6 - Interpretation
6AA - Meaning of responsible person
6A - Breach of an Australian Privacy Principle
6B - Breach of a registered APP code
6BA - Breach of the registered CR code
6C - Organisations
6D - Small business and small business operators
6DA - What is the annual turnover of a business?
6E - Small business operator treated as organisation
6EA - Small business operators choosing to be treated as organisations
6F - State instrumentalities etc. treated as organisations
6FA - Meaning of health information
6FB - Meaning of health service
6G - Meaning of credit provider
6H - Agents of credit providers
6J - Securitisation arrangements etc.
6K - Acquisition of the rights of a credit provider
6L - Meaning of access seeker
6M - Meaning of credit and amount of credit
6N - Meaning of credit information
6P - Meaning of credit reporting business
6Q - Meaning of default information
6R - Meaning of information request
6S - Meaning of new arrangement information
6T - Meaning of payment information
6U - Meaning of personal insolvency information
6V - Meaning of repayment history information
7 - Acts and practices of agencies, organisations etc.
7A - Acts of certain agencies treated as acts of organisation
7B - Exempt acts and exempt practices of organisations
7C - Political acts and practices are exempt
8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.
10 - Agencies that are taken to hold a record
11 - File number recipients
12A - Act not to apply in relation to State banking or insurance within that State
12B - Severability—additional effect of this Act
19 - Guide to this Part
20 - Guide to this Division
20A - Application of this Division and the Australian Privacy Principles to credit reporting bodies
20B - Open and transparent management of credit reporting information
20C - Collection of solicited credit information
20D - Dealing with unsolicited credit information
20E - Use or disclosure of credit reporting information
20F - Permitted CRB disclosures in relation to individuals
20G - Use or disclosure of credit reporting information for the purposes of direct marketing
20H - Use or disclosure of pre-screening assessments
20J - Destruction of pre-screening assessment
20K - No use or disclosure of credit reporting information during a ban period
20L - Adoption of government related identifiers
20M - Use or disclosure of credit reporting information that is de-identified
20N - Quality of credit reporting information
20P - False or misleading credit reporting information
20Q - Security of credit reporting information
20R - Access to credit reporting information
20S - Correction of credit reporting information
20T - Individual may request the correction of credit information etc.
20U - Notice of correction etc. must be given
20V - Destruction etc. of credit reporting information after the retention period ends
20W - Retention period for credit information—general
20X - Retention period for credit information—personal insolvency information
20Y - Destruction of credit reporting information in cases of fraud
20Z - Dealing with information if there is a pending correction request etc.
20ZA - Dealing with information if an Australian law etc. requires it to be retained
21 - Guide to this Division
21A - Application of this Division to credit providers
21B - Open and transparent management of credit information etc.
21C - Additional notification requirements for the collection of personal information etc.
21D - Disclosure of credit information to a credit reporting body
21E - Payment information must be disclosed to a credit reporting body
21F - Limitation on the disclosure of credit information during a ban period
21G - Use or disclosure of credit eligibility information
21H - Permitted CP uses in relation to individuals
21J - Permitted CP disclosures between credit providers
21K - Permitted CP disclosures relating to guarantees etc.
21L - Permitted CP disclosures to mortgage insurers
21M - Permitted CP disclosures to debt collectors
21N - Permitted CP disclosures to other recipients
21NA - Disclosures to certain persons and bodies that do not have an Australian link
21P - Notification of a refusal of an application for consumer credit
21Q - Quality of credit eligibility information
21R - False or misleading credit information or credit eligibility information
21S - Security of credit eligibility information
21T - Access to credit eligibility information
21U - Correction of credit information or credit eligibility information
21V - Individual may request the correction of credit information etc.
21W - Notice of correction etc. must be given
22 - Guide to this Division
22A - Open and transparent management of regulated information
22B - Additional notification requirements for affected information recipients
22C - Use or disclosure of information by mortgage insurers or trade insurers
22D - Use or disclosure of information by a related body corporate
22E - Use or disclosure of information by credit managers etc.
22F - Use or disclosure of information by advisers etc.
23 - Guide to this Division
23A - Individual may complain about a breach of a provision of this Part etc.
23B - Dealing with complaints
23C - Notification requirements relating to correction complaints
24 - Obtaining credit reporting information from a credit reporting body
24A - Obtaining credit eligibility information from a credit provider
25 - Compensation orders
25A - Other orders to compensate loss or damage
36A - Guide to this Part
36 - Complaints
37 - Principal executive of agency
38 - Conditions for making a representative complaint
38A - Commissioner may determine that a complaint is not to continue as a representative complaint
38B - Additional rules applying to the determination of representative complaints
38C - Amendment of representative complaints
39 - Class member for representative complaint not entitled to lodge individual complaint
40 - Investigations
40A - Conciliation of complaints
41 - Commissioner may or must decide not to investigate etc. in certain circumstances
42 - Preliminary inquiries
43 - Conduct of investigations
43A - Interested party may request a hearing
44 - Power to obtain information and documents
45 - Power to examine witnesses
46 - Directions to persons to attend compulsory conference
47 - Conduct of compulsory conference
48 - Complainant and certain other persons to be informed of various matters
49 - Investigation under section 40 to cease if certain offences may have been committed
49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened
50 - Reference of matters to other authorities
50A - Substitution of respondent to complaint
51 - Effect of investigation by Auditor-General
52 - Determination of the Commissioner
53 - Determination must identify the class members who are to be affected by the determination
53A - Notice to be given to outsourcing agency
53B - Substituting an agency for a contracted service provider
54 - Application of Division
55 - Obligations of organisations and small business operators
55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination
55B - Evidentiary certificate
57 - Application of Division
58 - Obligations of agencies
59 - Obligations of principal executive of agency
60 - Compensation and expenses
62 - Enforcement of determination against an agency
63 - Legal assistance
64 - Commissioner etc. not to be sued
65 - Failure to attend etc. before Commissioner
66 - Failure to give information etc.
67 - Protection from civil actions
68 - Power to enter premises
68A - Identity cards
70 - Certain documents and information not required to be disclosed
70B - Application of this Part to former organisations
80U - Civil penalty provisions
80V - Enforceable undertakings
80W - Injunctions
(e) an entity or adviser referred to in paragraph 21N(2)(a).
(a) an APP entity; or
APP entity means an agency or organisation.
authorised agent of a reporting entity means a person authorised to act on behalf of the reporting entity as mentioned in section 37 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
collects: an entity collects personal information only if the entity collects the personal information for inclusion in a record or generally available publication.
(a) an entity that is subject to Part IIIA; or
eligible hearing service provider means an entity (within the meaning of the Hearing Services Administration Act 1997):
entity means:
holds: an entity holds personal information if the entity has possession or control of a record that contains the personal information.
identifier of an individual means a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual, but does not include:
(d) if the recipient is an entity or adviser referred to in paragraph 21N(2)(a)—credit eligibility information disclosed to the recipient under subsection 21N(2).
reporting entity has the same meaning as in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
solicits: an entity solicits personal information if the entity requests another entity to provide the personal information, or to provide a kind of information in which that personal information is included.
tax file number information means information, whether compiled lawfully or unlawfully, and whether recorded in a material form or not, that records the tax file number of a person in a manner connecting it with the person’s identity.
Note: The annual turnover for a financial year of a business carried on by an entity that does not carry on another business will often be similar to the total of the instalment income the entity notifies to the Commissioner of Taxation for the 4 quarters in the year (or for the year, if the entity pays tax in annual instalments).
Small business operator that is a reporting entity
(1A) If a small business operator is a reporting entity or an authorised agent of a reporting entity because of anything done in the course of a small business carried on by the small business operator, this Act applies, with the prescribed modifications (if any), in relation to the activities carried on by the small business operator for the purposes of, or in connection with, activities relating to:
(a) an organisation or small business operator (the securitisation entity) carries on a business that is involved in either or both of the following:
(b) the securitisation entity performs a task that is reasonably necessary for:
then, while the securitisation entity performs such a task, the securitisation entity is a credit provider.
(3) If subsection (1) applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by both the original credit provider and the securitisation entity.
(4) If subsection (1) applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to both the original credit provider and the securitisation entity.
(1) A credit reporting business is a business or undertaking that involves collecting, holding, using or disclosing personal information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual.
(a) are done or engaged in by an agency specified in Division 1 of Part II of Schedule 2 to the Freedom of Information Act 1982 in relation to documents in respect of its commercial activities or the commercial activities of another entity; and
(1) An act or practice of an APP entity is an interference with the privacy of an individual if:
(b) the act or practice breaches a registered APP code that binds the entity in relation to personal information about the individual.
(2) An act or practice of an entity is an interference with the privacy of an individual if:
(b) the act or practice breaches the registered CR code in relation to personal information about the individual and the code binds the entity.
(4A) If an entity (within the meaning of Part IIIC) contravenes subsection 26WH(2), 26WK(2), 26WL(3) or 26WR(10), the contravention is taken to be an act that is an interference with the privacy of an individual.
An entity contravenes this subsection if:
(a) the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or
(b) the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
An APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle.
(1) A permitted general situation exists in relation to the collection, use or disclosure by an APP entity of personal information about an individual, or of a government related identifier of an individual, if:
(a) the entity is an entity of a kind specified in an item in column 1 of the table; and
Permitted general situations (table: Column 1 = Kind of entity; Column 2 = Item applies to; Column 3 = Condition(s))

Item 1
Column 1 (Kind of entity): APP entity
Column 2 (Item applies to): (a) personal information; or (b) a government related identifier.
Column 3 (Condition(s)): (a) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and (b) the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

Item 2
Column 1 (Kind of entity): APP entity
Column 2 (Item applies to): (a) personal information; or (b) a government related identifier.
Column 3 (Condition(s)): (a) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and (b) the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter.

Item 3
Column 1 (Kind of entity): APP entity
Column 2 (Item applies to): Personal information
Column 3 (Condition(s)): (a) the entity reasonably believes that the collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing; and (b) the collection, use or disclosure complies with the rules made under subsection (2).

Item 4
Column 1 (Kind of entity): APP entity
Column 2 (Item applies to): Personal information
Column 3 (Condition(s)): The collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim.

Item 5
Column 1 (Kind of entity): APP entity
Column 2 (Item applies to): Personal information
Column 3 (Condition(s)): The collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process.

Item 6
Column 1 (Kind of entity): Agency
Column 2 (Item applies to): Personal information
Column 3 (Condition(s)): The entity reasonably believes that the collection, use or disclosure is necessary for the entity’s diplomatic or consular functions or activities.

Item 7
Column 1 (Kind of entity): Defence Force
Column 2 (Item applies to): Personal information
Column 3 (Condition(s)): The entity reasonably believes that the collection, use or disclosure is necessary for any of the following occurring outside Australia and the external Territories: (a) war or warlike operations; (b) peacekeeping or peace enforcement; (c) civil aid, humanitarian assistance, medical or civil emergency or disaster relief.
(a) an APP entity discloses personal information about an individual to an overseas recipient; and
(a) to have been done, or engaged in, by the APP entity; and
(b) to be a breach of those Australian Privacy Principles by the APP entity.
(i) collects the credit information about the individual from an entity (other than a credit provider) in the course of carrying on a credit reporting business; and
(d) if the information is identification information about the individual—the body also collects from the entity, or already holds, credit information of another kind about the individual; and
(a) the disclosure is to an entity that is specified in an item of the table and that has an Australian link; and
(b) the recipient of the assessment is an entity (other than the provider) that has an Australian link.
(7) If the recipient is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the recipient in relation to a pre-screening assessment.
(1) If an entity has possession or control of a pre-screening assessment, the entity must destroy the assessment if:
(a) the entity no longer needs the assessment for any purpose for which it may be used or disclosed under section 20H; and
(b) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the assessment.
(2) If the entity is an APP entity but not a credit reporting body, Australian Privacy Principle 11.2 does not apply to the entity in relation to the pre-screening assessment.
(b) the individual believes on reasonable grounds that the individual has been, or is likely to be, a victim of fraud (including identity fraud); and
(c) the body believes on reasonable grounds that the individual has been, or is likely to be, a victim of fraud (including identity fraud);
(i) the individual has been a victim of fraud (including identity fraud); and
If a credit provider is an APP entity, the rules apply in relation to that information in addition to, or instead of, any relevant Australian Privacy Principles.
(2) If the credit provider is an APP entity, this Division may apply to the provider in relation to information referred to in subsection (1) in addition to, or instead of, the Australian Privacy Principles.
(7) If a credit provider is an APP entity, Australian Privacy Principles 1.3 and 1.4 do not apply to the provider in relation to credit information or credit eligibility information.
(2) If a credit provider is an APP entity, subsection (1) applies to the provider in relation to personal information in addition to Australian Privacy Principle 5.
(3) If a credit provider is an APP entity, then the matters for the purposes of Australian Privacy Principle 5.1 include the following matters to the extent that the personal information referred to in that principle is credit information or credit eligibility information:
(7) If a credit provider is an APP entity, Australian Privacy Principles 6 and 8 do not apply to the disclosure by the provider of credit information to a credit reporting body.
(3) Subsection (2) does not apply if the credit provider has taken such steps as are reasonable in the circumstances to verify the identity of the individual.
(7) If a credit provider is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the provider in relation to credit eligibility information.
(a) a credit provider is an APP entity; and
(i) an entity;
(ii) a professional legal adviser of the entity;
(iii) a professional financial adviser of the entity; and
(a) in the process of the entity considering whether to:
(3) If a credit provider is an APP entity, Australian Privacy Principle 10 does not apply to the provider in relation to credit eligibility information.
(3) If a credit provider is an APP entity, Australian Privacy Principle 11 does not apply to the provider in relation to credit eligibility information.
(8) If a credit provider is an APP entity, Australian Privacy Principle 12 does not apply to the provider in relation to credit eligibility information.
(4) If a credit provider is an APP entity, Australian Privacy Principle 13:
(6) If a credit provider is an APP entity, Australian Privacy Principle 13:
If an affected information recipient is an APP entity, the rules apply in relation to the regulated information of the recipient in addition to, or instead of, any relevant Australian Privacy Principles.
(7) If an affected information recipient is an APP entity, Australian Privacy Principles 1.3 and 1.4 do not apply to the recipient in relation to the regulated information of the recipient.
If an affected information recipient is an APP entity, then the matters for the purposes of Australian Privacy Principle 5.1 include the following matters to the extent that the personal information referred to in that principle is regulated information of the recipient:
(4) If the mortgage insurer or trade insurer is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the insurer in relation to the information.
(a) the mortgage insurer or trade insurer is an APP entity; and
(4) If the body corporate is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the body in relation to the information.
(a) the body corporate is an APP entity; and
(4) If the person is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the person in relation to the information.
(a) the person is an APP entity; and
(i) an entity;
(ii) a professional legal adviser of the entity;
(iii) a professional financial adviser of the entity; and
(a) for a recipient that is the entity—the information is used for a matter referred to in subsection 21N(3); or
(b) for a recipient that is the professional legal adviser, or professional financial adviser, of the entity—the information is used:
(i) in the adviser’s capacity as an adviser of the entity; and
(ii) in connection with advising the entity about a matter referred to in subsection 21N(3); or
(4) If the recipient is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the recipient in relation to the information.
(a) the recipient is an APP entity; and
(1) An entity commits an offence if:
(a) the entity obtains credit reporting information; and
(c) the entity is not:
(i) an entity to which the body is permitted to disclose the information under Division 2 of this Part; or
(2) An entity commits an offence if:
(a) the entity obtains credit reporting information; and
(3) An entity must not obtain credit reporting information from a credit reporting body if the entity is not:
(a) an entity to which the body is permitted to disclose the information under Division 2 of this Part; or
(4) An entity must not obtain, by false pretence, credit reporting information from a credit reporting body.
(1) An entity commits an offence if:
(a) the entity obtains credit eligibility information; and
(c) the entity is not:
(i) an entity to which the provider is permitted to disclose the information under Division 3 of this Part; or
(2) An entity commits an offence if:
(a) the entity obtains credit eligibility information; and
(3) An entity must not obtain credit eligibility information from a credit provider if the entity is not:
(a) an entity to which the provider is permitted to disclose the information under Division 3 of this Part; or
(4) An entity must not obtain, by false pretence, credit eligibility information from a credit provider.
(1) The Federal Court or the Federal Circuit Court may order an entity to compensate a person for loss or damage (including injury to the person’s feelings or humiliation) suffered by the person if:
(i) a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against the entity for a contravention of a civil penalty provision of this Act (other than section 13G); or
(ii) the entity is found guilty of an offence against this Part; and
(i) a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against the entity for a contravention of a civil penalty provision of this Act (other than section 13G); or
(ii) an entity is found guilty of an offence against this Part; and
(2) The Federal Court or the Federal Circuit Court may make such order as the Court considers appropriate against the entity to:
(a) an order directing the entity to perform any reasonable act, or carry out any reasonable course of conduct, to redress the loss or damage suffered by the person; and
(b) an order directing the entity to pay the person a specified amount to reimburse the person for expenses reasonably incurred by the person in connection with the contravention or commission of the offence; and
(5) If the court makes an order that the entity pay an amount to the person, the person may recover the amount as a debt due to the person.
If the Commissioner includes an APP code on the Codes Register, an APP entity bound by the code must not breach it. A breach of a registered APP code is an interference with the privacy of an individual.
If the Commissioner includes a CR code on the Codes Register, an entity bound by the code must not breach it. A breach of the registered CR code is an interference with the privacy of an individual.
An APP entity must not do an act, or engage in a practice, that breaches a registered APP code that binds the entity.
(b) a specified activity, or a specified class of activities, of an APP entity;
(b) on application by an APP entity that is bound by the code; or
(b) on application by an APP entity that is bound by the code; or
If an entity is bound by the registered CR code, the entity must not do an act, or engage in a practice, that breaches the code.
(b) on application by an entity that is bound by the code; or
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
• An entity must give a notification if:
For the purposes of this Part, entity includes a person who is a file number recipient.
(a) an APP entity has disclosed personal information about one or more individuals to an overseas recipient; and
(d) the personal information were held by the APP entity; and
(e) the APP entity were required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information.
(i) an APP entity holds personal information relating to one or more individuals; and
(ii) the APP entity is required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; or
(c) the access or disclosure covered by paragraph (a), or the loss covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the access or disclosure; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before the access or disclosure results in serious harm to any of the individuals to whom the information relates; and
(e) an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(f) an eligible data breach of any other entity.
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the access or disclosure; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before the access or disclosure results in serious harm to a particular individual to whom the information relates; and
(e) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(f) any other entity;
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the loss; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so before there is unauthorised access to, or unauthorised disclosure of, the information; and
(e) an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(f) an eligible data breach of any other entity.
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the loss; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so:
(e) an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(f) an eligible data breach of any other entity.
(b) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, takes action in relation to the loss; and
(c) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be, does so:
(e) the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; or
(f) any other entity;
(a) an entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach of the entity; and
(b) the entity is not aware that there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity.
(2) The entity must:
(a) carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach of the entity; and
(b) take all reasonable steps to ensure that the assessment is completed within 30 days after the entity becomes aware as mentioned in paragraph (1)(a).
Note: Section 26WK applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.
(a) an entity complies with section 26WH in relation to an eligible data breach of the entity; and
(b) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities;
(1) This section applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.
(2) The entity must:
(b) do so as soon as practicable after the entity becomes so aware.
(a) the identity and contact details of the entity; and
(b) a description of the eligible data breach that the entity has reasonable grounds to believe has happened; and
(d) recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.
(4) If the entity has reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, the statement referred to in subparagraph (2)(a)(i) may also set out the identity and contact details of those other entities.
(a) an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity; and
(b) the entity has prepared a statement that:
(ii) relates to the eligible data breach that the entity has reasonable grounds to believe has happened.
(2) The entity must:
(a) if it is practicable for the entity to notify the contents of the statement to each of the individuals to whom the relevant information relates—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or
(b) if it is practicable for the entity to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or
(i) publish a copy of the statement on the entity’s website (if any); and
(3) The entity must comply with subsection (2) as soon as practicable after the completion of the preparation of the statement.
(4) If the entity normally communicates with a particular individual using a particular method, the notification to the individual under paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).
(a) an entity complies with sections 26WK and 26WL in relation to an eligible data breach of the entity; and
(b) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities;
(a) an entity is an enforcement body; and
(b) the chief executive officer of the enforcement body believes on reasonable grounds that there has been an eligible data breach of the entity; and
(d) the eligible data breach of the entity; and
(e) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities.
(2) If compliance by an entity with subparagraph 26WK(2)(a)(ii) in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), subsection 26WK(2) does not apply to the entity, in relation to the statement, to the extent of the inconsistency.
(3) If compliance by an entity with section 26WL in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), section 26WL does not apply to the entity, in relation to the statement, to the extent of the inconsistency.
(6) If compliance by an entity with subparagraph 26WK(2)(a)(ii) in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, subsection 26WK(2) does not apply to the entity in relation to the statement.
(7) If compliance by an entity with section 26WL in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, section 26WL does not apply to the entity in relation to the statement.
(a) is aware that there are reasonable grounds to believe that there has been an eligible data breach of an entity; or
(b) is informed by an entity that the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity;
the Commissioner may, by written notice given to the entity:
(i) the eligible data breach of the entity; and
(ii) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities; or
(i) the eligible data breach of the entity; and
(ii) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities;
(5) The Commissioner may give a notice of a declaration to an entity under subsection (1):
(b) on application made to the Commissioner by the entity.
(6) An application by an entity under paragraph (5)(b) may be expressed to be:
(7) If an entity applies to the Commissioner under paragraph (5)(b):
(b) if the Commissioner does so—the Commissioner must give written notice of the refusal to the entity.
(9) If an entity applies to the Commissioner under paragraph (5)(b) for a declaration that, to any extent, relates to an eligible data breach of the entity, sections 26WK and 26WL do not apply in relation to:
(b) if the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities—such an eligible data breach of those other entities;
(10) An entity is not entitled to make an application under paragraph (5)(b) in relation to an eligible data breach of the entity if:
(a) the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities; and
(b) one of those other entities has already made an application under paragraph (5)(b) in relation to the eligible data breach of the other entity.
(11) If notice of a paragraph (1)(d) declaration has been given to an entity, the Commissioner may, by written notice given to the entity, extend the period specified in the declaration.
(1) If the Commissioner is aware that there are reasonable grounds to believe that there has been an eligible data breach of an entity, the Commissioner may, by written notice given to the entity, direct the entity to:
(2) The direction must also require the entity to:
(a) if it is practicable for the entity to notify the contents of the statement to each of the individuals to whom the relevant information relates—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals to whom the relevant information relates; or
(b) if it is practicable for the entity to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach—take such steps as are reasonable in the circumstances to notify the contents of the statement to each of the individuals who are at risk from the eligible data breach; or
(i) publish a copy of the statement on the entity’s website (if any); and
(3) Before giving a direction to an entity under subsection (1), the Commissioner must invite the entity to make a submission to the Commissioner in relation to the direction within the period specified in the invitation.
(a) the identity and contact details of the entity; and
(6) In deciding whether to give a direction to an entity under subsection (1), the Commissioner must have regard to the following:
(b) any relevant submission that was made by the entity:
(8) If the Commissioner is aware that there are reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, a direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out the identity and contact details of those other entities.
(9) If an entity normally communicates with a particular individual using a particular method, the notification to the individual mentioned in paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).
(10) An entity must comply with a direction under subsection (1) as soon as practicable after the direction is given.
An entity is not required to comply with a direction under subsection 26WR(1) if:
(a) the entity is an enforcement body; and
(2) If compliance by an entity with paragraph 26WR(1)(b) or subsection 26WR(2) in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), paragraph 26WR(1)(b) or subsection 26WR(2), as the case may be, does not apply to the entity, in relation to the statement, to the extent of the inconsistency.
(5) If compliance by an entity with paragraph 26WR(1)(b) or subsection 26WR(2) in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, paragraph 26WR(1)(b) or subsection 26WR(2), as the case may be, does not apply to the entity in relation to the statement.
(a) monitoring the security and accuracy of information held by an entity that is information to which Part IIIA applies;
(a) examining a proposed enactment that would require or authorise acts or practices of an entity that might otherwise be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals;
(a) providing advice to a Minister or entity about any matter relevant to the operation of this Act;
(2) If the Commissioner thinks that the proposed enactment would require or authorise acts or practices of an entity that would be interferences with the privacy of individuals, the Commissioner shall:
(e) the disclosure, or the ascertaining by a person, of the existence or identity of a confidential source of information in relation to the enforcement of the criminal law;
(a) whether personal information held by an APP entity is being maintained and handled in accordance with the following:
(ii) a registered APP code that binds the entity;
(b) whether information held by an entity is being maintained and handled in accordance with the following to the extent that they apply to the information:
(ii) the registered CR code if it binds the entity;
(a) for an entity or a class of entities; or
After an investigation, the Commissioner may make a determination in relation to the investigation. An entity to which a determination relates must comply with certain declarations included in the determination. Court proceedings may be commenced to enforce a determination.
(8) The respondent to a complaint about an act or practice described in subsection 13(2), (4) or (5), other than an act or practice of an agency or organisation, is the person or entity who engaged in the act or practice.
(a) the class members have complaints against the same person or entity; and
(1AA) Before commencing an investigation of an act or practice of a person or entity under subsection 40(2), the Commissioner must inform the person or entity that the act or practice is to be investigated.
(ii) otherwise—the person or entity that engaged in the act or practice that is being investigated; and
(b) otherwise—the person or entity that engaged in the act or practice that is being investigated.
(1A) After investigating an act or practice of a person or entity under subsection 40(2), the Commissioner may make a determination that includes one or more of the following:
(ii) the person or entity must not repeat or continue the act or practice;
(b) a declaration that the person or entity must take specified steps within a specified period to ensure that the act or practice is not repeated or continued;
(c) a declaration that the person or entity must perform any reasonable act or course of conduct to redress any loss or damage suffered by one or more of those individuals;
(2) If the court is satisfied that the person or entity in relation to which the determination applies has engaged in conduct that constitutes an interference with the privacy of an individual, the court may make such orders (including a declaration of right) as it thinks fit.
(5) The court is to deal by way of a hearing de novo with the question whether the person or entity in relation to which the determination applies has engaged in conduct that constitutes an interference with the privacy of an individual.
(a) a specified APP entity had breached an Australian Privacy Principle; or
(b) a specified APP entity had breached a registered APP code that binds the entity.
(a) a specified APP entity had breached an Australian Privacy Principle; or
(b) a specified APP entity had breached a registered APP code that binds the entity.
(1A) For the purposes of subsection (1B), a journalist has a reasonable excuse if giving the information, answering the question or producing the document or record would tend to reveal the identity of a person who gave information or a document or record to the journalist in confidence.
(a) the occupant or person in charge asks the authorised person to produce his or her identity card; and
(1) The Commissioner must issue to a person authorised for the purposes of section 68 an identity card in the form approved by the Commissioner. The identity card must contain a recent photograph of the authorised person.
(2) As soon as practicable after the person ceases to be authorised, he or she must return the identity card to the Commissioner.
(f) disclose, or enable a person to ascertain, the existence or identity of a confidential source of information in relation to the enforcement of the criminal law;
Determinations about an APP entity’s acts and practices
(a) an act or practice of an APP entity breaches, or may breach:
(ii) a registered APP code that binds the entity; but
(b) the public interest in the entity doing the act, or engaging in the practice, substantially outweighs the public interest in adhering to that code or principle;
(3) The APP entity is taken not to contravene section 15 or 26A if the entity does the act, or engages in the practice, while the determination is in force under subsection (2).
(4) The Commissioner may, by legislative instrument, make a determination that no APP entity is taken to contravene section 15 or 26A if, while that determination is in force, an APP entity does an act, or engages in a practice, that is the subject of a determination under subsection (2) in relation to that entity or any other APP entity.
(1) An APP entity may apply in accordance with the regulations for a determination under section 72 about an act or practice of the entity.
(a) the act or practice of an APP entity that is the subject of an application under section 73 for a determination under section 72 breaches, or may breach:
(ii) a registered APP code that binds the entity; and
(b) the public interest in the entity doing the act, or engaging in the practice, outweighs to a substantial degree the public interest in adhering to that principle or code; and
(a) on request by the APP entity; or
APP entity covered by a determination
(1) If an act or practice of an APP entity is the subject of a temporary public interest determination, the entity is taken not to breach section 15 or 26A if the entity does the act, or engages in the practice, while the determination is in force.
(3) The Commissioner may, by legislative instrument, make a determination that no APP entity is taken to contravene section 15 or 26A if, while that determination is in force, an APP entity does an act, or engages in a practice, that is the subject of a temporary public interest determination in relation to that entity or another APP entity.
(1) At any time when an emergency declaration is in force in relation to an emergency or disaster, an entity may collect, use or disclose personal information relating to an individual if:
(a) the entity reasonably believes that the individual may be involved in the emergency or disaster; and
(iv) an entity not covered by subparagraph (i), (ii) or (iii) that is, or is likely to be, involved in managing, or assisting in the management of, the emergency or disaster; or
(ii) an entity that is directly involved in providing repatriation services, medical or other treatment, health services or financial or other humanitarian assistance services to individuals involved in the emergency or disaster; or
(iii) a person or entity prescribed by the regulations for the purposes of this paragraph; or
(iv) a person or entity specified by the Minister, by legislative instrument, for the purposes of this paragraph; and
(2) An entity is not liable to any proceedings for contravening a secrecy provision in respect of a use or disclosure of personal information authorised by subsection (1), unless the secrecy provision is a designated secrecy provision (see subsection (7)).
(3) An entity is not liable to any proceedings for contravening a duty of confidence in respect of a disclosure of personal information authorised by subsection (1).
(4) An entity does not breach an Australian Privacy Principle, or a registered APP code that binds the entity, in respect of a collection, use or disclosure of personal information authorised by subsection (1).
entity includes the following:
(a) if the first person is an APP entity—a disclosure permitted under an Australian Privacy Principle or a registered APP code that binds the person;
(2) Nothing in this Part is to be taken to require an entity to collect, use or disclose personal information.
(a) the entity that made the application for a declaration; or
(b) if another entity’s compliance with subsection 26WL(2) is affected by the decision to refuse the application for a declaration—that other entity.
(a) the entity to whom notice of the declaration was given; or
(b) if another entity’s compliance with subsection 26WL(2) is affected by the declaration—that other entity.
(2C) An application under paragraph (1)(bc) may only be made by the entity to whom the direction was given.
(2D) For the purposes of subsections (2A), (2B) and (2C), entity has the same meaning as in Part IIIC.
1.2 An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:
(a) will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and
(b) will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the Australian Privacy Principles or such a code.
1.3 An APP entity must have a clearly expressed and up-to-date policy (the APP privacy policy) about the management of personal information by the entity.
1.4 Without limiting subclause 1.3, the APP privacy policy of the APP entity must contain the following information:
(a) the kinds of personal information that the entity collects and holds;
(b) how the entity collects and holds personal information;
(c) the purposes for which the entity collects, holds, uses and discloses personal information;
(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
(e) how an individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
(f) whether the entity is likely to disclose personal information to overseas recipients;
(g) if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
1.5 An APP entity must take such steps as are reasonable in the circumstances to make its APP privacy policy available:
Note: An APP entity will usually make its APP privacy policy available on the entity’s website.
1.6 If a person or body requests a copy of the APP privacy policy of an APP entity in a particular form, the entity must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
2.1 Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity in relation to a particular matter.
(a) the APP entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or
(b) it is impracticable for the APP entity to deal with individuals who have not identified themselves or who have used a pseudonym.
3.1 If an APP entity is an agency, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.
3.2 If an APP entity is an organisation, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities.
3.3 An APP entity must not collect sensitive information about an individual unless:
(i) if the entity is an agency—the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or
(ii) if the entity is an organisation—the information is reasonably necessary for one or more of the entity’s functions or activities; or
(b) a permitted general situation exists in relation to the collection of the information by the APP entity; or
(c) the APP entity is an organisation and a permitted health situation exists in relation to the collection of the information by the entity; or
(d) the APP entity is an enforcement body and the entity reasonably believes that:
(i) if the entity is the Immigration Department—the collection of the information is reasonably necessary for, or directly related to, one or more enforcement related activities conducted by, or on behalf of, the entity; or
(ii) otherwise—the collection of the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or
(e) the APP entity is a non-profit organisation and both of the following apply:
3.5 An APP entity must collect personal information only by lawful and fair means.
3.6 An APP entity must collect personal information about an individual only from the individual unless:
(a) if the entity is an agency:
(ii) the entity is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual; or
3.7 This principle applies to the collection of personal information that is solicited by an APP entity.
(a) an APP entity receives personal information; and
(b) the entity did not solicit the information;
the entity must, within a reasonable period after receiving the information, determine whether or not the entity could have collected the information under Australian Privacy Principle 3 if the entity had solicited the information.
4.2 The APP entity may use or disclose the personal information for the purposes of making the determination under subclause 4.1.
(a) the APP entity determines that the entity could not have collected the personal information; and
the entity must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.
4.4 If subclause 4.3 does not apply in relation to the personal information, Australian Privacy Principles 5 to 13 apply in relation to the information as if the entity had collected the information under Australian Privacy Principle 3.
5.1 At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances:
(a) the identity and contact details of the APP entity;
(i) the APP entity collects the personal information from someone other than the individual; or
(ii) the individual may not be aware that the APP entity has collected the personal information;
the fact that the entity so collects, or has collected, the information and the circumstances of that collection;
(d) the purposes for which the APP entity collects the personal information;
(e) the main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity;
(f) any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity;
(g) that the APP privacy policy of the APP entity contains information about how the individual may access the personal information about the individual that is held by the entity and seek the correction of such information;
(h) that the APP privacy policy of the APP entity contains information about how the individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint;
(i) whether the APP entity is likely to disclose the personal information to overseas recipients;
(j) if the APP entity is likely to disclose the personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.
6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
(a) the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is:
(c) a permitted general situation exists in relation to the use or disclosure of the information by the APP entity; or
(d) the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
(e) the APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
6.3 This subclause applies in relation to the disclosure of personal information about an individual by an APP entity that is an agency if:
(a) the APP entity is an organisation; and
(b) subsection 16B(2) applied in relation to the collection of the personal information by the entity;
the entity must take such steps as are reasonable in the circumstances to ensure that the information is de-identified before the entity discloses it in accordance with subclause 6.1 or 6.2.
6.5 If an APP entity uses or discloses personal information in accordance with paragraph 6.2(e), the entity must make a written note of the use or disclosure.
(a) an APP entity is a body corporate; and
(b) the entity collects personal information from a related body corporate;
this principle applies as if the entity’s primary purpose for the collection of the information were the primary purpose for which the related body corporate collected the information.
8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
(b) who is not the entity or the individual;
the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.
8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:
(a) the entity reasonably believes that:
(i) the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;
(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by the APP entity; or
(e) the entity is an agency and the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or
(f) the entity is an agency and both of the following apply:
(i) the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body;
(a) the use or disclosure of the identifier is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions; or
10.1 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects is accurate, up-to-date and complete.
10.2 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
(a) an APP entity holds personal information about an individual; and
(b) the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and
(d) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;
the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.
(a) the APP entity is an agency; and
(b) the entity is required or authorised to refuse to give the individual access to the personal information by or under:
then, despite subclause 12.1, the entity is not required to give access to the extent that the entity is required or authorised to refuse to give access.
12.3 If the APP entity is an organisation then, despite subclause 12.1, the entity is not required to give the individual access to the personal information to the extent that:
(a) the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or
(d) the information relates to existing or anticipated legal proceedings between the entity and the individual, and would not be accessible by the process of discovery in those proceedings; or
(e) giving access would reveal the intentions of the entity in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(i) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in;
(j) giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.
12.4 The APP entity must:
(i) if the entity is an agency—within 30 days after the request is made; or
(ii) if the entity is an organisation—within a reasonable period after the request is made; and
12.5 If the APP entity refuses:
the entity must take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual.
12.7 If the APP entity is an agency, the entity must not charge the individual for the making of the request or for giving access to the personal information.
(a) the APP entity is an organisation; and
(b) the entity charges the individual for giving access to the personal information;
12.9 If the APP entity refuses to give access to the personal information because of subclause 12.2 or 12.3, or to give access in the manner requested by the individual, the entity must give the individual a written notice that sets out:
12.10 If the APP entity refuses to give access to the personal information because of paragraph 12.3(j), the reasons for the refusal may include an explanation for the commercially sensitive decision.
(a) an APP entity holds personal information about an individual; and
(i) the entity is satisfied that, having regard to a purpose for which the information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading; or
(ii) the individual requests the entity to correct the information;
the entity must take such steps (if any) as are reasonable in the circumstances to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.
(a) the APP entity corrects personal information about an individual that the entity previously disclosed to another APP entity; and
(b) the individual requests the entity to notify the other APP entity of the correction;
the entity must take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.
13.3 If the APP entity refuses to correct the personal information as requested by the individual, the entity must give the individual a written notice that sets out:
(a) the APP entity refuses to correct the personal information as requested by the individual; and
(b) the individual requests the entity to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading;
the entity must take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.
13.5 If a request is made under subclause 13.1 or 13.4, the APP entity:
(i) if the entity is an agency—within 30 days after the request is made; or
(ii) if the entity is an organisation—within a reasonable period after the request is made; and