Division 1 - General definitions
6 - Interpretation6AA - Meaning of responsible person6A - Breach of an Australian Privacy Principle6B - Breach of a registered APP code6BA - Breach of the registered CR code6C - Organisations6D - Small business and small business operators6DA - What is the annual turnover of a business?6E - Small business operator treated as organisation6EA - Small business operators choosing to be treated as organisations6F - State instrumentalities etc. treated as organisations6FA - Meaning of health information6FB - Meaning of health serviceDivision 2 - Key definitions relating to credit reporting
Subdivision A - Credit provider
6G - Meaning of credit provider6H - Agents of credit providers6J - Securitisation arrangements etc.6K - Acquisition of the rights of a credit providerSubdivision B - Other definitions
6L - Meaning of access seeker6M - Meaning of credit and amount of credit6N - Meaning of credit information6P - Meaning of credit reporting business6Q - Meaning of default information6R - Meaning of information request6S - Meaning of new arrangement information6T - Meaning of payment information6U - Meaning of personal insolvency information6V - Meaning of repayment history informationDivision 3 - Other matters
7 - Acts and practices of agencies, organisations etc.7A - Acts of certain agencies treated as acts of organisation7B - Exempt acts and exempt practices of organisations7C - Political acts and practices are exempt8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.10 - Agencies that are taken to hold a record11 - File number recipients12A - Act not to apply in relation to State banking or insurance within that State12B - Severability—additional effect of this ActDivision 1 - Interferences with privacy
13 - Interferences with privacy13B - Related bodies corporate13C - Change in partnership because of change in partners13D - Overseas act required by foreign law13E - Effect of sections 13B, 13C and 13D13F - Act or practice not covered by section 13 is not an interference with privacy13G - Serious and repeated interferences with privacyDivision 2 - Australian Privacy Principles
14 - Australian Privacy Principles15 - APP entities must comply with Australian Privacy Principles16 - Personal, family or household affairs16A - Permitted general situations in relation to the collection, use or disclosure of personal information16B - Permitted health situations in relation to the collection, use or disclosure of health information16C - Acts and practices of overseas recipients of personal informationDivision 4 - Tax file number information
17 - Rules relating to tax file number information18 - File number recipients to comply with rulesDivision 1 - Introduction
19 - Guide to this PartDivision 2 - Credit reporting bodies
Subdivision A - Introduction and application of this Division etc.
20 - Guide to this Division20A - Application of this Division and the Australian Privacy Principles to credit reporting bodiesSubdivision B - Consideration of information privacy
20B - Open and transparent management of credit reporting informationSubdivision C - Collection of credit information
20C - Collection of solicited credit information20D - Dealing with unsolicited credit informationSubdivision D - Dealing with credit reporting information etc.
20E - Use or disclosure of credit reporting information20F - Permitted CRB disclosures in relation to individuals20G - Use or disclosure of credit reporting information for the purposes of direct marketing20H - Use or disclosure of pre screening assessments20J - Destruction of pre screening assessment20K - No use or disclosure of credit reporting information during a ban period20L - Adoption of government related identifiers20M - Use or disclosure of credit reporting information that is de identifiedSubdivision E - Integrity of credit reporting information
20N - Quality of credit reporting information20P - False or misleading credit reporting information20Q - Security of credit reporting informationSubdivision F - Access to, and correction of, information
20R - Access to credit reporting information20S - Correction of credit reporting information20T - Individual may request the correction of credit information etc.20U - Notice of correction etc. must be givenSubdivision G - Dealing with credit reporting information after the retention period ends etc.
20V - Destruction etc. of credit reporting information after the retention period ends20W - Retention period for credit information—general20X - Retention period for credit information—personal insolvency information20Y - Destruction of credit reporting information in cases of fraud20Z - Dealing with information if there is a pending correction request etc.20ZA - Dealing with information if an Australian law etc. requires it to be retainedDivision 3 - Credit providers
Subdivision A - Introduction and application of this Division
21 - Guide to this Division21A - Application of this Division to credit providersSubdivision B - Consideration of information privacy
21B - Open and transparent management of credit information etc.Subdivision C - Dealing with credit information
21C - Additional notification requirements for the collection of personal information etc.21D - Disclosure of credit information to a credit reporting body21E - Payment information must be disclosed to a credit reporting body21F - Limitation on the disclosure of credit information during a ban periodSubdivision D - Dealing with credit eligibility information etc.
21G - Use or disclosure of credit eligibility information21H - Permitted CP uses in relation to individuals21J - Permitted CP disclosures between credit providers21K - Permitted CP disclosures relating to guarantees etc.21L - Permitted CP disclosures to mortgage insurers21M - Permitted CP disclosures to debt collectors21N - Permitted CP disclosures to other recipients21NA - Disclosures to certain persons and bodies that do not have an Australian link21P - Notification of a refusal of an application for consumer creditSubdivision E - Integrity of credit information and credit eligibility information
21Q - Quality of credit eligibility information21R - False or misleading credit information or credit eligibility information21S - Security of credit eligibility informationSubdivision F - Access to, and correction of, information
21T - Access to credit eligibility information21U - Correction of credit information or credit eligibility information21V - Individual may request the correction of credit information etc.21W - Notice of correction etc. must be givenDivision 4 - Affected information recipients
22 - Guide to this DivisionSubdivision A - Consideration of information privacy
22A - Open and transparent management of regulated informationSubdivision B - Dealing with regulated information
22B - Additional notification requirements for affected information recipients22C - Use or disclosure of information by mortgage insurers or trade insurers22D - Use or disclosure of information by a related body corporate22E - Use or disclosure of information by credit managers etc.22F - Use or disclosure of information by advisers etc.Division 5 - Complaints
23 - Guide to this Division23A - Individual may complain about a breach of a provision of this Part etc.23B - Dealing with complaints23C - Notification requirements relating to correction complaintsDivision 6 - Unauthorised obtaining of credit reporting information etc.
24 - Obtaining credit reporting information from a credit reporting body24A - Obtaining credit eligibility information from a credit providerDivision 7 - Court orders
25 - Compensation orders25A - Other orders to compensate loss or damageDivision 1 - Introduction
26 - Guide to this PartDivision 2 - Registered APP codes
Subdivision A - Compliance with registered APP codes etc.
26A - APP entities to comply with binding registered APP codes26B - What is a registered APP code26C - What is an APP code26D - Extension of Act to exempt acts or practices covered by registered APP codesSubdivision B - Development and registration of APP codes
26E - Development of APP codes by APP code developers26F - Application for registration of APP codes26G - Development of APP codes by the Commissioner26H - Commissioner may register APP codesSubdivision C - Variation and removal of registered APP codes
26J - Variation of registered APP codes26K - Removal of registered APP codesDivision 3 - Registered CR code
Subdivision A - Compliance with the registered CR code
26L - Entities to comply with the registered CR code if bound by the code26M - What is the registered CR code26N - What is a CR codeSubdivision B - Development and registration of CR code
26P - Development of CR code by CR code developers26Q - Application for registration of CR code26R - Development of CR code by the Commissioner26S - Commissioner may register CR codeSubdivision C - Variation of the registered CR code
26T - Variation of the registered CR codeDivision 4 - General matters
26U - Codes Register26V - Guidelines relating to codes26W - Review of operation of registered codesDivision 1 - Introduction
26WA - Simplified outline of this Part26WB - Entity26WC - Deemed holding of information26WD - Exception—notification under the My Health Records Act 2012Division 2 - Eligible data breach
26WE - Eligible data breach26WF - Exception—remedial action26WG - Whether access or disclosure would be likely, or would not be likely, to result in serious harm—relevant mattersDivision 3 - Notification of eligible data breaches
Subdivision A - Suspected eligible data breaches
26WH - Assessment of suspected eligible data breach26WJ - Exception—eligible data breaches of other entitiesSubdivision B - General notification obligations
26WK - Statement about eligible data breach26WL - Entity must notify eligible data breach26WM - Exception—eligible data breaches of other entities26WN - Exception—enforcement related activities26WP - Exception—inconsistency with secrecy provisions26WQ - Exception—declaration by CommissionerSubdivision C - Commissioner may direct entity to notify eligible data breach
26WR - Commissioner may direct entity to notify eligible data breach26WS - Exception—enforcement related activities26WT - Exception—inconsistency with secrecy provisionsDivision 2 - Functions of Commissioner
27 - Functions of the Commissioner28 - Guidance related functions of the Commissioner28A - Monitoring related functions of the Commissioner28B - Advice related functions of the Commissioner29 - Commissioner must have due regard to the objects of the ActDivision 3 - Reports by Commissioner
30 - Reports following investigation of act or practice31 - Report following examination of proposed enactment32 - Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.33 - Exclusion of certain matters from reportsDivision 3A - Assessments by, or at the direction of, the Commissioner
33C - Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.33D - Commissioner may direct an agency to give a privacy impact assessmentDivision 4 - Miscellaneous
34 - Provisions relating to documents exempt under the Freedom of Information Act 198235 - Direction where refusal or failure to amend exempt document35A - Commissioner may recognise external dispute resolution schemesDivision 1A - Introduction
36A - Guide to this PartDivision 1 - Investigation of complaints and investigations on the Commissioner’s initiative
36 - Complaints37 - Principal executive of agency38 - Conditions for making a representative complaint38A - Commissioner may determine that a complaint is not to continue as a representative complaint38B - Additional rules applying to the determination of representative complaints38C - Amendment of representative complaints39 - Class member for representative complaint not entitled to lodge individual complaint40 - Investigations40A - Conciliation of complaints41 - Commissioner may or must decide not to investigate etc. in certain circumstances42 - Preliminary inquiries43 - Conduct of investigations43A - Interested party may request a hearing44 - Power to obtain information and documents45 - Power to examine witnesses46 - Directions to persons to attend compulsory conference47 - Conduct of compulsory conference48 - Complainant and certain other persons to be informed of various matters49 - Investigation under section 40 to cease if certain offences may have been committed49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened50 - Reference of matters to other authorities50A - Substitution of respondent to complaint51 - Effect of investigation by Auditor GeneralDivision 2 - Determinations following investigation of complaints
52 - Determination of the Commissioner53 - Determination must identify the class members who are to be affected by the determination53A - Notice to be given to outsourcing agency53B - Substituting an agency for a contracted service providerDivision 3 - Enforcement
54 - Application of Division55 - Obligations of organisations and small business operators55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination55B - Evidentiary certificateDivision 4 - Review and enforcement of determinations involving Commonwealth agencies
57 - Application of Division58 - Obligations of agencies59 - Obligations of principal executive of agency60 - Compensation and expenses62 - Enforcement of determination against an agencyDivision 5 - Miscellaneous
63 - Legal assistance64 - Commissioner etc. not to be sued65 - Failure to attend etc. before Commissioner66 - Failure to give information etc.67 - Protection from civil actions68 - Power to enter premises68A - Identity cards70 - Certain documents and information not required to be disclosed70B - Application of this Part to former organisationsDivision 1 - Public interest determinations
71 - Interpretation72 - Power to make, and effect of, determinations73 - Application by APP entity74 - Publication of application etc.75 - Draft determination76 - Conference77 - Conduct of conference78 - Determination of application79 - Making of determinationDivision 2 - Temporary public interest determinations
80A - Temporary public interest determinations80B - Effect of temporary public interest determination80D - Commissioner may continue to consider applicationDivision 3 - Register of determinations
80E - Register of determinationsDivision 1 - Object and interpretation
80F - Object80G - Interpretation80H - Meaning of permitted purposeDivision 2 - Declaration of emergency
80J - Declaration of emergency—events of national significance80K - Declaration of emergency—events outside Australia80L - Form of declarations80M - When declarations take effect80N - When declarations cease to have effectDivision 3 - Provisions dealing with the use and disclosure of personal information
80P - Authorisation of collection, use and disclosure of personal informationDivision 4 - Other matters
80Q - Disclosure of information—offence80R - Operation of Part80S - Severability—additional effect of Part80T - Compensation for acquisition of property—constitutional safety netDivision 1 - Civil penalties
80U - Civil penalty provisionsDivision 2 - Enforceable undertakings
80V - Enforceable undertakingsDivision 3 - Injunctions
80W - Injunctions95 - Medical research guidelines95A - Guidelines for Australian Privacy Principles about health information95AA - Guidelines for Australian Privacy Principles about genetic information95B - Requirements for Commonwealth contracts95C - Disclosure of certain provisions of Commonwealth contracts96 - Review by the Administrative Appeals Tribunal98A - Treatment of partnerships98B - Treatment of unincorporated associations98C - Treatment of trusts99A - Conduct of directors, employees and agents100 - Regulations
Part 1 - Consideration of personal information privacy
1 - Australian Privacy Principle 1—open and transparent management of personal information2 - Australian Privacy Principle 2—anonymity and pseudonymityPart 2 - Collection of personal information
3 - Australian Privacy Principle 3—collection of solicited personal information4 - Australian Privacy Principle 4—dealing with unsolicited personal information5 - Australian Privacy Principle 5—notification of the collection of personal informationPart 3 - Dealing with personal information
6 - Australian Privacy Principle 6—use or disclosure of personal information7 - Australian Privacy Principle 7—direct marketing8 - Australian Privacy Principle 8—cross border disclosure of personal information9 - Australian Privacy Principle 9—adoption, use or disclosure of government related identifiersPart 4 - Integrity of personal information
10 - Australian Privacy Principle 10—quality of personal information11 - Australian Privacy Principle 11—security of personal informationPart 5 - Access to, and correction of, personal information
12 - Australian Privacy Principle 12—access to personal information13 - Australian Privacy Principle 13—correction of personal informationIt is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction or disclosure of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.
(b) because it involved an unauthorised requirement or request for disclosure of a tax file number.
permitted CP disclosure has the meaning given by sections 21J to 21N.
permitted CRB disclosure has the meaning given by section 20F.
No breach—disclosure to the National Archives of Australia
(3) An act or practice does not breach an Australian Privacy Principle if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the National Archives of Australia to decide whether to accept, or to arrange, care (as defined in that Act) of the record.
No breach—disclosure to the National Archives of Australia
(3) An act or practice does not breach a registered APP code if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the National Archives of Australia to decide whether to accept, or to arrange, care (as defined in that Act) of the record.
(ii) the desirability of regulating under this Act the collection, holding, use, correction and disclosure of personal information by the instrumentality; and
(iii) whether the law of the State or Territory regulates the collection, holding, use, correction and disclosure of personal information by the instrumentality to a standard that is at least equivalent to the standard that would otherwise apply to the instrumentality under this Act; and
Disclosure compelled or made with consent
(b) consult the Commissioner about the desirability of regulating under this Act the collection, holding, use, correction and disclosure of personal information by the authority or instrumentality.
(1A) Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice so far as it involves the disclosure of personal information to:
(1B) Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice by an agency with an intelligence role or function (within the meaning of the Office of National Intelligence Act 2018) so far as it involves the disclosure of personal information to the Office of National Intelligence.
Note: To avoid doubt, this section does not make exempt for the purposes of paragraph 7(1)(ee) an act or practice of the political representative, contractor, subcontractor or volunteer for a registered political party involving the use or disclosure (by way of sale or otherwise) of personal information in a way not covered by subsection (1), (2), (3) or (4) (as appropriate). The rest of this Act operates normally in relation to that act or practice.
(b) a communication (including a complaint, notice, request or disclosure of information) made to a partner is taken to have been made to the organisation.
(b) a communication (including a complaint, notice, request or disclosure of information) made to a member of the committee of management of the association is taken to have been made to the organisation.
(b) a communication (including a complaint, notice or request or disclosure of information) made to a trustee is taken to have been made to the organisation.
(b) the act or practice involves an unauthorised requirement or request for disclosure of the tax file number of the individual.
(b) the disclosure of personal information (other than sensitive information) about the individual by the body corporate to a related body corporate.
(b) a related body corporate whose disclosure of the information to the body corporate is an exempt act or exempt practice for the purposes of paragraph 7(1)(ee); or
(c) a related body corporate whose disclosure of the information to the body corporate is not an interference with privacy because of section 13D.
neither the disclosure (if any) by the old partnership, nor the collection (if any) by the new partnership, of the information that was necessary for the new partnership to hold the information immediately after its formation constitutes an interference with the privacy of the individual.
(a) the collection, holding, use or disclosure of personal information by an individual; or
(1) A permitted general situation exists in relation to the collection, use or disclosure by an APP entity of personal information about an individual, or of a government related identifier of an individual, if:
| Permitted general situations | |||
|---|---|---|---|
| Item | Column 1 Kind of entity | Column 2 Item applies to | Column 3 Condition(s) |
| 1 | APP entity | (a) personal information; or (b) a government related identifier. | (a) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and (b) the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. |
| 2 | APP entity | (a) personal information; or (b) a government related identifier. | (a) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and (b) the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter. |
| 3 | APP entity | Personal information | (a) the entity reasonably believes that the collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing; and (b) the collection, use or disclosure complies with the rules made under subsection (2). |
| 4 | APP entity | Personal information | The collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim. |
| 5 | APP entity | Personal information | The collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process. |
| 6 | Agency | Personal information | The entity reasonably believes that the collection, use or disclosure is necessary for the entity’s diplomatic or consular functions or activities. |
| 7 | Defence Force | Personal information | The entity reasonably believes that the collection, use or disclosure is necessary for any of the following occurring outside Australia and the external Territories: (a) war or warlike operations; (b) peacekeeping or peace enforcement; (c) civil aid, humanitarian assistance, medical or civil emergency or disaster relief. |
(2) The Commissioner may, by legislative instrument, make rules relating to the collection, use or disclosure of personal information that apply for the purposes of item 3 of the table in subsection (1).
Use or disclosure—research etc.
(3) A permitted health situation exists in relation to the use or disclosure by an organisation of health information about an individual if:
(a) the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; and
(b) it is impracticable for the organisation to obtain the individual’s consent to the use or disclosure; and
(c) the use or disclosure is conducted in accordance with guidelines approved under section 95A for the purposes of this paragraph; and
(d) in the case of disclosure—the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information.
Use or disclosure—genetic information
(4) A permitted health situation exists in relation to the use or disclosure by an organisation of genetic information about an individual (the first individual) if:
(b) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the first individual; and
(c) the use or disclosure is conducted in accordance with guidelines approved under section 95AA; and
(d) in the case of disclosure—the recipient of the information is a genetic relative of the first individual.
Disclosure—responsible person for an individual
(5) A permitted health situation exists in relation to the disclosure by an organisation of health information about an individual if:
(i) is physically or legally incapable of giving consent to the disclosure; or
(ii) physically cannot communicate consent to the disclosure; and
(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or
(ii) the disclosure is made for compassionate reasons; and
(e) the disclosure is not contrary to any wish:
(f) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (d).
(b) Australian Privacy Principle 8.1 applies to the disclosure of the information; and
Prohibition on use or disclosure
Permitted disclosures
(3) Subsection (1) does not apply to the disclosure of credit reporting information about the individual if:
(a) the disclosure is a permitted CRB disclosure in relation to the individual; or
(b) the disclosure is to another credit reporting body that has an Australian link; or
(i) the disclosure is for the purposes of a recognised external dispute resolution scheme;
(i) the disclosure is to an enforcement body;
(e) the disclosure is required or authorised by or under an Australian law or a court/tribunal order; or
(f) the disclosure is a disclosure prescribed by the regulations.
(5) If a credit reporting body discloses credit reporting information under this section, the body must make a written note of that disclosure.
No use or disclosure for the purposes of direct marketing
(6) This section does not apply to the use or disclosure of credit reporting information for the purposes of direct marketing.
Note: Section 20G deals with the use or disclosure of credit reporting information for the purposes of direct marketing.
(1) A disclosure by a credit reporting body of credit reporting information about an individual is a permitted CRB disclosure in relation to the individual if:
(a) the disclosure is to an entity that is specified in an item of the table and that has an Australian link; and
| Permitted CRB disclosures | ||
|---|---|---|
| Item | If the disclosure is to ... | the condition or conditions are ... |
| 1 | a credit provider | the provider requests the information for a consumer credit related purpose of the provider in relation to the individual. |
| 2 | a credit provider | (a) the provider requests the information for a commercial credit related purpose of the provider in relation to a person; and (b) the individual expressly consents to the disclosure of the information to the provider for that purpose. |
| 3 | a credit provider | (a) the provider requests the information for a credit guarantee purpose of the provider in relation to the individual; and (b) the individual expressly consents, in writing, to the disclosure of the information to the provider for that purpose. |
| 4 | a credit provider | the credit reporting body is satisfied that the provider, or another credit provider, believes on reasonable grounds that the individual has committed a serious credit infringement. |
| 5 | a credit provider | (a) the credit reporting body holds consumer credit liability information that relates to consumer credit provided by the provider to the individual; and (b) the consumer credit has not been terminated, or has not otherwise ceased to be in force. |
| 6 | a credit provider under subsection 6J(1) | the provider requests the information for a securitisation related purpose of the provider in relation to the individual. |
| 7 | a mortgage insurer | the insurer requests the information for a mortgage insurance purpose of the insurer in relation to the individual. |
| 8 | a trade insurer | (a) the insurer requests the information for a trade insurance purpose of the insurer in relation to the individual; and (b) the individual expressly consents, in writing, to the disclosure of the information to the insurer for that purpose. |
Use or disclosure by credit reporting bodies
(3) If the credit reporting body discloses the pre screening assessment under subsection (2), the body must make a written note of that disclosure.
Use or disclosure by recipients
(a) the individual expressly consents, in writing, to the use or disclosure of the credit reporting information under this Division; or
(b) the use or disclosure of the credit reporting information is required by or under an Australian law or a court/tribunal order.
Use or disclosure
(2) Subsection (1) does not apply to the use or disclosure of the de identified information if:
(a) the use or disclosure is for the purposes of conducting research in relation to credit; and
(3) The Commissioner may, by legislative instrument, make rules relating to the use or disclosure by a credit reporting body of de identified information for the purposes of conducting research in relation to credit.
(2) A credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit reporting information the body uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
(b) from unauthorised access, modification or disclosure.
(ii) from unauthorised access, modification or disclosure; and
(4) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
Use or disclosure
(a) the use or disclosure is for the purposes of the pending correction request, or pending dispute, in relation to the information; or
(b) the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
(5) If the credit reporting body uses or discloses the information under subsection (4), the body must make a written note of the use or disclosure.
Use or disclosure
(3) However, the credit reporting body may use or disclose the information under this subsection if the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
(4) If the credit reporting body uses or discloses the information under subsection (3), the body must make a written note of the use or disclosure.
(5) Subdivision E of this Division (other than section 20Q) does not apply in relation to the use or disclosure of the information.
Prohibition on disclosure
Permitted disclosure
(2) Subsection (1) does not apply to the disclosure of credit information about the individual if:
Note: Section 21F limits the disclosure of credit information if there is a ban period for the information.
(iii) the provider complies with any requirements relating to the disclosure of the information that are prescribed by the regulations; and
Written note of disclosure
(6) If a credit provider discloses credit information under this section, the provider must make a written note of that disclosure.
(7) If a credit provider is an APP entity, Australian Privacy Principles 6 and 8 do not apply to the disclosure by the provider of credit information to a credit reporting body.
Prohibition on use or disclosure
Permitted disclosures
(3) Subsection (1) does not apply to the disclosure of credit eligibility information about the individual if:
(a) the disclosure is a permitted CP disclosure in relation to the individual; or
(b) the disclosure is to a related body corporate of the credit provider; or
(c) the disclosure is to:
(i) the disclosure is for the purposes of a recognised external dispute resolution scheme;
(f) the disclosure is required or authorised by or under an Australian law or a court/tribunal order; or
(g) the disclosure is a disclosure prescribed by the regulations.
Note: See section 21NA for additional rules about the disclosure of credit eligibility information under paragraph (3)(b) or (c).
(b) the disclosure is a permitted CP disclosure within the meaning of section 21L; or
Written note of use or disclosure
(6) If a credit provider uses or discloses credit eligibility information under this section, the provider must make a written note of that use or disclosure.
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to another credit provider (the recipient) for a particular purpose; and
(c) the individual expressly consents to the disclosure of the information to the recipient for that purpose.
(i) the disclosure of the information to the recipient is for the purpose of assessing an application for consumer credit or commercial credit made to the recipient; and
(3) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(4) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(e) the disclosure of the information is reasonably necessary for:
(5) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to another credit provider that has an Australian link; and
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(b) the disclosure is to a person for the purpose of that person considering whether:
(d) the individual expressly consents to the disclosure of the information to the person for that purpose.
(3) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to a person who:
(i) the individual expressly consents to the disclosure of the information to the person; or
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if the disclosure is to a mortgage insurer that has an Australian link for:
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to a person or body that carries on a business or undertaking that involves the collection of debts on behalf of others; and
Note: See section 21NA for additional rules about the disclosure of credit eligibility information under this subsection.
(1) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to a State or Territory authority; and
(2) A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to one or more of the following (the recipient):
(a) for a disclosure under paragraph 21G(3)(b)—section 22D;
(b) for a disclosure under paragraph 21G(3)(c)—section 22E;
(2) A credit provider must take such steps (if any) as are reasonable in the circumstances to ensure that the credit eligibility information the provider uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
(b) from unauthorised access, modification or disclosure.
(4) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
Prohibition on use or disclosure
Permitted disclosure
(3) Subsection (1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
Prohibition on use or disclosure
Permitted use or disclosure
(2) Subsection (1) does not apply to the use or disclosure of the information by the body corporate if the body would be permitted to use or disclose the information under section 21G if the body were the credit provider.
Prohibition on use or disclosure
Permitted disclosure
(3) Subsection (1) does not apply to the disclosure of the information if:
(a) the disclosure is to the credit provider; or
(b) the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
Prohibition on use or disclosure
Permitted disclosure
(3) Subsection (1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
(3) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
(b) at the time of the disclosure, a decision about the complaint under subsection 23B(4) has not been made;
(b) at the time of the disclosure, a decision about the complaint under subsection 23B(4) has not been made;
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
(b) Australian Privacy Principle 8.1 applied to the disclosure of the personal information; and
(b) an unauthorised disclosure of information; or
has been, or is required to be, notified under section 75 of the My Health Records Act 2012, this Part does not apply in relation to the access, disclosure or loss.
(i) there is unauthorised access to, or unauthorised disclosure of, the information;
(ii) a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
(i) unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
(ii) assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;
(c) the access or disclosure covered by paragraph (a), or the loss covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and
Access to, or disclosure of, information
(a) an access to, or disclosure of, information is covered by paragraph 26WE(2)(a); and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the access or disclosure; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before the access or disclosure results in serious harm to any of the individuals to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals;
the access or disclosure is not, and is taken never to have been:
(a) an access to, or disclosure of, information is covered by paragraph 26WE(2)(a); and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the access or disclosure; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before the access or disclosure results in serious harm to a particular individual to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to the individual;
to take steps to notify the individual of the contents of a statement that relates to the access or disclosure.
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before there is unauthorised access to, or unauthorised disclosure of, the information; and
(d) as a result of the action, there is no unauthorised access to, or unauthorised disclosure of, the information;
(i) after there is unauthorised access to, or unauthorised disclosure of, the information; and
(ii) before the access or disclosure results in serious harm to any of the individuals to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals;
(i) after there is unauthorised access to, or unauthorised disclosure of, the information; and
(ii) before the access or disclosure results in serious harm to a particular individual to whom the information relates; and
(d) as a result of the action, a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to the individual;
For the purposes of this Division, in determining whether a reasonable person would conclude that an access to, or a disclosure of, information:
(b) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities;
(4) If the entity has reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, the statement referred to in subparagraph (2)(a)(i) may also set out the identity and contact details of those other entities.
(b) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities;
(e) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities.
(b) prohibits or regulates the use or disclosure of information.
are taken not to be provisions that require or authorise the use or disclosure of information.
(ii) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities; or
(ii) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities;
(b) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities;
(a) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities; and
(8) If the Commissioner is aware that there are reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, a direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out the identity and contact details of those other entities.
(b) prohibits or regulates the use or disclosure of information.
are taken not to be provisions that require or authorise the use or disclosure of information.
(ii) are taking adequate measures to prevent the unlawful disclosure of such information;
(ii) is taking adequate measures to prevent the unlawful disclosure of the tax file number information that he or she holds;
(c) the disclosure of deliberations or decisions of the Cabinet, or of a Committee of the Cabinet, of the Commonwealth or of a State;
(d) the disclosure of deliberations or advice of the Federal Executive Council or the Executive Council of a State;
(da) the disclosure of the deliberations or decisions of the Australian Capital Territory Executive or of a committee of that Executive;
(e) the disclosure, or the ascertaining by a person, of the existence or identity of a confidential source of information in relation to the enforcement of the criminal law;
(h) the disclosure of information the disclosure of which is prohibited, absolutely or subject to qualifications, by or under another enactment;
(j) the unreasonable disclosure of the personal affairs of any person; and
(k) the unreasonable disclosure of confidential commercial information.
(b) involve the disclosure of communications between a Minister of the Commonwealth and a Minister of a State, being a disclosure that would prejudice relations between the Commonwealth Government and the Government of a State;
(c) involve the disclosure of deliberations or decisions of the Cabinet or of a Committee of the Cabinet;
(d) involve the disclosure of deliberations or advice of the Executive Council;
(2) The Commissioner shall not, except with the consent of the agency, permit the disclosure to another body or person of information contained in a document provided by an agency as part of, or in support of, an application if the agency has informed the Commissioner in writing that the agency claims that the document is an exempt document within the meaning of Part IV of the Freedom of Information Act 1982.
The object of this Part is to make special provision for the collection, use and disclosure of personal information in emergencies and disasters.
secrecy provision means a provision of a law of the Commonwealth (including a provision of this Act), or of a Norfolk Island enactment, that prohibits or regulates the use or disclosure of personal information, whether the provision relates to the use or disclosure of personal information generally or in specified circumstances.
(b) the collection, use or disclosure is for a permitted purpose in relation to the emergency or disaster; and
(c) in the case of a disclosure of the personal information by an agency—the disclosure is to:
(d) in the case of a disclosure of the personal information by an organisation or another person—the disclosure is to:
(e) in the case of any disclosure of the personal information—the disclosure is not to a media organisation.
(2) An entity is not liable to any proceedings for contravening a secrecy provision in respect of a use or disclosure of personal information authorised by subsection (1), unless the secrecy provision is a designated secrecy provision (see subsection (7)).
(3) An entity is not liable to any proceedings for contravening a duty of confidence in respect of a disclosure of personal information authorised by subsection (1).
(4) An entity does not breach an Australian Privacy Principle, or a registered APP code that binds the entity, in respect of a collection, use or disclosure of personal information authorised by subsection (1).
(2) Subsection (1) does not apply to the following disclosures:
(a) if the first person is an APP entity—a disclosure permitted under an Australian Privacy Principle or a registered APP code that binds the person;
(c) a disclosure permitted under section 80P;
(d) a disclosure made with the consent of the individual to whom the personal information relates;
(e) a disclosure to the individual to whom the personal information relates;
(f) a disclosure to a court;
(g) a disclosure prescribed by the regulations.
(3) If a disclosure of personal information is covered by subsection (2), the disclosure is authorised by this section.
(1) Without limiting its effect apart from each of the following subsections of this section, this Part has effect in relation to a collection, use or disclosure as provided by that subsection.
(2) This Part has the effect it would have if its operation in relation to a collection, use or disclosure were expressly confined to a collection, use or disclosure by a corporation.
(3) This Part also has the effect it would have if its operation in relation to a collection, use or disclosure were expressly confined to a collection, use or disclosure taking place in the course of, or in relation to, trade or commerce:
(4) This Part also has the effect it would have if its operation in relation to a collection, use or disclosure were expressly confined to a collection, use or disclosure using a postal, telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution.
(5) This Part also has the effect it would have if its operation in relation to a collection, use or disclosure were expressly confined to a collection, use or disclosure taking place in a Territory.
(6) This Part also has the effect it would have if its operation in relation to a collection, use or disclosure were expressly confined to a collection, use or disclosure taking place in a place acquired by the Commonwealth for public purposes.
(7) This Part also has the effect it would have if its operation in relation to a collection, use or disclosure were expressly confined to a collection, use or disclosure by an agency.
(8) This Part also has the effect it would have if its operation in relation to a collection, use or disclosure were expressly confined to a collection, use or disclosure for purposes relating to the defence of the Commonwealth.
(9) This Part also has the effect that it would have if its operation in relation to a collection, use or disclosure were expressly confined to a collection, use or disclosure taking place outside Australia.
(10) This Part also has the effect that it would have if its operation in relation to a collection, use or disclosure were expressly confined to a collection, use or disclosure:
(11) This Part also has the effect that it would have if its operation in relation to a collection, use or disclosure were expressly confined to a collection, use or disclosure in relation to an emergency of national significance.
(2) A disclosure under subsection (1) at a meeting of the Advisory Committee shall be recorded in the minutes of the meeting.
(b) that has the effect of restricting or prohibiting, or imposing a liability (including a criminal liability) on a person in respect of, a disclosure or use of information.
Approving guidelines for use and disclosure
(2) For the purposes of paragraph 16B(3)(c), the Commissioner may, by notice in the Gazette, approve guidelines that relate to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety.
(3) The Commissioner may give an approval under subsection (2) only if satisfied that the public interest in the use and disclosure of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(3)).
Approving guidelines for use and disclosure
(2) For the purposes of paragraph 16B(4)(c), the Commissioner may, by legislative instrument, approve guidelines that relate to the use and disclosure of genetic information for the purposes of lessening or preventing a serious threat to the life, health or safety of an individual who is a genetic relative of the individual to whom the genetic information relates.
(i) has agreed that the adoption, use or disclosure of the identifier by the organisation, or the class of organisations, in the circumstances is appropriate; and
(ii) has consulted the Commissioner about that adoption, use or disclosure; and
(b) the adoption, use or disclosure of the identifier by the organisation, or the class of organisations, in the circumstances can only be for the benefit of the individual to whom the identifier relates.
(3) Subsection (2) does not apply to the making of regulations for the purposes of Australian Privacy Principle 9.3 that relate to the use or disclosure of a government related identifier by an organisation, or a class of organisations, in particular circumstances if:
(b) the circumstances of the use or disclosure of the identifier relate to the provision by:
Use or disclosure
(a) the individual has consented to the use or disclosure of the information; or
(b) subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.
Note: Australian Privacy Principle 8 sets out requirements for the disclosure of personal information to a person who is not in Australia or an external Territory.
6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if:
(b) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
(c) a permitted general situation exists in relation to the use or disclosure of the information by the APP entity; or
(d) the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
(e) the APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
6.3 This subclause applies in relation to the disclosure of personal information about an individual by an APP entity that is an agency if:
(d) the disclosure is conducted in accordance with the guidelines made by the Commissioner for the purposes of this paragraph.
Written note of use or disclosure
6.5 If an APP entity uses or discloses personal information in accordance with paragraph 6.2(e), the entity must make a written note of the use or disclosure.
6.7 This principle does not apply to the use or disclosure by an organisation of:
(i) the individual has consented to the use or disclosure of the information for that purpose; or
7.4 Despite subclause 7.1, an organisation may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.
(c) the use or disclosure is necessary to meet (directly or indirectly) such an obligation.
8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:
(i) the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;
(ii) after being so informed, the individual consents to the disclosure; or
(c) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by the APP entity; or
(e) the entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or
(i) the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body;
Use or disclosure of government related identifiers
(a) the use or disclosure of the identifier is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions; or
(b) the use or disclosure of the identifier is reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority; or
(c) the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or
(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the use or disclosure of the identifier; or
(e) the organisation reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
(f) subclause 9.3 applies in relation to the use or disclosure.
Regulations about adoption, use or disclosure
9.3 This subclause applies in relation to the adoption, use or disclosure by an organisation of a government related identifier of an individual if:
(c) the adoption, use or disclosure occurs in the circumstances prescribed by the regulations.
10.2 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
(b) from unauthorised access, modification or disclosure.
