6 - Interpretation6AA - Meaning of responsible person6A - Breach of an Australian Privacy Principle6B - Breach of a registered APP code6BA - Breach of the registered CR code6C - Organisations6D - Small business and small business operators6DA - What is the annual turnover of a business?6E - Small business operator treated as organisation6EA - Small business operators choosing to be treated as organisations6F - State instrumentalities etc. treated as organisations6FA - Meaning of health information6FB - Meaning of health service6G - Meaning of credit provider6H - Agents of credit providers6J - Securitisation arrangements etc.6K - Acquisition of the rights of a credit provider6L - Meaning of access seeker6M - Meaning of credit and amount of credit6N - Meaning of credit information6P - Meaning of credit reporting business6Q - Meaning of default information6R - Meaning of information request6S - Meaning of new arrangement information6T - Meaning of payment information6U - Meaning of personal insolvency information6V - Meaning of repayment history information7 - Acts and practices of agencies, organisations etc.7A - Acts of certain agencies treated as acts of organisation7B - Exempt acts and exempt practices of organisations7C - Political acts and practices are exempt8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.10 - Agencies that are taken to hold a record11 - File number recipients12A - Act not to apply in relation to State banking or insurance within that State12B - Severability—additional effect of this Act
19 - Guide to this Part20 - Guide to this Division20A - Application of this Division and the Australian Privacy Principles to credit reporting bodies20B - Open and transparent management of credit reporting information20C - Collection of solicited credit information20D - Dealing with unsolicited credit information20E - Use or disclosure of credit reporting information20F - Permitted CRB disclosures in relation to individuals20G - Use or disclosure of credit reporting information for the purposes of direct marketing20H - Use or disclosure of pre screening assessments20J - Destruction of pre screening assessment20K - No use or disclosure of credit reporting information during a ban period20L - Adoption of government related identifiers20M - Use or disclosure of credit reporting information that is de identified20N - Quality of credit reporting information20P - False or misleading credit reporting information20Q - Security of credit reporting information20R - Access to credit reporting information20S - Correction of credit reporting information20T - Individual may request the correction of credit information etc.20U - Notice of correction etc. must be given20V - Destruction etc. of credit reporting information after the retention period ends20W - Retention period for credit information—general20X - Retention period for credit information—personal insolvency information20Y - Destruction of credit reporting information in cases of fraud20Z - Dealing with information if there is a pending correction request etc.20ZA - Dealing with information if an Australian law etc. requires it to be retained21 - Guide to this Division21A - Application of this Division to credit providers21B - Open and transparent management of credit information etc.21C - Additional notification requirements for the collection of personal information etc.21D - Disclosure of credit information to a credit reporting body21E - Payment information must be disclosed to a credit reporting body21F - Limitation on the disclosure of credit information during a ban period21G - Use or disclosure of credit eligibility information21H - Permitted CP uses in relation to individuals21J - Permitted CP disclosures between credit providers21K - Permitted CP disclosures relating to guarantees etc.21L - Permitted CP disclosures to mortgage insurers21M - Permitted CP disclosures to debt collectors21N - Permitted CP disclosures to other recipients21NA - Disclosures to certain persons and bodies that do not have an Australian link21P - Notification of a refusal of an application for consumer credit21Q - Quality of credit eligibility information21R - False or misleading credit information or credit eligibility information21S - Security of credit eligibility information21T - Access to credit eligibility information21U - Correction of credit information or credit eligibility information21V - Individual may request the correction of credit information etc.21W - Notice of correction etc. must be given22 - Guide to this Division22A - Open and transparent management of regulated information22B - Additional notification requirements for affected information recipients22C - Use or disclosure of information by mortgage insurers or trade insurers22D - Use or disclosure of information by a related body corporate22E - Use or disclosure of information by credit managers etc.22F - Use or disclosure of information by advisers etc.23 - Guide to this Division23A - Individual may complain about a breach of a provision of this Part etc.23B - Dealing with complaints23C - Notification requirements relating to correction complaints24 - Obtaining credit reporting information from a credit reporting body24A - Obtaining credit eligibility information from a credit provider25 - Compensation orders25A - Other orders to compensate loss or damage
36A - Guide to this Part36 - Complaints37 - Principal executive of agency38 - Conditions for making a representative complaint38A - Commissioner may determine that a complaint is not to continue as a representative complaint38B - Additional rules applying to the determination of representative complaints38C - Amendment of representative complaints39 - Class member for representative complaint not entitled to lodge individual complaint40 - Investigations40A - Conciliation of complaints41 - Commissioner may or must decide not to investigate etc. in certain circumstances42 - Preliminary inquiries43 - Conduct of investigations43A - Interested party may request a hearing44 - Power to obtain information and documents45 - Power to examine witnesses46 - Directions to persons to attend compulsory conference47 - Conduct of compulsory conference48 - Complainant and certain other persons to be informed of various matters49 - Investigation under section 40 to cease if certain offences may have been committed49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened50 - Reference of matters to other authorities50A - Substitution of respondent to complaint51 - Effect of investigation by Auditor General52 - Determination of the Commissioner53 - Determination must identify the class members who are to be affected by the determination53A - Notice to be given to outsourcing agency53B - Substituting an agency for a contracted service provider54 - Application of Division55 - Obligations of organisations and small business operators55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination55B - Evidentiary certificate57 - Application of Division58 - Obligations of agencies59 - Obligations of principal executive of agency60 - Compensation and expenses62 - Enforcement of determination against an agency63 - Legal assistance64 - Commissioner etc. not to be sued65 - Failure to attend etc. before Commissioner66 - Failure to give information etc.67 - Protection from civil actions68 - Power to enter premises68A - Identity cards70 - Certain documents and information not required to be disclosed70B - Application of this Part to former organisations
80U - Civil penalty provisions80V - Enforceable undertakings80W - Injunctions
access seeker has the meaning given by subsection 6L(1).
Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5 1A of that Act.
(f) Commonwealth records as defined by subsection 3(1) of the Archives Act 1983 that are in the open access period for the purposes of that Act; or
(fa) records (as defined in the Archives Act 1983) in the care (as defined in that Act) of the National Archives of Australia in relation to which the Archives has entered into arrangements with a person other than a Commonwealth institution (as defined in that Act) providing for the extent to which the Archives or other persons are to have access to the records; or
Note 1: Under section 187LA of the Telecommunications (Interception and Access) Act 1979, service providers are, in relation to their activities relating to retained data, treated as organisations for the purposes of this Act.
(1) An access seeker in relation to credit reporting information, or credit eligibility information, about an individual is:
Note: In 2012, the text of the Covenant and Convention in the Australian Treaty Series was accessible through the Australian Treaties Library on the AustLII website (www.austlii.edu.au).
(f) how an individual may access credit reporting information about the individual that is held by the body and seek the correction of such information;
(b) from unauthorised access, modification or disclosure.
(ii) from unauthorised access, modification or disclosure; and
Access
(1) If a credit reporting body holds credit reporting information about an individual, the body must, on request by an access seeker in relation to the information, give the access seeker access to the information.
Exceptions to access
(2) Despite subsection (1), the credit reporting body is not required to give the access seeker access to the credit reporting information to the extent that:
(a) giving access would be unlawful; or
(b) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(c) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Dealing with requests for access
Means of access
(4) If the credit reporting body gives access to the credit reporting information, the access must be given in the manner set out in the registered CR code.
Access charges
(5) If a request under subsection (1) in relation to the individual has not been made to the credit reporting body in the previous 12 months, the body must not charge the access seeker for the making of the request or for giving access to the information.
(6) If subsection (5) does not apply, any charge by the credit reporting body for giving access to the information must not be excessive and must not apply to the making of the request.
Refusal to give access
(7) If the credit reporting body refuses to give access to the information because of subsection (2), the body must give the access seeker a written notice that:
(b) states that, if the access seeker is not satisfied with the response to the request, the access seeker may:
(i) access a recognised external dispute resolution scheme of which the body is a member; or
(i) access a recognised external dispute resolution scheme of which the body is a member; or
(e) how an individual may access credit eligibility information about the individual that is held by the provider;
(a) that the policy (the credit reporting policy) of the provider that is referred to in subsection 21B(3) contains information about how an individual may access the credit eligibility information about the individual that is held by the provider;
(b) from unauthorised access, modification or disclosure.
Access
(1) If a credit provider holds credit eligibility information about an individual, the provider must, on request by an access seeker in relation to the information, give the access seeker access to the information.
Exceptions to access
(2) Despite subsection (1), the credit provider is not required to give the access seeker access to the credit eligibility information to the extent that:
(a) giving access would be unlawful; or
(b) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(c) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Dealing with requests for access
Means of access
(4) If the credit provider gives access to the credit eligibility information, the access must be given in the manner set out in the registered CR code.
Access charges
(5) If the credit provider is an agency, the provider must not charge the access seeker for the making of the request or for giving access to the information.
(6) If a credit provider is an organisation or small business operator, any charge by the provider for giving access to the information must not be excessive and must not apply to the making of the request.
Refusal to give access
(7) If the provider refuses to give access to the information because of subsection (2), the provider must give the access seeker a written notice that:
(b) states that, if the access seeker is not satisfied with the response to the request, the access seeker may:
(i) access a recognised external dispute resolution scheme of which the provider is a member; or
(i) access a recognised external dispute resolution scheme of which the provider is a member; or
(c) how an individual may access regulated information about the individual that is held by the recipient and seek the correction of such information;
(a) that the policy (the credit reporting policy) of the recipient that is referred to in subsection 22A(3) contains information about how an individual may access the regulated information about the individual that is held by the recipient, and seek the correction of such information;
(i) access a recognised external dispute resolution scheme of which the respondent is a member; or
(ii) an access seeker for the information.
(b) an access seeker for the information.
(ii) an access seeker for the information.
(b) an access seeker for the information.
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
(a) an unauthorised access to information; or
has been, or is required to be, notified under section 75 of the My Health Records Act 2012, this Part does not apply in relation to the access, disclosure or loss.
(i) there is unauthorised access to, or unauthorised disclosure of, the information;
(ii) a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
(i) unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
(ii) assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;
(c) the access or disclosure covered by paragraph (a), or the loss covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and
Access to, or disclosure of, information
(a) an access to, or disclosure of, information is covered by paragraph 26WE(2)(a); and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the access or disclosure; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before the access or disclosure results in serious harm to any of the individuals to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals;
the access or disclosure is not, and is taken never to have been:
(a) an access to, or disclosure of, information is covered by paragraph 26WE(2)(a); and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the access or disclosure; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before the access or disclosure results in serious harm to a particular individual to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to the individual;
to take steps to notify the individual of the contents of a statement that relates to the access or disclosure.
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before there is unauthorised access to, or unauthorised disclosure of, the information; and
(d) as a result of the action, there is no unauthorised access to, or unauthorised disclosure of, the information;
(i) after there is unauthorised access to, or unauthorised disclosure of, the information; and
(ii) before the access or disclosure results in serious harm to any of the individuals to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals;
(i) after there is unauthorised access to, or unauthorised disclosure of, the information; and
(ii) before the access or disclosure results in serious harm to a particular individual to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to the individual;
For the purposes of this Division, in determining whether a reasonable person would conclude that an access to, or a disclosure of, information:
(b) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities;
(4) If the entity has reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, the statement referred to in subparagraph (2)(a)(i) may also set out the identity and contact details of those other entities.
(b) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities;
(e) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities.
(ii) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities; or
(ii) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities;
(b) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities;
(a) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities; and
(8) If the Commissioner is aware that there are reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, a direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out the identity and contact details of those other entities.
(a) an application made under subsection 55(1) of the Freedom of Information Act 1982 for review of a decision under that Act refusing access to a document has been finally determined or otherwise disposed of;
(c) the effect of the review and any appeal is that access is not to be given to the document;
(f) the Commissioner has, as a result of the complaint, recommended under subsection 30(3) of this Act that the agency amend the document, or amend a part of the document, to which the applicant has been refused access; and
(a) the accessibility of the scheme;
(a) section 20R, 20T, 21T or 21V (which are about access to, and correction of, credit reporting information etc.); or
(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
(g) that the APP privacy policy of the APP entity contains information about how the individual may access the personal information about the individual that is held by the entity and seek the correction of such information;
(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
(b) from unauthorised access, modification or disclosure.
Access
12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.
Exception to access—agency
(b) the entity is required or authorised to refuse to give the individual access to the personal information by or under:
(ii) any other Act of the Commonwealth, or a Norfolk Island enactment, that provides for access by persons to documents;
then, despite subclause 12.1, the entity is not required to give access to the extent that the entity is required or authorised to refuse to give access.
Exception to access—organisation
12.3 If the APP entity is an organisation then, despite subclause 12.1, the entity is not required to give the individual access to the personal information to the extent that:
(a) the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
(b) giving access would have an unreasonable impact on the privacy of other individuals; or
(c) the request for access is frivolous or vexatious; or
(d) the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings; or
(e) giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(f) giving access would be unlawful; or
(g) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(ii) giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
(i) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
(j) giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision making process.
Dealing with requests for access
(a) respond to the request for access to the personal information:
(b) give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.
Other means of access
(a) to give access to the personal information because of subclause 12.2 or 12.3; or
(b) to give access in the manner requested by the individual;
the entity must take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual.
12.6 Without limiting subclause 12.5, access may be given through the use of a mutually agreed intermediary.
Access charges
12.7 If the APP entity is an agency, the entity must not charge the individual for the making of the request or for giving access to the personal information.
(b) the entity charges the individual for giving access to the personal information;
Refusal to give access
12.9 If the APP entity refuses to give access to the personal information because of subclause 12.2 or 12.3, or to give access in the manner requested by the individual, the entity must give the individual a written notice that sets out:
12.10 If the APP entity refuses to give access to the personal information because of paragraph 12.3(j), the reasons for the refusal may include an explanation for the commercially sensitive decision.