles
(6) If a credit provider is an APP entity,
Australian Privacy Principle 13:
(a) applies to the provider in
relation to personal information referred to in paragraph (1)(a) that is
identification information; but
(b) does not apply to the provider in
relation to any other kind of personal information referred to in that
paragraph.
Note: Identification information may be corrected
under this section or Australian Privacy Principle 13.
21W
Notice of correction etc. must be given
(1) This section applies if an individual
requests a credit provider to correct personal information under subsection
21V(1).
Notice of correction etc.
(2) If the credit provider corrects personal
information about the individual under subsection 21V(2), the provider must,
within a reasonable period:
(a) give the individual written notice
of the correction; and
(b) if the provider consulted an interested
party under subsection 21V(3) about the individual’s request—give the party
written notice of the correction; and
(c) if the correction relates to
information that the provider has previously disclosed under:
(i) this Division (other
than subsection 21V(4)); or
(ii) the Australian Privacy
Principles (other than Australian Privacy Principle 4.2);
give each recipient of the
information written notice of the correction.
(3) If the credit provider does not correct
the personal information under subsection 21V(2), the provider must, within a
reasonable period, give the individual written notice that:
(a) states that the correction has not
been made; and
(b) sets out the provider’s reasons
for not correcting the information (including evidence substantiating the
correctness of the information); and
(c) states that, if the individual is
not satisfied with the response to the request, the individual may:
(i) access a recognised
external dispute resolution scheme of which the provider is a member; or
(ii) make a complaint to
the Commissioner under Part V.
Exceptions
(4) Paragraph (2)(c) does not apply if
it is impracticable for the credit provider to give the notice under that
paragraph.
(5) Subsection (2) or (3) does not apply
if the credit provider is required by or under an Australian law, or a
court/tribunal order, not to give the notice under that subsection.
Division 4—Affected information recipients
22
Guide to this Division
This Division sets out rules that
apply to affected information recipients in relation to their handling of their
regulated information.
If an affected information recipient
is an APP entity, the rules apply in relation to the regulated information of
the recipient in addition to, or instead of, any relevant Australian Privacy
Principles.
Subdivision A—Consideration of information privacy
22A
Open and transparent management of regulated information
(1) The object of this section is to ensure
that an affected information recipient manages the regulated information of the
recipient in an open and transparent way.
Compliance with this Division etc.
(2) An affected information recipient must
take such steps as are reasonable in the circumstances to implement practices,
procedures and systems relating to the recipient’s functions or activities
that:
(a) will ensure that the recipient
complies with this Division and the registered CR code if it binds the
recipient; and
(b) will enable the recipient to deal
with inquiries or complaints from individuals about the recipient’s compliance
with this Division or the registered CR code if it binds the recipient.
Policy about the management of regulated information
(3) An affected information recipient must
have a clearly expressed and up‑to‑date policy about the recipient’s management
of the regulated information of the recipient.
(4) Without limiting subsection (3), the
policy of the affected information recipient must contain the following
information:
(a) the kinds of regulated information
that the recipient collects and holds, and how the recipient collects and holds
that information;
(b) the purposes for which the
recipient collects, holds, uses and discloses regulated information;
(c) how an individual may access
regulated information about the individual that is held by the recipient and
seek the correction of such information;
(d) how an individual may complain
about a failure of the recipient to comply with this Division or the registered
CR code if it binds the recipient;
(e) how the recipient will deal with
such a complaint.
Availability of policy etc.
(5) An affected information recipient must
take such steps as are reasonable in the circumstances to make the policy
available:
(a) free of charge; and
(b) in such form as is appropriate.
Note: An affected information recipient will usually
make the policy available on the recipient’s website.
(6) If a person or body requests a copy, in a
particular form, of the policy of an affected information recipient, the
recipient must take such steps as are reasonable in the circumstances to give
the person or body a copy in that form.
Interaction with the Australian Privacy Principles
(7) If an affected information recipient is
an APP entity, Australian Privacy Principles 1.3 and 1.4 do not apply to the
recipient in relation to the regulated information of the recipient.
Subdivision B—Dealing with regulated information
22B
Additional notification requirements for affected information recipients
If an affected information recipient is
an APP entity, then the matters for the purposes of Australian Privacy
Principle 5.1 include the following matters to the extent that the personal
information referred to in that principle is regulated information of the
recipient:
(a) that the policy (the credit
reporting policy) of the recipient that is referred to in subsection
22A(3) contains information about how an individual may access the regulated
information about the individual that is held by the recipient, and seek the
correction of such information;
(b) that the credit reporting policy
of the recipient contains information about how an individual may complain
about a failure of the recipient to comply with this Division or the registered
CR code if it binds the recipient; and
(c) that the credit reporting policy of
the recipient contains information about how the recipient will deal with such
a complaint.
22C
Use or disclosure of information by mortgage insurers or trade insurers
Prohibition on use or disclosure
(1) If:
(a) a mortgage insurer or trade
insurer holds or held personal information about an individual; and
(b) the information was disclosed to
the insurer by a credit reporting body or credit provider under Division 2
or 3 of this Part;
the insurer must not use or disclose the information, or
any personal information about the individual derived from that information.
Civil penalty: 2,000 penalty units.
Permitted uses
(2) Subsection (1) does not apply to the
use of the information if:
(a) for a mortgage insurer—the use is
for:
(i) a mortgage insurance
purpose of the insurer in relation to the individual; or
(ii) any purpose arising
under a contract for mortgage insurance that has been entered into between the
credit provider and the insurer; or
(b) for a trade insurer—the use is for
a trade insurance purpose of the insurer in relation to the individual; or
(c) the use is required or authorised
by or under an Australian law or a court/tribunal order.
Permitted disclosure
(3) Subsection (1) does not apply to the
disclosure of the information if the disclosure is required or authorised by or
under an Australian law or a court/tribunal order.
Interaction with the Australian Privacy Principles
(4) If the mortgage insurer or trade insurer
is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the
insurer in relation to the information.
(5) If:
(a) the mortgage insurer or trade
insurer is an APP entity; and
(b) the information is a government
related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the
insurer in relation to the information.
22D
Use or disclosure of information by a related body corporate
Prohibition on use or disclosure
(1) If:
(a) a body corporate holds or held
credit eligibility information about an individual; and
(b) the information was disclosed to
the body by a credit provider under paragraph 21G(3)(b);
the body must not use or disclose the information, or any
personal information about the individual derived from that information.
Civil penalty: 1,000 penalty units.
Permitted use or disclosure
(2) Subsection (1) does not apply to the
use or disclosure of the information by the body corporate if the body would be
permitted to use or disclose the information under section 21G if the body
were the credit provider.
(3) In determining whether the body corporate
would be permitted to use or disclose the information under section 21G,
assume that the body is whichever of the following is applicable:
(a) the credit provider that has
provided the relevant credit to the individual;
(b) the credit provider to which the
relevant application for credit was made by the individual.
Interaction with the Australian Privacy Principles
(4) If the body corporate is an APP entity,
Australian Privacy Principles 6, 7 and 8 do not apply to the body in relation
to the information.
(5) If:
(a) the body corporate is an APP
entity; and
(b) the information is a government
related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the
body in relation to the information.
22E
Use or disclosure of information by credit managers etc.
Prohibition on use or disclosure
(1) If:
(a) a person holds or held credit
eligibility information about an individual; and
(b) the information was disclosed to
the person by a credit provider under paragraph 21G(3)(c);
the person must not use or disclose the information, or
any personal information about the individual derived from that information.
Civil penalty: 1,000 penalty units.
Permitted uses
(2) Subsection (1) does not apply to the
use of the information if:
(a) the person uses the information for
the purpose for which it was disclosed to the person under paragraph 21G(3)(c);
or
(b) the use is required or authorised
by or under an Australian law or a court/tribunal order.
Permitted disclosure
(3) Subsection (1) does not apply to the
disclosure of the information if:
(a) the disclosure is to the credit
provider; or
(b) the disclosure is required or
authorised by or under an Australian law or a court/tribunal order.
Interaction with the Australian Privacy Principles
(4) If the person is an APP entity,
Australian Privacy Principles 6, 7 and 8 do not apply to the person in relation
to the information.
(5) If:
(a) the person is an APP entity; and
(b) the information is a government
related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the
person in relation to the information.
22F
Use or disclosure of information by advisers etc.
Prohibition on use or disclosure
(1) If:
(a) any of the following (the recipient)
holds or held credit eligibility information about an individual:
(i) an entity;
(ii) a professional legal
adviser of the entity;
(iii) a professional
financial adviser of the entity; and
(b) the information was disclosed to the
recipient by a credit provider under subsection 21N(2);
the recipient must not use or disclose the information, or
any personal information about the individual derived from that information.
Civil penalty: 1,000 penalty units.
Permitted uses
(2) Subsection (1) does not apply to the
use of the information if:
(a) for a recipient that is the
entity—the information is used for a matter referred to in subsection 21N(3);
or
(b) for a recipient that is the
professional legal adviser, or professional financial adviser, of the
entity—the information is used:
(i) in the adviser’s
capacity as an adviser of the entity; and
(ii) in connection with
advising the entity about a matter referred to in subsection 21N(3); or
(c) the use is required or authorised
by or under an Australian law or a court/tribunal order.
Permitted disclosure
(3) Subsection (1) does not apply to the
disclosure of the information if the disclosure is required or authorised by or
under an Australian law or a court/tribunal order.
Interaction with the Australian Privacy Principles
(4) If the recipient is an APP entity,
Australian Privacy Principles 6, 7 and 8 do not apply to the recipient in
relation to the information.
(5) If:
(a) the recipient is an APP entity;
and
(b) the information is a government
related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the
recipient in relation to the information.
Division 5—Complaints
23
Guide to this Division
This Division deals with complaints
about credit reporting bodies or credit providers.
Individuals may complain to credit
reporting bodies or credit providers about acts or practices that may be a
breach of certain provisions of this Part or the registered CR code.
If a complaint is made, the respondent
for the complaint must investigate the complaint and make a decision about the
complaint.
23A
Individual may complain about a breach of a provision of this Part etc.
Complaint
(1) An individual may complain to a credit
reporting body about an act or practice engaged in by the body that may be a
breach of either of the following provisions in relation to the individual:
(a) a provision of this Part (other
than section 20R or 20T);
(b) a provision of the registered CR
code (other than a provision that relates to that section).
Note: A complaint about a breach of section 20R
or 20T, or a provision of the registered CR code that relates to that section,
may be made to the Commissioner under Part V.
(2) An individual may complain to a credit
provider about an act or practice engaged in by the provider that may be a
breach of either of the following provisions in relation to the individual:
(a) a provision of this Part (other
than section 21T or 21V);
(b) a provision of the registered CR
code (other than a provision that relates to that section) if it binds the
credit provider.
Note: A complaint about a breach of section 21T
or 21V, or a provision of the registered CR code that relates to that section,
may be made to the Commissioner under Part V.
Nature of complaint
(3) If an individual makes a complaint, the
individual must specify the nature of the complaint.
(4) The complaint may relate to personal
information that has been destroyed or de‑identified.
No charge
(5) The credit reporting body or credit
provider must not charge the individual for the making of the complaint or for
dealing with the complaint.
23B
Dealing with complaints
(1) If an individual makes a complaint under
section 23A, the respondent for the complaint:
(a) must, within 7 days after the complaint
is made, give the individual a written notice that:
(i) acknowledges the
making of the complaint; and
(ii) sets out how the
respondent will deal with the complaint; and
(b) must investigate the complaint.
Consultation about the complaint
(2) If the respondent for the complaint
considers that it is necessary to consult a credit reporting body or credit
provider about the complaint, the respondent must consult the body or provider.
(3) The use or disclosure of personal
information about the individual for the purposes of the consultation is taken,
for the purposes of this Act, to be a use or disclosure that is authorised by
this subsection.
Decision about the complaint
(4) After investigating the complaint, the
respondent must, within the period referred to in subsection (5), make a
decision about the complaint and give the individual a written notice that:
(a) sets out the decision; and
(b) states that, if the individual is
not satisfied with the decision, the individual may:
(i) access a recognised
external dispute resolution scheme of which the respondent is a member; or
(ii) make a complaint to
the Commissioner under Part V.
(5) The period for the purposes of
subsection (4) is:
(a) the period of 30 days that starts
on the day on which the complaint is made; or
(b) such longer period as the
individual has agreed to in writing.
23C
Notification requirements relating to correction complaints
(1) This section applies if an individual
makes a complaint under section 23A about an act or practice that may
breach section 20S or 21U (which deal with the correction of personal
information by credit reporting bodies and credit providers).
Notification of complaint etc.
(2) If:
(a) the respondent for the complaint
is a credit reporting body; and
(b) the complaint relates to credit
information or credit eligibility information that a credit provider holds;
the respondent must, in writing:
(c) notify the provider of the making
of the complaint as soon as practicable after it is made; and
(d) notify the provider of the making
of a decision about the complaint under subsection 23B(4) as soon as
practicable after it is made.
(3) If:
(a) the respondent for the complaint
is a credit provider; and
(b) the complaint relates to:
(i) credit reporting
information that a credit reporting body holds; or
(ii) credit information or
credit eligibility information that another credit provider holds;
the respondent must, in writing:
(c) notify the body or other provider
(as the case may be) of the making of the complaint as soon as practicable
after it is made; and
(d) notify the body or other provider
(as the case may be) of the making of a decision about the complaint under
subsection 23B(4) as soon as practicable after it is made.
Notification of recipients of disclosed information
(4) If:
(a) a credit reporting body discloses
credit reporting information to which the complaint relates under
Division 2 of this Part; and
(b) at the time of the disclosure, a
decision about the complaint under subsection 23B(4) has not been made;
the body must, at that time, notify in writing the
recipient of the information of the complaint.
(5) If:
(a) a credit provider discloses
personal information to which the complaint relates under Division 3 of
this Part or under the Australian Privacy Principles; and
(b) at the time of the disclosure, a
decision about the complaint under subsection 23B(4) has not been made;
the provider must, at that time, notify in writing the
recipient of the information of the complaint.
Exceptions
(6) Subsection (2), (3), (4) or (5) does
not apply if:
(a) it is impracticable for the credit
reporting body or credit provider to give the notification under that
subsection; or
(b) the credit reporting body or
credit provider is required by or under an Australian law, or a court/tribunal
order, not to give the notification under that subsection.
Division 6—Unauthorised obtaining of credit reporting information etc.
24
Obtaining credit reporting information from a credit reporting body
Offences
(1) An entity commits an offence if:
(a) the entity obtains credit
reporting information; and
(b) the information is obtained from a
credit reporting body; and
(c) the entity is not:
(i) an entity to which the
body is permitted to disclose the information under Division 2 of this
Part; or
(ii) an access seeker for
the information.
Penalty: 200 penalty units.
(2) An entity commits an offence if:
(a) the entity obtains credit
reporting information; and
(b) the information is obtained from a
credit reporting body; and
(c) the information is obtained by
false pretence.
Penalty: 200 penalty units.
Civil penalties
(3) An entity must not obtain credit
reporting information from a credit reporting body if the entity is not:
(a) an entity to which the body is
permitted to disclose the information under Division 2 of this Part; or
(b) an access seeker for the
information.
Civil penalty: 2,000 penalty units.
(4) An entity must not obtain, by false
pretence, credit reporting information from a credit reporting body.
Civil penalty: 2,000 penalty units.
24A
Obtaining credit eligibility information from a credit provider
Offences
(1) An entity commits an offence if:
(a) the entity obtains credit
eligibility information; and
(b) the information is obtained from a
credit provider; and
(c) the entity is not:
(i) an entity to which the
provider is permitted to disclose the information under Division 3 of this
Part; or
(ii) an access seeker for
the information.
Penalty: 200 penalty units.
(2) An entity commits an offence if:
(a) the entity obtains credit
eligibility information; and
(b) the information is obtained from a
credit provider; and
(c) the information is obtained by
false pretence.
Penalty: 200 penalty units.
Civil penalties
(3) An entity must not obtain credit
eligibility information from a credit provider if the entity is not:
(a) an entity to which the provider is
permitted to disclose the information under Division 3 of this Part; or
(b) an access seeker for the
information.
Civil penalty: 2,000 penalty units.
(4) An entity must not obtain, by false
pretence, credit eligibility information from a credit provider.
Civil penalty: 2,000 penalty units.
Division 7—Court orders
25
Compensation orders
(1) The Federal Court or the Federal Magistrates
Court may order an entity to compensate a person for loss or damage (including
injury to the person’s feelings or humiliation) suffered by the person if:
(a) either:
(i) a civil penalty order
has been made against the entity for a contravention of a civil penalty
provision (other than section 13G); or
(ii) the entity is found
guilty of an offence against this Part; and
(b) that loss or damage resulted from
the contravention or commission of the offence.
The order must specify the amount of compensation.
(2) The court may make the order only if:
(a) the person applies for an order
under this section; and
(b) the application is made within 6
years of the day the cause of action that relates to the contravention or
commission of the offence accrued.
(3) If the court makes the order, the amount
of compensation specified in the order that is to be paid to the person may be
recovered as a debt due to the person.
25A
Other orders to compensate loss or damage
(1) This section applies if:
(a) either:
(i) a civil penalty order
has been made against an entity for a contravention of a civil penalty
provision (other than section 13G); or
(ii) an entity is found
guilty of an offence against this Part; and
(b) a person has suffered, or is
likely to suffer, loss or damage (including injury to the person’s feelings or
humiliation) as a result of the contravention or commission of the offence.
(2) The Federal Court or the Federal
Magistrates Court may make such order as the Court considers appropriate
against the entity to:
(a) compensate the person, in whole or
in part, for that loss or damage; or
(b) prevent or reduce that loss or
damage suffered, or likely to be suffered, by the person.
(3) Without limiting subsection (2),
examples of orders the court may make include:
(a) an order directing the entity to
perform any reasonable act, or carry out any reasonable course of conduct, to
redress the loss or damage suffered by the person; and
(b) an order directing the entity to
pay the person a specified amount to reimburse the person for expenses
reasonably incurred by the person in connection with the contravention or
commission of the offence; and
(c) an order directing the defendant
to pay to the person the amount of loss or damage the plaintiff suffered.
(4) The court may make the order only if:
(a) the person applies for an order
under this section; and
(b) the application is made within 6
years of the day the cause of action that relates to the contravention or
commission of the offence accrued.
(5) If the court makes an order that the
entity pay an amount to the person, the person may recover the amount as a debt
due to the person.
73 Subsections 30(3) and (4)
Omit “credit reporting agency” (wherever occurring), substitute
“credit reporting body”.
74 Subsection 49(4) (paragraph (a) of the definition of
credit reporting offence)
Omit “18C(4), 18D(4), 18K(4), 18L(2), 18N(2), 18R(2) or 18S(3) or
section 18T”, substitute “20P(1), 21R(1) or (2), 24(1) or (2) or 24A(1) or
(2)”.
75 Subsection 68(1)
Omit “credit reporting agency”, substitute “credit reporting
body”.
Schedule 3
1 Subsection 6(1)
Insert:
APP code has the meaning given by
section 26C.
2 Subsection 6(1)
Insert:
APP code developer means:
(a) an APP entity; or
(b) a group of APP entities; or
(c) a body or association representing
one or more APP entities.
3 Subsection 6(1) (definition of approved privacy code)
Repeal the definition.
4 Subsection 6(1) (definition of code complaint)
Omit “an approved privacy code”, substitute “a registered APP
code”.
5 Subsection 6(1) (definition of Code of Conduct)
Repeal the definition.
6 Subsection 6(1)
Insert:
Codes Register has the meaning given by
subsection 26U(1).
7 Subsection 6(1)
Insert:
CR code has the meaning given by
section 26N.
8 Subsection 6(1)
Insert:
CR code developer means:
(a) an entity that is subject to
Part IIIA; or
(b) a group of entities that are
subject to Part IIIA; or
(c) a body or association representing
one or more entities that are subject to Part IIIA.
9 Subsection 6(1) (definition of credit provider)
After “III,”, insert “IIIB,”.
10 Subsection 6(1) (paragraph (a) of the definition of credit
reporting complaint)
Omit “the Code of Conduct”, substitute “the registered CR code”.
11 Subsection 6(1) (definition of credit reporting
infringement)
Repeal the definition.
12 Subsection 6(1) (definition of privacy code)
Repeal the definition.
13 Subsection 6(1)
Insert:
registered APP code has the meaning given by
section 26B.
14 Subsection 6(1)
Insert:
registered CR code has the meaning given by
section 26M.
15 Subsection 6(3A)
Repeal the subsection.
16 At the end of subsection 6(7)
Add:
; or (g) being both an APP complaint and a
code complaint.
17 Section 6B (heading)
Repeal the heading, substitute:
6B Breach
of a registered APP code
18 Subsections 6B(1), (2), (3) and (4)
Omit “an approved privacy code”, substitute “a registered APP
code”.
19 After section 6B
Insert:
6BA
Breach of the registered CR code
For the purposes of this Act, an act or
practice breaches the registered CR code if, and only if, it is contrary to, or
inconsistent with, the code.
20 Subsection 7(2)
Omit “an approved privacy code”, substitute “a registered APP
code”.
21 Subsection 7B(2) (note)
Omit “or a binding approved privacy code”, substitute “, or a
registered APP code that binds the organisation,”.
22 Subsection 13B(1) (note)
Omit “or a binding approved privacy code”, substitute “and a
registered APP code that binds them”.
23 Subsection 13B(1) (paragraph (b) of the note)
Omit “or a corresponding provision in a binding approved privacy
code”.
24 Subsection 13B(1A) (note)
Omit “a binding approved privacy code”, substitute “a registered
APP code that binds the body”.
25 Subsection 13C(1) (note)
Omit “or a binding approved privacy code”, substitute “and a
registered APP code that binds them”.
26 Subsection 13C(1) (note)
Omit “or a corresponding provision in a binding approved privacy
code”.
27 Division 5 of Part III
Repeal the Division.
28 Part IIIAA
Repeal the Part.
29 Before Part IV
Insert:
Part IIIB—Privacy codes
Division 1—Introduction
26
Guide to this Part
This Part deals with privacy codes.
Division 2 deals with codes of
practice about information privacy, called APP codes. APP code developers or
the Commissioner may develop APP codes, which:
(a) must set out
how one or more of the Australian Privacy Principles are to be applied or
complied with; and
(b) may impose
additional requirements to those imposed by the Australian Privacy Principles;
and
(c) may deal
with other specified matters.
If the Commissioner includes an APP
code on the Codes Register, an APP entity bound by the code must not breach it.
A breach of a registered APP code is an interference with the privacy of an
individual.
Division 3 deals with a code of
practice about credit reporting, called a CR code. CR code developers or the
Commissioner may develop a CR code, which:
(a) must set out
how one or more of the provisions of Part IIIA are to be applied or
complied with; and
(b) must deal
with matters required or permitted by Part IIIA to be provided for by the
registered CR code; and
(c) may deal
with other specified matters.
If the Commissioner includes a CR code
on the Codes Register, an entity bound by the code must not breach it. A breach
of the registered CR code is an interference with the privacy of an individual.
Division 4 deals with the Codes
Register, guidelines relating to codes and the review of the operation of
registered codes.
Division 2—Registered APP codes
Subdivision A—Compliance with registered APP codes etc.
26A
APP entities to comply with binding registered APP codes
An APP entity must not do an act, or
engage in a practice, that breaches a registered APP code that binds the
entity.
26B
What is a registered APP code
(1) A registered APP code is an
APP code:
(a) that is included on the Codes
Register; and
(b) that is in force.
(2) A registered APP code is a legislative
instrument.
(3) Despite subsection 12(2) of the Legislative
Instruments Act 2003, a registered APP code may be expressed to take effect
before the date it is registered under that Act.
Note: An APP code cannot come into force before it
is included on the Codes Register: see paragraph 26C(2)(c).
26C
What is an APP code
(1) An APP code is a written
code of practice about information privacy.
(2) An APP code must:
(a) set out how one or more of the
Australian Privacy Principles are to be applied or complied with; and
(b) specify the APP entities that are
bound by the code, or a way of determining the APP entities that are bound by
the code; and
(c) set out the period during which
the code is in force (which must not start before the day the code is
registered under section 26H).
(3) An APP code may do one or more of the
following:
(a) impose additional requirements to
those imposed by one or more of the Australian Privacy Principles, so long as
the additional requirements are not contrary to, or inconsistent with, those
principles;
(b) cover an act or practice that is
exempt within the meaning of subsection 7B(1), (2) or (3);
(c) deal with the internal handling of
complaints;
(d) provide for the reporting to the
Commissioner about complaints;
(e) deal with any other relevant
matters.
(4) An APP code may be expressed to apply to
any one or more of the following:
(a) all personal information or a
specified type of personal information;
(b) a specified activity, or a
specified class of activities, of an APP entity;
(c) a specified industry sector or
profession, or a specified class of industry sectors or professions;
(d) APP entities that use technology
of a specified kind.
(5) An APP code is not a legislative
instrument.
26D
Extension of Act to exempt acts or practices covered by registered APP codes
If a registered APP code covers an act
or practice that is exempt within the meaning of subsection 7B(1), (2) or (3),
this Act applies in relation to the code as if that act or practice were not
exempt.
Subdivision B—Development and registration of APP codes
26E
Development of APP codes by APP code developers
Own initiative
(1) An APP code developer may develop an APP
code.
At the Commissioner’s request
(2) The Commissioner may, in writing, request
an APP code developer to develop an APP code, and apply to the Commissioner for
the code to be registered, if the Commissioner is satisfied it is in the public
interest for the code to be developed.
(3) The request must:
(a) specify the period within which
the request must be complied with; and
(b) set out the effect of
section 26A.
(4) The period:
(a) must run for at least 120 days
from the date the request is made; and
(b) may be extended by the
Commissioner.
(5) The request may:
(a) specify one or more matters that
the APP code must deal with; and
(b) specify the APP entities, or a
class of APP entities, that should be bound by the code.
(6) Despite paragraph (5)(a), the
Commissioner must not require an APP code to cover an act or practice that is
exempt within the meaning of subsection 7B(1), (2) or (3). However, the APP
code that is developed by the APP code developer may cover such an act or
practice.
(7) The Commissioner must make a copy of the
request publicly available as soon as practicable after the request is made.
26F
Application for registration of APP codes
(1) If an APP code developer develops an APP
code, the developer may apply to the Commissioner for registration of the code.
(2) Before making the application, the APP
code developer must:
(a) make a draft of the APP code
publicly available; and
(b) invite the public to make
submissions to the developer about the draft within a specified period (which
must run for at least 28 days); and
(c) give consideration to any
submissions made within the specified period.
(3) The application must:
(a) be made in the form and manner specified
by the Commissioner; and
(b) be accompanied by such information
as is specified by the Commissioner.
(4) The APP code developer may vary the APP
code at any time before the Commissioner registers the code, but only with the
consent of the Commissioner.
26G
Development of APP codes by the Commissioner
(1) This section applies if the Commissioner
made a request under subsection 26E(2) and either:
(a) the request has not been complied
with; or
(b) the request has been complied with
but the Commissioner has decided not to register, under section 26H, the
APP code that was developed as requested.
(2) The Commissioner may develop an APP code
if the Commissioner is satisfied that it is in public interest to develop the
code. However, despite subsection 26C(3)(b), the APP code must not cover an act
or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).
(3) Before registering the APP code under
section 26H, the Commissioner must:
(a) make a draft of the code publicly
available; and
(b) invite the public to make
submissions to the Commissioner about the draft within a specified period
(which must run for at least 28 days); and
(c) give consideration to any
submissions made within the specified period.
26H
Commissioner may register APP codes
(1) If:
(a) an application for registration of
an APP code is made under section 26F; or
(b) the Commissioner develops an APP
code under section 26G;
the Commissioner may register the code by including it on
the Codes Register.
(2) In deciding whether to register the APP
code, the Commissioner may:
(a) consult any person the
Commissioner considers appropriate; and
(b) consider the matters specified in
any relevant guidelines made under section 26V.
(3) If the Commissioner decides not to
register an APP code developed by an APP code developer, the Commissioner must
give written notice of the decision to the developer, including reasons for the
decision.
Subdivision C—Variation and removal of registered APP codes
26J
Variation of registered APP codes
(1) The Commissioner may, in writing, approve
a variation of a registered APP code:
(a) on his or her own initiative; or
(b) on application by an APP entity
that is bound by the code; or
(c) on application by a body or
association representing one or more APP entities that are bound by the code.
(2) An application under
paragraph (1)(b) or (c) must:
(a) be made in the form and manner
specified by the Commissioner; and
(b) be accompanied by such information
as is specified by the Commissioner.
(3) If the Commissioner varies a registered
APP code on his or her own initiative, then, despite subsection 26C(3)(b), the
variation must not deal with an act or practice that is exempt within the
meaning of subsection 7B(1), (2) or (3).
(4) Before deciding whether to approve a
variation, the Commissioner must:
(a) make a draft of the variation
publicly available; and
(b) consult any person the
Commissioner considers appropriate about the variation; and
(c) consider the extent to which
members of the public have been given an opportunity to comment on the
variation.
(5) In deciding whether to approve a
variation, the Commissioner may consider the matters specified in any relevant
guidelines made under section 26V.
(6) If the Commissioner approves a variation
of a registered APP code (the original code), the Commissioner
must:
(a) remove the original code from the
Codes Register; and
(b) register the APP code, as varied,
by including it on the Register.
(7) If the Commissioner approves a variation,
the variation comes into effect on the day specified in the approval, which
must not be before the day on which the APP code, as varied, is included on the
Codes Register.
(8) An approval is not a legislative
instrument.
Note: The APP code, as varied, is a legislative
instrument once it is included on the Codes Register: see section 26B.
26K
Removal of registered APP codes
(1) The Commissioner may remove a registered
APP code from the Codes Register:
(a) on his or her own initiative; or
(b) on application by an APP entity
that is bound by the code; or
(c) on application by a body or
association representing one or more APP entities that are bound by the code.
(2) An application under
paragraph (1)(b) or (c) must:
(a) be made in the form and manner
specified by the Commissioner; and
(b) be accompanied by such information
as is specified by the Commissioner.
(3) Before deciding whether to remove the
registered APP code, the Commissioner must:
(a) consult any person the
Commissioner considers appropriate about the proposed removal; and
(b) consider the extent to which
members of the public have been given an opportunity to comment on the proposed
removal.
(4) In deciding whether to remove the
registered APP code, the Commissioner may consider the matters specified in any
relevant guidelines made under section 26V.
Division 3—Registered CR code
Subdivision A—Compliance with the registered CR code
26L
Entities to comply with the registered CR code if bound by the code
If an entity is bound by the registered
CR code, the entity must not do an act, or engage in a practice, that breaches
the code.
Note: There must always be one, and only one,
registered CR code at all times after this Part commences: see subsection 26S(4).
26M
What is the registered CR code
(1) The registered CR code is
the CR code that is included on the Codes Register.
(2) The registered CR code is a legislative
instrument.
(3) Despite subsection 12(2) of the Legislative
Instruments Act 2003, the registered CR code may be expressed to take
effect before the date it is registered under that Act.
26N
What is a CR code
(1) A CR code is a written code
of practice about credit reporting.
(2) A CR code must:
(a) set out how one or more of the provisions
of Part IIIA are to be applied or complied with; and
(b) make provision for, or in relation
to, matters required or permitted by Part IIIA to be provided for by the
registered CR code; and
(c) bind all credit reporting bodies;
and
(d) specify the credit providers that
are bound by the code, or a way of determining which credit providers are
bound; and
(e) specify any other entities subject
to Part IIIA that are bound by the code, or a way of determining which of
those entities are bound.
(3) A CR code may do one or more of the
following:
(a) impose additional requirements to
those imposed by Part IIIA, so long as the additional requirements are not
contrary to, or inconsistent with, that Part;
(b) deal with the internal handling of
complaints;
(c) provide for the reporting to the
Commissioner about complaints;
(d) deal with any other relevant
matters.
(4) A CR code may be expressed to apply
differently in relation to:
(a) classes of entities that are
subject to Part IIIA; and
(b) specified classes of credit
information, credit reporting information or credit eligibility information;
and
(c) specified classes of activities of
entities that are subject to Part IIIA.
(5) A CR code is not a legislative
instrument.
Subdivision B—Development and registration of CR code
26P
Development of CR code by CR code developers
(1) The Commissioner may, in writing, request
a CR code developer to develop a CR code and apply to the Commissioner for the
code to be registered.
(2) The request must:
(a) specify the period within which
the request must be complied with; and
(b) set out the effect of
section 26L.
(3) The period:
(a) must run for at least 120 days
from the date the request is made; and
(b) may be extended by the
Commissioner.
(4) The request may:
(a) specify one or more matters that
the CR code must deal with; and
(b) specify the credit providers, or a
class of credit providers, that should be bound by the code; and
(c) specify the other entities, or a
class of other entities, subject to Part IIIA that should be bound by the
code.
(5) The Commissioner must make a copy of the
request publicly available as soon as practicable after the request is made.
26Q
Application for registration of CR code
(1) If a CR code developer develops a CR
code, the developer may apply to the Commissioner for registration of the code.
(2) Before making the application, the CR
code developer must:
(a) make a draft of the CR code
publicly available; and
(b) invite the public to make
submissions to the developer about the draft within a specified period (which
must run for at least 28 days); and
(c) give consideration to any
submissions made within the specified period.
(3) The application must:
(a) be made in the form and manner
specified by the Commissioner; and
(b) be accompanied by such information
as is specified by the Commissioner.
(4) The CR code developer may vary the CR
code at any time before the Commissioner registers the code, but only with the
consent of the Commissioner.
26R
Development of CR code by the Commissioner
(1) The Commissioner may develop a CR code if
the Commissioner made a request under section 26P and either:
(a) the request has not been complied
with; or
(b) the request has been complied with
but the Commissioner has decided not to register, under section 26S, the
CR code that was developed as requested.
(2) Before registering the CR code under
section 26S, the Commissioner must:
(a) make a draft of the code publicly
available; and
(b) invite the public to make
submissions to the Commissioner about the draft within a specified period
(which must run for at least 28 days); and
(c) give consideration to any
submissions made within the specified period.
26S
Commissioner may register CR code
(1) If:
(a) an application for registration of
a CR code is made under section 26Q; or
(b) the Commissioner develops a CR
code under section 26R;
the Commissioner may register the code by including it on
the Codes Register.
(2) In deciding whether to register the CR code,
the Commissioner may:
(a) consult any person the
Commissioner considers appropriate; and
(b) consider the matters specified in
any guidelines made under section 26V.
(3) If the Commissioner decides not to
register a CR code developed by a CR code developer, the Commissioner must give
written notice of the decision to the developer, including reasons for the
decision.
(4) The Commissioner must ensure that there
is one, and only one, registered CR code at all times after this Part
commences.
Subdivision C—Variation of the registered CR code
26T
Variation of the registered CR code
(1) The Commissioner may, in writing, approve
a variation of the registered CR code:
(a) on his or her own initiative; or
(b) on application by an entity that
is bound by the code; or
(c) on application by a body or
association representing one or more of the entities that are bound by the
code.
(2) An application under
paragraph (1)(b) or (c) must:
(a) be made in the form and manner
specified by the Commissioner; and
(b) be accompanied by such information
as is specified by the Commissioner.
(3) Before deciding whether to approve a
variation, the Commissioner must:
(a) make a draft of the variation
publicly available; and
(b) consult any person the
Commissioner considers appropriate about the variation; and
(c) consider the extent to which
members of the public have been given an opportunity to comment on the
variation.
(4) In deciding whether to approve a
variation, the Commissioner may consider the matters specified in any relevant
guidelines made under section 26V.
(5) If the Commissioner approves a variation
of the registered CR code (the original code), the Commissioner
must:
(a) remove the original code from the
Codes Register; and
(b) register the CR code, as varied,
by including it on the Register.
(6) If the Commissioner approves a variation,
the variation comes into effect on the day specified in the approval, which
must not be before the day on which the CR code, as varied, is included on the
Codes Register.
(7) An approval is not a legislative
instrument.
Note: The CR code, as varied, is a legislative
instrument once it is included on the Codes Register: see section 26M.
Division 4—General matters
26U
Codes Register
(1) The Commissioner must keep a register
(the Codes Register) which includes:
(a) the APP codes the Commissioner has
decided to register under section 26H; and
(b) the APP codes the Commissioner
must register under section 26J; and
(c) the CR code the Commissioner has
decided to register under section 26S; and
(d) the CR code the Commissioner must
register under section 26T.
(2) Despite subsection (1), the
Commissioner is not required to include on the Codes Register:
(a) an APP code removed from the Register
under section 26J or 26K; or
(b) the CR code removed from the
Register under section 26T.
(3) The Commissioner must make the Codes
Register available on the Commissioner’s website.
(4) The Commissioner may charge fees for
providing copies of, or extracts from, the Codes Register.
26V
Guidelines relating to codes
(1) The Commissioner may make written
guidelines:
(a) to assist APP code developers to
develop APP codes; or
(b) to assist APP entities bound by
registered APP codes to apply or comply with the codes; or
(c) to assist CR code developers to
develop a CR code; or
(d) to assist entities bound by the
registered CR code to apply or comply with the code.
(2) The Commissioner may make written
guidelines about matters the Commissioner may consider in deciding whether:
(a) to register an APP code or a CR
code; or
(b) to approve a variation of a
registered APP code or the registered CR code; or
(c) to remove a registered APP code
from the Codes Register.
(3) The Commissioner may publish any such
guidelines on the Commissioner’s website.
(4) Guidelines are not a legislative
instrument.
26W
Review of operation of registered codes
(1) The Commissioner may review the operation
of a registered APP code.
Note: The review may inform a decision by the
Commissioner to approve a variation of a registered APP code or to remove a
registered APP code from the Codes Register.
(2) The Commissioner may review the operation
of the registered CR code.
Note: The review may inform a decision by the Commissioner
to approve a variation of the registered CR code.
30 Subsection 36(1)
Omit “Subject to subsection (1A), an”, substitute “An”.
31 Subsections 36(1A), (1B) and (1C)
Repeal the subsections.
32 Subsections 54(1A), 55A(7) and 55B(2)
Repeal the subsections.
33 Subsection 55B(3)
Omit “or (2)”.
34 Subsection 55B(3)
Omit “or adjudicator”.
35 Subsection 55B(4)
Omit “or (2)”.
36 Subsection 64(1)
Omit “(1)”.
37 Subsection 64(2)
Repeal the subsection.
38 Section 95C
Omit “an approved privacy code”, substitute “a registered APP
code”.
Schedule 4
1 After section 2
Insert:
2A
Objects of this Act
The objects of this Act are:
(a) to promote the protection of the
privacy of individuals; and
(b) to recognise that the protection
of the privacy of individuals is balanced with the interests of entities in
carrying out their functions or activities; and
(c) to provide the basis for
nationally consistent regulation of privacy and the handling of personal
information; and
(d) to promote responsible and
transparent handling of personal information by entities; and
(e) to facilitate an efficient credit
reporting system while ensuring that the privacy of individuals is respected;
and
(f) to facilitate the free flow of
information across national borders while ensuring that the privacy of
individuals is respected; and
(g) to provide a means for individuals
to complain about an alleged interference with their privacy; and
(h) to implement Australia’s
international obligation in relation to privacy.
2 Subsections 5B(1) and (1A)
Repeal the subsections, substitute:
Agencies
(1) This Act, a registered APP code and the
registered CR code extend to an act done, or practice engaged in, outside
Australia and the external Territories by an agency.
Note: The act or practice overseas will not breach
an Australian Privacy Principle or a registered APP code if the act or practice
is required by an applicable foreign law (see sections 6A and 6B).
Organisations and small business operators
(1A) This Act, a registered APP code and the
registered CR code extend to an act done, or practice engaged in, outside
Australia and the external Territories by an organisation, or small business
operator, that has an Australian link.
Note: The act or practice overseas will not breach
an Australian Privacy Principle or a registered APP code if the act or practice
is required by an applicable foreign law (see sections 6A and 6B).
3 Subsection 5B(2) (heading)
Repeal the heading, substitute:
Australian link
4 Subsection 5B(2)
Omit “The organisation must be”, substitute “An organisation or
small business operator has an Australian link if the
organisation or operator is”.
5 Subsection 5B(3) (heading)
Repeal the heading.
6 Subsection 5B(3)
Omit “All of the following conditions must be met”, substitute
“An organisation or small business operator also has an Australian link
if all of the following apply”.
7 Paragraphs 5B(3)(a), (b) and (c)
After “organisation”, insert “or operator”.
8 Subsection 5B(4)
After “subsection (1)”, insert “or (1A)”.
9 Subsection 6(1)
Insert:
advice related functions has the meaning
given by subsection 28B(1).
10 Subsection 6(1)
Insert:
Australian link has the meaning given by
subsections 5B(2) and (3).
11 Subsection 6(1) (all the definitions of breach)
Repeal the definitions, substitute:
breach:
(a) in relation to an Australian
Privacy Principle, has the meaning given by section 6A; and
(b) in relation to a registered APP
code, has the meaning given by section 6B; and
(c) in relation to the registered CR code,
has the meaning given by section 6BA.
12 Subsection 6(1)
Insert:
civil penalty order has the meaning given by
subsection 80W(4).
13 Subsection 6(1)
Insert:
civil penalty provision has the meaning given
by section 80U.
14 Subsection 6(1) (definition of code complaint)
Omit “the complainant”, substitute “an individual”.
15 Subsection 6(1)
Insert:
committee of management of an unincorporated
association means a body (however described) that governs, manages or conducts
the affairs of the association.
16 Subsection 6(1) (definition of credit reporting
complaint)
Omit “the complainant”, substitute “an individual”.
17 Subsection 6(1)
Insert:
Defence Department means the Department of
State that deals with defence and that is administered by the Minister
administering section 1 of the Defence Act 1903.
18 Subsection 6(1) (definition of file number complaint)
Omit “the complainant”, substitute “an individual”.
19 Subsection 6(1) (paragraph (a) of the definition of file
number complaint)
Omit “guideline”, substitute “rule”.
20 Subsection 6(1)
Insert:
guidance related functions has the meaning
given by subsection 28(1).
21 Subsection 6(1) (definition of individual concerned)
Repeal the definition.
22 Subsection 6(1)
Insert:
interference with the privacy of an individual
has the meaning given by sections 13 to 13F.
23 Subsection 6(1)
Insert:
monitoring related functions has the meaning
given by subsections 28A(1) and (2).
24 Subsection 6(1)
Insert:
offence against this Act includes an offence
against section 6 of the Crimes Act 1914, or section 11.1,
11.2, 11.2A, 11.4 or 11.5 of the Criminal Code, that relates to an
offence against this Act.
25 Subsection 6(1)
Insert:
recognised external dispute resolution scheme
means an external dispute resolution scheme recognised under section 35A.
26 Subsection 6(1) (definition of tax file number
information)
Omit “(including information forming part of a database)”.
27 Subsection 6(3)
Omit “guideline” (wherever occurring), substitute “rule”.
28 Subsection 6(6)
Omit “Department of Defence”, substitute “Defence Department”.
29 Paragraphs 7(1)(ca) and (g) and (1A)(c)
Omit “Department of Defence”, substitute “Defence Department”.
30 Subsection 7(2)
Omit “under section 27”, substitute “in relation to the
principles and such a code”.
31 Paragraph 7(2)(b)
Omit “Department of Defence”, substitute “Defence Department”.
32 Subsection 7(3A)
Repeal the subsection.
33 Subsection 7(4)
Omit “paragraphs 27(1)(b), (c), (d), (e), (g), (k) and (m)”,
substitute “section 28, of paragraphs 28A(2)(a) to (e)”.
34 Section 12B (heading)
Repeal the heading, substitute:
12B
Severability—additional effect of this Act
35 Subsections 12B(1) and (2)
Repeal the subsections, substitute:
(1) Without limiting its effect apart from
this section, this Act has effect in relation to the following (the regulated
entities) as provided by this section:
(a) an agency;
(b) an organisation;
(c) a small business operator;
(d) a body politic.
Note: Subsection 27(4) applies in relation to an
investigation of an act or practice referred to in subsection 29(1) of the Healthcare
Identifiers Act 2010.
(2) This Act also has the effect it would
have if its operation in relation to regulated entities were expressly confined
to an operation to give effect to the following:
(a) the International Covenant on
Civil and Political Rights done at New York on 16 December 1966 ([1980]
ATS 23), and in particular Articles 17 and 24(1) of the Covenant;
(b) Article 16 of the Convention on
the Rights of the Child done at New York on 20 November 1989 ([1991] ATS
4).
Note: In 2012, the text of the Covenant and
Convention in the Australian Treaty Series was accessible through the
Australian Treaties Library on the AustLII website (www.austlii.edu.au).
36 Subsection 12B(3)
Omit “to organisations”, substitute “to regulated entities”.
37 Subsection 12B(3)
Omit “subsection 5B(1)”, substitute “section 5B”.
38 Subsection 12B(3)
Omit “by organisations”.
39 Subsections 12B(4) and (5)
Omit “organisations” (wherever occurring), substitute “regulated
entities”.
40 After subsection 12B(5)
Insert:
(5A) This Act also has the effect it would have
if its operation in relation to regulated entities were expressly confined to
acts or practices engaged in by regulated entities in the course of:
(a) banking (other than State banking
not extending beyond the limits of the State concerned); or
(b) insurance (other than State
insurance not extending beyond the limits of the State concerned).
41 Subsections 12B(6) to (8)
Omit “organisations” (wherever occurring), substitute “regulated
entities”.
42 Sections 13 and 13A
Repeal the sections, substitute:
13
Interferences with privacy
APP entities
(1) An act or practice of an APP entity is an
interference with the privacy of an individual if:
(a) the act or practice breaches an
Australian Privacy Principle in relation to personal information about the
individual; or
(b) the act or practice breaches a
registered APP code that binds the entity in relation to personal information
about the individual.
Credit reporting
(2) An act or practice of an entity is an
interference with the privacy of an individual if:
(a) the act or practice breaches a
provision of Part IIIA in relation to personal information about the
individual; or
(b) the act or practice breaches the
registered CR code in relation to personal information about the individual and
the code binds the entity.
Contracted service providers
(3) An act or practice of an organisation is
an interference with the privacy of an individual if:
(a) the act or practice relates to
personal information about the individual; and
(b) the organisation is a contracted
service provider for a Commonwealth contract (whether or not the organisation
is a party to the contract); and
(c) the act or practice does not
breach:
(i) an Australian Privacy
Principle; or
(ii) a registered APP code
that binds the organisation;
in relation to the personal
information because of a provision of the contract that is inconsistent with
the principle or code; and
(d) the act is done, or the practice
is engaged in, in a manner contrary to, or inconsistent with, that provision.
Note: See subsections 6A(2) and 6B(2) for when an
act or practice does not breach an Australian Privacy Principle or a registered
APP code.
Tax file numbers
(4) An act or practice is an interference
with the privacy of an individual if:
(a) it is an act or practice of a file
number recipient and the act or practice breaches a rule issued under
section 17 in relation to tax file number information that relates to the
individual; or
(b) the act or practice involves an
unauthorised requirement or request for disclosure of the tax file number of
the individual.
Other interferences with privacy
(5) An act or practice is an interference
with the privacy of an individual if the act or practice:
(a) constitutes a breach of
Part 2 of the Data‑matching Program (Assistance and Tax) Act 1990
or the rules issued under section 12 of that Act; or
(b) constitutes a breach of the rules
issued under section 135AA of the National Health Act 1953.
Note: Other Acts may provide that an act or practice
is an interference with the privacy of an individual. For example, see the Healthcare
Identifiers Act 2010, the Anti‑Money Laundering and Counter‑Terrorism
Financing Act 2006 and the Personal Property Securities Act 2009.
43 Subsection 13B(1)
Omit “paragraphs 13A(1)(a) and (b)”, substitute “subsection
13(1)”.
44 Subsection 13B(1)
Omit “of an individual”, substitute “of an individual”.
45 Subsection 13B(2)
Repeal the subsection, substitute:
Relationship with subsection 13(3)
(2) Subsection (1) does not prevent an
act or practice of an organisation from being an interference with the
privacy of an individual under subsection 13(3).
46 Subsection 13C(1)
Omit “of the individual”, substitute “of the individual”.
47 Subsection 13C(2)
Repeal the subsection, substitute:
Effect of subsection (1)
(2) Subsection (1) has effect despite
subsections 13(1) and (3).
48 Subsection 13D(1)
Omit “of an individual”, substitute “of an individual”.
49 Subsection 13D(2)
Repeal the subsection, substitute:
Effect of subsection (1)
(2) Subsection (1) has effect despite
subsections 13(1) and (3).
50 Sections 13E and 13F
Repeal the sections, substitute:
13E
Effect of sections 13B, 13C and 13D
Sections 13B, 13C and 13D do not
prevent an act or practice of an organisation from being an interference
with the privacy of an individual under subsection 13(2), (4) or (5).
13F
Act or practice not covered by section 13 is not an interference with
privacy
An act or practice that is not covered
by section 13 is not an interference with the privacy of an
individual.
13G
Serious and repeated interferences with privacy
An entity contravenes this subsection
if:
(a) the entity does an act, or engages
in a practice, that is a serious interference with the privacy of an
individual; or
(b) the entity repeatedly does an act,
or engages in a practice, that is an interference with the privacy of one or
more individuals.
Civil penalty: 2,000 penalty units.
51 Section 17
Repeal the section, substitute:
17
Rules relating to tax file number information
The Commissioner must, by legislative
instrument, issue rules concerning the collection, storage, use and security of
tax file number information.
52 Section 18 (heading)
Repeal the heading, substitute:
18
File number recipients to comply with rules
53 Section 18
Omit “guideline”, substitute “rule”.
54 Sections 27 to 29
Repeal the sections, substitute:
27
Functions of the Commissioner
(1) The Commissioner has the following
functions:
(a) the functions that are conferred
on the Commissioner by or under:
(i) this Act; or
(ii) any other law of the
Commonwealth;
(b) the guidance related functions;
(c) the monitoring related functions;
(d) the advice related functions;
(e) to do anything incidental or
conducive to the performance of any of the above functions.
(2) The Commissioner has power to do all
things necessary or convenient to be done for, or in connection with, the
performance of the Commissioner’s functions.
(3) Without limiting subsection (2), the
Commissioner may establish a panel of persons with expertise in relation to a
particular matter to assist the Commissioner in performing any of the
Commissioner’s functions.
(4) Section 38 of the Healthcare
Identifiers Act 2010, rather than section 12B of this Act, applies in
relation to an investigation of an act or practice referred to in subsection
29(1) of that Act in the same way as it applies to Parts 3 and 4 of that
Act.
Note: Section 38 of the Healthcare
Identifiers Act 2010 deals with the additional effect of Parts 3 and 4
of that Act.
28 Guidance
related functions of the Commissioner
(1) The following are the guidance
related functions of the Commissioner:
(a) making guidelines for the
avoidance of acts or practices that may or might be interferences with the
privacy of individuals, or which may otherwise have any adverse effects on the
privacy of individuals;
(b) making, by legislative instrument,
guidelines for the purposes of paragraph (d) of Australian Privacy Principle
6.3;
(c) promoting an understanding and
acceptance of:
(i) the Australian Privacy
Principles and the objects of those principles; and
(ii) a registered APP code;
and
(iii) the provisions of
Part IIIA and the objects of those provisions; and
(iv) the registered CR code;
(d) undertaking educational programs
for the purposes of promoting the protection of individual privacy.
(2) The Commissioner may publish the
guidelines referred to in paragraphs (1)(a) and (b) in such manner as the
Commissioner considers appropriate.
(3) The educational programs referred to in
paragraph (1)(d) may be undertaken by:
(a) the Commissioner; or
(b) a person or authority acting on
behalf of the Commissioner.
(4) Guidelines made under
paragraph (1)(a) are not a legislative instrument.
28A Monitoring
related functions of the Commissioner
Credit reporting and tax file number information
(1) The following are the monitoring
related functions of the Commissioner:
(a) monitoring the security and
accuracy of information held by an entity that is information to which
Part IIIA applies;
(b) examining the records of entities
to ensure that the entities:
(i) are not using
information to which Part IIIA applies for unauthorised purposes; and
(ii) are taking adequate
measures to prevent the unlawful disclosure of such information;
(c) examining the records of the
Commissioner of Taxation to ensure that the Commissioner:
(i) is not using tax file
number information for purposes beyond his or her powers; and
(ii) is taking adequate
measures to prevent the unlawful disclosure of the tax file number information
that he or she holds;
(d) evaluating compliance with the
rules issued under section 17;
(e) monitoring the security and
accuracy of tax file number information kept by file number recipients.
Other matters
(2) The following are also the monitoring
related functions of the Commissioner:
(a) examining a proposed enactment
that would require or authorise acts or practices of an entity that might
otherwise be interferences with the privacy of individuals, or which may
otherwise have any adverse effects on the privacy of individuals;
(b) examining a proposal for data
matching or linkage that may involve an interference with the privacy of
individuals, or which may otherwise have any adverse effects on the privacy of
individuals;
(c) ensuring that any adverse effects
of the proposed enactment or the proposal on the privacy of individuals are
minimised;
(d) undertaking research into, and
monitoring developments in, data processing and technology (including data
matching and linkage) to ensure that any adverse effects of such developments
on the privacy of individuals are minimised;
(e) reporting to the Minister the
results of that research and monitoring;
(f) monitoring and reporting on the
adequacy of equipment and user safeguards.
(3) The functions referred to in
paragraphs (2)(a) and (b) may be performed by the Commissioner:
(a) on request by a Minister or
Norfolk Island Minister; or
(b) on the Commissioner’s own initiative.
(4) If the reporting referred to in
paragraph (2)(e) or (f) is done in writing, the instrument is not a
legislative instrument.
28B Advice
related functions of the Commissioner
(1) The following are the advice
related functions of the Commissioner:
(a) providing advice to a Minister,
Norfolk Island Minister or entity about any matter relevant to the operation of
this Act;
(b) informing the Minister of action
that needs to be taken by an agency in order to comply with the Australian
Privacy Principles;
(c) providing reports and
recommendations to the Minister in relation to any matter concerning the need
for, or the desirability of, legislative or administrative action in the
interests of the privacy of individuals;
(d) providing advice to file number
recipients about:
(i) their obligations
under the Taxation Administration Act 1953 in relation to the
confidentiality of tax file number information; or
(ii) any matter relevant to
the operation of this Act.
(2) The functions referred to in paragraphs (1)(a),
(c) and (d) may be performed by the Commissioner on request or on the
Commissioner’s own initiative.
(3) The Commissioner may perform the function
referred to in paragraph (1)(b) whenever the Commissioners think it is
necessary to do so.
(4) If the Minister is informed under
paragraph (1)(b) in writing, or the report referred to in
paragraph (1)(c) is provided in writing, the instrument is not a
legislative instrument.
29
Commissioner must have due regard to the objects of the Act
The Commissioner must have due regard to
the objects of this Act in performing the Commissioner’s functions, and
exercising the Commissioner’s powers, conferred by this Act.
Note: The objects of this Act are set out in
section 2A.
55 Subparagraph 30(1)(b)(ii)
Repeal the subparagraph, substitute:
(ii) does not consider that
it is reasonably possible that the matter that gave rise to the investigation
can be conciliated successfully or has attempted to conciliate the matter
without success.
56 Subsection 30(3)
Omit “under paragraph 27(1)(a), 28(1)(b) or (c) or 28A(1)(b)”.
57 Subsection 30(3)
After “credit provider” (first occurring), insert “that is an
interference with the privacy of an individual under subsection 13(1), (2) or
(4)”.
58 Subsection 30(6)
Repeal the subsection.
59 Subsection 31(1)
Omit “paragraph 27(1)(b)”, substitute “paragraph 28A(2)(a)”.
60 Subsection 31(2)
Omit “agency or organisation”, substitute “entity”.
61 Section 32 (heading)
Repeal the heading, substitute:
32
Commissioner may report to the Minister if the Commissioner has monitored
certain activities etc.
62 Subsection 32(1)
Repeal the subsection, substitute:
(1) If the Commissioner has:
(a) monitored an activity in the
performance of a function under paragraph 28(1)(d), 28A(1)(a), (b), (d) or (e)
or (2)(b), (c) or (d) or 28B(1)(b) or (c); or
(b) conducted an assessment under
section 33C;
the Commissioner may report to the Minister about the
activity or assessment, and must do so if so directed by the Minister.
63 Subsection 32(2)
After “activity”, insert “or assessment”.
64 After section 33B
Insert:
Division 3A—Assessments by, or at the direction of, the Commissioner
33C
Commissioner may conduct an assessment relating to the Australian Privacy
Principles etc.
(1) The Commissioner may conduct an
assessment of the following matters:
(a) whether personal information held
by an APP entity is being maintained and handled in accordance with the
following:
(i) the Australian Privacy
Principles;
(ii) a registered APP code
that binds the entity;
(b) whether information held by an
entity is being maintained and handled in accordance with the following to the
extent that they apply to the information:
(i) the provisions of
Part IIIA;
(ii) the registered CR code
if it binds the entity;
(c) whether tax file number
information held by a file number recipient is being maintained and handled in
accordance with any relevant rules issued under section 17;
(d) whether the data matching program
(within the meaning of the Data‑matching Program (Assistance and Tax) Act
1990) of an agency complies with Part 2 of that Act and the rules
issued under section 12 of that Act;
(e) whether information to which
section 135AA of the National Health Act 1953 applies is being
maintained and handled in accordance with the rules issued under that section.
(2) The Commissioner may conduct the
assessment in such manner as the Commissioner considers fit.
33D
Commissioner may direct an agency to give a privacy impact assessment
(1) If:
(a) an agency proposes to engage in an
activity or function involving the handling of
personal information about individuals; and
(b) the Commissioner considers that
the activity or function might have a significant impact on the privacy of
individuals;
the Commissioner may, in writing, direct the agency to
give the Commissioner, within a specified period, a privacy impact assessment
about the activity or function.
(2) A direction under subsection (1) is
not a legislative instrument.
Privacy impact assessment
(3) A privacy impact assessment
is a written assessment of an activity or function that:
(a) identifies the impact that the
activity or function might have on the privacy of individuals; and
(b) sets out recommendations for
managing, minimising or eliminating that impact.
(4) Subsection (3) does not limit the
matters that the privacy impact assessment may deal with.
(5) A privacy impact assessment is not a
legislative instrument.
Failure to comply with a direction
(6) If an agency does not comply with a direction
under subsection (1), the Commissioner must advise both of the following
of the failure:
(a) the Minister;
(b) if another Minister is responsible
for the agency—that other Minister.
Review
(7) Before the fifth anniversary of the
commencement of this section, the Minister must cause a review to be undertaken
of whether this section should apply in relation to organisations.
Division 3B—Enforceable undertakings
33E
Commissioner may accept undertakings
(1) The Commissioner may accept any of the
following undertakings:
(a) a written undertaking given by an
entity that the entity will, in order to comply with this Act, take specified
action;
(b) a written undertaking given by an
entity that the entity will, in order to comply with this Act, refrain from
taking specified action;
(c) a written undertaking given by an
entity that the entity will take specified action directed towards ensuring
that the entity does not do an act, or engage in a practice, in the future that
interferes with the privacy of an individual.
(2) The undertaking must be expressed to be
an undertaking under this section.
(3) The entity may withdraw or vary the
undertaking at any time, but only with the consent of the Commissioner.
(4) The Commissioner may, by written notice
given to the entity, cancel the undertaking.
(5) The Commissioner may publish the
undertaking on the Commissioner’s website.
33F
Enforcement of undertakings
(1) If:
(a) an entity gives an undertaking
under section 33E; and
(b) the undertaking has not been
withdrawn or cancelled; and
(c) the Commissioner considers that
the entity has breached the undertaking;
the Commissioner may apply to the Federal Court or Federal
Magistrates Court for an order under subsection (2).
(2) If the court is satisfied that the entity
has breached the undertaking, the court may make any or all of the following
orders:
(a) an order directing the entity to
comply with the undertaking;
(b) any order that the court considers
appropriate directing the person to compensate any other person who has
suffered loss or damage as a result of the breach;
(c) any other order that the court
considers appropriate.
65 Subsections 34(1) and (2)
Omit “functions referred to in section 27”, substitute
“Commissioner’s functions”.
66 At the end of Part IV
Add:
35A
Commissioner may recognise external dispute resolution schemes
(1) The Commissioner may, by written notice,
recognise an external dispute resolution scheme:
(a) for an entity or a class of
entities; or
(b) for a specified purpose.
(2) In considering whether to recognise an
external dispute resolution scheme, the Commissioner must take the following
matters into account:
(a) the accessibility of the scheme;
(b) the independence of the scheme;
(c) the fairness of the scheme;
(d) the accountability of the scheme;
(e) the efficiency of the scheme;
(f) the effectiveness of the scheme;
(g) any other matter the Commissioner
considers relevant.
(3) The Commissioner may:
(a) specify a period for which the
recognition of an external dispute resolution scheme is in force; and
(b) make the recognition of an
external dispute resolution scheme subject to specified conditions, including
conditions relating to the conduct of an independent review of the operation of
the scheme; and
(c) vary or revoke:
(i) the recognition of an
external dispute resolution scheme; or
(ii) the period for which
the recognition is in force; or
(iii) a condition to which
the recognition is subject.
(4) A notice under subsection (1) is not
a legislative instrument.
67 Part V (heading)
Repeal the heading, substitute:
Part V—Investigations
etc.
68 Before Division 1 of Part V
Insert:
Division 1A—Introduction
36A
Guide to this Part
In general, this Part deals with
complaints and investigations about acts or practices that may be an
interference with the privacy of an individual.
An individual may complain to the
Commissioner about an act or practice that may be an interference with the
privacy of the individual. If a complaint is made, the Commissioner is required
to investigate the act or practice except in certain circumstances.
The Commissioner may also, on his or
her own initiative, investigate an act or practice that may be an interference
with the privacy of an individual or a breach of Australian Privacy Principle
1.
The Commissioner has a range powers
relating to the conduct of investigations including powers:
(a) to
conciliate complaints; and
(b) to make
preliminary inquiries of any person; and
(c) to require a
person to give information or documents, or to attend a compulsory conference;
and
(d) to transfer
matters to an alternative complaint body in certain circumstances.
After an investigation, the
Commissioner may make a determination in relation to the investigation. An
entity to which a determination relates must comply with certain declarations
included in the determination. Court proceedings may be commenced to enforce a
determination.
69 Subsection 36(7) (note)
Omit “Section 70A contains”, substitute “Sections 98A
to 98C contain”.
70 Subsection 36(8)
Omit “one of paragraphs 13(b) to (d) (inclusive)”, substitute
“subsection 13(2), (4) or (5)”.
71 Subsection 36(8)
After “person”, insert “or entity”.
72 Subsection 38(1)
Omit “or accepted under subsection 40(1B)”.
73 Paragraph 38(1)(a)
After “person”, insert “or entity”.
74 Subsection 38(2)
Omit “or accepted under subsection 40(1B)”.
75 Subsection 38B(2)
Omit all the words after “representative”, substitute:
complaint:
(a) if the complaint was lodged
without the consent of the member—at any time; or
(b) otherwise—at any time before the
Commissioner begins to hold an inquiry into the complaint.
76 Add at the end of subsection 38B(2)
Add:
Note: If a class member withdraws from a
representative complaint that relates to a matter, the former member may make a
complaint under section 36 that relates to the matter.
77 Subsections 40(1B) and (1C)
Repeal the subsections, substitute:
(1B) Subsection (1A) does not apply if the
complaint is about an act or practice that may breach:
(a) section 20R, 20T, 21T or 21V
(which are about access to, and correction of, credit reporting information
etc.); or
(b) a provision of the registered CR
code that relates to that section.
78 Subsection 40(2)
After “Commissioner may”, insert “, on the Commissioner’s own
initiative,”.
79 Paragraph 40(2)(a)
After “individual”, insert “or a breach of Australian Privacy
Principle 1”.
80 Section 40A
Repeal the section, substitute:
40A
Conciliation of complaints
(1) If:
(a) a complaint about an act or
practice is made under section 36; and
(b) the Commissioner considers it is
reasonably possible that the complaint may be conciliated successfully;
the Commissioner must make a reasonable attempt to
conciliate the complaint.
(2) Subsection (1) does not apply if the
Commissioner has decided under section 41 or 50 not to investigate, or not
to investigate further, the act or practice.
(3) If the Commissioner is satisfied that
there is no reasonable likelihood that the complaint will be resolved by
conciliation, the Commissioner must, in writing, notify the complainant
and respondent of that matter.
(4) If a notification is given under
subsection (3), the Commissioner may decide not to investigate, or not to
investigate further, the act or practice.
(5) Evidence of anything said or done in the
course of the conciliation is not admissible in any hearing before the
Commissioner, or in any legal proceedings, relating to complaint or the act or
practice unless:
(a) the complainant and respondent
otherwise agree; or
(b) the thing was said or done in
furtherance of the commission of a fraud or an offence, or the commission of an
act that renders a person liable to a civil penalty.
81 Section 41 (heading)
Repeal the heading, substitute:
41
Commissioner may or must decide not to investigate etc. in certain
circumstances
82 Subsection 41(1)
Omit “, or which the Commissioner has accepted under subsection
40(1B),”.
83 At the end of paragraphs 41(1)(a) and (c)
Add “or”.
84 Paragraph 41(1)(d)
Omit “or lacking in substance;”, substitute “, lacking in
substance or not made in good faith; or”.
85 After paragraph 41(1)(d)
Insert:
(da) an investigation, or further
investigation, of the act or practice is not warranted having regard to all the
circumstances; or
(db) the complainant has not responded,
within the period specified by the Commissioner, to a request for information
in relation to the complaint; or
(dc) the act or practice is being dealt
with by a recognised external dispute resolution scheme; or
(dd) the act or practice would be more
effectively or appropriately dealt with by a recognised external dispute
resolution scheme; or
86 After subsection 41(1)
Insert:
(1A) The Commissioner must not investigate, or
investigate further, an act or practice about which a complaint has been made
under section 36 if the Commissioner is satisfied that the complainant has
withdrawn the complaint.
87 Subsections 41(2) and (3)
Omit “, or accepted by the Commissioner under subsection
40(1B),”.
88 Section 42
Before “Where”, insert “(1)”.
89 Section 42
Omit “or the Commissioner accepts a complaint under subsection
40(1B),”.
90 Section 42
Omit “respondent”, substitute “respondent or any other person”.
91 At the end of section 42
Add:
(2) The Commissioner may make inquiries of any
person for the purpose of determining whether to investigate an act or practice
under subsection 40(2).
92 After subsection 43(1)
Insert:
(1AA) Before commencing an investigation of an act
or practice of a person or entity under subsection 40(2), the Commissioner must
inform the person or entity that the act or practice is to be investigated.
93 Subsection 43(2)
Omit “in private but otherwise”.
94 Subsections 43(4), (5) and (6)
Repeal the subsections, substitute:
(4) The Commissioner may make a determination
under section 52 in relation to an investigation under this Division
without holding a hearing, if:
(a) it appears to the Commissioner
that the matter to which the investigation relates can be adequately determined
in the absence of:
(i) in the case of an
investigation under subsection 40(1)—the complainant and respondent; or
(ii) otherwise—the person
or entity that engaged in the act or practice that is being investigated; and
(b) the Commissioner is satisfied that
there are no unusual circumstances that would warrant the Commissioner holding
a hearing; and
(c) an application for a hearing has
not been made under section 43A.
95 Subsection 43(7)
Omit “afford the complainant or respondent an opportunity to
appear before the Commissioner and to make submissions under
subsection (5)”, substitute “hold a hearing”.
96 Subsection 43(8A)
Omit “an approved privacy code or the National Privacy
Principles”, substitute “the Australian Privacy Principles or a registered APP
code”.
97 After section 43
Insert:
43A
Interested party may request a hearing
(1) An interested party in relation to an
investigation under this Division may, in writing, request that the
Commissioner hold a hearing before the Commissioner makes a determination under
section 52 in relation to the investigation.
(2) If an interested party makes request
under subsection (1), the Commissioner must:
(a) notify any other interested party
of the request; and
(b) give all interested parties a
reasonable opportunity to make a submission about the request; and
(c) decide whether or not to hold a
hearing.
(3) In this section:
interested party in relation to an
investigation means:
(a) in the case of an investigation
under subsection 40(1)—the complainant or respondent; or
(b) otherwise—the person or entity
that engaged in the act or practice that is being investigated.
98 Subsection 44(4)
Omit “sections 69 and”, substitute “section”.
99 Subsection 46(1)
Omit “(except an NPP complaint or a code complaint accepted under
subsection 40(1B))”.
100 Subsection 50(1)
Insert:
alternative complaint body means:
(a) the Australian Human Rights
Commission; or
(b) the Ombudsman; or
(c) the Postal Industry Ombudsman; or
(d) the Overseas Students Ombudsman;
or
(e) the Public Service Commissioner;
or
(f) the Norfolk Island Public Service
Board; or
(g) a recognised external dispute
resolution scheme.
101 At the end of paragraph 50(2)(a)
Add:
(v) to a recognised
external dispute resolution scheme; or
102 Subsection 50(2)
Omit “Australian Human Rights Commission, the Ombudsman, the
Postal Industry Ombudsman, the Overseas Students Ombudsman or the Public
Service Commissioner, as the case may be”, substitute “alternative complaint
body”.
103 Paragraphs 50(2)(c) and (e)
Omit “Australian Human Rights Commission, the Ombudsman, the
Postal Industry Ombudsman, the Overseas Students Ombudsman or the Public
Service Commissioner”, substitute “alternative complaint body”.
104 At the end of paragraph 50(3)(a)
Add:
(v) to the recognised
external dispute resolution scheme; or
105 Subsection 50A(2) (note 2)
Repeal the note, substitute:
Note 2: The Commissioner may determine under
section 53B that the determination applies in relation to an agency if the
organisation has not complied with the determination.
106 Subparagraph 52(1)(b)(i)
Omit “should” (wherever occurring), substitute “must”.
107 After subparagraph 52(1)(b)(i)
Insert:
(ia) a declaration that the
respondent must take specified steps within a specified period to ensure that
such conduct is not repeated or continued;
108 Subparagraph 52(1)(b)(ii)
Omit “should”, substitute “must”.
109 Subsection 52(1A)
Repeal the subsection, substitute:
(1A) After investigating an act or practice of a
person or entity under subsection 40(2), the Commissioner may make a
determination that includes one or more of the following:
(a) a declaration that:
(i) the act or practice is
an interference with the privacy of one or more individuals; and
(ii) the person or entity
must not repeat or continue the act or practice;
(b) a declaration that the person or
entity must take specified steps within a specified period to ensure that the
act or practice is not repeated or continued;
(c) a declaration that the person or
entity must perform any reasonable act or course of conduct to redress any loss
or damage suffered by one or more of those individuals;
(d) a declaration that one or more of
those individuals are entitled to a specified amount by way of compensation for
any loss or damage suffered by reason of the act or practice;
(e) a declaration that it would be
inappropriate for any further action to be taken in the matter.
(1AA) The steps specified by the Commissioner under
subparagraph (1)(b)(ia) or paragraph (1A)(b) must be reasonable and
appropriate.
(1AB) The loss or damage referred to in
paragraph (1)(b) or subsection (1A) includes:
(a) injury to the feelings of the
complainant or individual; and
(b) humiliation suffered by the
complainant or individual.
110 Subsection 52(1B)
After “subsection (1)”, insert “or (1A)”.
111 Subsections 52(3A) and (3B)
Repeal the subsections, substitute:
(3A) A determination under paragraph (1)(b)
or subsection (1A) may include any order that the Commissioner considers
necessary or appropriate.
112 Subsection 53A(1)
Omit “to which a contracted service provider for a Commonwealth
contract is the respondent”, substitute “that applies in relation to a
contracted service provider for a Commonwealth contract”.
113 Section 53B (heading)
Repeal the heading, substitute:
53B
Substituting an agency for a contracted service provider
114 Paragraph 53B(1)(a)
Repeal the paragraph, substitute:
(a) a determination under
section 52 applies in relation to a contracted service provider for a
Commonwealth contract; and
115 After subparagraph 53B(1)(b)(i)
Insert:
(ia) a declaration under
paragraph 52(1A)(d) that one or more individuals are entitled to a specified
amount by way of the compensation; or
116 Paragraph 53B(1)(c)
Omit “respondent”, substitute “provider”.
117 Paragraph 53B(1)(d)
After “complainant”, insert “or individuals”.
118 Paragraph 53B(1)(d)
Omit “subparagraph (b)(i) or (b)(ii)”, substitute
“paragraph (b)”.
119 Subsection 53B(2)
After “writing that”, insert “the determination under
section 52 instead applies in relation to”.
120 Subsection 53B(2)
Omit “is the respondent to the determination under
section 52”.
121 Subsection 53B(2) (at the end of the note)
Add “or individuals”.
122 Subsection 54(1)
Omit “respondent to the determination is”, substitute “determination
applies in relation to”.
123 Section 55
Repeal the section, substitute:
55
Obligations of organisations and small business operators
If the determination applies in relation
to an organisation or small business operator, the organisation or operator:
(a) must not repeat or continue
conduct that is covered by a declaration included in the determination under
sub‑subparagraph 52(1)(b)(i)(B) or paragraph 52(1A)(a); and
(b) must take the steps that are
specified in a declaration included in the determination under subparagraph
52(1)(b)(ia) or paragraph 52(1A)(b) within the specified period; and
(c) must perform the act or course of
conduct that is covered by a declaration included in the determination under
subparagraph 52(1)(b)(ii) or paragraph 52(1A)(c).
124 Subsection 55A(1)
Omit “Any of the”, substitute “The”.
125 Paragraphs 55A(1)(a) to (c)
Repeal the paragraphs, substitute:
(a) if the determination was made
under subsection 52(1)—the complainant;
(b) the Commissioner.
126 Subsection 55A(2)
Omit “respondent”, substitute “person or entity in relation to
which the determination applies”.
127 Subsection 55A(2)
Omit “the complainant”, substitute “an individual”.
128 Subsection 55A(5)
Omit “respondent”, substitute “person or entity in relation to
which the determination applies”.
129 Subsection 55A(5)
Omit “the complainant”, substitute “an individual”.
130 Paragraph 55A(6)(c)
Omit “appearance”, substitute “hearing”.
131 Paragraph 55A(6)(c)
Omit “under subsection 43(5)”.
132 Subsection 55A(7A)
Omit “matters that paragraph 29(a) requires the Commissioner to
have due regard to”, substitute “objects of this Act”.
133 Paragraphs 55B(1)(a) and (b) and (3)(a) and (b)
Repeal the paragraphs, substitute:
(a) a specified APP entity had
breached an Australian Privacy Principle; or
(b) a specified APP entity had
breached a registered APP code that binds the entity.
134 Subsection 57(1)
Omit “has an agency, or the principal executive of an agency, as
the respondent”, substitute “that applies in relation to an agency or the
principal executive of an agency”.
135 Section 58
Repeal the section, substitute:
58
Obligations of agencies
If this Division applies to a
determination and the determination applies in relation to an agency, the agency:
(a) must not repeat or continue
conduct that is covered by a declaration included in the determination under
subparagraph 52(1)(b)(i) or paragraph 52(1A)(a); and
(b) must take the steps that are
specified in a declaration included in the determination under subparagraph
52(1)(b)(ia) or paragraph 52(1A)(b) within the specified period; and
(c) must perform the act or course of
conduct that is covered by a declaration included in the determination under
subparagraph 52(1)(b)(ii) or paragraph 52(1A)(c).
136 Section 59
Omit “the principal executive of an agency is the respondent to a
determination to which this Division applies”, substitute “this Division
applies to a determination and the determination applies in relation to the
principal executive of an agency”.
137 Paragraph 59(b)
After “subparagraph 52(1)(b)(i)”, insert “or paragraph
52(1A)(a)”.
138 After paragraph 59(b)
Insert:
(ba) that the steps specified in a
declaration included in the determination under subparagraph 52(1)(b)(ia) or
paragraph 52(1A)(b) are taken within the specified period; and
139 At the end of paragraph 59(c)
Add “or paragraph 52(1A)(c)”.
140 Subsection 60(1)
After “subparagraph 52(1)(b)(iii)”, insert “, paragraph
52(1A)(d)”.
141 Subsection 60(1)
After “complainant”, insert “or individual”.
142 Subsection 60(2)
Omit “respondent is”, substitute “determination applies in
relation to”.
143 Subsection 60(2)
After “complainant” (wherever occurring), insert “or individual”.
144 Section 61
Repeal the section.
145 Subsection 62(3)
Repeal the subsection, substitute:
(3) The application may be made by:
(a) if the determination was made
under subsection 52(1)—the complainant; or
(b) the Commissioner.
146 Subsection 62(4)
Omit “respondent”, substitute “agency or principal executive”.
147 Paragraph 62(5)(a)
Omit “section 61”, substitute “section 96”.
148 At the end of section 62
Add:
(6) In this section:
complainant, in relation to a representative
complaint, means a class member.
149 Subsection 63(2A)
Omit “NPP”, substitute “APP”.
150 Paragraphs 67(aa) and (ab)
Repeal the paragraphs.
151 Sections 69 and 70A
Repeal the sections.
152 Subsection 72(1)
Repeal the subsection.
153 Subsection 72(2) (heading)
Repeal the heading, substitute:
Determinations about an APP entity’s acts and practices
154 Paragraph 72(2)(a)
Repeal the paragraph, substitute:
(a) an act or practice of an APP
entity breaches, or may breach:
(i) an Australian Privacy
Principle; or
(ii) a registered APP code
that binds the entity; but
155 Paragraph 72(2)(b)
Omit “organisation”, substitute “entity”.
156 Paragraph 72(2)(b)
Omit “Principle”, substitute “principle”.
157 Subsection 72(2)
Omit “make a written”, substitute “, by legislative instrument,
make a”.
158 Subsection 72(3)
Omit “organisation is taken not to contravene section 16A if
the organisation”, substitute “APP entity is taken not to contravene
section 15 or 26A if the entity”.
159 Subsection 72(4)
Omit “make a written”, substitute “, by legislative instrument,
make a”.
160 Subsection 72(4)
Omit “organisation is taken to contravene section 16A”,
substitute “APP entity is taken to contravene section 15 or 26A”.
161 Subsection 72(4)
Omit “organisation does”, substitute “APP entity does”.
162 Subsection 72(4)
Omit “organisation or any other organisation”, substitute “entity
or any other APP entity”.
163 Section 73 (heading)
Repeal the heading, substitute:
73
Application by APP entity
164 Subsection 73(1)
Omit “An agency or organisation”, substitute “An APP entity”.
165 Subsection 73(1)
Omit “the agency or organisation”, substitute “the entity”.
166 After subsection 73(1)
Insert:
(1A) If:
(a) an application is made under
subsection (1); and
(b) the Commissioner is satisfied that
the application is frivolous, vexatious, misconceived, lacking in substance or
not made in good faith;
the Commissioner may, in writing, dismiss the application.
167 Section 74 (heading)
Repeal the heading, substitute:
74
Publication of application etc.
168 Subsection 74(1)
Omit all the words after “notice”, substitute:
of:
(a) the receipt by the Commissioner of
an application; and
(b) if the Commissioner dismisses an
application under subsection 73(1A)—the dismissal of the application.
169 At the end of subsection 75(1)
Add “unless the Commissioner dismisses the application under
subsection 73(1A)”.
170 Subsection 79(3)
Repeal the subsection.
171 Section 80
Repeal the section.
172 Paragraph 80A(1)(a)
Omit “agency or organisation”, substitute “APP entity”.
173 Subparagraphs 80A(1)(a)(i) and (ii)
Repeal the subparagraphs, substitute:
(i) an Australian Privacy
Principle; or
(ii) a registered APP code
that binds the entity; and
174 Paragraph 80A(1)(b)
Omit “agency or organisation”, substitute “entity”.
175 Paragraph 80A(1)(b)
Omit “Principle”, substitute “principle”.
176 Subsection 80A(2)
Omit “make a written temporary public interest”, substitute “, by
legislative instrument, make a”.
177 Paragraph 80A(2)(a)
Omit “agency or organisation”, substitute “APP entity”.
178 Subsection 80A(3)
Repeal the subsection, substitute:
(3) The Commissioner must specify in the
determination a period of up to 12 months during which the determination is in
force (subject to subsection 80D(2)).
179 Subsections 80B(1) and (2)
Repeal the subsections, substitute:
APP entity covered by a determination
(1) If an act or practice of an APP entity is
the subject of a temporary public interest determination, the entity is taken
not to breach section 15 or 26A if the entity does the act, or engages in
the practice, while the determination is in force.
180 Subsection 80B(3)
Omit “make a written”, substitute “, by legislative instrument,
make a”.
181 Subsection 80B(3)
Omit “organisation is taken to contravene section 16A”,
substitute “APP entity is taken to contravene section 15 or 26A”.
182 Subsection 80B(3)
Omit “organisation does”, substitute “APP entity does”.
183 Subsection 80B(3)
Omit “organisation or another organisation”, substitute “entity
or another APP entity”.
184 Section 80C
Repeal the section.
185 Paragraph 80D(2)(a)
Omit “subsection 72(1) or (2) (as appropriate)”, substitute
“subsection 72(2)”.
186 Paragraph 80P(1)(a)
Omit “concerned”.
187 Subsections 80P(4) and (5)
Repeal the subsections, substitute:
(4) An entity does not breach an Australian
Privacy Principle, or a registered APP code that binds the entity, in respect
of a collection, use or disclosure of personal information authorised by
subsection (1).
188 Paragraphs 80Q(2)(a) and (b)
Repeal the paragraphs, substitute:
(a) if the first person is an APP
entity—a disclosure permitted under an Australian Privacy Principle or a
registered APP code that binds the person;
189 After Part VIA
Part VIB—Civil penalty orders
Division 1—Civil penalty provisions
80U
Civil penalty provisions
A subsection of this Act (or a section
of this Act that is not divided into subsections) is a civil penalty
provision if the words “civil penalty” and one or more amounts in
penalty units are set out at the foot of the subsection (or section).
80V
Ancillary contravention of civil penalty provisions
(1) An entity must not:
(a) attempt to contravene a civil
penalty provision; or
(b) aid, abet, counsel or procure a
contravention of a civil penalty provision; or
(c) induce (by threats, promises or
otherwise) a contravention of a civil penalty provision; or
(d) be in any way, directly or
indirectly, knowingly concerned in, or party to, a contravention of a civil
penalty provision; or
(e) conspire with others to effect a
contravention of a civil penalty provision.
(2) An entity that contravenes
subsection (1) in relation to a civil penalty provision is taken to have
contravened the provision.
Division 2—Obtaining a civil penalty order
80W
Civil penalty orders
Application for order
(1) The Commissioner may apply to the Federal
Court or Federal Magistrates Court for an order that an entity, that is alleged
to have contravened a civil penalty provision, pay the Commonwealth a pecuniary
penalty.
(2) The Commissioner must make the
application within 6 years of the alleged contravention.
Court may order entity to pay pecuniary penalty
(3) If the court is satisfied that the entity
has contravened the civil penalty provision, the court may order the entity to
pay to the Commonwealth such pecuniary penalty for the contravention as the
court determines to be appropriate.
Note: Subsection (5) sets out the maximum
penalty that the court may order the entity to pay.
(4) An order under subsection (3) is a civil
penalty order.
Determining pecuniary penalty
(5) The pecuniary penalty must not be more
than:
(a) if the entity is a body
corporate—5 times the amount of the pecuniary penalty specified for the civil
penalty provision; or
(b) otherwise—the amount of the
pecuniary penalty specified for the civil penalty provision.
(6) In determining the pecuniary penalty, the
court must take into account all relevant matters, including:
(a) the nature and extent of the
contravention; and
(b) the nature and extent of any loss
or damage suffered because of the contravention; and
(c) the circumstances in which the
contravention took place; and
(d) whether the entity has previously
been found by a court in proceedings under this Act to have engaged in any
similar conduct.
80X
Civil enforcement of penalty
(1) A pecuniary penalty is a debt payable to
the Commonwealth.
(2) The Commonwealth may enforce a civil
penalty order as if it were an order made in civil proceedings against the
entity to recover a debt due by the entity. The debt arising from the order is
taken to be a judgement debt.
80Y
Conduct contravening more than one civil penalty provision
(1) If conduct constitutes a contravention of
2 or more civil penalty provisions, proceedings may be instituted under this
Division against an entity in relation to the contravention of any one or more
of those provisions.
(2) However, the entity is not liable to more
than one pecuniary penalty under this Division in relation to the same conduct.
80Z
Multiple contraventions
(1) The Federal Court or Federal Magistrates
Court may make a single civil penalty order against an entity for multiple
contraventions of a civil penalty provision if:
(a) proceedings for the contraventions
are founded on the same facts; or
(b) the contraventions form, or are
part of, a series of contraventions of the same or a similar character.
(2) However, the pecuniary penalty must not
exceed the sum of the maximum pecuniary penalties that could be ordered if a
separate civil penalty order were made for each of the contraventions.
Note: In determining the pecuniary penalty, the
court must take into account all relevant matters including the matters
mentioned in subsection 80W(6).
80ZA
Proceedings may be heard together
The Federal Court or Federal Magistrates
Court may direct that 2 or more proceedings for civil penalty orders are to be
heard together.
80ZB
Civil evidence and procedure rules for civil penalty orders
The Federal Court or Federal Magistrates
Court must apply the rules of evidence and procedure for civil matters when
hearing proceedings for a civil penalty order.
80ZC
Contravening a civil penalty provision is not an offence
A contravention of a civil penalty
provision is not an offence.
Division 3—Civil proceedings and criminal proceedings
80ZD
Civil proceedings after criminal proceedings
The Federal Court or Federal Magistrates
Court must not make a civil penalty order against an entity for a contravention
of a civil penalty provision if the entity has been convicted of an offence
constituted by conduct that is the same, or substantially the same, as the
conduct constituting the contravention.
80ZE
Criminal proceedings during civil proceedings
(1) Proceedings for a civil penalty order
against an entity for a contravention of a civil penalty provision are stayed
if:
(a) criminal proceedings are commenced
or have already been commenced against the entity for an offence; and
(b) the offence is constituted by
conduct that is the same, or substantially the same, as the conduct alleged to
constitute the contravention.
(2) The proceedings for the civil penalty
order may be resumed if the entity is not convicted of the offence. Otherwise:
(a) the proceedings are dismissed; and
(b) costs must not be awarded in
relation to the proceedings.
80ZF
Criminal proceedings after civil proceedings
Criminal proceedings may be commenced
against an entity for conduct that is the same, or substantially the same, as
conduct that would constitute a contravention of a civil penalty provision
regardless of whether a civil penalty order has been made against the entity in
relation to the contravention.
80ZG
Evidence given in proceedings for civil penalty order not admissible in
criminal proceedings
(1) Evidence of information given, or
evidence of production of documents, by an individual is not admissible in
criminal proceedings against the individual if:
(a) the individual previously gave the
evidence or produced the documents in proceedings for a civil penalty order
against the individual for an alleged contravention of a civil penalty
provision (whether or not the order was made); and
(b) the conduct alleged to constitute
the offence is the same, or substantially the same, as the conduct alleged to
constitute the contravention.
(2) However, subsection (1) does not
apply to criminal proceedings in relation to the falsity of the evidence given
by the individual in the proceedings for the civil penalty order.
190 After paragraph 82(2)(a)
Insert:
(aa) the Privacy Commissioner (within
the meaning of the Australian Information Commissioner Act 2010); and
191 Paragraph 82(2)(b)
Omit “6 other”, substitute “8 other”.
192 Subsection 82(3)
After “Commissioner”, insert “and Privacy Commissioner (within
the meaning of that Act)”.
193 Paragraph 82(7)(a)
Repeal the paragraph, substitute:
(a) at least one must be a person who
has had at least 5 years’ experience at a high level in industry or commerce;
and
(aa) at least one must be a person who
has had at least 5 years’ experience at a high level in public administration,
or the service of a government or an authority of a government; and
(ab) at least one must be a person who
has had extensive experience in health privacy; and
194 Paragraph 82(7)(b)
Omit “shall”, substitute “must”.
195 At the end of paragraph 82(7)(b)
Add “and”.
196 Paragraph 82(7)(c)
Repeal the paragraph, substitute:
(c) at least one must be a person who
has had extensive experience in information and communication technologies; and
197 Paragraphs 82(7)(d) and (e)
Omit “shall”, substitute “must”.
198 Paragraph 83(b)
Omit “guidelines”, substitute “rules or guidelines”.
199 Subsections 95(5), 95A(7) and 95AA(3)
Repeal the subsections.
200 After section 95C
Insert:
96
Review by the Administrative Appeals Tribunal
(1) An application may be made to the
Administrative Appeals Tribunal for review of the following decisions of the
Commissioner:
(a) a decision under subsection 26H(1)
not to register an APP code developed by an APP code developer;
(b) a decision under subsection 26S(1)
not to register a CR code developed by a CR code developer;
(c) a decision under subsection 52(1)
or (1A) to make a determination;
(d) a decision under subsection 73(1A)
to dismiss an application;
(e) a decision under section 95
to refuse to approve the issue of guidelines;
(f) a decision under subsection
95A(2) or (4) or 95AA(2) to refuse to approve guidelines;
(g) a decision under subsection 95A(6)
to revoke an approval of guidelines.
(2) An application under
paragraph (1)(a) may only be made by the APP code developer that developed
the APP code.
(3) An application under
paragraph (1)(b) may only be made by the CR code developer that developed
the CR code.
201 After section 98
Insert:
98A
Treatment of partnerships
(1) If, apart from this subsection, this Act
would impose an obligation on a partnership, the obligation is imposed instead
on each partner but may be discharged by any of the partners.
(2) If, apart from this subsection, an
offence against this Act would be committed by a partnership, the offence is
taken to have been committed by each partner.
(3) If, apart from this subsection, a
partnership would contravene a civil penalty provision, the contravention is
taken to have been committed by each partner.
(4) A partner does not commit an offence
against this Act because of subsection (2), or contravene a civil penalty
provision because of subsection (3), if the partner:
(a) does not know of the circumstances
that constitute the contravention of the provision concerned; or
(b) knows of those circumstances but
takes all reasonable steps to correct the contravention as soon as possible
after the partner becomes aware of those circumstances.
Note: In criminal proceedings, a defendant bears an
evidential burden in relation to the matters in subsection (4) (see
subsection 13.3(3) of the Criminal Code).
98B Treatment
of unincorporated associations
(1) If, apart from this subsection, this Act
would impose an obligation on an unincorporated association, the obligation is
imposed instead on each member of the association’s committee of management but
may be discharged by any of the members.
(2) If, apart from this subsection, an
offence against this Act would be committed by an unincorporated association,
the offence is taken to have been committed by each member of the association’s
committee of management.
(3) If, apart from this subsection, an
unincorporated association would contravene a civil penalty provision, the
contravention is taken to have been committed by each member of the
association’s committee of management.
(4) A member of an unincorporated association’s
committee of management does not commit an offence against this Act because of
subsection (2), or contravene a civil penalty provision because of
subsection (3), if the member:
(a) does not know of the circumstances
that constitute the contravention of the provision concerned; or
(b) knows of those circumstances but
takes all reasonable steps to correct the contravention as soon as possible
after the member becomes aware of those circumstances.
Note: In criminal proceedings, a defendant bears an
evidential burden in relation to the matters in subsection (4) (see
subsection 13.3(3) of the Criminal Code).
98C
Treatment of trusts
(1) If, apart from this subsection, this Act
would impose an obligation on a trust, the obligation is imposed instead on
each trustee of the trust but may be discharged by any of the trustees.
(2) If, apart from this subsection, an
offence against this Act would be committed by a trust, the offence is taken to
have been committed by each trustee of the trust.
(3) If, apart from this subsection, a trust
would contravene a civil penalty provision, the contravention is taken to have
been committed by each trustee of the trust.
(4) A trustee of a trust does not commit an
offence against this Act because of subsection (2), or contravene a civil
penalty provision because of subsection (3), if the trustee:
(a) does not know of the circumstances
that constitute the contravention of the provision concerned; or
(b) knows of those circumstances but
takes all reasonable steps to correct the contravention as soon as possible
after the trustee becomes aware of those circumstances.
Note: In criminal proceedings, a defendant bears an
evidential burden in relation to the matters in subsection (4) (see
subsection 13.3(3) of the Criminal Code).
202 Subsection 99A(1)
After “this Act”, insert “or for a civil penalty order”.
203 Subsection 99A(2)
After “this Act”, insert “or proceedings for a civil penalty
order”.
204 Subsection 99A(3)
After “this Act”, insert “or for a civil penalty order”.
205 Subsection 99A(4)
After “this Act”, insert “or proceedings for a civil penalty
order”.
206 Subsection 99A(9)
Repeal the subsection.
Federal Circuit Court of
Australia (Consequential Amendments) Act 2013 (No. 13, 2013)
Schedule 3
83 Section 19
Omit “Federal Magistrates Court”, substitute “Federal Circuit
Court”.
84 Subsection 25(1)
Omit “Federal Magistrates Court”, substitute “Federal Circuit
Court”.
85 Subsection 25A(2)
Omit “Federal Magistrates Court”, substitute “Federal Circuit
Court”.
86 Subsection 33F(1)
Omit “Federal Magistrates Court”, substitute “Federal Circuit
Court”.
87 Subsection 80W(1)
Omit “Federal Magistrates Court”, substitute “Federal Circuit
Court”.
88 Subsection 80Z(1)
Omit “Federal Magistrates Court”, substitute “Federal Circuit
Court”.
89 Section 80ZA
Omit “Federal Magistrates Court”, substitute “Federal Circuit
Court”.
90 Section 80ZB
Omit “Federal Magistrates Court”, substitute “Federal Circuit
Court”.
91 Section 80ZD
Omit “Federal Magistrates Court”, substitute “Federal Circuit
Court”.
Endnote
4—Misdescribed amendments
This endnote sets out amendments of the Privacy Act 1988 that have been misdescribed.
Healthcare Identifiers
(Consequential Amendments) Act 2010 (No. 73, 2010)
Schedule 2
8 Section 13 (note) (the note added by item 4 of
this Schedule)
After “Note”, insert “1”.
9 Section 13 (note) (the note added by item 26 of
Schedule 5 to the Personal Property Securities (Consequential
Amendments) Act 2009)
After “Note”, insert “2”.
Endnote
5—Modifications
This endnote sets out modifications of the Privacy Act 1988.
Australian Capital Territory
Government Service (Consequential Provisions) Act 1994 (No. 92, 1994)
The modifications are not incorporated in this endnote.
Banking (State Bank of South Australia and Other Matters) Act 1994 (No. 69, 1994)
Part 2.3—Modifications of the Privacy Act 1988 relating to the
restructuring of the State Bank of South
Australia
Division 1—Preliminary
12
Object of Part
The object of this Part is to facilitate
the restructuring of the State Bank of South Australia by modifying the effect
of the Privacy Act 1988.
13
Interpretation
An expression used in this Part and in
the Privacy Act 1988 has the same meaning in this Part as it has in that
Act.
14
Definitions
In this Part:
account includes a deposit or loan.
appointed day has the same meaning as in the State
Bank (Corporatisation) Act 1994 of South Australia.
borrower has a meaning corresponding to loan.
designated subsidiary of the State Bank of South Australia means a company that is an SBSA subsidiary within the meaning of
the State Bank (Corporatisation) Act 1994 of South Australia.
eligible customer,
in relation to a person, means:
(a) an
individual who is, or has sought to become:
(i) a customer of the
person within the ordinary meaning of that expression; or
(ii) a depositor with the
person; or
(iii) a borrower from the
person; or
(b) a guarantor or prospective
guarantor of an individual who is, or has sought to become, a borrower from the
person.
re‑transfer provision means:
(a) section 16 of the State
Bank (Corporatisation) Act 1994 of South Australia; or
(b) a corresponding provision of a law
of another State or of a Territory.
transfer provision means:
(a) section 7 of the State
Bank (Corporatisation) Act 1994 of South Australia; or
(b) a corresponding provision of a law
of another State or of a Territory.
15
State banking
(1) Section 12A of the Privacy Act
1988 has effect as if the provisions of this Part were provisions of that
Act.
(2) A reference in the Privacy Act 1988 to
State banking does not include a reference to State banking to the extent to
which the matter of State banking has been referred to the Parliament under
section 21 of the State Bank (Corporatisation) Act 1994 of South Australia.
Division 2—Transfers of
loans–transferee bank deemed to have provided credit
16 Transfers to Bank of South Australia Limited
(1) This section applies if:
(a) a loan or prospective loan is
transferred on a particular day (the transfer day) under a
transfer provision to Bank of South Australia Limited from:
(i) the State Bank of South Australia; or
(ii) a designated
subsidiary of the State Bank of South Australia; and
(b) immediately before the transfer,
the loan or prospective loan was credit provided by the State Bank of South Australia or the designated subsidiary, as the case may be.
(2) This Part and the Privacy Act 1988
have effect, on and after the transfer day, as if the loan or prospective loan
were credit provided by Bank of South Australia Limited instead of by the State
Bank of South Australia or the designated subsidiary, as the case requires.
17 Re‑transfers
to the State Bank of South Australia or a designated subsidiary of the State
Bank of South Australia
(1) This section applies if:
(a) a loan or prospective loan is
transferred on a particular day (the re‑transfer day) under a re‑transfer
provision from Bank of South Australia Limited to:
(i) the State Bank of South Australia; or
(ii) a designated
subsidiary of the State Bank of South Australia; and
(b) immediately before the transfer,
the loan or prospective loan was credit provided by Bank of South Australia
Limited.
(2) This Part and the Privacy Act 1988 have
effect, on and after the re‑transfer day, as if the loan or prospective loan
were credit provided by the State Bank of South Australia or by the designated
subsidiary, as the case requires, instead of by Bank of South Australia
Limited.
Division 3—Disclosure of reports
Subdivision A—Transfers to Bank of South Australia Limited
18
Disclosure of information about transferred eligible customers
(1) This section applies to the disclosure of
a report (within the meaning of subsection 18N(9) of the Privacy Act
1988) or any personal information derived from such a report if:
(a) the
disclosure is by:
(i) the State Bank of South Australia; or
(ii) a designated
subsidiary of the State Bank of South Australia; or
(iii) an agent of a body
covered by subparagraph (i) or (ii); and
(b) the report or information is
disclosed to:
(i) Bank of South
Australia Limited; or
(ii) an agent of Bank of
South Australia Limited; and
(c) the report or information relates
to the affairs of an individual who:
(i) was an eligible
customer of the State Bank of South Australia or the designated subsidiary, as
the case may be; and
(ii) became an eligible
customer of Bank of South Australia Limited as a result of the operation of a
transfer provision; and
(d) the report or information is
disclosed for the purposes of facilitating the operation of a transfer
provision in relation to the individual.
(2) The disclosure does not breach:
(a) the Privacy Act 1988; or
(b) the Code of Conduct.
Subdivision B—Re‑transfers to the State Bank of South Australia or to a designated
subsidiary of the State Bank of South Australia
19
Disclosure of information where account is re‑transferred to the State Bank of South Australia or to a designated subsidiary of the State Bank of South Australia
(1) This section applies to the disclosure of
a report (within the meaning of subsection 18N(9) of the Privacy Act
1988) or any personal information derived from such a report if:
(a) the
disclosure is by:
(i) Bank
of South Australia Limited; or
(ii) an
agent of Bank of South Australia Limited; and
(b) the
report or information is disclosed to:
(i) the State Bank of South Australia; or
(ii) a designated
subsidiary of the State Bank of South Australia; or
(iii) an agent of a body
covered by subparagraph (i) or (ii); and
(c) the report relates to the affairs
of an eligible customer of the State Bank of South Australia or of the
designated subsidiary, as the case requires, whose account was transferred to
that Bank or subsidiary from Bank of South Australia Limited as a result of the
operation of a re‑transfer provision; and
(d) the report or information is
disclosed for the purposes of facilitating the operation of the re‑transfer
provision in relation to the eligible customer.
(2) The disclosure does not breach:
(a) the Privacy Act 1988; or
(b) the Code of Conduct.
Subdivision C—Management of accounts by Bank of South Australia Limited
20
Disclosure of information where Bank of South Australia Limited manages the
account of an eligible customer of the State Bank of South Australia or a
designated subsidiary of the State Bank of South Australia
(1) This section applies to the disclosure of
a report (within the meaning of subsection 18N(9) of the Privacy Act
1988) or any personal information derived from such a report if:
(a) the disclosure is by:
(i) the State Bank of South Australia; or
(ii) a designated
subsidiary of the State Bank of South Australia; or
(iii) an
agent of a body covered by subparagraph (i) or (ii); and
(b) the
report or information is disclosed to Bank of South Australia Limited; and
(c) the report or information relates
to the affairs of an eligible customer of the State Bank of South Australia or
of the designated subsidiary, as the case may be; and
(d) an account of the eligible
customer is being managed by Bank of South Australia Limited as agent for the
State Bank of South Australia or the designated subsidiary, as the case may be;
and
(e) the report or information is
disclosed for the purposes of facilitating the management of the account.
(2) The disclosure does not breach:
(a) the Privacy Act 1988; or
(b) the Code of Conduct.
Subdivision D—Dissolution of designated subsidiaries of the State Bank of South Australia
21
Disclosure of information where a designated subsidiary of the State Bank of South Australia is about to be dissolved
(1) This section applies if:
(a) a designated subsidiary of the
State Bank of South Australia is proposed to be dissolved under subsection 23(1)
of the State Bank (Corporatisation) Act 1994 of South Australia; and
(b) as a result of the dissolution, an
account with the designated subsidiary will be vested in the State Bank of South Australia under subsection 23(2) of that Act.
(2) In applying paragraph 18N(1)(d) of
the Privacy Act 1988 to a disclosure that is relevant to that account,
the designated subsidiary is taken to be related to the State Bank of South
Australia.
Division 4—Authorities and notifications
Subdivision A—Transfers to Bank of South Australia Limited
22
Authorities relating to the State Bank of South Australia or a designated
subsidiary of the State Bank of South Australia deemed to relate to Bank of
South Australia Limited
(1) This section applies to an authority (however
described) given under the Privacy Act 1988 if:
(a) the authority was given to:
(i) the State Bank of South Australia; or
(ii) a designated
subsidiary of the State Bank of South Australia; and
(b) the authority authorised the State
Bank of South Australia or the designated subsidiary, as the case may be, to
disclose, use or receive:
(i) a credit report; or
(ii) any other information
that has or has had any bearing on an individual’s credit worthiness, credit
standing, credit history or credit capacity; and
(c) the authority relates to the
affairs of an individual who:
(i) was an eligible
customer of the State Bank of South Australia or the designated subsidiary, as
the case may be; and
(ii) became an eligible
customer of Bank of South Australia Limited on a particular day (the transfer
day) as a result of the operation of a transfer provision.
(2) This Part and the Privacy Act 1988 have
effect, on and after the transfer day, as if the authority had been given to,
and had so authorised, Bank of South Australia Limited instead of the State
Bank of South Australia or the designated subsidiary, as the case requires.
23
Notifications given by the State Bank of South Australia or a designated
subsidiary of the State Bank of South Australia deemed to have been given by
Bank of South Australia Limited
(1) This section applies to a notification
(however described) given under the Privacy Act 1988 if:
(a) the notification was given by:
(i) the State Bank of South Australia; or
(ii) a designated subsidiary
of the State Bank of South Australia; and
(b) the notification was given to an
individual who:
(i) was an eligible
customer of the State Bank of South Australia or the designated subsidiary, as
the case may be; and
(ii) became an eligible
customer of Bank of South Australia Limited on a particular day (the transfer
day) as a result of the operation of a transfer provision.
(2) This Part and the Privacy Act 1988 have
effect, on and after the transfer day, as if the notification had been given by
Bank of South Australia Limited instead of by the State Bank of South Australia or the designated subsidiary, as the case requires.
Subdivision B—Re‑transfers to the State Bank of South Australia or to a designated
subsidiary of the State Bank of South Australia
24
Authorities relating to Bank of South Australia Limited deemed to relate to the
State Bank of South Australia or the designated subsidiary concerned
(1) This section applies to an authority
(however described) given under the Privacy Act 1988 if:
(a) the authority was given to Bank of
South Australia Limited; and
(b) the authority authorised Bank of
South Australia Limited to disclose, use or receive:
(i) a credit report; or
(ii) any other information
that has or has had any bearing on an individual’s credit worthiness, credit
standing, credit history or credit capacity; and
(c) the authority relates to the
affairs of an individual who:
(i) was an eligible
customer of Bank of South Australia Limited; and
(ii) became an eligible
customer of the State Bank of South Australia or a designated subsidiary of the
State Bank of South Australia on a particular day (the re‑transfer day)
as a result of the operation of a re‑transfer provision.
(2) The Privacy Act 1988 has effect,
on and after the re‑transfer day, as if the authority had been given to, and
had so authorised, the State Bank of South Australia or the designated
subsidiary, as the case requires, instead of Bank of South Australia Limited.
25
Notifications given by Bank of South Australia Limited deemed to have been
given by the State Bank of South Australia or the designated subsidiary
concerned
(1) This
section applies to a notification (however described) given under the Privacy
Act 1988 if:
(a) the notification was given by Bank
of South Australia Limited; and
(b) the notification was given to an
individual who:
(i) was an eligible
customer of Bank of South Australia Limited; and
(ii) became an eligible
customer of the State Bank of South Australia or a designated subsidiary of the
State Bank of South Australia on a particular day (the re‑transfer day)
as a result of the operation of a re‑transfer provision.
(2) The Privacy Act 1988 has effect,
on and after the re‑transfer day, as if the notification had been given by the
State Bank of South Australia or the designated subsidiary, as the case
requires, instead of by Bank of South Australia Limited.
Division 5—Deletion of information from credit information files
Subdivision A—Transfers to Bank of South Australia Limited
26
Credit reporting agencies that have been given information about overdue
payments
(1) This section applies if:
(a) the State Bank of South Australia
or a designated subsidiary of the State Bank of South Australia was a credit
provider in relation to credit provided to an individual; and
(b) as a result of the operation of a
transfer provision, the individual’s account was transferred to Bank of South
Australia Limited on a particular day (the transfer day); and
(c) a credit reporting agency had been
given information that the individual was overdue in making a payment in
respect of the credit provided by the State Bank of South Australia or the
designated subsidiary, as the case may be.
(2) This Division and subsection 18F(3)
of the Privacy Act 1988 have effect, on and after the transfer day, as
if the credit reporting agency had been given information that the individual
was overdue in making a payment in respect of credit provided by Bank of South
Australia Limited.
27
Credit reporting agencies that have previously been informed about current
credit provider status
(1) This section applies if:
(a) the State Bank of South Australia
or a designated subsidiary of the State Bank of South Australia was a credit
provider in relation to credit provided to an individual; and
(b) as a result of the operation of a
transfer provision, the individual’s account was transferred to Bank of South
Australia Limited on a particular day (the transfer day); and
(c) a credit reporting agency had
previously been informed that the State Bank of South Australia or the
designated subsidiary, as the case may be, was a current credit provider in
relation to the individual.
(2) This Division and subsection 18F(5)
of the Privacy Act 1988 have effect, on and after the transfer day, as
if the credit reporting agency had previously been informed that Bank of South
Australia Limited was a current credit provider in relation to the individual.
28
Credit provider ceasing to be current credit provider
An obligation is not imposed on the
State Bank of South Australia, or a designated subsidiary of the State Bank of
South Australia, under subsection 18F(5) of the Privacy Act 1988 merely
because of the operation of a transfer provision.
Subdivision B—Re‑transfers to the State Bank of South Australia or to a designated
subsidiary of the State Bank of South Australia
29
Credit reporting agencies that have been given information about overdue
payments
(1) This section applies if:
(a) Bank of South Australia Limited
was a credit provider in relation to credit provided to an individual; and
(b) as a result of the operation of a
re‑transfer provision, the individual’s account was transferred to the State
Bank of South Australia or to a designated subsidiary of the State Bank of South Australia on a particular day (the re‑transfer day); and
(c) a credit reporting agency had been
given information that the individual is overdue in making a payment in respect
of the credit provided by Bank of South Australia Limited.
(2) Subsection 18F(3) of the Privacy
Act 1988 has effect, on and after the re‑transfer day, as if the credit
reporting agency had been given information that the individual was overdue in
making a payment in respect of credit provided by the State Bank of South
Australia or the designated subsidiary, as the case requires.
30
Credit reporting agencies that have previously been informed about current
credit provider status
(1) This
section applies if:
(a) Bank of South Australia Limited
was a credit provider in relation to credit provided to an individual; and
(b) as a result of the operation of a
re‑transfer provision, the individual’s account was transferred to the State
Bank of South Australia or to a designated subsidiary of the State Bank of South
Australia on a particular day (the re‑transfer day); and
(c) a credit reporting agency had
previously been informed that Bank of South Australia Limited was a current
credit provider in relation to the individual.
(2) Subsection 18F(5) of the Privacy Act
1988 has effect, on and after the re‑transfer day, as if the credit
reporting agency had previously been informed that the State Bank of South
Australia or the designated subsidiary, as the case requires, was a current
credit provider in relation to the individual.
31
Credit provider ceasing to be current credit provider
An obligation is not imposed on Bank of
South Australia Limited under subsection 18F(5) of the Privacy Act 1988
merely because of the operation of a re‑transfer provision.
Division 6—Banks to publish information about the operation of this Part
32
Publication of information about the operation of this Part
(1) On or before the appointed day, or as
soon as practicable after that day, the State Bank of South Australia or Bank
of South Australia Limited must prepare a written statement setting out
information about:
(a) the kinds of reports and
information that will be, or that have been, disclosed under section 18;
and
(b) the kinds of authorities and
notifications that will be, or have been, affected by the operation of
sections 22 and 23.
(2) The statement must not be prepared in a
manner that is likely to enable the identification of a particular eligible
customer.
(3) As soon as practicable after the
preparation of the statement, the State Bank of South Australia or Bank of
South Australia Limited, as the case requires, must make copies of the
statement generally available to:
(a) in any case—its eligible
customers; and
(b) if the statement is prepared by
the State Bank of South Australia—the eligible customers of Bank of South
Australia Limited.
(4) For the purposes of the Privacy Act
1988, a contravention of this section is taken to be a credit reporting
infringement by the State Bank of South Australia and Bank of South Australia
Limited.
Division 7—This Part to be disregarded in determining the meaning that a
provision of the Privacy Act 1988 has apart from this Part
33
This Part to be disregarded in determining the meaning that a provision of the Privacy
Act 1988 has apart from this Part
In determining the meaning that a
provision of the Privacy Act 1988 has apart from this Part, this Part is
to be disregarded.