Division 1 - General definitions
6 - Interpretation6AA - Meaning of responsible person6A - Breach of an Australian Privacy Principle6B - Breach of a registered APP code6BA - Breach of the registered CR code6C - Organisations6D - Small business and small business operators6DA - What is the annual turnover of a business?6E - Small business operator treated as organisation6EA - Small business operators choosing to be treated as organisations6F - State instrumentalities etc. treated as organisations6FA - Meaning of health information6FB - Meaning of health serviceDivision 2 - Key definitions relating to credit reporting
Subdivision A - Credit provider
6G - Meaning of credit provider6H - Agents of credit providers6J - Securitisation arrangements etc.6K - Acquisition of the rights of a credit providerSubdivision B - Other definitions
6L - Meaning of access seeker6M - Meaning of credit and amount of credit6N - Meaning of credit information6P - Meaning of credit reporting business6Q - Meaning of default information6R - Meaning of information request6S - Meaning of new arrangement information6T - Meaning of payment information6U - Meaning of personal insolvency information6V - Meaning of repayment history informationDivision 3 - Other matters
7 - Acts and practices of agencies, organisations etc.7A - Acts of certain agencies treated as acts of organisation7B - Exempt acts and exempt practices of organisations7C - Political acts and practices are exempt8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.10 - Agencies that are taken to hold a record11 - File number recipients12A - Act not to apply in relation to State banking or insurance within that State12B - Severability—additional effect of this ActDivision 1 - Interferences with privacy
13 - Interferences with privacy13B - Related bodies corporate13C - Change in partnership because of change in partners13D - Overseas act required by foreign law13E - Effect of sections 13B, 13C and 13D13F - Act or practice not covered by section 13 is not an interference with privacy13G - Serious and repeated interferences with privacyDivision 2 - Australian Privacy Principles
14 - Australian Privacy Principles15 - APP entities must comply with Australian Privacy Principles16 - Personal, family or household affairs16A - Permitted general situations in relation to the collection, use or disclosure of personal information16B - Permitted health situations in relation to the collection, use or disclosure of health information16C - Acts and practices of overseas recipients of personal informationDivision 4 - Tax file number information
17 - Rules relating to tax file number information18 - File number recipients to comply with rulesDivision 1 - Introduction
19 - Guide to this PartDivision 2 - Credit reporting bodies
Subdivision A - Introduction and application of this Division etc.
20 - Guide to this Division20A - Application of this Division and the Australian Privacy Principles to credit reporting bodiesSubdivision B - Consideration of information privacy
20B - Open and transparent management of credit reporting informationSubdivision C - Collection of credit information
20C - Collection of solicited credit information20D - Dealing with unsolicited credit informationSubdivision D - Dealing with credit reporting information etc.
20E - Use or disclosure of credit reporting information20F - Permitted CRB disclosures in relation to individuals20G - Use or disclosure of credit reporting information for the purposes of direct marketing20H - Use or disclosure of pre screening assessments20J - Destruction of pre screening assessment20K - No use or disclosure of credit reporting information during a ban period20L - Adoption of government related identifiers20M - Use or disclosure of credit reporting information that is de identifiedSubdivision E - Integrity of credit reporting information
20N - Quality of credit reporting information20P - False or misleading credit reporting information20Q - Security of credit reporting informationSubdivision F - Access to, and correction of, information
20R - Access to credit reporting information20S - Correction of credit reporting information20T - Individual may request the correction of credit information etc.20U - Notice of correction etc. must be givenSubdivision G - Dealing with credit reporting information after the retention period ends etc.
20V - Destruction etc. of credit reporting information after the retention period ends20W - Retention period for credit information—general20X - Retention period for credit information—personal insolvency information20Y - Destruction of credit reporting information in cases of fraud20Z - Dealing with information if there is a pending correction request etc.20ZA - Dealing with information if an Australian law etc. requires it to be retainedDivision 3 - Credit providers
Subdivision A - Introduction and application of this Division
21 - Guide to this Division21A - Application of this Division to credit providersSubdivision B - Consideration of information privacy
21B - Open and transparent management of credit information etc.Subdivision C - Dealing with credit information
21C - Additional notification requirements for the collection of personal information etc.21D - Disclosure of credit information to a credit reporting body21E - Payment information must be disclosed to a credit reporting body21F - Limitation on the disclosure of credit information during a ban periodSubdivision D - Dealing with credit eligibility information etc.
21G - Use or disclosure of credit eligibility information21H - Permitted CP uses in relation to individuals21J - Permitted CP disclosures between credit providers21K - Permitted CP disclosures relating to guarantees etc.21L - Permitted CP disclosures to mortgage insurers21M - Permitted CP disclosures to debt collectors21N - Permitted CP disclosures to other recipients21NA - Disclosures to certain persons and bodies that do not have an Australian link21P - Notification of a refusal of an application for consumer creditSubdivision E - Integrity of credit information and credit eligibility information
21Q - Quality of credit eligibility information21R - False or misleading credit information or credit eligibility information21S - Security of credit eligibility informationSubdivision F - Access to, and correction of, information
21T - Access to credit eligibility information21U - Correction of credit information or credit eligibility information21V - Individual may request the correction of credit information etc.21W - Notice of correction etc. must be givenDivision 4 - Affected information recipients
22 - Guide to this DivisionSubdivision A - Consideration of information privacy
22A - Open and transparent management of regulated informationSubdivision B - Dealing with regulated information
22B - Additional notification requirements for affected information recipients22C - Use or disclosure of information by mortgage insurers or trade insurers22D - Use or disclosure of information by a related body corporate22E - Use or disclosure of information by credit managers etc.22F - Use or disclosure of information by advisers etc.Division 5 - Complaints
23 - Guide to this Division23A - Individual may complain about a breach of a provision of this Part etc.23B - Dealing with complaints23C - Notification requirements relating to correction complaintsDivision 6 - Unauthorised obtaining of credit reporting information etc.
24 - Obtaining credit reporting information from a credit reporting body24A - Obtaining credit eligibility information from a credit providerDivision 7 - Court orders
25 - Compensation orders25A - Other orders to compensate loss or damageDivision 1 - Introduction
26 - Guide to this PartDivision 2 - Registered APP codes
Subdivision A - Compliance with registered APP codes etc.
26A - APP entities to comply with binding registered APP codes26B - What is a registered APP code26C - What is an APP code26D - Extension of Act to exempt acts or practices covered by registered APP codesSubdivision B - Development and registration of APP codes
26E - Development of APP codes by APP code developers26F - Application for registration of APP codes26G - Development of APP codes by the Commissioner26H - Commissioner may register APP codesSubdivision C - Variation and removal of registered APP codes
26J - Variation of registered APP codes26K - Removal of registered APP codesDivision 3 - Registered CR code
Subdivision A - Compliance with the registered CR code
26L - Entities to comply with the registered CR code if bound by the code26M - What is the registered CR code26N - What is a CR codeSubdivision B - Development and registration of CR code
26P - Development of CR code by CR code developers26Q - Application for registration of CR code26R - Development of CR code by the Commissioner26S - Commissioner may register CR codeSubdivision C - Variation of the registered CR code
26T - Variation of the registered CR codeDivision 4 - General matters
26U - Codes Register26V - Guidelines relating to codes26W - Review of operation of registered codesDivision 1 - Introduction
26WA - Simplified outline of this Part26WB - Entity26WC - Deemed holding of information26WD - Exception—notification under the My Health Records Act 2012Division 2 - Eligible data breach
26WE - Eligible data breach26WF - Exception—remedial action26WG - Whether access or disclosure would be likely, or would not be likely, to result in serious harm—relevant mattersDivision 3 - Notification of eligible data breaches
Subdivision A - Suspected eligible data breaches
26WH - Assessment of suspected eligible data breach26WJ - Exception—eligible data breaches of other entitiesSubdivision B - General notification obligations
26WK - Statement about eligible data breach26WL - Entity must notify eligible data breach26WM - Exception—eligible data breaches of other entities26WN - Exception—enforcement related activities26WP - Exception—inconsistency with secrecy provisions26WQ - Exception—declaration by CommissionerSubdivision C - Commissioner may direct entity to notify eligible data breach
26WR - Commissioner may direct entity to notify eligible data breach26WS - Exception—enforcement related activities26WT - Exception—inconsistency with secrecy provisionsDivision 2 - Functions of Commissioner
27 - Functions of the Commissioner28 - Guidance related functions of the Commissioner28A - Monitoring related functions of the Commissioner28B - Advice related functions of the Commissioner29 - Commissioner must have due regard to the objects of the ActDivision 3 - Reports by Commissioner
30 - Reports following investigation of act or practice31 - Report following examination of proposed enactment32 - Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.33 - Exclusion of certain matters from reportsDivision 3A - Assessments by, or at the direction of, the Commissioner
33C - Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.33D - Commissioner may direct an agency to give a privacy impact assessmentDivision 4 - Miscellaneous
34 - Provisions relating to documents exempt under the Freedom of Information Act 198235 - Direction where refusal or failure to amend exempt document35A - Commissioner may recognise external dispute resolution schemesDivision 1A - Introduction
36A - Guide to this PartDivision 1 - Investigation of complaints and investigations on the Commissioner’s initiative
36 - Complaints37 - Principal executive of agency38 - Conditions for making a representative complaint38A - Commissioner may determine that a complaint is not to continue as a representative complaint38B - Additional rules applying to the determination of representative complaints38C - Amendment of representative complaints39 - Class member for representative complaint not entitled to lodge individual complaint40 - Investigations40A - Conciliation of complaints41 - Commissioner may or must decide not to investigate etc. in certain circumstances42 - Preliminary inquiries43 - Conduct of investigations43A - Interested party may request a hearing44 - Power to obtain information and documents45 - Power to examine witnesses46 - Directions to persons to attend compulsory conference47 - Conduct of compulsory conference48 - Complainant and certain other persons to be informed of various matters49 - Investigation under section 40 to cease if certain offences may have been committed49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened50 - Reference of matters to other authorities50A - Substitution of respondent to complaint51 - Effect of investigation by Auditor GeneralDivision 2 - Determinations following investigation of complaints
52 - Determination of the Commissioner53 - Determination must identify the class members who are to be affected by the determination53A - Notice to be given to outsourcing agency53B - Substituting an agency for a contracted service providerDivision 3 - Enforcement
54 - Application of Division55 - Obligations of organisations and small business operators55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination55B - Evidentiary certificateDivision 4 - Review and enforcement of determinations involving Commonwealth agencies
57 - Application of Division58 - Obligations of agencies59 - Obligations of principal executive of agency60 - Compensation and expenses62 - Enforcement of determination against an agencyDivision 5 - Miscellaneous
63 - Legal assistance64 - Commissioner etc. not to be sued65 - Failure to attend etc. before Commissioner66 - Failure to give information etc.67 - Protection from civil actions68 - Power to enter premises68A - Identity cards70 - Certain documents and information not required to be disclosed70B - Application of this Part to former organisationsDivision 1 - Public interest determinations
71 - Interpretation72 - Power to make, and effect of, determinations73 - Application by APP entity74 - Publication of application etc.75 - Draft determination76 - Conference77 - Conduct of conference78 - Determination of application79 - Making of determinationDivision 2 - Temporary public interest determinations
80A - Temporary public interest determinations80B - Effect of temporary public interest determination80D - Commissioner may continue to consider applicationDivision 3 - Register of determinations
80E - Register of determinationsDivision 1 - Object and interpretation
80F - Object80G - Interpretation80H - Meaning of permitted purposeDivision 2 - Declaration of emergency
80J - Declaration of emergency—events of national significance80K - Declaration of emergency—events outside Australia80L - Form of declarations80M - When declarations take effect80N - When declarations cease to have effectDivision 3 - Provisions dealing with the use and disclosure of personal information
80P - Authorisation of collection, use and disclosure of personal informationDivision 4 - Other matters
80Q - Disclosure of information—offence80R - Operation of Part80S - Severability—additional effect of Part80T - Compensation for acquisition of property—constitutional safety netDivision 1 - Civil penalties
80U - Civil penalty provisionsDivision 2 - Enforceable undertakings
80V - Enforceable undertakingsDivision 3 - Injunctions
80W - Injunctions95 - Medical research guidelines95A - Guidelines for Australian Privacy Principles about health information95AA - Guidelines for Australian Privacy Principles about genetic information95B - Requirements for Commonwealth contracts95C - Disclosure of certain provisions of Commonwealth contracts96 - Review by the Administrative Appeals Tribunal98A - Treatment of partnerships98B - Treatment of unincorporated associations98C - Treatment of trusts99A - Conduct of directors, employees and agents100 - Regulations
Part 1 - Consideration of personal information privacy
1 - Australian Privacy Principle 1—open and transparent management of personal information2 - Australian Privacy Principle 2—anonymity and pseudonymityPart 2 - Collection of personal information
3 - Australian Privacy Principle 3—collection of solicited personal information4 - Australian Privacy Principle 4—dealing with unsolicited personal information5 - Australian Privacy Principle 5—notification of the collection of personal informationPart 3 - Dealing with personal information
6 - Australian Privacy Principle 6—use or disclosure of personal information7 - Australian Privacy Principle 7—direct marketing8 - Australian Privacy Principle 8—cross border disclosure of personal information9 - Australian Privacy Principle 9—adoption, use or disclosure of government related identifiersPart 4 - Integrity of personal information
10 - Australian Privacy Principle 10—quality of personal information11 - Australian Privacy Principle 11—security of personal informationPart 5 - Access to, and correction of, personal information
12 - Australian Privacy Principle 12—access to personal information13 - Australian Privacy Principle 13—correction of personal informationNote: Such a law can have effect for the purposes of the provisions of the Australian Privacy Principles that regulate the handling of personal information by organisations by reference to the effect of other laws.
Organisations and small business operators
(1A) This Act, a registered APP code and the registered CR code extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation, or small business operator, that has an Australian link.
(2) An organisation or small business operator has an Australian link if the organisation or operator is:
(3) An organisation or small business operator also has an Australian link if all of the following apply:
(a) the organisation or operator is not described in subsection (2);
(b) the organisation or operator carries on business in Australia or an external Territory;
(c) the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.
(ii) an organisation that is registered under the Fair Work (Registered Organisations) Act 2009 or a branch of such an organisation; or
APP entity means an agency or organisation.
(a) an organisation that is or was a party to the government contract and that is or was responsible for the provision of services to an agency or a State or Territory authority under the government contract; or
(a) an organisation; or
(b) an organisation; or
(a) the Australian Security Intelligence Organisation;
media organisation means an organisation whose activities consist of or include the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:
mortgage insurer means an organisation, or small business operator, that carries on a business or undertaking that involves providing insurance to credit providers in relation to mortgage credit provided by providers to other persons.
non profit organisation means an organisation:
(a) that is a non profit organisation; and
organisation has the meaning given by section 6C.
subcontractor, for a government contract, means an organisation:
trade insurer means an organisation, or small business operator, that carries on a business or undertaking that involves providing insurance to credit providers in relation to commercial credit provided by providers to other persons.
(i) by an organisation that is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and
(3) An act or practice does not breach an Australian Privacy Principle if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the National Archives of Australia to decide whether to accept, or to arrange, care (as defined in that Act) of the record.
(i) by an organisation that is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and
(3) An act or practice does not breach a registered APP code if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the National Archives of Australia to decide whether to accept, or to arrange, care (as defined in that Act) of the record.
What is an organisation?
organisation means:
Note 1: Under section 187LA of the Telecommunications (Interception and Access) Act 1979, service providers are, in relation to their activities relating to retained data, treated as organisations for the purposes of this Act.
Legal person treated as different organisations in different capacities
(2) A legal person can have a number of different capacities in which the person does things. In each of those capacities, the person is taken to be a different organisation.
Example: In addition to his or her personal capacity, an individual may be the trustee of one or more trusts. In his or her personal capacity, he or she is one organisation. As trustee of each trust, he or she is a different organisation.
Making regulations to stop instrumentalities being organisations
(4) Before the Governor General makes regulations prescribing an instrumentality of a State or Territory for the purposes of the definition of organisation in subsection (1), the Minister must:
(i) whether treating the instrumentality as an organisation for the purposes of this Act adversely affects the government of the State or Territory; and
as if the small business operator were an organisation.
(1B) If a small business operator is the protected action ballot agent for a protected action ballot conducted under Part 3 3 of the Fair Work Act 2009, this Act applies, with the prescribed modifications (if any), in relation to the activities carried on by the small business operator for the purpose of, or in connection with, the conduct of the protected action ballot, as if the small business operator were an organisation.
Small business operator that is an association of employees that is registered or recognised under the Fair Work (Registered Organisations) Act 2009
(1C) If a small business operator is an association of employees that is registered or recognised under the Fair Work (Registered Organisations) Act 2009, this Act applies, with the prescribed modifications (if any), in relation to the activities carried on by the small business operator, as if the small business operator were an organisation (within the meaning of this Act).
Regulations treating a small business operator as an organisation
(1) This Act applies, with the prescribed modifications (if any), in relation to a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.
Regulations treating a small business operator as an organisation for particular acts or practices
(2) This Act also applies, with the prescribed modifications (if any), in relation to the prescribed acts or practices of a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.
(1) This Act applies in relation to a small business operator as if the operator were an organisation while a choice by the operator to be treated as an organisation is registered under this section.
(2) A small business operator may make a choice in writing given to the Commissioner to be treated as an organisation.
(3) If the Commissioner is satisfied that a small business operator has made the choice to be treated as an organisation, the Commissioner must enter in a register of operators who have made such a choice:
(4) If a small business operator revokes a choice to be treated as an organisation, the Commissioner must remove from the register the material relating to the operator.
Regulations treating a State instrumentality etc. as an organisation
(1) This Act applies, with the prescribed modifications (if any), in relation to a prescribed State or Territory authority or a prescribed instrumentality of a State or Territory (except an instrumentality that is an organisation because of section 6C) as if the authority or instrumentality were an organisation.
Making regulations to treat instrumentality etc. as organisation
(b) an organisation or small business operator if:
(i) the organisation or operator carries on a business or undertaking; and
(c) an organisation or small business operator:
(ii) that, in the course of the business, issues credit cards to individuals in connection with the sale of goods, or the supply of services, by the organisation or operator (as the case may be);
(d) an agency, organisation or small business operator:
(a) an organisation or small business operator (the supplier) carries on a business or undertaking in the course of which the supplier provides credit in connection with the sale of goods, or the supply of services, by the supplier; and
(a) an organisation or small business operator (the lessor) carries on a business or undertaking in the course of which the lessor provides credit in connection with the hiring, leasing or renting of goods; and
(4) An organisation or small business operator is a credit provider if subsection 6H(1), 6J(1) or 6K(1) provides that the organisation or operator is a credit provider.
(5) Despite subsections (1) to (4) of this section, an organisation or small business operator acting in the capacity of:
(6) Despite subsections (1) to (4) of this section, an organisation or small business operator is not a credit provider if it is included in a class of organisations or operators prescribed by the regulations.
(1) If an organisation or small business operator (the agent) is acting as an agent of a credit provider (the principal) in performing, on behalf of the principal, a task that is reasonably necessary:
(2) Subsection (1) does not apply if the principal is an organisation or small business operator that is a credit provider because of a previous application of that subsection.
(a) an organisation or small business operator (the securitisation entity) carries on a business that is involved in either or both of the following:
(2) Subsection (1) does not apply if the original credit provider is an organisation or small business operator that is a credit provider because of a previous application of that subsection.
(a) an organisation or small business operator (the acquirer) acquires, whether by assignment, subrogation or any other means, the rights of a credit provider (the original credit provider) in relation to the repayment of an amount of credit; and
(ee) an act done, or a practice engaged in, by an organisation, other than an exempt act or exempt practice (see sections 7B and 7C);
(g) the Defence Intelligence Organisation or the Australian Geospatial Intelligence Organisation; or
(a) the Australian Security Intelligence Organisation; or
(b) the Defence Intelligence Organisation or the Australian Geospatial Intelligence Organisation; or
(a) the act or practice were an act done, or practice engaged in, by an organisation; and
(b) the agency mentioned in that subsection were the organisation.
(1) An act done, or practice engaged in, by an organisation that is an individual is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, other than in the course of a business carried on by the individual.
Organisation acting under Commonwealth contract
(2) An act done, or practice engaged in, by an organisation is exempt for the purposes of paragraph 7(1)(ee) if:
(a) the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and
(b) the organisation would be a small business operator if it were not a contracted service provider for a Commonwealth contract; and
(c) the act is done, or the practice is engaged in, otherwise than for the purposes of meeting (directly or indirectly) an obligation under a Commonwealth contract for which the organisation is the contracted service provider.
Note: This puts the organisation in the same position as a small business operator as far as its activities that are not for the purposes of a Commonwealth contract are concerned, so the organisation need not comply with the Australian Privacy Principles, or a registered APP code that binds the organisation, in relation to those activities.
(3) An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:
(b) an employee record held by the organisation and relating to the individual.
(4) An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in:
(a) by the organisation in the course of journalism; and
(b) at a time when the organisation is publicly committed to observe standards that:
(i) deal with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters); and
(ii) have been published in writing by the organisation or a person or body representing a class of media organisations.
Organisation acting under State contract
(5) An act done, or practice engaged in, by an organisation is exempt for the purposes of paragraph 7(1)(ee) if:
(a) the organisation is a contracted service provider for a State contract (whether or not the organisation is a party to the contract); and
(1) An act done, or practice engaged in, by an organisation (the political representative) consisting of a member of a Parliament, or a councillor (however described) of a local government authority, is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, for any purpose in connection with:
(2) An act done, or practice engaged in, by an organisation (the contractor) is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in:
Subcontractors for organisations covered by subsection (1) etc.
(3) An act done, or practice engaged in, by an organisation (the subcontractor) is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in:
(4) An act done voluntarily, or practice engaged in voluntarily, by an organisation for or on behalf of a registered political party and with the authority of the party is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in for any purpose in connection with one or more of the following:
(a) an act done or practice engaged in by, or information disclosed to, a person employed by, or in the service of, an agency, organisation, file number recipient, credit reporting body or credit provider in the performance of the duties of the person’s employment shall be treated as having been done or engaged in by, or disclosed to, the agency, organisation, recipient, credit reporting body or credit provider;
(b) an act done or practice engaged in by, or information disclosed to, a person on behalf of, or for the purposes of the activities of, an unincorporated body, being a board, council, committee, sub committee or other body established by or under a Commonwealth enactment or a Norfolk Island enactment for the purpose of assisting, or performing functions in connection with, an agency or organisation, shall be treated as having been done or engaged in by, or disclosed to, the agency or organisation; and
(3) For the purposes of the application of this Act in relation to an organisation that is a partnership:
(a) an act done or practice engaged in by a partner is taken to have been done or engaged in by the organisation; and
(b) a communication (including a complaint, notice, request or disclosure of information) made to a partner is taken to have been made to the organisation.
(4) For the purposes of the application of this Act in relation to an organisation that is an unincorporated association:
(a) an act done or practice engaged in by a member of the committee of management of the association is taken to have been done or engaged in by the organisation; and
(b) a communication (including a complaint, notice, request or disclosure of information) made to a member of the committee of management of the association is taken to have been made to the organisation.
(5) For the purposes of the application of this Act in relation to an organisation that is a trust:
(a) an act done or practice engaged in by a trustee is taken to have been done or engaged in by the organisation; and
(b) a communication (including a complaint, notice or request or disclosure of information) made to a trustee is taken to have been made to the organisation.
(b) an organisation;
(3) An act or practice of an organisation is an interference with the privacy of an individual if:
(b) the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and
(ii) a registered APP code that binds the organisation;
(1) Despite subsection 13(1), each of the following acts or practices of an organisation that is a body corporate is not an interference with the privacy of an individual:
(a) a related body corporate that is not an organisation; or
(2) Subsection (1) does not prevent an act or practice of an organisation from being an interference with the privacy of an individual under subsection 13(3).
(a) an organisation (the new partnership) that is a partnership forms at the same time as, or immediately after, the dissolution of another partnership (the old partnership); and
(1) An act or practice of an organisation done or engaged in outside Australia and an external Territory is not an interference with the privacy of an individual if the act or practice is required by an applicable law of a foreign country.
Sections 13B, 13C and 13D do not prevent an act or practice of an organisation from being an interference with the privacy of an individual under subsection 13(2), (4) or (5).
(1) A permitted health situation exists in relation to the collection by an organisation of health information about an individual if:
(ii) the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.
(1A) A permitted health situation exists in relation to the collection by an organisation of health information about an individual (the third party) if:
(a) it is necessary for the organisation to collect the family, social or medical history of an individual (the patient) to provide a health service to the patient; and
(b) the health information about the third party is part of the family, social or medical history necessary for the organisation to provide the health service to the patient; and
(c) the health information is collected by the organisation from the patient or, if the patient is physically or legally incapable of giving the information, a responsible person for the patient.
(2) A permitted health situation exists in relation to the collection by an organisation of health information about an individual if:
(c) it is impracticable for the organisation to obtain the individual’s consent to the collection; and
(ii) the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation;
(3) A permitted health situation exists in relation to the use or disclosure by an organisation of health information about an individual if:
(b) it is impracticable for the organisation to obtain the individual’s consent to the use or disclosure; and
(d) in the case of disclosure—the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information.
(4) A permitted health situation exists in relation to the use or disclosure by an organisation of genetic information about an individual (the first individual) if:
(a) the organisation has obtained the information in the course of providing a health service to the first individual; and
(b) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the first individual; and
(5) A permitted health situation exists in relation to the disclosure by an organisation of health information about an individual if:
(a) the organisation provides a health service to the individual; and
(d) another individual (the carer) providing the health service for the organisation is satisfied that either:
(ii) an organisation that has an Australian link; and
(6) If a credit provider is an organisation or small business operator, any charge by the provider for giving access to the information must not be excessive and must not apply to the making of the request.
(7) Before the fifth anniversary of the commencement of this section, the Minister must cause a review to be undertaken of whether this section should apply in relation to organisations.
(7) In the case of a complaint about an act or practice of an organisation, the organisation is the respondent.
Note: Sections 98A to 98C contain further rules about how this Part operates in relation to respondent organisations that are not legal persons.
(8) The respondent to a complaint about an act or practice described in subsection 13(2), (4) or (5), other than an act or practice of an agency or organisation, is the person or entity who engaged in the act or practice.
(1) This section lets the Commissioner substitute an agency for an organisation as respondent to a complaint if:
(a) the organisation is a contracted service provider for a Commonwealth contract to provide services to the agency; and
(b) before the Commissioner makes a determination under section 52 in relation to the complaint, the organisation:
(2) The Commissioner may amend the complaint to specify as a respondent to the complaint the agency or its principal executive, instead of the organisation.
Note 1: The complaint still relates to the act or practice of the organisation.
Note 2: The Commissioner may determine under section 53B that the determination applies in relation to an agency if the organisation has not complied with the determination.
If the determination applies in relation to an organisation or small business operator, the organisation or operator:
(1) Subject to subsection (3), for the purposes of the performance by the Commissioner of his or her functions under this Act, a person authorised by the Commissioner in writing for the purposes of this section may, at any reasonable time of the day, enter premises occupied by an agency, an organisation, a file number recipient, a credit reporting body or a credit provider and inspect any documents that are kept at those premises and that are relevant to the performance of those functions, other than documents in respect of which the Attorney General has furnished a certificate under subsection 70(1) or (2).
If an individual, body corporate, partnership, unincorporated association or trust ceases to be an organisation but continues to exist, this Part operates in relation to:
(a) an act or practice of the organisation (while it was an organisation); and
as if he, she or it were still (and had been at all relevant times) an organisation.
(b) the complaint may be investigated (and further proceedings taken) under this Part as though the individual were still an organisation.
Example 2: A small business operator chooses under section 6EA to be treated as an organisation, but later revokes the choice. A complaint about an act or practice the operator engaged in while the choice was registered under that section may be made and investigated under this Part as if the operator were an organisation.
(2A) If the applicant is an organisation, the Commissioner must:
(a) send a written invitation to the organisation to notify the Commissioner, within the period specified in the invitation, whether or not the organisation wishes the Commissioner to hold a conference about the draft determination; and
(1) If an agency, organisation or person notifies the Commissioner, within the period specified in an invitation sent to the agency, organisation or person, that the agency, organisation or person wishes a conference to be held about the draft determination, the Commissioner shall hold such a conference.
(4) The Commissioner shall give notice of the day, time and place of the conference to the agency or organisation and to each person to whom an invitation was sent.
(1) At the conference, the agency or organisation is entitled to be represented by a person who is, or persons each of whom is, an officer or employee of the agency or organisation.
(2) The Commissioner shall, in making a determination, take account of all submissions about the application that have been made, whether at a conference or not, by the agency, organisation or any other person.
(iii) an organisation; or
(d) in the case of a disclosure of the personal information by an organisation or another person—the disclosure is to:
(e) in the case of any disclosure of the personal information—the disclosure is not to a media organisation.
(a) sections 18, 18A, 18B and 92 of the Australian Security Intelligence Organisation Act 1979;
(c) an organisation.
(2) Before the Governor General makes regulations for the purposes of Australian Privacy Principle 9.3 prescribing a government related identifier, an organisation or a class of organisations, and circumstances, the Minister must be satisfied that:
(i) has agreed that the adoption, use or disclosure of the identifier by the organisation, or the class of organisations, in the circumstances is appropriate; and
(b) the adoption, use or disclosure of the identifier by the organisation, or the class of organisations, in the circumstances can only be for the benefit of the individual to whom the identifier relates.
(3) Subsection (2) does not apply to the making of regulations for the purposes of Australian Privacy Principle 9.3 that relate to the use or disclosure of a government related identifier by an organisation, or a class of organisations, in particular circumstances if:
(i) the organisation; or
(ii) the class of organisations;
3.2 If an APP entity is an organisation, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities.
(ii) if the entity is an organisation—the information is reasonably necessary for one or more of the entity’s functions or activities; or
(c) the APP entity is an organisation and a permitted health situation exists in relation to the collection of the information by the entity; or
(e) the APP entity is a non profit organisation and both of the following apply:
(i) the information relates to the activities of the organisation;
(ii) the information relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities.
(d) the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or
(a) the APP entity is an organisation; and
6.7 This principle does not apply to the use or disclosure by an organisation of:
7.1 If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.
Note: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.
7.2 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
(a) the organisation collected the information from the individual; and
(b) the individual would reasonably expect the organisation to use or disclose the information for that purpose; and
(c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and
(d) the individual has not made such a request to the organisation.
7.3 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
(a) the organisation collected the information from:
(i) the individual and the individual would not reasonably expect the organisation to use or disclose the information for that purpose; or
(c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and
(i) the organisation includes a prominent statement that the individual may make such a request; or
(ii) the organisation otherwise draws the individual’s attention to the fact that the individual may make such a request; and
(e) the individual has not made such a request to the organisation.
7.4 Despite subclause 7.1, an organisation may use or disclose sensitive information about an individual for the purpose of direct marketing if the individual has consented to the use or disclosure of the information for that purpose.
7.5 Despite subclause 7.1, an organisation may use or disclose personal information for the purpose of direct marketing if:
(a) the organisation is a contracted service provider for a Commonwealth contract; and
(b) the organisation collected the information for the purpose of meeting (directly or indirectly) an obligation under the contract; and
7.6 If an organisation (the first organisation) uses or discloses personal information about an individual:
(a) for the purpose of direct marketing by the first organisation; or
(b) for the purpose of facilitating direct marketing by other organisations;
(c) if paragraph (a) applies—request not to receive direct marketing communications from the first organisation; and
(d) if paragraph (b) applies—request the organisation not to use or disclose the information for the purpose referred to in that paragraph; and
(e) request the first organisation to provide its source of the information.
7.7 If an individual makes a request under subclause 7.6, the first organisation must not charge the individual for the making of, or to give effect to, the request and:
(a) if the request is of a kind referred to in paragraph 7.6(c) or (d)—the first organisation must give effect to the request within a reasonable period after the request is made; and
(b) if the request is of a kind referred to in paragraph 7.6(e)—the organisation must, within a reasonable period after the request is made, notify the individual of its source unless it is impracticable or unreasonable to do so.
9.1 An organisation must not adopt a government related identifier of an individual as its own identifier of the individual unless:
Note: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.
9.2 An organisation must not use or disclose a government related identifier of an individual unless:
(a) the use or disclosure of the identifier is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions; or
(b) the use or disclosure of the identifier is reasonably necessary for the organisation to fulfil its obligations to an agency or a State or Territory authority; or
(e) the organisation reasonably believes that the use or disclosure of the identifier is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
Note 1: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.
9.3 This subclause applies in relation to the adoption, use or disclosure by an organisation of a government related identifier of an individual if:
(b) the organisation is prescribed by the regulations, or is included in a class of organisations prescribed by the regulations; and
Exception to access—organisation
12.3 If the APP entity is an organisation then, despite subclause 12.1, the entity is not required to give the individual access to the personal information to the extent that:
(ii) if the entity is an organisation—within a reasonable period after the request is made; and
(a) the APP entity is an organisation; and
(ii) if the entity is an organisation—within a reasonable period after the request is made; and