Division 1 - General definitions
6 - Interpretation6AA - Meaning of responsible person6A - Breach of an Australian Privacy Principle6B - Breach of a registered APP code6BA - Breach of the registered CR code6C - Organisations6D - Small business and small business operators6DA - What is the annual turnover of a business?6E - Small business operator treated as organisation6EA - Small business operators choosing to be treated as organisations6F - State instrumentalities etc. treated as organisations6FA - Meaning of health information6FB - Meaning of health serviceDivision 2 - Key definitions relating to credit reporting
Subdivision A - Credit provider
6G - Meaning of credit provider6H - Agents of credit providers6J - Securitisation arrangements etc.6K - Acquisition of the rights of a credit providerSubdivision B - Other definitions
6L - Meaning of access seeker6M - Meaning of credit and amount of credit6N - Meaning of credit information6P - Meaning of credit reporting business6Q - Meaning of default information6R - Meaning of information request6S - Meaning of new arrangement information6T - Meaning of payment information6U - Meaning of personal insolvency information6V - Meaning of repayment history informationDivision 3 - Other matters
7 - Acts and practices of agencies, organisations etc.7A - Acts of certain agencies treated as acts of organisation7B - Exempt acts and exempt practices of organisations7C - Political acts and practices are exempt8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.10 - Agencies that are taken to hold a record11 - File number recipients12A - Act not to apply in relation to State banking or insurance within that State12B - Severability—additional effect of this ActDivision 1 - Interferences with privacy
13 - Interferences with privacy13B - Related bodies corporate13C - Change in partnership because of change in partners13D - Overseas act required by foreign law13E - Effect of sections 13B, 13C and 13D13F - Act or practice not covered by section 13 is not an interference with privacy13G - Serious and repeated interferences with privacyDivision 2 - Australian Privacy Principles
14 - Australian Privacy Principles15 - APP entities must comply with Australian Privacy Principles16 - Personal, family or household affairs16A - Permitted general situations in relation to the collection, use or disclosure of personal information16B - Permitted health situations in relation to the collection, use or disclosure of health information16C - Acts and practices of overseas recipients of personal informationDivision 4 - Tax file number information
17 - Rules relating to tax file number information18 - File number recipients to comply with rulesDivision 1 - Introduction
19 - Guide to this PartDivision 2 - Credit reporting bodies
Subdivision A - Introduction and application of this Division etc.
20 - Guide to this Division20A - Application of this Division and the Australian Privacy Principles to credit reporting bodiesSubdivision B - Consideration of information privacy
20B - Open and transparent management of credit reporting informationSubdivision C - Collection of credit information
20C - Collection of solicited credit information20D - Dealing with unsolicited credit informationSubdivision D - Dealing with credit reporting information etc.
20E - Use or disclosure of credit reporting information20F - Permitted CRB disclosures in relation to individuals20G - Use or disclosure of credit reporting information for the purposes of direct marketing20H - Use or disclosure of pre screening assessments20J - Destruction of pre screening assessment20K - No use or disclosure of credit reporting information during a ban period20L - Adoption of government related identifiers20M - Use or disclosure of credit reporting information that is de identifiedSubdivision E - Integrity of credit reporting information
20N - Quality of credit reporting information20P - False or misleading credit reporting information20Q - Security of credit reporting informationSubdivision F - Access to, and correction of, information
20R - Access to credit reporting information20S - Correction of credit reporting information20T - Individual may request the correction of credit information etc.20U - Notice of correction etc. must be givenSubdivision G - Dealing with credit reporting information after the retention period ends etc.
20V - Destruction etc. of credit reporting information after the retention period ends20W - Retention period for credit information—general20X - Retention period for credit information—personal insolvency information20Y - Destruction of credit reporting information in cases of fraud20Z - Dealing with information if there is a pending correction request etc.20ZA - Dealing with information if an Australian law etc. requires it to be retainedDivision 3 - Credit providers
Subdivision A - Introduction and application of this Division
21 - Guide to this Division21A - Application of this Division to credit providersSubdivision B - Consideration of information privacy
21B - Open and transparent management of credit information etc.Subdivision C - Dealing with credit information
21C - Additional notification requirements for the collection of personal information etc.21D - Disclosure of credit information to a credit reporting body21E - Payment information must be disclosed to a credit reporting body21F - Limitation on the disclosure of credit information during a ban periodSubdivision D - Dealing with credit eligibility information etc.
21G - Use or disclosure of credit eligibility information21H - Permitted CP uses in relation to individuals21J - Permitted CP disclosures between credit providers21K - Permitted CP disclosures relating to guarantees etc.21L - Permitted CP disclosures to mortgage insurers21M - Permitted CP disclosures to debt collectors21N - Permitted CP disclosures to other recipients21NA - Disclosures to certain persons and bodies that do not have an Australian link21P - Notification of a refusal of an application for consumer creditSubdivision E - Integrity of credit information and credit eligibility information
21Q - Quality of credit eligibility information21R - False or misleading credit information or credit eligibility information21S - Security of credit eligibility informationSubdivision F - Access to, and correction of, information
21T - Access to credit eligibility information21U - Correction of credit information or credit eligibility information21V - Individual may request the correction of credit information etc.21W - Notice of correction etc. must be givenDivision 4 - Affected information recipients
22 - Guide to this DivisionSubdivision A - Consideration of information privacy
22A - Open and transparent management of regulated informationSubdivision B - Dealing with regulated information
22B - Additional notification requirements for affected information recipients22C - Use or disclosure of information by mortgage insurers or trade insurers22D - Use or disclosure of information by a related body corporate22E - Use or disclosure of information by credit managers etc.22F - Use or disclosure of information by advisers etc.Division 5 - Complaints
23 - Guide to this Division23A - Individual may complain about a breach of a provision of this Part etc.23B - Dealing with complaints23C - Notification requirements relating to correction complaintsDivision 6 - Unauthorised obtaining of credit reporting information etc.
24 - Obtaining credit reporting information from a credit reporting body24A - Obtaining credit eligibility information from a credit providerDivision 7 - Court orders
25 - Compensation orders25A - Other orders to compensate loss or damageDivision 1 - Introduction
26 - Guide to this PartDivision 2 - Registered APP codes
Subdivision A - Compliance with registered APP codes etc.
26A - APP entities to comply with binding registered APP codes26B - What is a registered APP code26C - What is an APP code26D - Extension of Act to exempt acts or practices covered by registered APP codesSubdivision B - Development and registration of APP codes
26E - Development of APP codes by APP code developers26F - Application for registration of APP codes26G - Development of APP codes by the Commissioner26H - Commissioner may register APP codesSubdivision C - Variation and removal of registered APP codes
26J - Variation of registered APP codes26K - Removal of registered APP codesDivision 3 - Registered CR code
Subdivision A - Compliance with the registered CR code
26L - Entities to comply with the registered CR code if bound by the code26M - What is the registered CR code26N - What is a CR codeSubdivision B - Development and registration of CR code
26P - Development of CR code by CR code developers26Q - Application for registration of CR code26R - Development of CR code by the Commissioner26S - Commissioner may register CR codeSubdivision C - Variation of the registered CR code
26T - Variation of the registered CR codeDivision 4 - General matters
26U - Codes Register26V - Guidelines relating to codes26W - Review of operation of registered codesDivision 1 - Introduction
26WA - Simplified outline of this Part26WB - Entity26WC - Deemed holding of information26WD - Exception—notification under the My Health Records Act 2012Division 2 - Eligible data breach
26WE - Eligible data breach26WF - Exception—remedial action26WG - Whether access or disclosure would be likely, or would not be likely, to result in serious harm—relevant mattersDivision 3 - Notification of eligible data breaches
Subdivision A - Suspected eligible data breaches
26WH - Assessment of suspected eligible data breach26WJ - Exception—eligible data breaches of other entitiesSubdivision B - General notification obligations
26WK - Statement about eligible data breach26WL - Entity must notify eligible data breach26WM - Exception—eligible data breaches of other entities26WN - Exception—enforcement related activities26WP - Exception—inconsistency with secrecy provisions26WQ - Exception—declaration by CommissionerSubdivision C - Commissioner may direct entity to notify eligible data breach
26WR - Commissioner may direct entity to notify eligible data breach26WS - Exception—enforcement related activities26WT - Exception—inconsistency with secrecy provisionsDivision 2 - Functions of Commissioner
27 - Functions of the Commissioner28 - Guidance related functions of the Commissioner28A - Monitoring related functions of the Commissioner28B - Advice related functions of the Commissioner29 - Commissioner must have due regard to the objects of the ActDivision 3 - Reports by Commissioner
30 - Reports following investigation of act or practice31 - Report following examination of proposed enactment32 - Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.33 - Exclusion of certain matters from reportsDivision 3A - Assessments by, or at the direction of, the Commissioner
33C - Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.33D - Commissioner may direct an agency to give a privacy impact assessmentDivision 4 - Miscellaneous
34 - Provisions relating to documents exempt under the Freedom of Information Act 198235 - Direction where refusal or failure to amend exempt document35A - Commissioner may recognise external dispute resolution schemesDivision 1A - Introduction
36A - Guide to this PartDivision 1 - Investigation of complaints and investigations on the Commissioner’s initiative
36 - Complaints37 - Principal executive of agency38 - Conditions for making a representative complaint38A - Commissioner may determine that a complaint is not to continue as a representative complaint38B - Additional rules applying to the determination of representative complaints38C - Amendment of representative complaints39 - Class member for representative complaint not entitled to lodge individual complaint40 - Investigations40A - Conciliation of complaints41 - Commissioner may or must decide not to investigate etc. in certain circumstances42 - Preliminary inquiries43 - Conduct of investigations43A - Interested party may request a hearing44 - Power to obtain information and documents45 - Power to examine witnesses46 - Directions to persons to attend compulsory conference47 - Conduct of compulsory conference48 - Complainant and certain other persons to be informed of various matters49 - Investigation under section 40 to cease if certain offences may have been committed49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened50 - Reference of matters to other authorities50A - Substitution of respondent to complaint51 - Effect of investigation by Auditor GeneralDivision 2 - Determinations following investigation of complaints
52 - Determination of the Commissioner53 - Determination must identify the class members who are to be affected by the determination53A - Notice to be given to outsourcing agency53B - Substituting an agency for a contracted service providerDivision 3 - Enforcement
54 - Application of Division55 - Obligations of organisations and small business operators55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination55B - Evidentiary certificateDivision 4 - Review and enforcement of determinations involving Commonwealth agencies
57 - Application of Division58 - Obligations of agencies59 - Obligations of principal executive of agency60 - Compensation and expenses62 - Enforcement of determination against an agencyDivision 5 - Miscellaneous
63 - Legal assistance64 - Commissioner etc. not to be sued65 - Failure to attend etc. before Commissioner66 - Failure to give information etc.67 - Protection from civil actions68 - Power to enter premises68A - Identity cards70 - Certain documents and information not required to be disclosed70B - Application of this Part to former organisationsDivision 1 - Public interest determinations
71 - Interpretation72 - Power to make, and effect of, determinations73 - Application by APP entity74 - Publication of application etc.75 - Draft determination76 - Conference77 - Conduct of conference78 - Determination of application79 - Making of determinationDivision 2 - Temporary public interest determinations
80A - Temporary public interest determinations80B - Effect of temporary public interest determination80D - Commissioner may continue to consider applicationDivision 3 - Register of determinations
80E - Register of determinationsDivision 1 - Object and interpretation
80F - Object80G - Interpretation80H - Meaning of permitted purposeDivision 2 - Declaration of emergency
80J - Declaration of emergency—events of national significance80K - Declaration of emergency—events outside Australia80L - Form of declarations80M - When declarations take effect80N - When declarations cease to have effectDivision 3 - Provisions dealing with the use and disclosure of personal information
80P - Authorisation of collection, use and disclosure of personal informationDivision 4 - Other matters
80Q - Disclosure of information—offence80R - Operation of Part80S - Severability—additional effect of Part80T - Compensation for acquisition of property—constitutional safety netDivision 1 - Civil penalties
80U - Civil penalty provisionsDivision 2 - Enforceable undertakings
80V - Enforceable undertakingsDivision 3 - Injunctions
80W - Injunctions95 - Medical research guidelines95A - Guidelines for Australian Privacy Principles about health information95AA - Guidelines for Australian Privacy Principles about genetic information95B - Requirements for Commonwealth contracts95C - Disclosure of certain provisions of Commonwealth contracts96 - Review by the Administrative Appeals Tribunal98A - Treatment of partnerships98B - Treatment of unincorporated associations98C - Treatment of trusts99A - Conduct of directors, employees and agents100 - Regulations
Part 1 - Consideration of personal information privacy
1 - Australian Privacy Principle 1—open and transparent management of personal information2 - Australian Privacy Principle 2—anonymity and pseudonymityPart 2 - Collection of personal information
3 - Australian Privacy Principle 3—collection of solicited personal information4 - Australian Privacy Principle 4—dealing with unsolicited personal information5 - Australian Privacy Principle 5—notification of the collection of personal informationPart 3 - Dealing with personal information
6 - Australian Privacy Principle 6—use or disclosure of personal information7 - Australian Privacy Principle 7—direct marketing8 - Australian Privacy Principle 8—cross border disclosure of personal information9 - Australian Privacy Principle 9—adoption, use or disclosure of government related identifiersPart 4 - Integrity of personal information
10 - Australian Privacy Principle 10—quality of personal information11 - Australian Privacy Principle 11—security of personal informationPart 5 - Access to, and correction of, personal information
12 - Australian Privacy Principle 12—access to personal information13 - Australian Privacy Principle 13—correction of personal information(c) to provide the basis for nationally consistent regulation of privacy and the handling of personal information; and
(d) to promote responsible and transparent handling of personal information by entities; and
It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction or disclosure of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.
Note: Such a law can have effect for the purposes of the provisions of the Australian Privacy Principles that regulate the handling of personal information by organisations by reference to the effect of other laws.
(c) the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.
collects: an entity collects personal information only if the entity collects the personal information for inclusion in a record or generally available publication.
CP derived information about an individual means any personal information (other than sensitive information) about the individual:
CRB derived information about an individual means any personal information (other than sensitive information) about the individual:
de identified: personal information is de identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.
employee record, in relation to an employee, means a record of personal information relating to the employment of the employee. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about all or any of the following:
holds: an entity holds personal information if the entity has possession or control of a record that contains the personal information.
overseas recipient, in relation to personal information, has the meaning given by Australian Privacy Principle 8.1.
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5 1A of that Act.
(a) if the recipient is a mortgage insurer or trade insurer—personal information disclosed to the recipient under Division 2 or 3 of Part IIIA; or
that is also personal information; or
solicits: an entity solicits personal information if the entity requests another entity to provide the personal information, or to provide a kind of information in which that personal information is included.
(3) An act or practice does not breach an Australian Privacy Principle if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the National Archives of Australia to decide whether to accept, or to arrange, care (as defined in that Act) of the record.
(3) An act or practice does not breach a registered APP code if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the National Archives of Australia to decide whether to accept, or to arrange, care (as defined in that Act) of the record.
(ii) the desirability of regulating under this Act the collection, holding, use, correction and disclosure of personal information by the instrumentality; and
(iii) whether the law of the State or Territory regulates the collection, holding, use, correction and disclosure of personal information by the instrumentality to a standard that is at least equivalent to the standard that would otherwise apply to the instrumentality under this Act; and
(c) discloses personal information about another individual to anyone else for a benefit, service or advantage; or
(d) provides a benefit, service or advantage to collect personal information about another individual from anyone else; or
(7) Paragraph (4)(c) does not prevent an individual, body corporate, partnership, unincorporated association or trust from being a small business operator only because he, she or it discloses personal information about another individual:
(a) collects personal information about another individual from someone else:
(b) consult the Commissioner about the desirability of regulating under this Act the collection, holding, use, correction and disclosure of personal information by the authority or instrumentality.
that is also personal information;
(b) other personal information collected to provide, or in providing, a health service to an individual;
(c) other personal information collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances;
Credit information about an individual is personal information (other than sensitive information) that is:
(1) A credit reporting business is a business or undertaking that involves collecting, holding, using or disclosing personal information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual.
(1A) Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice so far as it involves the disclosure of personal information to:
(1B) Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice by an agency with an intelligence role or function (within the meaning of the Office of National Intelligence Act 2018) so far as it involves the disclosure of personal information to the Office of National Intelligence.
Note: To avoid doubt, this section does not make exempt for the purposes of paragraph 7(1)(ee) an act or practice of the political representative, contractor, subcontractor or volunteer for a registered political party involving the use or disclosure (by way of sale or otherwise) of personal information in a way not covered by subsection (1), (2), (3) or (4) (as appropriate). The rest of this Act operates normally in relation to that act or practice.
(a) a record of personal information (not being a record relating to the administration of the National Archives of Australia) is in the care (within the meaning of the Archives Act 1983) of the National Archives of Australia; or
(b) a record of personal information (not being a record relating to the administration of the Australian War Memorial) is in the custody of the Australian War Memorial;
(5) Where a record of personal information was placed by or on behalf of an agency in the memorial collection within the meaning of the Australian War Memorial Act 1980, that agency or, if that agency no longer exists, the agency to whose functions the contents of the record are most closely related, shall be regarded, for the purposes of this Act, to be the agency that holds that record.
(a) the act or practice breaches an Australian Privacy Principle in relation to personal information about the individual; or
(b) the act or practice breaches a registered APP code that binds the entity in relation to personal information about the individual.
(a) the act or practice breaches a provision of Part IIIA in relation to personal information about the individual; or
(b) the act or practice breaches the registered CR code in relation to personal information about the individual and the code binds the entity.
(a) the act or practice relates to personal information about the individual; and
in relation to the personal information because of a provision of the contract that is inconsistent with the principle or code; and
(a) the collection of personal information (other than sensitive information) about the individual by the body corporate from a related body corporate;
(b) the disclosure of personal information (other than sensitive information) about the individual by the body corporate to a related body corporate.
Note: Subsection (1) lets related bodies corporate share personal information. However, in using or holding the information, they must comply with the Australian Privacy Principles and a registered APP code that binds them. For example, there is an interference with privacy if:
(a) a body corporate uses personal information it has collected from a related body corporate; and
(1A) However, paragraph (1)(a) does not apply to the collection by a body corporate of personal information (other than sensitive information) from:
Note: The effect of subsection (1A) is that a body corporate’s failure to comply with the Australian Privacy Principles, or a registered APP code that binds the body, in collecting personal information about an individual from a related body corporate covered by that subsection is an interference with the privacy of the individual.
(d) the new partnership holds, immediately after its formation, personal information about an individual that the old partnership held immediately before its dissolution;
Note: Subsection (1) lets personal information be passed on from an old to a new partnership. However, in using or holding the information, they must comply with the Australian Privacy Principles and a registered APP code that binds them. For example, the new partnership’s use of personal information collected from the old partnership may constitute an interference with privacy if it breaches Australian Privacy Principle 6.
(a) the collection, holding, use or disclosure of personal information by an individual; or
(b) personal information held by an individual;
(1) A permitted general situation exists in relation to the collection, use or disclosure by an APP entity of personal information about an individual, or of a government related identifier of an individual, if:
| Permitted general situations | |||
|---|---|---|---|
| Item | Column 1 Kind of entity | Column 2 Item applies to | Column 3 Condition(s) |
| 1 | APP entity | (a) personal information; or (b) a government related identifier. | (a) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and (b) the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. |
| 2 | APP entity | (a) personal information; or (b) a government related identifier. | (a) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and (b) the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter. |
| 3 | APP entity | Personal information | (a) the entity reasonably believes that the collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing; and (b) the collection, use or disclosure complies with the rules made under subsection (2). |
| 4 | APP entity | Personal information | The collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim. |
| 5 | APP entity | Personal information | The collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process. |
| 6 | Agency | Personal information | The entity reasonably believes that the collection, use or disclosure is necessary for the entity’s diplomatic or consular functions or activities. |
| 7 | Defence Force | Personal information | The entity reasonably believes that the collection, use or disclosure is necessary for any of the following occurring outside Australia and the external Territories: (a) war or warlike operations; (b) peacekeeping or peace enforcement; (c) civil aid, humanitarian assistance, medical or civil emergency or disaster relief. |
(2) The Commissioner may, by legislative instrument, make rules relating to the collection, use or disclosure of personal information that apply for the purposes of item 3 of the table in subsection (1).
(d) in the case of disclosure—the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information.
(a) an APP entity discloses personal information about an individual to an overseas recipient; and
(2) The Australian Privacy Principles do not apply to a credit reporting body in relation to personal information that is:
Note: The Australian Privacy Principles apply to the credit reporting body in relation to other kinds of personal information.
(c) the kinds of personal information that the body usually derives from credit information that the body holds;
(1) An individual may request a credit reporting body to correct personal information about the individual if:
(a) the personal information is:
(b) the body holds at least one kind of the personal information referred to in paragraph (a).
(2) If the credit reporting body is satisfied that the personal information is inaccurate, out of date, incomplete, irrelevant or misleading, the body must take such steps (if any) as are reasonable in the circumstances to correct the information within:
(3) If the credit reporting body considers that the body cannot be satisfied of the matter referred to in subsection (2) in relation to the personal information without consulting either or both of the following (the interested party):
(4) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
(1) This section applies if an individual requests a credit reporting body to correct personal information under subsection 20T(1).
(2) If the credit reporting body corrects the personal information under subsection 20T(2), the body must, within a reasonable period:
(3) If the credit reporting body does not correct the personal information under subsection 20T(2), the body must, within a reasonable period, give the individual written notice that:
(1) At or before the time a credit provider collects personal information about an individual that the provider is likely to disclose to a credit reporting body, the provider must:
(2) If a credit provider is an APP entity, subsection (1) applies to the provider in relation to personal information in addition to Australian Privacy Principle 5.
(3) If a credit provider is an APP entity, then the matters for the purposes of Australian Privacy Principle 5.1 include the following matters to the extent that the personal information referred to in that principle is credit information or credit eligibility information:
(1) An individual may request a credit provider to correct personal information about the individual if:
(a) the personal information is:
(b) the provider holds at least one kind of the personal information referred to in paragraph (a).
(2) If the credit provider is satisfied that the personal information is inaccurate, out of date, incomplete, irrelevant or misleading, the provider must take such steps (if any) as are reasonable in the circumstances to correct the information within:
(3) If the credit provider considers that the provider cannot be satisfied of the matter referred to in subsection (2) in relation to the personal information without consulting either or both of the following (the interested party):
(4) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
(a) applies to the provider in relation to personal information referred to in paragraph (1)(a) that is identification information; but
(b) does not apply to the provider in relation to any other kind of personal information referred to in that paragraph.
(1) This section applies if an individual requests a credit provider to correct personal information under subsection 21V(1).
(2) If the credit provider corrects personal information about the individual under subsection 21V(2), the provider must, within a reasonable period:
(3) If the credit provider does not correct the personal information under subsection 21V(2), the provider must, within a reasonable period, give the individual written notice that:
If an affected information recipient is an APP entity, then the matters for the purposes of Australian Privacy Principle 5.1 include the following matters to the extent that the personal information referred to in that principle is regulated information of the recipient:
(a) a mortgage insurer or trade insurer holds or held personal information about an individual; and
the insurer must not use or disclose the information, or any personal information about the individual derived from that information.
the body must not use or disclose the information, or any personal information about the individual derived from that information.
the person must not use or disclose the information, or any personal information about the individual derived from that information.
the recipient must not use or disclose the information, or any personal information about the individual derived from that information.
(4) The complaint may relate to personal information that has been destroyed or de identified.
(3) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
(1) This section applies if an individual makes a complaint under section 23A about an act or practice that may breach section 20S or 21U (which deal with the correction of personal information by credit reporting bodies and credit providers).
(a) a credit provider discloses personal information to which the complaint relates under Division 3 of this Part or under the Australian Privacy Principles; and
(a) all personal information or a specified type of personal information;
(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
(a) an APP entity has disclosed personal information about one or more individuals to an overseas recipient; and
(b) Australian Privacy Principle 8.1 applied to the disclosure of the personal information; and
(c) the overseas recipient holds the personal information;
(d) the personal information were held by the APP entity; and
(e) the APP entity were required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information.
(i) an APP entity holds personal information relating to one or more individuals; and
(ii) the APP entity is required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; or
(a) whether personal information held by an APP entity is being maintained and handled in accordance with the following:
(a) an agency proposes to engage in an activity or function involving the handling of personal information about individuals; and
The object of this Part is to make special provision for the collection, use and disclosure of personal information in emergencies and disasters.
secrecy provision means a provision of a law of the Commonwealth (including a provision of this Act), or of a Norfolk Island enactment, that prohibits or regulates the use or disclosure of personal information, whether the provision relates to the use or disclosure of personal information generally or in specified circumstances.
(2) For the purposes of this Part, a reference in the definition of personal information in subsection 6(1) to an individual is taken to include a reference to an individual who is not living.
(1) At any time when an emergency declaration is in force in relation to an emergency or disaster, an entity may collect, use or disclose personal information relating to an individual if:
(c) in the case of a disclosure of the personal information by an agency—the disclosure is to:
(d) in the case of a disclosure of the personal information by an organisation or another person—the disclosure is to:
(e) in the case of any disclosure of the personal information—the disclosure is not to a media organisation.
(2) An entity is not liable to any proceedings for contravening a secrecy provision in respect of a use or disclosure of personal information authorised by subsection (1), unless the secrecy provision is a designated secrecy provision (see subsection (7)).
(3) An entity is not liable to any proceedings for contravening a duty of confidence in respect of a disclosure of personal information authorised by subsection (1).
(4) An entity does not breach an Australian Privacy Principle, or a registered APP code that binds the entity, in respect of a collection, use or disclosure of personal information authorised by subsection (1).
(6) A collection, use or disclose of personal information by an officer or employee of an agency in the course of duty as an officer or employee is authorised by subsection (1) only if the officer or employee is authorised by the agency to collect, use or disclose the personal information.
(a) personal information that relates to an individual is disclosed to the first person because of the operation of this Part; and
(b) the first person subsequently discloses the personal information; and
(d) a disclosure made with the consent of the individual to whom the personal information relates;
(e) a disclosure to the individual to whom the personal information relates;
(3) If a disclosure of personal information is covered by subsection (2), the disclosure is authorised by this section.
(2) Nothing in this Part is to be taken to require an entity to collect, use or disclose personal information.
(1) This Part applies where a person (in this Part called a confidant) is subject to an obligation of confidence to another person (in this Part called a confider) in respect of personal information, whether the information relates to the confider or to a third person, being an obligation in respect of a breach of which relief may be obtained (whether in the exercise of a discretion or not) in legal proceedings.
Where a person has acquired personal information about another person and the first mentioned person knows or ought reasonably to know that the person from whom he or she acquired the information was subject to an obligation of confidence with respect to the information, the first mentioned person, whether he or she is in the Australian Capital Territory or not, is subject to a like obligation.
(1) A confider may recover damages from a confidant in respect of a breach of an obligation of confidence with respect to personal information.
(3) Where an obligation of confidence exists with respect to personal information about a person other than the confider, whether the obligation arose under a contract or otherwise, the person to whom the information relates has the same rights against the confidant in respect of a breach or threatened breach of the obligation as the confider has.
1.1 The object of this principle is to ensure that APP entities manage personal information in an open and transparent way.
1.3 An APP entity must have a clearly expressed and up to date policy (the APP privacy policy) about the management of personal information by the entity.
(a) the kinds of personal information that the entity collects and holds;
(b) how the entity collects and holds personal information;
(c) the purposes for which the entity collects, holds, uses and discloses personal information;
(d) how an individual may access personal information about the individual that is held by the entity and seek the correction of such information;
(f) whether the entity is likely to disclose personal information to overseas recipients;
(g) if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.
Personal information other than sensitive information
3.1 If an APP entity is an agency, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities.
3.2 If an APP entity is an organisation, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities.
3.5 An APP entity must collect personal information only by lawful and fair means.
3.6 An APP entity must collect personal information about an individual only from the individual unless:
Solicited personal information
3.7 This principle applies to the collection of personal information that is solicited by an APP entity.
(a) an APP entity receives personal information; and
4.2 The APP entity may use or disclose the personal information for the purposes of making the determination under subclause 4.1.
(a) the APP entity determines that the entity could not have collected the personal information; and
4.4 If subclause 4.3 does not apply in relation to the personal information, Australian Privacy Principles 5 to 13 apply in relation to the information as if the entity had collected the information under Australian Privacy Principle 3.
5.1 At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances:
(i) the APP entity collects the personal information from someone other than the individual; or
(ii) the individual may not be aware that the APP entity has collected the personal information;
(c) if the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order—the fact that the collection is so required or authorised (including the name of the Australian law, or details of the court/tribunal order, that requires or authorises the collection);
(d) the purposes for which the APP entity collects the personal information;
(e) the main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity;
(f) any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity;
(g) that the APP privacy policy of the APP entity contains information about how the individual may access the personal information about the individual that is held by the entity and seek the correction of such information;
(i) whether the APP entity is likely to disclose the personal information to overseas recipients;
(j) if the APP entity is likely to disclose the personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.
6.1 If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:
Note: Australian Privacy Principle 8 sets out requirements for the disclosure of personal information to a person who is not in Australia or an external Territory.
6.2 This subclause applies in relation to the use or disclosure of personal information about an individual if:
6.3 This subclause applies in relation to the disclosure of personal information about an individual by an APP entity that is an agency if:
(b) subsection 16B(2) applied in relation to the collection of the personal information by the entity;
6.5 If an APP entity uses or discloses personal information in accordance with paragraph 6.2(e), the entity must make a written note of the use or disclosure.
(b) the entity collects personal information from a related body corporate;
(a) personal information for the purpose of direct marketing; or
7.1 If an organisation holds personal information about an individual, the organisation must not use or disclose the information for the purpose of direct marketing.
Exceptions—personal information other than sensitive information
7.2 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
7.3 Despite subclause 7.1, an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if:
7.5 Despite subclause 7.1, an organisation may use or disclose personal information for the purpose of direct marketing if:
7.6 If an organisation (the first organisation) uses or discloses personal information about an individual:
8.1 Before an APP entity discloses personal information about an individual to a person (the overseas recipient):
8.2 Subclause 8.1 does not apply to the disclosure of personal information about an individual by an APP entity to the overseas recipient if:
10.1 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity collects is accurate, up to date and complete.
10.2 An APP entity must take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that the entity uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up to date, complete and relevant.
11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:
(a) an APP entity holds personal information about an individual; and
12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.
(b) the entity is required or authorised to refuse to give the individual access to the personal information by or under:
12.3 If the APP entity is an organisation then, despite subclause 12.1, the entity is not required to give the individual access to the personal information to the extent that:
(a) respond to the request for access to the personal information:
(a) to give access to the personal information because of subclause 12.2 or 12.3; or
12.7 If the APP entity is an agency, the entity must not charge the individual for the making of the request or for giving access to the personal information.
(b) the entity charges the individual for giving access to the personal information;
12.9 If the APP entity refuses to give access to the personal information because of subclause 12.2 or 12.3, or to give access in the manner requested by the individual, the entity must give the individual a written notice that sets out:
12.10 If the APP entity refuses to give access to the personal information because of paragraph 12.3(j), the reasons for the refusal may include an explanation for the commercially sensitive decision.
(a) an APP entity holds personal information about an individual; and
(a) the APP entity corrects personal information about an individual that the entity previously disclosed to another APP entity; and
13.3 If the APP entity refuses to correct the personal information as requested by the individual, the entity must give the individual a written notice that sets out:
(a) the APP entity refuses to correct the personal information as requested by the individual; and
(b) must not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).
