6 - Interpretation6AA - Meaning of responsible person6A - Breach of an Australian Privacy Principle6B - Breach of a registered APP code6BA - Breach of the registered CR code6C - Organisations6D - Small business and small business operators6DA - What is the annual turnover of a business?6E - Small business operator treated as organisation6EA - Small business operators choosing to be treated as organisations6F - State instrumentalities etc. treated as organisations6FA - Meaning of health information6FB - Meaning of health service6G - Meaning of credit provider6H - Agents of credit providers6J - Securitisation arrangements etc.6K - Acquisition of the rights of a credit provider6L - Meaning of access seeker6M - Meaning of credit and amount of credit6N - Meaning of credit information6P - Meaning of credit reporting business6Q - Meaning of default information6R - Meaning of information request6S - Meaning of new arrangement information6T - Meaning of payment information6U - Meaning of personal insolvency information6V - Meaning of repayment history information7 - Acts and practices of agencies, organisations etc.7A - Acts of certain agencies treated as acts of organisation7B - Exempt acts and exempt practices of organisations7C - Political acts and practices are exempt8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.10 - Agencies that are taken to hold a record11 - File number recipients12A - Act not to apply in relation to State banking or insurance within that State12B - Severability—additional effect of this Act
19 - Guide to this Part20 - Guide to this Division20A - Application of this Division and the Australian Privacy Principles to credit reporting bodies20B - Open and transparent management of credit reporting information20C - Collection of solicited credit information20D - Dealing with unsolicited credit information20E - Use or disclosure of credit reporting information20F - Permitted CRB disclosures in relation to individuals20G - Use or disclosure of credit reporting information for the purposes of direct marketing20H - Use or disclosure of pre screening assessments20J - Destruction of pre screening assessment20K - No use or disclosure of credit reporting information during a ban period20L - Adoption of government related identifiers20M - Use or disclosure of credit reporting information that is de identified20N - Quality of credit reporting information20P - False or misleading credit reporting information20Q - Security of credit reporting information20R - Access to credit reporting information20S - Correction of credit reporting information20T - Individual may request the correction of credit information etc.20U - Notice of correction etc. must be given20V - Destruction etc. of credit reporting information after the retention period ends20W - Retention period for credit information—general20X - Retention period for credit information—personal insolvency information20Y - Destruction of credit reporting information in cases of fraud20Z - Dealing with information if there is a pending correction request etc.20ZA - Dealing with information if an Australian law etc. requires it to be retained21 - Guide to this Division21A - Application of this Division to credit providers21B - Open and transparent management of credit information etc.21C - Additional notification requirements for the collection of personal information etc.21D - Disclosure of credit information to a credit reporting body21E - Payment information must be disclosed to a credit reporting body21F - Limitation on the disclosure of credit information during a ban period21G - Use or disclosure of credit eligibility information21H - Permitted CP uses in relation to individuals21J - Permitted CP disclosures between credit providers21K - Permitted CP disclosures relating to guarantees etc.21L - Permitted CP disclosures to mortgage insurers21M - Permitted CP disclosures to debt collectors21N - Permitted CP disclosures to other recipients21NA - Disclosures to certain persons and bodies that do not have an Australian link21P - Notification of a refusal of an application for consumer credit21Q - Quality of credit eligibility information21R - False or misleading credit information or credit eligibility information21S - Security of credit eligibility information21T - Access to credit eligibility information21U - Correction of credit information or credit eligibility information21V - Individual may request the correction of credit information etc.21W - Notice of correction etc. must be given22 - Guide to this Division22A - Open and transparent management of regulated information22B - Additional notification requirements for affected information recipients22C - Use or disclosure of information by mortgage insurers or trade insurers22D - Use or disclosure of information by a related body corporate22E - Use or disclosure of information by credit managers etc.22F - Use or disclosure of information by advisers etc.23 - Guide to this Division23A - Individual may complain about a breach of a provision of this Part etc.23B - Dealing with complaints23C - Notification requirements relating to correction complaints24 - Obtaining credit reporting information from a credit reporting body24A - Obtaining credit eligibility information from a credit provider25 - Compensation orders25A - Other orders to compensate loss or damage
36A - Guide to this Part36 - Complaints37 - Principal executive of agency38 - Conditions for making a representative complaint38A - Commissioner may determine that a complaint is not to continue as a representative complaint38B - Additional rules applying to the determination of representative complaints38C - Amendment of representative complaints39 - Class member for representative complaint not entitled to lodge individual complaint40 - Investigations40A - Conciliation of complaints41 - Commissioner may or must decide not to investigate etc. in certain circumstances42 - Preliminary inquiries43 - Conduct of investigations43A - Interested party may request a hearing44 - Power to obtain information and documents45 - Power to examine witnesses46 - Directions to persons to attend compulsory conference47 - Conduct of compulsory conference48 - Complainant and certain other persons to be informed of various matters49 - Investigation under section 40 to cease if certain offences may have been committed49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened50 - Reference of matters to other authorities50A - Substitution of respondent to complaint51 - Effect of investigation by Auditor General52 - Determination of the Commissioner53 - Determination must identify the class members who are to be affected by the determination53A - Notice to be given to outsourcing agency53B - Substituting an agency for a contracted service provider54 - Application of Division55 - Obligations of organisations and small business operators55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination55B - Evidentiary certificate57 - Application of Division58 - Obligations of agencies59 - Obligations of principal executive of agency60 - Compensation and expenses62 - Enforcement of determination against an agency63 - Legal assistance64 - Commissioner etc. not to be sued65 - Failure to attend etc. before Commissioner66 - Failure to give information etc.67 - Protection from civil actions68 - Power to enter premises68A - Identity cards70 - Certain documents and information not required to be disclosed70B - Application of this Part to former organisations
80U - Civil penalty provisions80V - Enforceable undertakings80W - Injunctions
(l) the service operator under the Healthcare Identifiers Act 2010.
employee record, in relation to an employee, means a record of personal information relating to the employment of the employee. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about all or any of the following:
healthcare identifier has the meaning given by the Healthcare Identifiers Act 2010.
healthcare identifier offence means:
(a) an offence against section 26 of the Healthcare Identifiers Act 2010; or
health information has the meaning given by section 6FA.
health service has the meaning given by section 6FB.
permitted health situation has the meaning given by section 16B.
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information; or
(f) a person exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or
(b) provides a health service to another individual and holds any health information except in an employee record; or
The following information is health information:
(i) the health, including an illness, disability or injury, (at any time) of an individual; or
(ii) an individual’s expressed wishes about the future provision of health services to the individual; or
(iii) a health service provided, or to be provided, to an individual;
(b) other personal information collected to provide, or in providing, a health service to an individual;
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
(1) An activity performed in relation to an individual is a health service if the activity is intended or claimed (expressly or otherwise) by the individual or the person performing it:
(a) to assess, maintain or improve the individual’s health; or
(b) where the individual’s health cannot be maintained or improved—to manage the individual’s health; or
(e) to record the individual’s health for the purposes of assessing, maintaining, improving or managing the individual’s health.
(2) The dispensing on prescription of a drug or medicinal preparation by a pharmacist is a health service.
(a) a reference in this section to an individual’s health includes the individual’s physical or psychological health; and
(b) an activity mentioned in subsection (1) or (2) that takes place in the course of providing aged care, palliative care or care for a person with a disability is a health service.
(4) The regulations may prescribe an activity that, despite subsections (1) and (2) is not to be treated as a health service for the purposes of this Act.
Note: Subsection 27(4) applies in relation to an investigation of an act or practice referred to in subsection 29(1) of the Healthcare Identifiers Act 2010.
(b) constitutes a breach of the rules issued under section 135AA of the National Health Act 1953.
Note: Other Acts may provide that an act or practice is an interference with the privacy of an individual. For example, see the Healthcare Identifiers Act 2010, the Anti Money Laundering and Counter Terrorism Financing Act 2006 and the Personal Property Securities Act 2009.
Permitted general situations
Item Column 1
Kind of entity
Column 2
Item applies to
Column 3
Condition(s)
1APP entity(a) personal information; or
(b) a government related identifier.
(a) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and
(b) the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
2APP entity(a) personal information; or
(b) a government related identifier.
(a) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and
(b) the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter.
3APP entityPersonal information(a) the entity reasonably believes that the collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing; and
(b) the collection, use or disclosure complies with the rules made under subsection (2).
4APP entityPersonal informationThe collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim.
5APP entityPersonal informationThe collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process.
6AgencyPersonal informationThe entity reasonably believes that the collection, use or disclosure is necessary for the entity’s diplomatic or consular functions or activities.
7Defence ForcePersonal informationThe entity reasonably believes that the collection, use or disclosure is necessary for any of the following occurring outside Australia and the external Territories:
(a) war or warlike operations;
(b) peacekeeping or peace enforcement;
(c) civil aid, humanitarian assistance, medical or civil emergency or disaster relief.
Collection—provision of a health service
(1) A permitted health situation exists in relation to the collection by an organisation of health information about an individual if:
(a) the information is necessary to provide a health service to the individual; and
(ii) the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.
(1A) A permitted health situation exists in relation to the collection by an organisation of health information about an individual (the third party) if:
(a) it is necessary for the organisation to collect the family, social or medical history of an individual (the patient) to provide a health service to the patient; and
(b) the health information about the third party is part of the family, social or medical history necessary for the organisation to provide the health service to the patient; and
(c) the health information is collected by the organisation from the patient or, if the patient is physically or legally incapable of giving the information, a responsible person for the patient.
(2) A permitted health situation exists in relation to the collection by an organisation of health information about an individual if:
(i) research relevant to public health or public safety;
(ii) the compilation or analysis of statistics relevant to public health or public safety;
(iii) the management, funding or monitoring of a health service; and
(ii) the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation;
(3) A permitted health situation exists in relation to the use or disclosure by an organisation of health information about an individual if:
(a) the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; and
(4) A permitted health situation exists in relation to the use or disclosure by an organisation of genetic information about an individual (the first individual) if:
(a) the organisation has obtained the information in the course of providing a health service to the first individual; and
(b) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the first individual; and
(5) A permitted health situation exists in relation to the disclosure by an organisation of health information about an individual if:
(a) the organisation provides a health service to the individual; and
(d) another individual (the carer) providing the health service for the organisation is satisfied that either:
has been, or is required to be, notified under section 75 of the My Health Records Act 2012, this Part does not apply in relation to the access, disclosure or loss.
(4) Section 38 of the Healthcare Identifiers Act 2010, rather than section 12B of this Act, applies in relation to an investigation of an act or practice referred to in subsection 29(1) of that Act in the same way as it applies to Parts 3 and 4 of that Act.
Note: Section 38 of the Healthcare Identifiers Act 2010 deals with the additional effect of Parts 3 and 4 of that Act.
(e) whether information to which section 135AA of the National Health Act 1953 applies is being maintained and handled in accordance with the rules issued under that section.
(1) Where, in the course of an investigation under section 40, the Commissioner forms the opinion that a tax file number offence, a healthcare identifier offence, an AML/CTF verification offence or a credit reporting offence may have been committed, the Commissioner shall:
(2) The CEO of the National Health and Medical Research Council may make an application under subsection (1) on behalf of other agencies concerned with medical research or the provision of health services.
(3) Where an application is made by virtue of subsection (2), a reference in the succeeding provisions of this Part to the agency is a reference to the CEO of the National Health and Medical Research Council.
(b) assisting individuals involved in the emergency or disaster to obtain services such as repatriation services, medical or other treatment, health services and financial or other humanitarian assistance;
(ii) an entity that is directly involved in providing repatriation services, medical or other treatment, health services or financial or other humanitarian assistance services to individuals involved in the emergency or disaster; or
(ab) at least one must be a person who has had extensive experience in health privacy; and
(1) The CEO of the National Health and Medical Research Council may, with the approval of the Commissioner, issue guidelines for the protection of privacy by agencies in the conduct of medical research.
(1) This section allows the Commissioner to approve for the purposes of the Australian Privacy Principles guidelines that are issued by the CEO of the National Health and Medical Research Council or a prescribed authority.
(2) For the purposes of paragraph 16B(3)(c), the Commissioner may, by notice in the Gazette, approve guidelines that relate to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety.
(3) The Commissioner may give an approval under subsection (2) only if satisfied that the public interest in the use and disclosure of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(3)).
(4) For the purposes of subparagraph 16B(2)(d)(iii), the Commissioner may, by notice in the Gazette, approve guidelines that relate to the collection of health information for the purposes of:
(a) research, or the compilation or analysis of statistics, relevant to public health or public safety; or
(b) the management, funding or monitoring of a health service.
(5) The Commissioner may give an approval under subsection (4) only if satisfied that the public interest in the collection of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(2)).
(1) This section allows the Commissioner to approve for the purposes of the Australian Privacy Principles guidelines that are issued by the National Health and Medical Research Council.
(2) For the purposes of paragraph 16B(4)(c), the Commissioner may, by legislative instrument, approve guidelines that relate to the use and disclosure of genetic information for the purposes of lessening or preventing a serious threat to the life, health or safety of an individual who is a genetic relative of the individual to whom the genetic information relates.
(c) the APP entity is an organisation and a permitted health situation exists in relation to the collection of the information by the entity; or
Note: For permitted general situation, see section 16A. For permitted health situation, see section 16B.
(d) the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
Note: For permitted general situation, see section 16A. For permitted health situation, see section 16B.
(a) the entity reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety; or