Division 1 - General definitions6 - Interpretation6AA - Meaning of responsible person6A - Breach of an Australian Privacy Principle6B - Breach of a registered APP code6BA - Breach of the registered CR code6C - Organisations6D - Small business and small business operators6DA - What is the annual turnover of a business?6E - Small business operator treated as organisation6EA - Small business operators choosing to be treated as organisations6F - State instrumentalities etc. treated as organisations6FA - Meaning of health information6FB - Meaning of health service
Division 2 - Key definitions relating to credit reporting
Subdivision A - Credit provider6G - Meaning of credit provider6H - Agents of credit providers6J - Securitisation arrangements etc.6K - Acquisition of the rights of a credit provider
Subdivision B - Other definitions6L - Meaning of access seeker6M - Meaning of credit and amount of credit6N - Meaning of credit information6P - Meaning of credit reporting business6Q - Meaning of default information6R - Meaning of information request6S - Meaning of new arrangement information6T - Meaning of payment information6U - Meaning of personal insolvency information6V - Meaning of repayment history information
Division 3 - Other matters7 - Acts and practices of agencies, organisations etc.7A - Acts of certain agencies treated as acts of organisation7B - Exempt acts and exempt practices of organisations7C - Political acts and practices are exempt8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.10 - Agencies that are taken to hold a record11 - File number recipients12A - Act not to apply in relation to State banking or insurance within that State12B - Severability—additional effect of this Act
Division 1 - Interferences with privacy13 - Interferences with privacy13B - Related bodies corporate13C - Change in partnership because of change in partners13D - Overseas act required by foreign law13E - Effect of sections 13B, 13C and 13D13F - Act or practice not covered by section 13 is not an interference with privacy13G - Serious and repeated interferences with privacy
Division 2 - Australian Privacy Principles14 - Australian Privacy Principles15 - APP entities must comply with Australian Privacy Principles16 - Personal, family or household affairs16A - Permitted general situations in relation to the collection, use or disclosure of personal information16B - Permitted health situations in relation to the collection, use or disclosure of health information16C - Acts and practices of overseas recipients of personal information
Division 4 - Tax file number information17 - Rules relating to tax file number information18 - File number recipients to comply with rules
Division 1 - Introduction19 - Guide to this Part
Division 2 - Credit reporting bodies
Subdivision A - Introduction and application of this Division etc.20 - Guide to this Division20A - Application of this Division and the Australian Privacy Principles to credit reporting bodies
Subdivision B - Consideration of information privacy20B - Open and transparent management of credit reporting information
Subdivision C - Collection of credit information20C - Collection of solicited credit information20D - Dealing with unsolicited credit information
Subdivision D - Dealing with credit reporting information etc.20E - Use or disclosure of credit reporting information20F - Permitted CRB disclosures in relation to individuals20G - Use or disclosure of credit reporting information for the purposes of direct marketing20H - Use or disclosure of pre screening assessments20J - Destruction of pre screening assessment20K - No use or disclosure of credit reporting information during a ban period20L - Adoption of government related identifiers20M - Use or disclosure of credit reporting information that is de identified
Subdivision E - Integrity of credit reporting information20N - Quality of credit reporting information20P - False or misleading credit reporting information20Q - Security of credit reporting information
Subdivision F - Access to, and correction of, information20R - Access to credit reporting information20S - Correction of credit reporting information20T - Individual may request the correction of credit information etc.20U - Notice of correction etc. must be given
Subdivision G - Dealing with credit reporting information after the retention period ends etc.20V - Destruction etc. of credit reporting information after the retention period ends20W - Retention period for credit information—general20X - Retention period for credit information—personal insolvency information20Y - Destruction of credit reporting information in cases of fraud20Z - Dealing with information if there is a pending correction request etc.20ZA - Dealing with information if an Australian law etc. requires it to be retained
Division 3 - Credit providers
Subdivision A - Introduction and application of this Division21 - Guide to this Division21A - Application of this Division to credit providers
Subdivision B - Consideration of information privacy21B - Open and transparent management of credit information etc.
Subdivision C - Dealing with credit information21C - Additional notification requirements for the collection of personal information etc.21D - Disclosure of credit information to a credit reporting body21E - Payment information must be disclosed to a credit reporting body21F - Limitation on the disclosure of credit information during a ban period
Subdivision D - Dealing with credit eligibility information etc.21G - Use or disclosure of credit eligibility information21H - Permitted CP uses in relation to individuals21J - Permitted CP disclosures between credit providers21K - Permitted CP disclosures relating to guarantees etc.21L - Permitted CP disclosures to mortgage insurers21M - Permitted CP disclosures to debt collectors21N - Permitted CP disclosures to other recipients21NA - Disclosures to certain persons and bodies that do not have an Australian link21P - Notification of a refusal of an application for consumer credit
Subdivision E - Integrity of credit information and credit eligibility information21Q - Quality of credit eligibility information21R - False or misleading credit information or credit eligibility information21S - Security of credit eligibility information
Subdivision F - Access to, and correction of, information21T - Access to credit eligibility information21U - Correction of credit information or credit eligibility information21V - Individual may request the correction of credit information etc.21W - Notice of correction etc. must be given
Division 4 - Affected information recipients22 - Guide to this Division
Subdivision A - Consideration of information privacy22A - Open and transparent management of regulated information
Subdivision B - Dealing with regulated information22B - Additional notification requirements for affected information recipients22C - Use or disclosure of information by mortgage insurers or trade insurers22D - Use or disclosure of information by a related body corporate22E - Use or disclosure of information by credit managers etc.22F - Use or disclosure of information by advisers etc.
Division 5 - Complaints23 - Guide to this Division23A - Individual may complain about a breach of a provision of this Part etc.23B - Dealing with complaints23C - Notification requirements relating to correction complaints
Division 6 - Unauthorised obtaining of credit reporting information etc.24 - Obtaining credit reporting information from a credit reporting body24A - Obtaining credit eligibility information from a credit provider
Division 7 - Court orders25 - Compensation orders25A - Other orders to compensate loss or damage
Division 1 - Introduction26 - Guide to this Part
Division 2 - Registered APP codes
Subdivision A - Compliance with registered APP codes etc.26A - APP entities to comply with binding registered APP codes26B - What is a registered APP code26C - What is an APP code26D - Extension of Act to exempt acts or practices covered by registered APP codes
Subdivision B - Development and registration of APP codes26E - Development of APP codes by APP code developers26F - Application for registration of APP codes26G - Development of APP codes by the Commissioner26H - Commissioner may register APP codes
Subdivision C - Variation and removal of registered APP codes26J - Variation of registered APP codes26K - Removal of registered APP codes
Division 3 - Registered CR code
Subdivision A - Compliance with the registered CR code26L - Entities to comply with the registered CR code if bound by the code26M - What is the registered CR code26N - What is a CR code
Subdivision B - Development and registration of CR code26P - Development of CR code by CR code developers26Q - Application for registration of CR code26R - Development of CR code by the Commissioner26S - Commissioner may register CR code
Subdivision C - Variation of the registered CR code26T - Variation of the registered CR code
Division 4 - General matters26U - Codes Register26V - Guidelines relating to codes26W - Review of operation of registered codes
Division 1 - Introduction26WA - Simplified outline of this Part26WB - Entity26WC - Deemed holding of information26WD - Exception—notification under the My Health Records Act 2012
Division 2 - Eligible data breach26WE - Eligible data breach26WF - Exception—remedial action26WG - Whether access or disclosure would be likely, or would not be likely, to result in serious harm—relevant matters
Division 3 - Notification of eligible data breaches
Subdivision A - Suspected eligible data breaches26WH - Assessment of suspected eligible data breach26WJ - Exception—eligible data breaches of other entities
Subdivision B - General notification obligations26WK - Statement about eligible data breach26WL - Entity must notify eligible data breach26WM - Exception—eligible data breaches of other entities26WN - Exception—enforcement related activities26WP - Exception—inconsistency with secrecy provisions26WQ - Exception—declaration by Commissioner
Subdivision C - Commissioner may direct entity to notify eligible data breach26WR - Commissioner may direct entity to notify eligible data breach26WS - Exception—enforcement related activities26WT - Exception—inconsistency with secrecy provisions
Division 2 - Functions of Commissioner27 - Functions of the Commissioner28 - Guidance related functions of the Commissioner28A - Monitoring related functions of the Commissioner28B - Advice related functions of the Commissioner29 - Commissioner must have due regard to the objects of the Act
Division 3 - Reports by Commissioner30 - Reports following investigation of act or practice31 - Report following examination of proposed enactment32 - Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.33 - Exclusion of certain matters from reports
Division 3A - Assessments by, or at the direction of, the Commissioner33C - Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.33D - Commissioner may direct an agency to give a privacy impact assessment
Division 4 - Miscellaneous34 - Provisions relating to documents exempt under the Freedom of Information Act 198235 - Direction where refusal or failure to amend exempt document35A - Commissioner may recognise external dispute resolution schemes
Division 1A - Introduction36A - Guide to this Part
Division 1 - Investigation of complaints and investigations on the Commissioner’s initiative36 - Complaints37 - Principal executive of agency38 - Conditions for making a representative complaint38A - Commissioner may determine that a complaint is not to continue as a representative complaint38B - Additional rules applying to the determination of representative complaints38C - Amendment of representative complaints39 - Class member for representative complaint not entitled to lodge individual complaint40 - Investigations40A - Conciliation of complaints41 - Commissioner may or must decide not to investigate etc. in certain circumstances42 - Preliminary inquiries43 - Conduct of investigations43A - Interested party may request a hearing44 - Power to obtain information and documents45 - Power to examine witnesses46 - Directions to persons to attend compulsory conference47 - Conduct of compulsory conference48 - Complainant and certain other persons to be informed of various matters49 - Investigation under section 40 to cease if certain offences may have been committed49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened50 - Reference of matters to other authorities50A - Substitution of respondent to complaint51 - Effect of investigation by Auditor General
Division 2 - Determinations following investigation of complaints52 - Determination of the Commissioner53 - Determination must identify the class members who are to be affected by the determination53A - Notice to be given to outsourcing agency53B - Substituting an agency for a contracted service provider
Division 3 - Enforcement54 - Application of Division55 - Obligations of organisations and small business operators55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination55B - Evidentiary certificate
Division 4 - Review and enforcement of determinations involving Commonwealth agencies57 - Application of Division58 - Obligations of agencies59 - Obligations of principal executive of agency60 - Compensation and expenses62 - Enforcement of determination against an agency
Division 5 - Miscellaneous63 - Legal assistance64 - Commissioner etc. not to be sued65 - Failure to attend etc. before Commissioner66 - Failure to give information etc.67 - Protection from civil actions68 - Power to enter premises68A - Identity cards70 - Certain documents and information not required to be disclosed70B - Application of this Part to former organisations
Division 1 - Public interest determinations71 - Interpretation72 - Power to make, and effect of, determinations73 - Application by APP entity74 - Publication of application etc.75 - Draft determination76 - Conference77 - Conduct of conference78 - Determination of application79 - Making of determination
Division 2 - Temporary public interest determinations80A - Temporary public interest determinations80B - Effect of temporary public interest determination80D - Commissioner may continue to consider application
Division 3 - Register of determinations80E - Register of determinations
Division 1 - Object and interpretation80F - Object80G - Interpretation80H - Meaning of permitted purpose
Division 2 - Declaration of emergency80J - Declaration of emergency—events of national significance80K - Declaration of emergency—events outside Australia80L - Form of declarations80M - When declarations take effect80N - When declarations cease to have effect
Division 3 - Provisions dealing with the use and disclosure of personal information80P - Authorisation of collection, use and disclosure of personal information
Division 4 - Other matters80Q - Disclosure of information—offence80R - Operation of Part80S - Severability—additional effect of Part80T - Compensation for acquisition of property—constitutional safety net
Division 1 - Civil penalties80U - Civil penalty provisions
Division 2 - Enforceable undertakings80V - Enforceable undertakings
Division 3 - Injunctions80W - Injunctions
95 - Medical research guidelines95A - Guidelines for Australian Privacy Principles about health information95AA - Guidelines for Australian Privacy Principles about genetic information95B - Requirements for Commonwealth contracts95C - Disclosure of certain provisions of Commonwealth contracts96 - Review by the Administrative Appeals Tribunal98A - Treatment of partnerships98B - Treatment of unincorporated associations98C - Treatment of trusts99A - Conduct of directors, employees and agents100 - Regulations
Part 1 - Consideration of personal information privacy1 - Australian Privacy Principle 1—open and transparent management of personal information2 - Australian Privacy Principle 2—anonymity and pseudonymity
Part 2 - Collection of personal information3 - Australian Privacy Principle 3—collection of solicited personal information4 - Australian Privacy Principle 4—dealing with unsolicited personal information5 - Australian Privacy Principle 5—notification of the collection of personal information
Part 3 - Dealing with personal information6 - Australian Privacy Principle 6—use or disclosure of personal information7 - Australian Privacy Principle 7—direct marketing8 - Australian Privacy Principle 8—cross border disclosure of personal information9 - Australian Privacy Principle 9—adoption, use or disclosure of government related identifiers
Part 4 - Integrity of personal information10 - Australian Privacy Principle 10—quality of personal information11 - Australian Privacy Principle 11—security of personal information
Part 5 - Access to, and correction of, personal information12 - Australian Privacy Principle 12—access to personal information13 - Australian Privacy Principle 13—correction of personal information
Open and transparent management of regulated information
(1) The object of this section is to ensure that an affected information recipient manages the regulated information of the recipient in an open and transparent way.
Compliance with this Division etc.
(2) An affected information recipient must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the recipient’s functions or activities that:
(a) will ensure that the recipient complies with this Division and the registered CR code if it binds the recipient; and
(b) will enable the recipient to deal with inquiries or complaints from individuals about the recipient’s compliance with this Division or the registered CR code if it binds the recipient.
Policy about the management of regulated information
(3) An affected information recipient must have a clearly expressed and up to date policy about the recipient’s management of the regulated information of the recipient.
(4) Without limiting subsection (3), the policy of the affected information recipient must contain the following information:
(a) the kinds of regulated information that the recipient collects and holds, and how the recipient collects and holds that information;
(b) the purposes for which the recipient collects, holds, uses and discloses regulated information;
(c) how an individual may access regulated information about the individual that is held by the recipient and seek the correction of such information;
(d) how an individual may complain about a failure of the recipient to comply with this Division or the registered CR code if it binds the recipient;
(e) how the recipient will deal with such a complaint.
Availability of policy etc.
(5) An affected information recipient must take such steps as are reasonable in the circumstances to make the policy available:
(a) free of charge; and
(b) in such form as is appropriate.
Note: An affected information recipient will usually make the policy available on the recipient’s website.
(6) If a person or body requests a copy, in a particular form, of the policy of an affected information recipient, the recipient must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
Interaction with the Australian Privacy Principles
(7) If an affected information recipient is an APP entity, Australian Privacy Principles 1.3 and 1.4 do not apply to the recipient in relation to the regulated information of the recipient.