Division 1 - General definitions
6 - Interpretation6AA - Meaning of responsible person6A - Breach of an Australian Privacy Principle6B - Breach of a registered APP code6BA - Breach of the registered CR code6C - Organisations6D - Small business and small business operators6DA - What is the annual turnover of a business?6E - Small business operator treated as organisation6EA - Small business operators choosing to be treated as organisations6F - State instrumentalities etc. treated as organisations6FA - Meaning of health information6FB - Meaning of health serviceDivision 2 - Key definitions relating to credit reporting
Subdivision A - Credit provider
6G - Meaning of credit provider6H - Agents of credit providers6J - Securitisation arrangements etc.6K - Acquisition of the rights of a credit providerSubdivision B - Other definitions
6L - Meaning of access seeker6M - Meaning of credit and amount of credit6N - Meaning of credit information6P - Meaning of credit reporting business6Q - Meaning of default information6R - Meaning of information request6S - Meaning of new arrangement information6T - Meaning of payment information6U - Meaning of personal insolvency information6V - Meaning of repayment history informationDivision 3 - Other matters
7 - Acts and practices of agencies, organisations etc.7A - Acts of certain agencies treated as acts of organisation7B - Exempt acts and exempt practices of organisations7C - Political acts and practices are exempt8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.10 - Agencies that are taken to hold a record11 - File number recipients12A - Act not to apply in relation to State banking or insurance within that State12B - Severability—additional effect of this ActDivision 1 - Interferences with privacy
13 - Interferences with privacy13B - Related bodies corporate13C - Change in partnership because of change in partners13D - Overseas act required by foreign law13E - Effect of sections 13B, 13C and 13D13F - Act or practice not covered by section 13 is not an interference with privacy13G - Serious and repeated interferences with privacyDivision 2 - Australian Privacy Principles
14 - Australian Privacy Principles15 - APP entities must comply with Australian Privacy Principles16 - Personal, family or household affairs16A - Permitted general situations in relation to the collection, use or disclosure of personal information16B - Permitted health situations in relation to the collection, use or disclosure of health information16C - Acts and practices of overseas recipients of personal informationDivision 4 - Tax file number information
17 - Rules relating to tax file number information18 - File number recipients to comply with rulesDivision 1 - Introduction
19 - Guide to this PartDivision 2 - Credit reporting bodies
Subdivision A - Introduction and application of this Division etc.
20 - Guide to this Division20A - Application of this Division and the Australian Privacy Principles to credit reporting bodiesSubdivision B - Consideration of information privacy
20B - Open and transparent management of credit reporting informationSubdivision C - Collection of credit information
20C - Collection of solicited credit information20D - Dealing with unsolicited credit informationSubdivision D - Dealing with credit reporting information etc.
20E - Use or disclosure of credit reporting information20F - Permitted CRB disclosures in relation to individuals20G - Use or disclosure of credit reporting information for the purposes of direct marketing20H - Use or disclosure of pre screening assessments20J - Destruction of pre screening assessment20K - No use or disclosure of credit reporting information during a ban period20L - Adoption of government related identifiers20M - Use or disclosure of credit reporting information that is de identifiedSubdivision E - Integrity of credit reporting information
20N - Quality of credit reporting information20P - False or misleading credit reporting information20Q - Security of credit reporting informationSubdivision F - Access to, and correction of, information
20R - Access to credit reporting information20S - Correction of credit reporting information20T - Individual may request the correction of credit information etc.20U - Notice of correction etc. must be givenSubdivision G - Dealing with credit reporting information after the retention period ends etc.
20V - Destruction etc. of credit reporting information after the retention period ends20W - Retention period for credit information—general20X - Retention period for credit information—personal insolvency information20Y - Destruction of credit reporting information in cases of fraud20Z - Dealing with information if there is a pending correction request etc.20ZA - Dealing with information if an Australian law etc. requires it to be retainedDivision 3 - Credit providers
Subdivision A - Introduction and application of this Division
21 - Guide to this Division21A - Application of this Division to credit providersSubdivision B - Consideration of information privacy
21B - Open and transparent management of credit information etc.Subdivision C - Dealing with credit information
21C - Additional notification requirements for the collection of personal information etc.21D - Disclosure of credit information to a credit reporting body21E - Payment information must be disclosed to a credit reporting body21F - Limitation on the disclosure of credit information during a ban periodSubdivision D - Dealing with credit eligibility information etc.
21G - Use or disclosure of credit eligibility information21H - Permitted CP uses in relation to individuals21J - Permitted CP disclosures between credit providers21K - Permitted CP disclosures relating to guarantees etc.21L - Permitted CP disclosures to mortgage insurers21M - Permitted CP disclosures to debt collectors21N - Permitted CP disclosures to other recipients21NA - Disclosures to certain persons and bodies that do not have an Australian link21P - Notification of a refusal of an application for consumer creditSubdivision E - Integrity of credit information and credit eligibility information
21Q - Quality of credit eligibility information21R - False or misleading credit information or credit eligibility information21S - Security of credit eligibility informationSubdivision F - Access to, and correction of, information
21T - Access to credit eligibility information21U - Correction of credit information or credit eligibility information21V - Individual may request the correction of credit information etc.21W - Notice of correction etc. must be givenDivision 4 - Affected information recipients
22 - Guide to this DivisionSubdivision A - Consideration of information privacy
22A - Open and transparent management of regulated informationSubdivision B - Dealing with regulated information
22B - Additional notification requirements for affected information recipients22C - Use or disclosure of information by mortgage insurers or trade insurers22D - Use or disclosure of information by a related body corporate22E - Use or disclosure of information by credit managers etc.22F - Use or disclosure of information by advisers etc.Division 5 - Complaints
23 - Guide to this Division23A - Individual may complain about a breach of a provision of this Part etc.23B - Dealing with complaints23C - Notification requirements relating to correction complaintsDivision 6 - Unauthorised obtaining of credit reporting information etc.
24 - Obtaining credit reporting information from a credit reporting body24A - Obtaining credit eligibility information from a credit providerDivision 7 - Court orders
25 - Compensation orders25A - Other orders to compensate loss or damageDivision 1 - Introduction
26 - Guide to this PartDivision 2 - Registered APP codes
Subdivision A - Compliance with registered APP codes etc.
26A - APP entities to comply with binding registered APP codes26B - What is a registered APP code26C - What is an APP code26D - Extension of Act to exempt acts or practices covered by registered APP codesSubdivision B - Development and registration of APP codes
26E - Development of APP codes by APP code developers26F - Application for registration of APP codes26G - Development of APP codes by the Commissioner26H - Commissioner may register APP codesSubdivision C - Variation and removal of registered APP codes
26J - Variation of registered APP codes26K - Removal of registered APP codesDivision 3 - Registered CR code
Subdivision A - Compliance with the registered CR code
26L - Entities to comply with the registered CR code if bound by the code26M - What is the registered CR code26N - What is a CR codeSubdivision B - Development and registration of CR code
26P - Development of CR code by CR code developers26Q - Application for registration of CR code26R - Development of CR code by the Commissioner26S - Commissioner may register CR codeSubdivision C - Variation of the registered CR code
26T - Variation of the registered CR codeDivision 4 - General matters
26U - Codes Register26V - Guidelines relating to codes26W - Review of operation of registered codesDivision 1 - Introduction
26WA - Simplified outline of this Part26WB - Entity26WC - Deemed holding of information26WD - Exception—notification under the My Health Records Act 2012Division 2 - Eligible data breach
26WE - Eligible data breach26WF - Exception—remedial action26WG - Whether access or disclosure would be likely, or would not be likely, to result in serious harm—relevant mattersDivision 3 - Notification of eligible data breaches
Subdivision A - Suspected eligible data breaches
26WH - Assessment of suspected eligible data breach26WJ - Exception—eligible data breaches of other entitiesSubdivision B - General notification obligations
26WK - Statement about eligible data breach26WL - Entity must notify eligible data breach26WM - Exception—eligible data breaches of other entities26WN - Exception—enforcement related activities26WP - Exception—inconsistency with secrecy provisions26WQ - Exception—declaration by CommissionerSubdivision C - Commissioner may direct entity to notify eligible data breach
26WR - Commissioner may direct entity to notify eligible data breach26WS - Exception—enforcement related activities26WT - Exception—inconsistency with secrecy provisionsDivision 2 - Functions of Commissioner
27 - Functions of the Commissioner28 - Guidance related functions of the Commissioner28A - Monitoring related functions of the Commissioner28B - Advice related functions of the Commissioner29 - Commissioner must have due regard to the objects of the ActDivision 3 - Reports by Commissioner
30 - Reports following investigation of act or practice31 - Report following examination of proposed enactment32 - Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.33 - Exclusion of certain matters from reportsDivision 3A - Assessments by, or at the direction of, the Commissioner
33C - Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.33D - Commissioner may direct an agency to give a privacy impact assessmentDivision 4 - Miscellaneous
34 - Provisions relating to documents exempt under the Freedom of Information Act 198235 - Direction where refusal or failure to amend exempt document35A - Commissioner may recognise external dispute resolution schemesDivision 1A - Introduction
36A - Guide to this PartDivision 1 - Investigation of complaints and investigations on the Commissioner’s initiative
36 - Complaints37 - Principal executive of agency38 - Conditions for making a representative complaint38A - Commissioner may determine that a complaint is not to continue as a representative complaint38B - Additional rules applying to the determination of representative complaints38C - Amendment of representative complaints39 - Class member for representative complaint not entitled to lodge individual complaint40 - Investigations40A - Conciliation of complaints41 - Commissioner may or must decide not to investigate etc. in certain circumstances42 - Preliminary inquiries43 - Conduct of investigations43A - Interested party may request a hearing44 - Power to obtain information and documents45 - Power to examine witnesses46 - Directions to persons to attend compulsory conference47 - Conduct of compulsory conference48 - Complainant and certain other persons to be informed of various matters49 - Investigation under section 40 to cease if certain offences may have been committed49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened50 - Reference of matters to other authorities50A - Substitution of respondent to complaint51 - Effect of investigation by Auditor GeneralDivision 2 - Determinations following investigation of complaints
52 - Determination of the Commissioner53 - Determination must identify the class members who are to be affected by the determination53A - Notice to be given to outsourcing agency53B - Substituting an agency for a contracted service providerDivision 3 - Enforcement
54 - Application of Division55 - Obligations of organisations and small business operators55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination55B - Evidentiary certificateDivision 4 - Review and enforcement of determinations involving Commonwealth agencies
57 - Application of Division58 - Obligations of agencies59 - Obligations of principal executive of agency60 - Compensation and expenses62 - Enforcement of determination against an agencyDivision 5 - Miscellaneous
63 - Legal assistance64 - Commissioner etc. not to be sued65 - Failure to attend etc. before Commissioner66 - Failure to give information etc.67 - Protection from civil actions68 - Power to enter premises68A - Identity cards70 - Certain documents and information not required to be disclosed70B - Application of this Part to former organisationsDivision 1 - Public interest determinations
71 - Interpretation72 - Power to make, and effect of, determinations73 - Application by APP entity74 - Publication of application etc.75 - Draft determination76 - Conference77 - Conduct of conference78 - Determination of application79 - Making of determinationDivision 2 - Temporary public interest determinations
80A - Temporary public interest determinations80B - Effect of temporary public interest determination80D - Commissioner may continue to consider applicationDivision 3 - Register of determinations
80E - Register of determinationsDivision 1 - Object and interpretation
80F - Object80G - Interpretation80H - Meaning of permitted purposeDivision 2 - Declaration of emergency
80J - Declaration of emergency—events of national significance80K - Declaration of emergency—events outside Australia80L - Form of declarations80M - When declarations take effect80N - When declarations cease to have effectDivision 3 - Provisions dealing with the use and disclosure of personal information
80P - Authorisation of collection, use and disclosure of personal informationDivision 4 - Other matters
80Q - Disclosure of information—offence80R - Operation of Part80S - Severability—additional effect of Part80T - Compensation for acquisition of property—constitutional safety netDivision 1 - Civil penalties
80U - Civil penalty provisionsDivision 2 - Enforceable undertakings
80V - Enforceable undertakingsDivision 3 - Injunctions
80W - Injunctions95 - Medical research guidelines95A - Guidelines for Australian Privacy Principles about health information95AA - Guidelines for Australian Privacy Principles about genetic information95B - Requirements for Commonwealth contracts95C - Disclosure of certain provisions of Commonwealth contracts96 - Review by the Administrative Appeals Tribunal98A - Treatment of partnerships98B - Treatment of unincorporated associations98C - Treatment of trusts99A - Conduct of directors, employees and agents100 - Regulations
Part 1 - Consideration of personal information privacy
1 - Australian Privacy Principle 1—open and transparent management of personal information2 - Australian Privacy Principle 2—anonymity and pseudonymityPart 2 - Collection of personal information
3 - Australian Privacy Principle 3—collection of solicited personal information4 - Australian Privacy Principle 4—dealing with unsolicited personal information5 - Australian Privacy Principle 5—notification of the collection of personal informationPart 3 - Dealing with personal information
6 - Australian Privacy Principle 6—use or disclosure of personal information7 - Australian Privacy Principle 7—direct marketing8 - Australian Privacy Principle 8—cross border disclosure of personal information9 - Australian Privacy Principle 9—adoption, use or disclosure of government related identifiersPart 4 - Integrity of personal information
10 - Australian Privacy Principle 10—quality of personal information11 - Australian Privacy Principle 11—security of personal informationPart 5 - Access to, and correction of, personal information
12 - Australian Privacy Principle 12—access to personal information13 - Australian Privacy Principle 13—correction of personal information(b) because it involved an unauthorised requirement or request for disclosure of a tax file number.
information request has the meaning given by section 6R.
pending correction request in relation to credit information or CRB derived information means:
(a) a request made under subsection 20T(1) in relation to the information if a notice has not been given under subsection 20U(2) or (3) in relation to the request; or
(b) a request made under subsection 21V(1) in relation to the information if:
(i) the credit reporting body referred to in subsection 20V(3) has been consulted about the request under subsection 21V(3); and
(ii) a notice has not been given under subsection 21W(2) or (3) in relation to the request.
solicits: an entity solicits personal information if the entity requests another entity to provide the personal information, or to provide a kind of information in which that personal information is included.
(a) be satisfied that the State or Territory has requested that the instrumentality be prescribed for those purposes; and
(a) be satisfied that the relevant State or Territory has requested that the authority or instrumentality be prescribed for those purposes; and
(ii) who is authorised, in writing, by the individual to make a request in relation to the information under subsection 20R(1) or 21T(1).
(d) a statement that an information request has been made in relation to the individual by a credit provider, mortgage insurer or trade insurer; or
(ii) in connection with which the provider has made an information request in relation to the individual; or
(b) the provider has given a written notice to the individual informing the individual of the overdue payment and requesting that the individual pay the amount of the overdue payment; and
(b) the notice requests that the individual pay the amount of the overdue payment; and
(1) A credit provider has made an information request in relation to an individual if the provider has sought information about the individual from a credit reporting body:
(2) A mortgage insurer has made an information request in relation to an individual if:
(3) A trade insurer has made an information request in relation to an individual if:
(b) a communication (including a complaint, notice, request or disclosure of information) made to a partner is taken to have been made to the organisation.
(b) a communication (including a complaint, notice, request or disclosure of information) made to a member of the committee of management of the association is taken to have been made to the organisation.
(b) a communication (including a complaint, notice or request or disclosure of information) made to a trustee is taken to have been made to the organisation.
(b) the act or practice involves an unauthorised requirement or request for disclosure of the tax file number of the individual.
(e) information about the effect of section 20G (which deals with direct marketing) and how the individual may make a request under subsection (5) of that section;
(g) information about the effect of section 20T (which deals with individuals requesting the correction of credit information etc.);
(6) If a person or body requests a copy, in a particular form, of the policy of a credit reporting body, the credit reporting body must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
| Permitted CRB disclosures | ||
|---|---|---|
| Item | If the disclosure is to ... | the condition or conditions are ... |
| 1 | a credit provider | the provider requests the information for a consumer credit related purpose of the provider in relation to the individual. |
| 2 | a credit provider | (a) the provider requests the information for a commercial credit related purpose of the provider in relation to a person; and (b) the individual expressly consents to the disclosure of the information to the provider for that purpose. |
| 3 | a credit provider | (a) the provider requests the information for a credit guarantee purpose of the provider in relation to the individual; and (b) the individual expressly consents, in writing, to the disclosure of the information to the provider for that purpose. |
| 4 | a credit provider | the credit reporting body is satisfied that the provider, or another credit provider, believes on reasonable grounds that the individual has committed a serious credit infringement. |
| 5 | a credit provider | (a) the credit reporting body holds consumer credit liability information that relates to consumer credit provided by the provider to the individual; and (b) the consumer credit has not been terminated, or has not otherwise ceased to be in force. |
| 6 | a credit provider under subsection 6J(1) | the provider requests the information for a securitisation related purpose of the provider in relation to the individual. |
| 7 | a mortgage insurer | the insurer requests the information for a mortgage insurance purpose of the insurer in relation to the individual. |
| 8 | a trade insurer | (a) the insurer requests the information for a trade insurance purpose of the insurer in relation to the individual; and (b) the individual expressly consents, in writing, to the disclosure of the information to the insurer for that purpose. |
(a) the credit provider referred to in that item requests the information for the purpose of assessing an application for commercial credit made by a person to the provider; and
(e) the individual has not made a request under subsection (5); and
Request not to use information for pre screening
(5) An individual may request a credit reporting body that holds credit information about the individual not to use the information under subsection (2).
(6) If the individual makes a request under subsection (5), the credit reporting body must not charge the individual for the making of the request or to give effect to the request.
(c) the individual requests the body not to use or disclose the information under this Division;
(a) starts when the individual makes a request under paragraph (1)(c); and
(i) 21 days after the day on which the request is made; or
(b) before the ban period ends, the individual requests the body to extend that period; and
No charge for request etc.
(6) If an individual makes a request under paragraph (1)(c) or (4)(b), a credit reporting body must not charge the individual for the making of the request or to give effect to the request.
(1) If a credit reporting body holds credit reporting information about an individual, the body must, on request by an access seeker in relation to the information, give the access seeker access to the information.
Dealing with requests for access
(3) The credit reporting body must respond to the request within a reasonable period, but not longer than 10 days, after the request is made.
(5) If a request under subsection (1) in relation to the individual has not been made to the credit reporting body in the previous 12 months, the body must not charge the access seeker for the making of the request or for giving access to the information.
(6) If subsection (5) does not apply, any charge by the credit reporting body for giving access to the information must not be excessive and must not apply to the making of the request.
(b) states that, if the access seeker is not satisfied with the response to the request, the access seeker may:
Request
(1) An individual may request a credit reporting body to correct personal information about the individual if:
(a) the period of 30 days that starts on the day on which the request is made; or
the body must consult that interested party, or those interested parties, about the individual’s request.
(5) The credit reporting body must not charge the individual for the making of the request or for correcting the information.
(1) This section applies if an individual requests a credit reporting body to correct personal information under subsection 20T(1).
(b) if the body consulted an interested party under subsection 20T(3) about the individual’s request—give the party written notice of the correction; and
(c) states that, if the individual is not satisfied with the response to the request, the individual may:
(a) there is a pending correction request in relation to the information; or
(a) there is a pending correction request in relation to the information; or
| Retention period | ||
|---|---|---|
| Item | If the credit information is ... | the retention period for the information is ... |
| 1 | consumer credit liability information | the period of 2 years that starts on the day on which the consumer credit to which the information relates is terminated or otherwise ceases to be in force. |
| 2 | repayment history information | the period of 2 years that starts on the day on which the monthly payment to which the information relates is due and payable. |
| 3 | information of a kind referred to in paragraph 6N(d) or (e) | the period of 5 years that starts on the day on which the information request to which the information relates is made. |
| 4 | default information | the period of 5 years that starts on the day on which the credit reporting body collects the information. |
| 5 | payment information | the period of 5 years that starts on the day on which the credit reporting body collects the default information to which the payment information relates. |
| 6 | new arrangement information within the meaning of subsection 6S(1) | the period of 2 years that starts on the day on which the credit reporting body collects the default information referred to in that subsection. |
| 7 | new arrangement information within the meaning of subsection 6S(2) | the period of 2 years that starts on the day on which the credit reporting body collects the information about the opinion referred to in that subsection. |
| 8 | court proceedings information | the period of 5 years that starts on the day on which the judgement to which the information relates is made or given. |
| 9 | information of a kind referred to in paragraph 6N(l) | the period of 7 years that starts on the day on which the credit reporting body collects the information. |
(a) the use or disclosure is for the purposes of the pending correction request, or pending dispute, in relation to the information; or
(6) If a person or body requests a copy, in a particular form, of the policy of a credit provider, the provider must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
(b) a credit provider requests the body to disclose the information to the provider for the purpose of assessing an application for consumer credit made to the provider by the individual, or a person purporting to be the individual; and
(1) If a credit provider holds credit eligibility information about an individual, the provider must, on request by an access seeker in relation to the information, give the access seeker access to the information.
Dealing with requests for access
(3) The credit provider must respond to the request within a reasonable period after the request is made.
(5) If the credit provider is an agency, the provider must not charge the access seeker for the making of the request or for giving access to the information.
(6) If a credit provider is an organisation or small business operator, any charge by the provider for giving access to the information must not be excessive and must not apply to the making of the request.
(b) states that, if the access seeker is not satisfied with the response to the request, the access seeker may:
Request
(1) An individual may request a credit provider to correct personal information about the individual if:
(a) the period of 30 days that starts on the day on which the request is made; or
the provider must consult that interested party, or those interested parties, about the individual’s request.
(5) The credit provider must not charge the individual for the making of the request or for correcting the information.
(1) This section applies if an individual requests a credit provider to correct personal information under subsection 21V(1).
(b) if the provider consulted an interested party under subsection 21V(3) about the individual’s request—give the party written notice of the correction; and
(c) states that, if the individual is not satisfied with the response to the request, the individual may:
(6) If a person or body requests a copy, in a particular form, of the policy of an affected information recipient, the recipient must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
At the Commissioner’s request
(2) The Commissioner may, in writing, request an APP code developer to develop an APP code, and apply to the Commissioner for the code to be registered, if the Commissioner is satisfied it is in the public interest for the code to be developed.
(3) The request must:
(a) specify the period within which the request must be complied with; and
(a) must run for at least 120 days from the date the request is made; and
(5) The request may:
(7) The Commissioner must make a copy of the request publicly available as soon as practicable after the request is made.
(1) This section applies if the Commissioner made a request under subsection 26E(2) and either:
(a) the request has not been complied with; or
(b) the request has been complied with but the Commissioner has decided not to register, under section 26H, the APP code that was developed as requested.
(1) The Commissioner may, in writing, request a CR code developer to develop a CR code and apply to the Commissioner for the code to be registered.
(2) The request must:
(a) specify the period within which the request must be complied with; and
(a) must run for at least 120 days from the date the request is made; and
(4) The request may:
(5) The Commissioner must make a copy of the request publicly available as soon as practicable after the request is made.
(1) The Commissioner may develop a CR code if the Commissioner made a request under section 26P and either:
(a) the request has not been complied with; or
(b) the request has been complied with but the Commissioner has decided not to register, under section 26S, the CR code that was developed as requested.
(a) on request by a Minister; or
(2) The functions referred to in paragraphs (1)(a), (c) and (d) may be performed by the Commissioner on request or on the Commissioner’s own initiative.
(d) the applicant has requested the agency concerned to amend the document;
(db) the complainant has not responded, within the period specified by the Commissioner, to a request for information in relation to the complaint; or
(1) An interested party in relation to an investigation under this Division may, in writing, request that the Commissioner hold a hearing before the Commissioner makes a determination under section 52 in relation to the investigation.
(2) If an interested party makes request under subsection (1), the Commissioner must:
(a) notify any other interested party of the request; and
(b) give all interested parties a reasonable opportunity to make a submission about the request; and
(a) on request by the APP entity; or
(a) on its own initiative, or when requested by the Commissioner, to advise the Commissioner on matters relevant to his or her functions;
If a person asks a party to a Commonwealth contract to be informed of the content of provisions (if any) of the contract that are inconsistent with a registered APP code binding a party to the contract or with an Australian Privacy Principle, the party requested must inform the person in writing of that content (if any).
1.6 If a person or body requests a copy of the APP privacy policy of an APP entity in a particular form, the entity must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
(c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and
(d) the individual has not made such a request to the organisation.
(c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and
(i) the organisation includes a prominent statement that the individual may make such a request; or
(ii) the organisation otherwise draws the individual’s attention to the fact that the individual may make such a request; and
(e) the individual has not made such a request to the organisation.
Individual may request not to receive direct marketing communications etc.
(c) if paragraph (a) applies—request not to receive direct marketing communications from the first organisation; and
(d) if paragraph (b) applies—request the organisation not to use or disclose the information for the purpose referred to in that paragraph; and
(e) request the first organisation to provide its source of the information.
7.7 If an individual makes a request under subclause 7.6, the first organisation must not charge the individual for the making of, or to give effect to, the request and:
(a) if the request is of a kind referred to in paragraph 7.6(c) or (d)—the first organisation must give effect to the request within a reasonable period after the request is made; and
(b) if the request is of a kind referred to in paragraph 7.6(e)—the organisation must, within a reasonable period after the request is made, notify the individual of its source unless it is impracticable or unreasonable to do so.
12.1 If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.
(c) the request for access is frivolous or vexatious; or
Dealing with requests for access
(a) respond to the request for access to the personal information:
(i) if the entity is an agency—within 30 days after the request is made; or
(ii) if the entity is an organisation—within a reasonable period after the request is made; and
(b) give access to the information in the manner requested by the individual, if it is reasonable and practicable to do so.
(b) to give access in the manner requested by the individual;
12.7 If the APP entity is an agency, the entity must not charge the individual for the making of the request or for giving access to the personal information.
the charge must not be excessive and must not apply to the making of the request.
12.9 If the APP entity refuses to give access to the personal information because of subclause 12.2 or 12.3, or to give access in the manner requested by the individual, the entity must give the individual a written notice that sets out:
(ii) the individual requests the entity to correct the information;
(b) the individual requests the entity to notify the other APP entity of the correction;
13.3 If the APP entity refuses to correct the personal information as requested by the individual, the entity must give the individual a written notice that sets out:
Request to associate a statement
(a) the APP entity refuses to correct the personal information as requested by the individual; and
(b) the individual requests the entity to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading;
Dealing with requests
13.5 If a request is made under subclause 13.1 or 13.4, the APP entity:
(a) must respond to the request:
(i) if the entity is an agency—within 30 days after the request is made; or
(ii) if the entity is an organisation—within a reasonable period after the request is made; and
(b) must not charge the individual for the making of the request, for correcting the personal information or for associating the statement with the personal information (as the case may be).
