Division 1 - General definitions
6 - Interpretation6AA - Meaning of responsible person6A - Breach of an Australian Privacy Principle6B - Breach of a registered APP code6BA - Breach of the registered CR code6C - Organisations6D - Small business and small business operators6DA - What is the annual turnover of a business?6E - Small business operator treated as organisation6EA - Small business operators choosing to be treated as organisations6F - State instrumentalities etc. treated as organisations6FA - Meaning of health information6FB - Meaning of health serviceDivision 2 - Key definitions relating to credit reporting
Subdivision A - Credit provider
6G - Meaning of credit provider6H - Agents of credit providers6J - Securitisation arrangements etc.6K - Acquisition of the rights of a credit providerSubdivision B - Other definitions
6L - Meaning of access seeker6M - Meaning of credit and amount of credit6N - Meaning of credit information6P - Meaning of credit reporting business6Q - Meaning of default information6R - Meaning of information request6S - Meaning of new arrangement information6T - Meaning of payment information6U - Meaning of personal insolvency information6V - Meaning of repayment history informationDivision 3 - Other matters
7 - Acts and practices of agencies, organisations etc.7A - Acts of certain agencies treated as acts of organisation7B - Exempt acts and exempt practices of organisations7C - Political acts and practices are exempt8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.10 - Agencies that are taken to hold a record11 - File number recipients12A - Act not to apply in relation to State banking or insurance within that State12B - Severability—additional effect of this ActDivision 1 - Interferences with privacy
13 - Interferences with privacy13B - Related bodies corporate13C - Change in partnership because of change in partners13D - Overseas act required by foreign law13E - Effect of sections 13B, 13C and 13D13F - Act or practice not covered by section 13 is not an interference with privacy13G - Serious and repeated interferences with privacyDivision 2 - Australian Privacy Principles
14 - Australian Privacy Principles15 - APP entities must comply with Australian Privacy Principles16 - Personal, family or household affairs16A - Permitted general situations in relation to the collection, use or disclosure of personal information16B - Permitted health situations in relation to the collection, use or disclosure of health information16C - Acts and practices of overseas recipients of personal informationDivision 4 - Tax file number information
17 - Rules relating to tax file number information18 - File number recipients to comply with rulesDivision 1 - Introduction
19 - Guide to this PartDivision 2 - Credit reporting bodies
Subdivision A - Introduction and application of this Division etc.
20 - Guide to this Division20A - Application of this Division and the Australian Privacy Principles to credit reporting bodiesSubdivision B - Consideration of information privacy
20B - Open and transparent management of credit reporting informationSubdivision C - Collection of credit information
20C - Collection of solicited credit information20D - Dealing with unsolicited credit informationSubdivision D - Dealing with credit reporting information etc.
20E - Use or disclosure of credit reporting information20F - Permitted CRB disclosures in relation to individuals20G - Use or disclosure of credit reporting information for the purposes of direct marketing20H - Use or disclosure of pre screening assessments20J - Destruction of pre screening assessment20K - No use or disclosure of credit reporting information during a ban period20L - Adoption of government related identifiers20M - Use or disclosure of credit reporting information that is de identifiedSubdivision E - Integrity of credit reporting information
20N - Quality of credit reporting information20P - False or misleading credit reporting information20Q - Security of credit reporting informationSubdivision F - Access to, and correction of, information
20R - Access to credit reporting information20S - Correction of credit reporting information20T - Individual may request the correction of credit information etc.20U - Notice of correction etc. must be givenSubdivision G - Dealing with credit reporting information after the retention period ends etc.
20V - Destruction etc. of credit reporting information after the retention period ends20W - Retention period for credit information—general20X - Retention period for credit information—personal insolvency information20Y - Destruction of credit reporting information in cases of fraud20Z - Dealing with information if there is a pending correction request etc.20ZA - Dealing with information if an Australian law etc. requires it to be retainedDivision 3 - Credit providers
Subdivision A - Introduction and application of this Division
21 - Guide to this Division21A - Application of this Division to credit providersSubdivision B - Consideration of information privacy
21B - Open and transparent management of credit information etc.Subdivision C - Dealing with credit information
21C - Additional notification requirements for the collection of personal information etc.21D - Disclosure of credit information to a credit reporting body21E - Payment information must be disclosed to a credit reporting body21F - Limitation on the disclosure of credit information during a ban periodSubdivision D - Dealing with credit eligibility information etc.
21G - Use or disclosure of credit eligibility information21H - Permitted CP uses in relation to individuals21J - Permitted CP disclosures between credit providers21K - Permitted CP disclosures relating to guarantees etc.21L - Permitted CP disclosures to mortgage insurers21M - Permitted CP disclosures to debt collectors21N - Permitted CP disclosures to other recipients21NA - Disclosures to certain persons and bodies that do not have an Australian link21P - Notification of a refusal of an application for consumer creditSubdivision E - Integrity of credit information and credit eligibility information
21Q - Quality of credit eligibility information21R - False or misleading credit information or credit eligibility information21S - Security of credit eligibility informationSubdivision F - Access to, and correction of, information
21T - Access to credit eligibility information21U - Correction of credit information or credit eligibility information21V - Individual may request the correction of credit information etc.21W - Notice of correction etc. must be givenDivision 4 - Affected information recipients
22 - Guide to this DivisionSubdivision A - Consideration of information privacy
22A - Open and transparent management of regulated informationSubdivision B - Dealing with regulated information
22B - Additional notification requirements for affected information recipients22C - Use or disclosure of information by mortgage insurers or trade insurers22D - Use or disclosure of information by a related body corporate22E - Use or disclosure of information by credit managers etc.22F - Use or disclosure of information by advisers etc.Division 5 - Complaints
23 - Guide to this Division23A - Individual may complain about a breach of a provision of this Part etc.23B - Dealing with complaints23C - Notification requirements relating to correction complaintsDivision 6 - Unauthorised obtaining of credit reporting information etc.
24 - Obtaining credit reporting information from a credit reporting body24A - Obtaining credit eligibility information from a credit providerDivision 7 - Court orders
25 - Compensation orders25A - Other orders to compensate loss or damageDivision 1 - Introduction
26 - Guide to this PartDivision 2 - Registered APP codes
Subdivision A - Compliance with registered APP codes etc.
26A - APP entities to comply with binding registered APP codes26B - What is a registered APP code26C - What is an APP code26D - Extension of Act to exempt acts or practices covered by registered APP codesSubdivision B - Development and registration of APP codes
26E - Development of APP codes by APP code developers26F - Application for registration of APP codes26G - Development of APP codes by the Commissioner26H - Commissioner may register APP codesSubdivision C - Variation and removal of registered APP codes
26J - Variation of registered APP codes26K - Removal of registered APP codesDivision 3 - Registered CR code
Subdivision A - Compliance with the registered CR code
26L - Entities to comply with the registered CR code if bound by the code26M - What is the registered CR code26N - What is a CR codeSubdivision B - Development and registration of CR code
26P - Development of CR code by CR code developers26Q - Application for registration of CR code26R - Development of CR code by the Commissioner26S - Commissioner may register CR codeSubdivision C - Variation of the registered CR code
26T - Variation of the registered CR codeDivision 4 - General matters
26U - Codes Register26V - Guidelines relating to codes26W - Review of operation of registered codesDivision 1 - Introduction
26WA - Simplified outline of this Part26WB - Entity26WC - Deemed holding of information26WD - Exception—notification under the My Health Records Act 2012Division 2 - Eligible data breach
26WE - Eligible data breach26WF - Exception—remedial action26WG - Whether access or disclosure would be likely, or would not be likely, to result in serious harm—relevant mattersDivision 3 - Notification of eligible data breaches
Subdivision A - Suspected eligible data breaches
26WH - Assessment of suspected eligible data breach26WJ - Exception—eligible data breaches of other entitiesSubdivision B - General notification obligations
26WK - Statement about eligible data breach26WL - Entity must notify eligible data breach26WM - Exception—eligible data breaches of other entities26WN - Exception—enforcement related activities26WP - Exception—inconsistency with secrecy provisions26WQ - Exception—declaration by CommissionerSubdivision C - Commissioner may direct entity to notify eligible data breach
26WR - Commissioner may direct entity to notify eligible data breach26WS - Exception—enforcement related activities26WT - Exception—inconsistency with secrecy provisionsDivision 2 - Functions of Commissioner
27 - Functions of the Commissioner28 - Guidance related functions of the Commissioner28A - Monitoring related functions of the Commissioner28B - Advice related functions of the Commissioner29 - Commissioner must have due regard to the objects of the ActDivision 3 - Reports by Commissioner
30 - Reports following investigation of act or practice31 - Report following examination of proposed enactment32 - Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.33 - Exclusion of certain matters from reportsDivision 3A - Assessments by, or at the direction of, the Commissioner
33C - Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.33D - Commissioner may direct an agency to give a privacy impact assessmentDivision 4 - Miscellaneous
34 - Provisions relating to documents exempt under the Freedom of Information Act 198235 - Direction where refusal or failure to amend exempt document35A - Commissioner may recognise external dispute resolution schemesDivision 1A - Introduction
36A - Guide to this PartDivision 1 - Investigation of complaints and investigations on the Commissioner’s initiative
36 - Complaints37 - Principal executive of agency38 - Conditions for making a representative complaint38A - Commissioner may determine that a complaint is not to continue as a representative complaint38B - Additional rules applying to the determination of representative complaints38C - Amendment of representative complaints39 - Class member for representative complaint not entitled to lodge individual complaint40 - Investigations40A - Conciliation of complaints41 - Commissioner may or must decide not to investigate etc. in certain circumstances42 - Preliminary inquiries43 - Conduct of investigations43A - Interested party may request a hearing44 - Power to obtain information and documents45 - Power to examine witnesses46 - Directions to persons to attend compulsory conference47 - Conduct of compulsory conference48 - Complainant and certain other persons to be informed of various matters49 - Investigation under section 40 to cease if certain offences may have been committed49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened50 - Reference of matters to other authorities50A - Substitution of respondent to complaint51 - Effect of investigation by Auditor GeneralDivision 2 - Determinations following investigation of complaints
52 - Determination of the Commissioner53 - Determination must identify the class members who are to be affected by the determination53A - Notice to be given to outsourcing agency53B - Substituting an agency for a contracted service providerDivision 3 - Enforcement
54 - Application of Division55 - Obligations of organisations and small business operators55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination55B - Evidentiary certificateDivision 4 - Review and enforcement of determinations involving Commonwealth agencies
57 - Application of Division58 - Obligations of agencies59 - Obligations of principal executive of agency60 - Compensation and expenses62 - Enforcement of determination against an agencyDivision 5 - Miscellaneous
63 - Legal assistance64 - Commissioner etc. not to be sued65 - Failure to attend etc. before Commissioner66 - Failure to give information etc.67 - Protection from civil actions68 - Power to enter premises68A - Identity cards70 - Certain documents and information not required to be disclosed70B - Application of this Part to former organisationsDivision 1 - Public interest determinations
71 - Interpretation72 - Power to make, and effect of, determinations73 - Application by APP entity74 - Publication of application etc.75 - Draft determination76 - Conference77 - Conduct of conference78 - Determination of application79 - Making of determinationDivision 2 - Temporary public interest determinations
80A - Temporary public interest determinations80B - Effect of temporary public interest determination80D - Commissioner may continue to consider applicationDivision 3 - Register of determinations
80E - Register of determinationsDivision 1 - Object and interpretation
80F - Object80G - Interpretation80H - Meaning of permitted purposeDivision 2 - Declaration of emergency
80J - Declaration of emergency—events of national significance80K - Declaration of emergency—events outside Australia80L - Form of declarations80M - When declarations take effect80N - When declarations cease to have effectDivision 3 - Provisions dealing with the use and disclosure of personal information
80P - Authorisation of collection, use and disclosure of personal informationDivision 4 - Other matters
80Q - Disclosure of information—offence80R - Operation of Part80S - Severability—additional effect of Part80T - Compensation for acquisition of property—constitutional safety netDivision 1 - Civil penalties
80U - Civil penalty provisionsDivision 2 - Enforceable undertakings
80V - Enforceable undertakingsDivision 3 - Injunctions
80W - Injunctions95 - Medical research guidelines95A - Guidelines for Australian Privacy Principles about health information95AA - Guidelines for Australian Privacy Principles about genetic information95B - Requirements for Commonwealth contracts95C - Disclosure of certain provisions of Commonwealth contracts96 - Review by the Administrative Appeals Tribunal98A - Treatment of partnerships98B - Treatment of unincorporated associations98C - Treatment of trusts99A - Conduct of directors, employees and agents100 - Regulations
Part 1 - Consideration of personal information privacy
1 - Australian Privacy Principle 1—open and transparent management of personal information2 - Australian Privacy Principle 2—anonymity and pseudonymityPart 2 - Collection of personal information
3 - Australian Privacy Principle 3—collection of solicited personal information4 - Australian Privacy Principle 4—dealing with unsolicited personal information5 - Australian Privacy Principle 5—notification of the collection of personal informationPart 3 - Dealing with personal information
6 - Australian Privacy Principle 6—use or disclosure of personal information7 - Australian Privacy Principle 7—direct marketing8 - Australian Privacy Principle 8—cross border disclosure of personal information9 - Australian Privacy Principle 9—adoption, use or disclosure of government related identifiersPart 4 - Integrity of personal information
10 - Australian Privacy Principle 10—quality of personal information11 - Australian Privacy Principle 11—security of personal informationPart 5 - Access to, and correction of, personal information
12 - Australian Privacy Principle 12—access to personal information13 - Australian Privacy Principle 13—correction of personal information(a) that is derived from credit reporting information about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; and
(a) credit reporting information about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; or
(a) if the recipient is a mortgage insurer or trade insurer—personal information disclosed to the recipient under Division 2 or 3 of Part IIIA; or
(b) if the recipient is a body corporate referred to in paragraph 21G(3)(b)—credit eligibility information disclosed to the recipient under that paragraph; or
(c) if the recipient is a person referred to in paragraph 21G(3)(c)—credit eligibility information disclosed to the recipient under that paragraph; or
(d) if the recipient is an entity or adviser referred to in paragraph 21N(2)(a)—credit eligibility information disclosed to the recipient under subsection 21N(2).
(c) discloses personal information about another individual to anyone else for a benefit, service or advantage; or
(7) Paragraph (4)(c) does not prevent an individual, body corporate, partnership, unincorporated association or trust from being a small business operator only because he, she or it discloses personal information about another individual:
(a) a credit provider has disclosed default information about an individual to a credit reporting body; and
(b) the provider has disclosed the opinion to a credit reporting body; and
(a) a credit provider has disclosed default information about an individual to a credit reporting body; and
(b) on a day after the default information was disclosed, the amount of the overdue payment to which the information relates is paid;
(a) an act done or practice engaged in by, or information disclosed to, a person employed by, or in the service of, an agency, organisation, file number recipient, credit reporting body or credit provider in the performance of the duties of the person’s employment shall be treated as having been done or engaged in by, or disclosed to, the agency, organisation, recipient, credit reporting body or credit provider;
(b) an act done or practice engaged in by, or information disclosed to, a person on behalf of, or for the purposes of the activities of, an unincorporated body, being a board, council, committee, sub committee or other body established by or under a Commonwealth enactment or a Norfolk Island enactment for the purpose of assisting, or performing functions in connection with, an agency or organisation, shall be treated as having been done or engaged in by, or disclosed to, the agency or organisation; and
(c) an act done or practice engaged in by, or information disclosed to, a member, staff member or special member of the Australian Federal Police in the performance of his or her duties as such a member, staff member or special member shall be treated as having been done or engaged in by, or disclosed to, the Australian Federal Police.
(d) in the case of disclosure—the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information.
(a) an APP entity discloses personal information about an individual to an overseas recipient; and
(d) the purposes for which the body collects, holds, uses and discloses credit reporting information;
(a) the credit reporting body collects the credit information about the individual from a credit provider who is permitted under section 21D to disclose the information to the body; and
(2) The credit reporting body may use or disclose the credit information for the purposes of making the determination under subsection (1).
(1) If a credit reporting body holds credit reporting information about an individual, the body must not use or disclose the information.
(4) However, if the credit reporting information is, or was derived from, repayment history information about the individual, the credit reporting body must not disclose the information under paragraph (3)(a) or (f) unless the recipient of the information is:
(5) If a credit reporting body discloses credit reporting information under this section, the body must make a written note of that disclosure.
(1) If a credit reporting body holds credit reporting information about an individual, the body must not use or disclose the information for the purposes of direct marketing.
(1) If a credit reporting body makes a pre screening assessment in relation to direct marketing by, or on behalf of, a credit provider, the body must not use or disclose the assessment.
(a) the credit reporting body discloses the pre screening assessment for the purposes of the direct marketing by, or on behalf of, the credit provider; and
(3) If the credit reporting body discloses the pre screening assessment under subsection (2), the body must make a written note of that disclosure.
(4) If the credit reporting body discloses the pre screening assessment under subsection (2), the recipient must not use or disclose the assessment.
(a) the entity no longer needs the assessment for any purpose for which it may be used or disclosed under section 20H; and
(c) the individual requests the body not to use or disclose the information under this Division;
then, despite any other provision of this Division, the body must not use or disclose the information during the ban period for the information.
the body must not use or disclose the de identified information.
(a) the kinds of de identified information that may or may not be used or disclosed for the purposes of conducting the research;
(2) A credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit reporting information the body uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
(a) enter into agreements with credit providers that require the providers to ensure that credit information that they disclose to the body under section 21D is accurate, up to date and complete; and
(a) the body uses or discloses credit reporting information under this Division (other than subsections 20D(2) and 20T(4)); and
(2) A credit reporting body must not use or disclose credit reporting information under this Division (other than subsections 20D(2) and 20T(4)) if the information is false or misleading in a material particular.
(a) enter into agreements with credit providers that require the providers to protect credit reporting information that is disclosed to them under this Division:
(b) the body has previously disclosed the information under this Division (other than subsections 20D(2) and 20T(4));
(c) if the correction relates to information that the body has previously disclosed under this Division (other than subsections 20D(2) and 20T(4))—give each recipient of the information written notice of the correction.
(b) the body has previously disclosed the information to one or more recipients under Subdivision D of this Division;
(3) The credit reporting body must not use or disclose the information under Subdivision D of this Division.
(4) However, the credit reporting body may use or disclose the information under this subsection if:
(5) If the credit reporting body uses or discloses the information under subsection (4), the body must make a written note of the use or disclosure.
(2) The credit reporting body must not use or disclose the information under Subdivision D of this Division.
(3) However, the credit reporting body may use or disclose the information under this subsection if the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
(4) If the credit reporting body uses or discloses the information under subsection (3), the body must make a written note of the use or disclosure.
(c) the kinds of CP derived information that the provider usually derives from credit reporting information disclosed to the provider by a credit reporting body under Division 2 of this Part;
(d) the purposes for which the provider collects, holds, uses and discloses credit information and credit eligibility information;
(i) whether the provider is likely to disclose credit information or credit eligibility information to entities that do not have an Australian link;
(j) if the provider is likely to disclose credit information or credit eligibility information to such entities—the countries in which those entities are likely to be located if it is practicable to specify those countries in the policy.
(1) At or before the time a credit provider collects personal information about an individual that the provider is likely to disclose to a credit reporting body, the provider must:
(e) whether the provider is likely to disclose credit information or credit eligibility information to entities that do not have an Australian link;
(f) if the provider is likely to disclose credit information or credit eligibility information to such entities—the countries in which those entities are likely to be located if it is practicable to specify those countries in the credit reporting policy.
(1) A credit provider must not disclose credit information about an individual to a credit reporting body (whether or not the body’s credit reporting business is carried on in Australia).
(ii) the consumer credit to which the information relates is consumer credit in relation to which the provider also discloses, or a credit provider has previously disclosed, consumer credit liability information about the individual to the credit reporting body; and
(i) the credit provider has given the individual a notice in writing stating that the provider intends to disclose the information to the credit reporting body; and
(6) If a credit provider discloses credit information under this section, the provider must make a written note of that disclosure.
(a) a credit provider has disclosed default information about an individual to a credit reporting body under section 21D; and
(b) after the default information was disclosed, the amount of the overdue payment to which the information relates is paid;
the provider must, within a reasonable period after the amount is paid, disclose payment information about the amount to the body under that section.
(b) a credit provider requests the body to disclose the information to the provider for the purpose of assessing an application for consumer credit made to the provider by the individual, or a person purporting to be the individual; and
(c) the body is not permitted to disclose the information because there is a ban period for the information; and
(2) If the credit provider holds credit information about the individual that relates to the consumer credit, the provider must not, despite sections 21D and 21E, disclose the information to a credit reporting body.
(1) If a credit provider holds credit eligibility information about an individual, the provider must not use or disclose the information.
(ii) the provider discloses the information to another credit provider that has an Australian link, or to an enforcement body; or
(4) However, if the credit eligibility information about the individual is, or was derived from, repayment history information about the individual, the credit provider must not disclose the information under subsection (3).
(c) the credit provider discloses the credit eligibility information under paragraph (3)(b), (c), (e) or (f); or
(d) the credit provider discloses the credit eligibility information under paragraph (3)(d) to an enforcement body.
(6) If a credit provider uses or discloses credit eligibility information under this section, the provider must make a written note of that use or disclosure.
(a) the relevant credit reporting information was disclosed to the provider under a provision specified in column 1 of the table for the purpose (if any) specified in that column; and
Permitted CP uses | ||
---|---|---|
Column 1 | Column 2 | |
Item | The relevant credit reporting information was disclosed to the credit provider under ... | The credit provider uses the credit eligibility information for ... |
1 | item 1 of the table in subsection 20F(1) for the purpose of assessing an application for consumer credit made by the individual to the provider. | (a) a securitisation related purpose of the provider in relation to the individual; or (b) the internal management purposes of the provider that are directly related to the provision or management of consumer credit by the provider. |
2 | item 2 of the table in subsection 20F(1) for a particular commercial credit related purpose of the provider in relation to the individual. | that particular commercial credit related purpose. |
3 | item 2 of the table in subsection 20F(1) for the purpose of assessing an application for commercial credit made by a person to the provider. | the internal management purposes of the provider that are directly related to the provision or management of commercial credit by the provider. |
4 | item 3 of the table in subsection 20F(1) for a credit guarantee purpose of the provider in relation to the individual. | (a) the credit guarantee purpose; or (b) the internal management purposes of the provider that are directly related to the provision or management of any credit by the provider. |
5 | item 5 of the table in subsection 20F(1). | the purpose of assisting the individual to avoid defaulting on his or her obligations in relation to consumer credit provided by the provider to the individual. |
6 | item 6 of the table in subsection 20F(1) for a particular securitisation related purpose of the provider in relation to the individual. | that particular securitisation related purpose. |
(c) the provider discloses the information to the other credit provider in the provider’s capacity as such an agent.
(d) the information is disclosed to:
(d) the information is disclosed for the purpose of either provider deciding what action to take in relation to the overdue payment.
(ii) if subparagraph (a)(i) applies—the information is disclosed to the person for a purpose related to the enforcement, or proposed enforcement, of the guarantee.
(c) the information is disclosed to the person or body for the primary purpose of the person or body collecting payments that are overdue in relation to:
(c) the information is disclosed for the purpose of enabling the authority:
(1) Before a credit provider discloses credit eligibility information under paragraph 21G(3)(b) or (c) to a related body corporate, or person, that does not have an Australian link, the provider must take such steps as are reasonable in the circumstances to ensure that the body or person does not breach the following provisions (the relevant provisions) in relation to the information:
(a) a credit provider discloses credit eligibility information under paragraph 21G(3)(b) or (c) to a related body corporate, or person, that does not have an Australian link; and
(3) Before a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link, the provider must take such steps as are reasonable in the circumstances to ensure that the person or body does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
(a) a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link; and
(c) a credit reporting body disclosed the relevant credit reporting information to the provider for the purposes of assessing the application.
(i) the name and contact details of the credit reporting body that disclosed the relevant credit reporting information to the provider; and
(2) A credit provider must take such steps (if any) as are reasonable in the circumstances to ensure that the credit eligibility information the provider uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
(a) the provider discloses credit information under section 21D; and
(a) the provider uses or discloses credit eligibility information under this Division; and
(3) A credit provider must not disclose credit information under section 21D if the information is false or misleading in a material particular.
(4) A credit provider must not use or disclose credit eligibility information under this Division if the information is false or misleading in a material particular.
(b) the provider no longer needs the information for any purpose for which the information may be used or disclosed by the provider under this Division; and
(b) the provider has previously disclosed the information under:
(c) if the correction relates to information that the provider has previously disclosed under:
(b) the purposes for which the recipient collects, holds, uses and discloses regulated information;
(b) the information was disclosed to the insurer by a credit reporting body or credit provider under Division 2 or 3 of this Part;
the insurer must not use or disclose the information, or any personal information about the individual derived from that information.
(b) the information was disclosed to the body by a credit provider under paragraph 21G(3)(b);
the body must not use or disclose the information, or any personal information about the individual derived from that information.
(2) Subsection (1) does not apply to the use or disclosure of the information by the body corporate if the body would be permitted to use or disclose the information under section 21G if the body were the credit provider.
(3) In determining whether the body corporate would be permitted to use or disclose the information under section 21G, assume that the body is whichever of the following is applicable:
(b) the information was disclosed to the person by a credit provider under paragraph 21G(3)(c);
the person must not use or disclose the information, or any personal information about the individual derived from that information.
(a) the person uses the information for the purpose for which it was disclosed to the person under paragraph 21G(3)(c); or
(b) the information was disclosed to the recipient by a credit provider under subsection 21N(2);
the recipient must not use or disclose the information, or any personal information about the individual derived from that information.
Notification of recipients of disclosed information
(a) a credit reporting body discloses credit reporting information to which the complaint relates under Division 2 of this Part; and
(a) a credit provider discloses personal information to which the complaint relates under Division 3 of this Part or under the Australian Privacy Principles; and
(i) an entity to which the body is permitted to disclose the information under Division 2 of this Part; or
(a) an entity to which the body is permitted to disclose the information under Division 2 of this Part; or
(i) an entity to which the provider is permitted to disclose the information under Division 3 of this Part; or
(a) an entity to which the provider is permitted to disclose the information under Division 3 of this Part; or
(a) an APP entity has disclosed personal information about one or more individuals to an overseas recipient; and
(i) a credit provider has disclosed, under paragraph 21G(3)(b) or (c), credit eligibility information about one or more individuals to a related body corporate, or person, that does not have an Australian link; or
(ii) a credit provider has disclosed, under subsection 21M(1), credit eligibility information about one or more individuals to a body or person that does not have an Australian link; and
(f) disclose, or enable a person to ascertain, the existence or identity of a confidential source of information in relation to the enforcement of the criminal law;
duty of confidence means any duty or obligation arising under the common law or at equity pursuant to which a person is obliged not to disclose information, but does not include legal professional privilege.
(1) At any time when an emergency declaration is in force in relation to an emergency or disaster, an entity may collect, use or disclose personal information relating to an individual if:
(6) A collection, use or disclose of personal information by an officer or employee of an agency in the course of duty as an officer or employee is authorised by subsection (1) only if the officer or employee is authorised by the agency to collect, use or disclose the personal information.
(a) personal information that relates to an individual is disclosed to the first person because of the operation of this Part; and
(b) the first person subsequently discloses the personal information; and
(2) Nothing in this Part is to be taken to require an entity to collect, use or disclose personal information.
(1) A member who has a direct or indirect pecuniary interest in a matter being considered or about to be considered by the Advisory Committee, being an interest that could conflict with the proper performance of that member’s functions in relation to the consideration of the matter, shall, as soon as practicable after the relevant facts have come to the knowledge of that member, disclose the nature of that interest at a meeting of the Advisory Committee.
(c) the purposes for which the entity collects, holds, uses and discloses personal information;
(f) whether the entity is likely to disclose personal information to overseas recipients;
(g) if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
4.2 The APP entity may use or disclose the personal information for the purposes of making the determination under subclause 4.1.
(f) any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity;
(i) whether the APP entity is likely to disclose the personal information to overseas recipients;
(j) if the APP entity is likely to disclose the personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.
6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
(a) the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
the entity must take such steps as are reasonable in the circumstances to ensure that the information is de identified before the entity discloses it in accordance with subclause 6.1 or 6.2.
6.5 If an APP entity uses or discloses personal information in accordance with paragraph 6.2(e), the entity must make a written note of the use or disclosure.
7.1 If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.
7.2 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
(b) the individual would reasonably expect the organisation to use or disclose the information for that purpose; and
7.3 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
(i) the individual and the individual would not reasonably expect the organisation to use or disclose the information for that purpose; or
7.4 Despite subclause 7.1, an organisation may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.
7.5 Despite subclause 7.1, an organisation may use or disclose personal information for the purpose of direct marketing if:
7.6 If an organisation (the first organisation) uses or discloses personal information about an individual:
(d) if paragraph (b) applies—request the organisation not to use or disclose the information for the purpose referred to in that paragraph; and
8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
9.2 An organisation must not use or disclose a government related identifier of an individual unless:
10.2 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
(b) the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and
(a) the APP entity corrects personal information about an individual that the entity previously disclosed to another APP entity; and