6 - Interpretation6AA - Meaning of responsible person6A - Breach of an Australian Privacy Principle6B - Breach of a registered APP code6BA - Breach of the registered CR code6C - Organisations6D - Small business and small business operators6DA - What is the annual turnover of a business?6E - Small business operator treated as organisation6EA - Small business operators choosing to be treated as organisations6F - State instrumentalities etc. treated as organisations6FA - Meaning of health information6FB - Meaning of health service6G - Meaning of credit provider6H - Agents of credit providers6J - Securitisation arrangements etc.6K - Acquisition of the rights of a credit provider6L - Meaning of access seeker6M - Meaning of credit and amount of credit6N - Meaning of credit information6P - Meaning of credit reporting business6Q - Meaning of default information6R - Meaning of information request6S - Meaning of new arrangement information6T - Meaning of payment information6U - Meaning of personal insolvency information6V - Meaning of repayment history information7 - Acts and practices of agencies, organisations etc.7A - Acts of certain agencies treated as acts of organisation7B - Exempt acts and exempt practices of organisations7C - Political acts and practices are exempt8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.10 - Agencies that are taken to hold a record11 - File number recipients12A - Act not to apply in relation to State banking or insurance within that State12B - Severability—additional effect of this Act
19 - Guide to this Part20 - Guide to this Division20A - Application of this Division and the Australian Privacy Principles to credit reporting bodies20B - Open and transparent management of credit reporting information20C - Collection of solicited credit information20D - Dealing with unsolicited credit information20E - Use or disclosure of credit reporting information20F - Permitted CRB disclosures in relation to individuals20G - Use or disclosure of credit reporting information for the purposes of direct marketing20H - Use or disclosure of pre screening assessments20J - Destruction of pre screening assessment20K - No use or disclosure of credit reporting information during a ban period20L - Adoption of government related identifiers20M - Use or disclosure of credit reporting information that is de identified20N - Quality of credit reporting information20P - False or misleading credit reporting information20Q - Security of credit reporting information20R - Access to credit reporting information20S - Correction of credit reporting information20T - Individual may request the correction of credit information etc.20U - Notice of correction etc. must be given20V - Destruction etc. of credit reporting information after the retention period ends20W - Retention period for credit information—general20X - Retention period for credit information—personal insolvency information20Y - Destruction of credit reporting information in cases of fraud20Z - Dealing with information if there is a pending correction request etc.20ZA - Dealing with information if an Australian law etc. requires it to be retained21 - Guide to this Division21A - Application of this Division to credit providers21B - Open and transparent management of credit information etc.21C - Additional notification requirements for the collection of personal information etc.21D - Disclosure of credit information to a credit reporting body21E - Payment information must be disclosed to a credit reporting body21F - Limitation on the disclosure of credit information during a ban period21G - Use or disclosure of credit eligibility information21H - Permitted CP uses in relation to individuals21J - Permitted CP disclosures between credit providers21K - Permitted CP disclosures relating to guarantees etc.21L - Permitted CP disclosures to mortgage insurers21M - Permitted CP disclosures to debt collectors21N - Permitted CP disclosures to other recipients21NA - Disclosures to certain persons and bodies that do not have an Australian link21P - Notification of a refusal of an application for consumer credit21Q - Quality of credit eligibility information21R - False or misleading credit information or credit eligibility information21S - Security of credit eligibility information21T - Access to credit eligibility information21U - Correction of credit information or credit eligibility information21V - Individual may request the correction of credit information etc.21W - Notice of correction etc. must be given22 - Guide to this Division22A - Open and transparent management of regulated information22B - Additional notification requirements for affected information recipients22C - Use or disclosure of information by mortgage insurers or trade insurers22D - Use or disclosure of information by a related body corporate22E - Use or disclosure of information by credit managers etc.22F - Use or disclosure of information by advisers etc.23 - Guide to this Division23A - Individual may complain about a breach of a provision of this Part etc.23B - Dealing with complaints23C - Notification requirements relating to correction complaints24 - Obtaining credit reporting information from a credit reporting body24A - Obtaining credit eligibility information from a credit provider25 - Compensation orders25A - Other orders to compensate loss or damage
36A - Guide to this Part36 - Complaints37 - Principal executive of agency38 - Conditions for making a representative complaint38A - Commissioner may determine that a complaint is not to continue as a representative complaint38B - Additional rules applying to the determination of representative complaints38C - Amendment of representative complaints39 - Class member for representative complaint not entitled to lodge individual complaint40 - Investigations40A - Conciliation of complaints41 - Commissioner may or must decide not to investigate etc. in certain circumstances42 - Preliminary inquiries43 - Conduct of investigations43A - Interested party may request a hearing44 - Power to obtain information and documents45 - Power to examine witnesses46 - Directions to persons to attend compulsory conference47 - Conduct of compulsory conference48 - Complainant and certain other persons to be informed of various matters49 - Investigation under section 40 to cease if certain offences may have been committed49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened50 - Reference of matters to other authorities50A - Substitution of respondent to complaint51 - Effect of investigation by Auditor General52 - Determination of the Commissioner53 - Determination must identify the class members who are to be affected by the determination53A - Notice to be given to outsourcing agency53B - Substituting an agency for a contracted service provider54 - Application of Division55 - Obligations of organisations and small business operators55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination55B - Evidentiary certificate57 - Application of Division58 - Obligations of agencies59 - Obligations of principal executive of agency60 - Compensation and expenses62 - Enforcement of determination against an agency63 - Legal assistance64 - Commissioner etc. not to be sued65 - Failure to attend etc. before Commissioner66 - Failure to give information etc.67 - Protection from civil actions68 - Power to enter premises68A - Identity cards70 - Certain documents and information not required to be disclosed70B - Application of this Part to former organisations
80U - Civil penalty provisions80V - Enforceable undertakings80W - Injunctions
It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction or disclosure of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.
Note: Such a law can have effect for the purposes of the provisions of the Australian Privacy Principles that regulate the handling of personal information by organisations by reference to the effect of other laws.
Note: The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).
Note: The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).
(b) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or
Australian law means:
(d) a rule of common law or equity.
(c) an instrument (including rules, regulations or by laws) made under an Act to which paragraph (a) applies or under an Ordinance to which paragraph (b) applies; or
(d) any other legislation that applies as a law of the Commonwealth (other than legislation in so far as it is applied by an Act referred to in subparagraph (a)(i) or (ii)) or as a law of the Australian Capital Territory, to the extent that it operates as such a law.
(ea) the Office of the Director of Public Prosecutions, or a similar body established under a law of a State or Territory; or
(f) another agency, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or
(g) another agency, to the extent that it is responsible for administering a law relating to the protection of the public revenue; or
(k) the Law Enforcement Conduct Commission of New South Wales; or
(m) another prescribed authority or body that is established under a law of a State or Territory to conduct criminal investigations or inquiries; or
(n) a State or Territory authority, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or
(o) a State or Territory authority, to the extent that it is responsible for administering a law relating to the protection of the public revenue.
(ii) breaches of a law imposing a penalty or sanction; or
(d) the enforcement of laws relating to the confiscation of the proceeds of crime; or
Integrity Commissioner has the same meaning as in the Law Enforcement Integrity Commissioner Act 2006.
(b) an instrument (including rules, regulations or by laws) made under such an enactment;
tax file number information means information, whether compiled lawfully or unlawfully, and whether recorded in a material form or not, that records the tax file number of a person in a manner connecting it with the person’s identity.
(e) an office of member of a tribunal that is established by or under a law of the Commonwealth and that is prescribed for the purposes of this paragraph; or
child: without limiting who is a child of a person for the purposes of subsection (10), someone is the child of a person if he or she is a child of the person within the meaning of the Family Law Act 1975.
(b) someone who is a child of the individual within the meaning of the Family Law Act 1975.
(b) the act or practice is required by an applicable law of a foreign country.
(b) the act or practice is required by an applicable law of a foreign country.
(c) a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a law of a State or Territory, other than:
(ii) an association of employers or employees that is registered or recognised under a law of a State or Territory dealing with the resolution of industrial disputes; or
(d) a body established or appointed, otherwise than by or under a law of a State or Territory, by:
(e) a person holding or performing the duties of an office established by or under, or an appointment made under, a law of a State or Territory, other than the office of head of a State or Territory Department (however described); or
(f) a person holding or performing the duties of an appointment made, otherwise than under a law of a State or Territory, by:
(iii) whether the law of the State or Territory regulates the collection, holding, use, correction and disclosure of personal information by the instrumentality to a standard that is at least equivalent to the standard that would otherwise apply to the instrumentality under this Act; and
(ga) the Integrity Commissioner or a staff member of ACLEI (within the meaning of the Law Enforcement Integrity Commissioner Act 2006); or
(a) an election under an electoral law; or
(b) a referendum under a law of the Commonwealth or a law of a State or Territory; or
(i) an election under an electoral law;
(ii) a referendum under a law of the Commonwealth or a law of a State or Territory;
(a) an election under an electoral law;
(b) a referendum under a law of the Commonwealth or a law of a State or Territory;
Meaning of electoral law and Parliament
electoral law means a law of the Commonwealth, or a law of a State or Territory, relating to elections to a Parliament or to a local government authority.
(1) A person who is (whether lawfully or unlawfully) in possession or control of a record that contains tax file number information shall be regarded, for the purposes of this Act, as a file number recipient.
(b) by virtue of having that application, would be a law with respect to, or with respect to matters including:
(1) An act or practice of an organisation done or engaged in outside Australia and an external Territory is not an interference with the privacy of an individual if the act or practice is required by an applicable law of a foreign country.
Permitted general situations
Item Column 1
Kind of entity
Column 2
Item applies to
Column 3
Condition(s)
1APP entity(a) personal information; or
(b) a government related identifier.
(a) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and
(b) the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
2APP entity(a) personal information; or
(b) a government related identifier.
(a) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and
(b) the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter.
3APP entityPersonal information(a) the entity reasonably believes that the collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing; and
(b) the collection, use or disclosure complies with the rules made under subsection (2).
4APP entityPersonal informationThe collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim.
5APP entityPersonal informationThe collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process.
6AgencyPersonal informationThe entity reasonably believes that the collection, use or disclosure is necessary for the entity’s diplomatic or consular functions or activities.
7Defence ForcePersonal informationThe entity reasonably believes that the collection, use or disclosure is necessary for any of the following occurring outside Australia and the external Territories:
(a) war or warlike operations;
(b) peacekeeping or peace enforcement;
(c) civil aid, humanitarian assistance, medical or civil emergency or disaster relief.
(i) the collection is required or authorised by or under an Australian law (other than this Act); or
(i) the collection is required by or under an Australian law (other than this Act);
(2) Subsection (1) does not apply if the collection of the credit information is required or authorised by or under an Australian law or a court/tribunal order.
(7) A credit reporting body must collect credit information only by lawful and fair means.
(5) Subsection (4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.
(b) the use is required or authorised by or under an Australian law or a court/tribunal order; or
(e) the disclosure is required or authorised by or under an Australian law or a court/tribunal order; or
Note: Other Acts may provide that the note must not be made (see for example the Australian Crime Commission Act 2002 and the Law Enforcement Integrity Commissioner Act 2006).
(b) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the assessment.
(b) the use or disclosure of the credit reporting information is required by or under an Australian law or a court/tribunal order.
(2) Subsection (1) does not apply if the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order.
(a) giving access would be unlawful; or
(b) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(b) the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(5) Subsection (2) or (3) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(4) Subsection (2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.
(7) Subsection (5) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the CRB derived information.
(3) Subsection (2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit reporting information.
(5) Subsection (4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notification.
(b) the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
(3) However, the credit reporting body may use or disclose the information under this subsection if the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
(d) the use is required or authorised by or under an Australian law or a court/tribunal order; or
(f) the disclosure is required or authorised by or under an Australian law or a court/tribunal order; or
(c) the provider is not required by or under an Australian law, or a court/tribunal order, to retain the information;
(a) giving access would be unlawful; or
(b) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(b) the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(5) Subsection (2) or (3) does not apply if the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(c) the use is required or authorised by or under an Australian law or a court/tribunal order.
(3) Subsection (1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
(b) the use is required or authorised by or under an Australian law or a court/tribunal order.
(b) the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
(c) the use is required or authorised by or under an Australian law or a court/tribunal order.
(3) Subsection (1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
(b) the credit reporting body or credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notification under that subsection.
(a) is a provision of a law of the Commonwealth (other than this Act); and
(a) is a provision of a law of the Commonwealth (other than this Act); and
(ii) any other law of the Commonwealth;
(ii) are taking adequate measures to prevent the unlawful disclosure of such information;
(ii) is taking adequate measures to prevent the unlawful disclosure of the tax file number information that he or she holds;
(e) the disclosure, or the ascertaining by a person, of the existence or identity of a confidential source of information in relation to the enforcement of the criminal law;
(g) prejudice to the proper enforcement of the law or the protection of public safety;
(c) all the complaints give rise to a substantial common issue of law or fact.
(d) specify the questions of law or fact that are common to the complaints of the class members.
(e) the act or practice is the subject of an application under another Commonwealth law, or a State or Territory law, and the subject matter of the complaint has been, or is being, dealt with adequately under that law; or
(f) another Commonwealth law, or a State or Territory law, provides a more appropriate remedy for the act or practice that is the subject of the complaint.
(ii) becomes bankrupt or insolvent, commences to be wound up, applies to take the benefit of a law for the relief of bankrupt or insolvent debtors, compounds with creditors or makes an assignment of any property for the benefit of creditors.
(ii) becomes bankrupt or insolvent, commences to be wound up, applies to take the benefit of a law for the relief of bankrupt or insolvent debtors, compounds with creditors or makes an assignment of any property for the benefit of creditors; and
(4) Subsection (3) does not apply in relation to a failure or refusal by an individual to give information, or to produce a document, on the ground that giving the information or producing the document might tend to prove his or her guilt of an offence against, or make him or her liable to forfeiture or a penalty under, a law of the Commonwealth or of a Territory, if the Director of Public Prosecutions has given the individual a written undertaking under subsection (5).
will not be used in evidence in any proceedings for an offence against a law of the Commonwealth or of a Territory, or in any disciplinary proceedings, against the individual, other than proceedings in respect of the falsity of evidence given by the individual;
(7) Subsection (3) does not apply in relation to a failure or refusal by an individual to give information, or to produce a document, on the ground that giving the information or producing the document might tend to prove his or her guilt of an offence against, or make him or her liable to forfeiture or a penalty under, a law of a State, if the Attorney General of the State, or a person authorised by that Attorney General (being the person holding the office of Director of Public Prosecutions, or a similar office, of the State) has given the individual a written undertaking under subsection (8).
will not be used in evidence in any proceedings for an offence against a law of the State, or in any disciplinary proceedings, against the individual, other than proceedings in respect of the falsity of evidence given by the individual;
(3B) An entry by an authorised person with the consent of the occupier or person in charge is not lawful if the consent was not voluntary.
(f) disclose, or enable a person to ascertain, the existence or identity of a confidential source of information in relation to the enforcement of the criminal law;
(g) prejudice the effectiveness of the operational methods or investigative practices or techniques of agencies responsible for the enforcement of the criminal law; or
duty of confidence means any duty or obligation arising under the common law or at equity pursuant to which a person is obliged not to disclose information, but does not include legal professional privilege.
(b) whose presence in Australia is not subject to any limitation as to time imposed by law; and
secrecy provision means a provision of a law of the Commonwealth (including a provision of this Act), or of a Norfolk Island enactment, that prohibits or regulates the use or disclosure of personal information, whether the provision relates to the use or disclosure of personal information generally or in specified circumstances.
(c) assisting with law enforcement in relation to the emergency or disaster;
(d) a provision of a law of the Commonwealth prescribed by the regulations for the purposes of this paragraph;
(e) a provision of a law of the Commonwealth of a kind prescribed by the regulations for the purposes of this paragraph.
(1) The operation of this Part is not limited by a secrecy provision of any other law of the Commonwealth (whether made before or after the commencement of this Act) except to the extent that the secrecy provision expressly excludes the operation of this section.
Note: Section 3 provides for the concurrent operation of State and Territory laws.
(a) becomes bankrupt, applies to take the benefit of any law for the relief of bankrupt or insolvent debtors, compounds with the member’s creditors or makes an assignment of the member’s remuneration for their benefit;
(b) that arises under or by virtue of the law in force in the Australian Capital Territory; or
This Part does not, except to the extent that it does so expressly or by necessary implication, limit or restrict the operation of any other law or of any principle or rule of the common law or of equity, being a law, principle or rule:
(7) A reference in this section to a director of a body corporate includes a reference to a constituent member of a body corporate incorporated for a public purpose by a law of the Commonwealth, of a State or of a Territory.
(a) the APP entity is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or
(a) the collection of the information is required or authorised by or under an Australian law or a court/tribunal order; or
3.5 An APP entity must collect personal information only by lawful and fair means.
(ii) the entity is required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than the individual; or
the entity must, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de identified.
(c) if the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order—the fact that the collection is so required or authorised (including the name of the Australian law, or details of the court/tribunal order, that requires or authorises the collection);
(b) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
(i) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and
(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or
(c) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or
(a) the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order; or
(c) the use or disclosure of the identifier is required or authorised by or under an Australian law or a court/tribunal order; or
(d) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;
(f) giving access would be unlawful; or
(g) denying access is required or authorised by or under an Australian law or a court/tribunal order; or
(i) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in;
the entity must take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.