6 - Interpretation
6AA - Meaning of responsible person
6A - Breach of an Australian Privacy Principle
6B - Breach of a registered APP code
6BA - Breach of the registered CR code
6C - Organisations
6D - Small business and small business operators
6DA - What is the annual turnover of a business?
6E - Small business operator treated as organisation
6EA - Small business operators choosing to be treated as organisations
6F - State instrumentalities etc. treated as organisations
6FA - Meaning of health information
6FB - Meaning of health service
6G - Meaning of credit provider
6H - Agents of credit providers
6J - Securitisation arrangements etc.
6K - Acquisition of the rights of a credit provider
6L - Meaning of access seeker
6M - Meaning of credit and amount of credit
6N - Meaning of credit information
6P - Meaning of credit reporting business
6Q - Meaning of default information
6R - Meaning of information request
6S - Meaning of new arrangement information
6T - Meaning of payment information
6U - Meaning of personal insolvency information
6V - Meaning of repayment history information
7 - Acts and practices of agencies, organisations etc.
7A - Acts of certain agencies treated as acts of organisation
7B - Exempt acts and exempt practices of organisations
7C - Political acts and practices are exempt
8 - Acts and practices of, and disclosure of information to, staff of agency, organisation etc.
10 - Agencies that are taken to hold a record
11 - File number recipients
12A - Act not to apply in relation to State banking or insurance within that State
12B - Severability—additional effect of this Act
19 - Guide to this Part
20 - Guide to this Division
20A - Application of this Division and the Australian Privacy Principles to credit reporting bodies
20B - Open and transparent management of credit reporting information
20C - Collection of solicited credit information
20D - Dealing with unsolicited credit information
20E - Use or disclosure of credit reporting information
20F - Permitted CRB disclosures in relation to individuals
20G - Use or disclosure of credit reporting information for the purposes of direct marketing
20H - Use or disclosure of pre-screening assessments
20J - Destruction of pre-screening assessment
20K - No use or disclosure of credit reporting information during a ban period
20L - Adoption of government related identifiers
20M - Use or disclosure of credit reporting information that is de-identified
20N - Quality of credit reporting information
20P - False or misleading credit reporting information
20Q - Security of credit reporting information
20R - Access to credit reporting information
20S - Correction of credit reporting information
20T - Individual may request the correction of credit information etc.
20U - Notice of correction etc. must be given
20V - Destruction etc. of credit reporting information after the retention period ends
20W - Retention period for credit information—general
20X - Retention period for credit information—personal insolvency information
20Y - Destruction of credit reporting information in cases of fraud
20Z - Dealing with information if there is a pending correction request etc.
20ZA - Dealing with information if an Australian law etc. requires it to be retained
21 - Guide to this Division
21A - Application of this Division to credit providers
21B - Open and transparent management of credit information etc.
21C - Additional notification requirements for the collection of personal information etc.
21D - Disclosure of credit information to a credit reporting body
21E - Payment information must be disclosed to a credit reporting body
21F - Limitation on the disclosure of credit information during a ban period
21G - Use or disclosure of credit eligibility information
21H - Permitted CP uses in relation to individuals
21J - Permitted CP disclosures between credit providers
21K - Permitted CP disclosures relating to guarantees etc.
21L - Permitted CP disclosures to mortgage insurers
21M - Permitted CP disclosures to debt collectors
21N - Permitted CP disclosures to other recipients
21NA - Disclosures to certain persons and bodies that do not have an Australian link
21P - Notification of a refusal of an application for consumer credit
21Q - Quality of credit eligibility information
21R - False or misleading credit information or credit eligibility information
21S - Security of credit eligibility information
21T - Access to credit eligibility information
21U - Correction of credit information or credit eligibility information
21V - Individual may request the correction of credit information etc.
21W - Notice of correction etc. must be given
22 - Guide to this Division
22A - Open and transparent management of regulated information
22B - Additional notification requirements for affected information recipients
22C - Use or disclosure of information by mortgage insurers or trade insurers
22D - Use or disclosure of information by a related body corporate
22E - Use or disclosure of information by credit managers etc.
22F - Use or disclosure of information by advisers etc.
23 - Guide to this Division
23A - Individual may complain about a breach of a provision of this Part etc.
23B - Dealing with complaints
23C - Notification requirements relating to correction complaints
24 - Obtaining credit reporting information from a credit reporting body
24A - Obtaining credit eligibility information from a credit provider
25 - Compensation orders
25A - Other orders to compensate loss or damage
36A - Guide to this Part
36 - Complaints
37 - Principal executive of agency
38 - Conditions for making a representative complaint
38A - Commissioner may determine that a complaint is not to continue as a representative complaint
38B - Additional rules applying to the determination of representative complaints
38C - Amendment of representative complaints
39 - Class member for representative complaint not entitled to lodge individual complaint
40 - Investigations
40A - Conciliation of complaints
41 - Commissioner may or must decide not to investigate etc. in certain circumstances
42 - Preliminary inquiries
43 - Conduct of investigations
43A - Interested party may request a hearing
44 - Power to obtain information and documents
45 - Power to examine witnesses
46 - Directions to persons to attend compulsory conference
47 - Conduct of compulsory conference
48 - Complainant and certain other persons to be informed of various matters
49 - Investigation under section 40 to cease if certain offences may have been committed
49A - Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened
50 - Reference of matters to other authorities
50A - Substitution of respondent to complaint
51 - Effect of investigation by Auditor-General
52 - Determination of the Commissioner
53 - Determination must identify the class members who are to be affected by the determination
53A - Notice to be given to outsourcing agency
53B - Substituting an agency for a contracted service provider
54 - Application of Division
55 - Obligations of organisations and small business operators
55A - Proceedings in the Federal Court or Federal Circuit Court to enforce a determination
55B - Evidentiary certificate
57 - Application of Division
58 - Obligations of agencies
59 - Obligations of principal executive of agency
60 - Compensation and expenses
62 - Enforcement of determination against an agency
63 - Legal assistance
64 - Commissioner etc. not to be sued
65 - Failure to attend etc. before Commissioner
66 - Failure to give information etc.
67 - Protection from civil actions
68 - Power to enter premises
68A - Identity cards
70 - Certain documents and information not required to be disclosed
70B - Application of this Part to former organisations
80U - Civil penalty provisions
80V - Enforceable undertakings
80W - Injunctions
Note: The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).
Note: The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).
(a) the organisation or operator is not described in subsection (2);
(4) Part V of this Act has extra-territorial operation so far as that Part relates to complaints and investigation concerning acts and practices to which this Act extends because of subsection (1) or (1A).
access seeker has the meaning given by subsection 6L(1).
advice related functions has the meaning given by subsection 28B(1).
amount of credit has the meaning given by subsection 6M(2).
annual turnover of a business has the meaning given by section 6DA.
APP code has the meaning given by section 26C.
at risk from an eligible data breach has the meaning given by section 26WE.
Australian link has the meaning given by subsections 5B(2) and (3).
Australian Privacy Principle has the meaning given by section 14.
authorised agent of a reporting entity means a person authorised to act on behalf of the reporting entity as mentioned in section 37 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
ban period has the meaning given by subsection 20K(3).
Board of the ACC means the Board of the Australian Crime Commission established under section 7B of the Australian Crime Commission Act 2002.
(a) in relation to an Australian Privacy Principle, has the meaning given by section 6A; and
(b) in relation to a registered APP code, has the meaning given by section 6B; and
(c) in relation to the registered CR code, has the meaning given by section 6BA.
class member, in relation to a representative complaint, means any of the persons on whose behalf the complaint was lodged, but does not include a person who has withdrawn under section 38B.
Codes Register has the meaning given by subsection 26U(1).
Note: See also subsection (9) about provision of services to an agency.
CR code has the meaning given by section 26N.
credit has the meaning given by subsections 6M(1) and (3).
credit information has the meaning given by section 6N.
credit provider has the meaning given by sections 6G to 6K, and, for the purposes of sections 7 and 8 and Parts III, IIIB, IV and V, is taken to include a mortgage insurer and a trade insurer.
credit reporting business has the meaning given by section 6P.
default information has the meaning given by section 6Q.
Defence Department means the Department of State that deals with defence and that is administered by the Minister administering section 1 of the Defence Act 1903.
(a) because it breached a rule issued under section 17; or
guidance related functions has the meaning given by subsection 28(1).
(a) an offence against section 26 of the Healthcare Identifiers Act 2010; or
(b) an offence against section 6 of the Crimes Act 1914 that relates to an offence mentioned in paragraph (a) of this definition.
Note: For ancillary offences, see section 11.6 of the Criminal Code.
health information has the meaning given by section 6FA.
health service has the meaning given by section 6FB.
Note: See section 10 for when an agency is taken to hold a record.
information request has the meaning given by section 6R.
interested party has the meaning given by subsections 20T(3) and 21V(3).
interference with the privacy of an individual has the meaning given by sections 13 to 13F.
monitoring related functions has the meaning given by subsections 28A(1) and (2).
new arrangement information has the meaning given by section 6S.
offence against this Act includes an offence against section 6 of the Crimes Act 1914, or section 11.1, 11.2, 11.2A, 11.4 or 11.5 of the Criminal Code, that relates to an offence against this Act.
organisation has the meaning given by section 6C.
payment information has the meaning given by section 6T.
penalty unit has the meaning given by section 4AA of the Crimes Act 1914.
(a) a request made under subsection 20T(1) in relation to the information if a notice has not been given under subsection 20U(2) or (3) in relation to the request; or
(b) a request made under subsection 21V(1) in relation to the information if:
(i) the credit reporting body referred to in subsection 20V(3) has been consulted about the request under subsection 21V(3); and
(ii) a notice has not been given under subsection 21W(2) or (3) in relation to the request.
(a) a complaint made under section 23A that relates to the information if a decision about the complaint has not been made under subsection 23B(4); or
permitted CP disclosure has the meaning given by sections 21J to 21N.
permitted CP use has the meaning given by section 21H.
permitted CRB disclosure has the meaning given by section 20F.
permitted general situation has the meaning given by section 16A.
permitted health situation has the meaning given by section 16B.
Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.
personal insolvency information has the meaning given by section 6U.
principal executive, of an agency, has a meaning affected by section 37.
recognised external dispute resolution scheme means an external dispute resolution scheme recognised under section 35A.
(f) Commonwealth records as defined by subsection 3(1) of the Archives Act 1983 that are in the open access period for the purposes of that Act; or
Note: For document, see section 2B of the Acts Interpretation Act 1901.
registered APP code has the meaning given by section 26B.
registered CR code has the meaning given by section 26M.
(d) if the recipient is an entity or adviser referred to in paragraph 21N(2)(a)—credit eligibility information disclosed to the recipient under subsection 21N(2).
repayment history information has the meaning given by subsection 6V(1).
residential property has the meaning given by section 204 of the National Credit Code (within the meaning of the National Consumer Credit Protection Act 2009).
respondent for a complaint made under section 23A means the credit reporting body or credit provider to which the complaint is made.
responsible person has the meaning given by section 6AA.
retention period has the meaning given by sections 20W and 20X.
small business has the meaning given by section 6D.
small business operator has the meaning given by section 6D.
staff of the Ombudsman means the persons appointed or employed for the purposes of section 31 of the Ombudsman Act 1976.
Note: See also subsection (9) about provision of services to a State or Territory authority.
State or Territory authority has the meaning given by section 6C.
temporary public interest determination means a determination made under section 80A.
(3) For the purposes of this Act, an act or practice breaches a rule issued under section 17 if, and only if, it is contrary to, or inconsistent with, the rule.
(4) The definition of individual in subsection (1) shall not be taken to imply that references to persons do not include persons other than natural persons.
(10) For the purposes of this Act, a reference to family in the definition of consumer credit in subsection 6(1), and in sections 6D and 16, in relation to any individual is taken to include the following (without limitation):
(b) someone who is the child of the person, or of whom the person is the child, because of the definition of child in subsection (11);
(11) In this section:
child: without limiting who is a child of a person for the purposes of subsection (10), someone is the child of a person if he or she is a child of the person within the meaning of the Family Law Act 1975.
(2) In this section:
child: without limiting who is a child of an individual for the purposes of subsection (1), each of the following is a child of an individual:
parent: without limiting who is a parent of an individual for the purposes of subsection (1), someone is a parent of an individual if the individual is his or her child because of the definition of child in this subsection.
(b) the child of the first individual because of the definition of child in this subsection.
Effect despite subsection (1)
(5) Subsections (2), (3) and (4) have effect despite subsection (1).
Effect despite subsection (1)
(5) Subsections (2), (3) and (4) have effect despite subsection (1).
Note 1: Under section 187LA of the Telecommunications (Interception and Access) Act 1979, service providers are, in relation to their activities relating to retained data, treated as organisations for the purposes of this Act.
Note 2: Regulations may prescribe an instrumentality by reference to one or more classes of instrumentality. See subsection 13(3) of the Legislation Act 2003.
(4) Before the Governor-General makes regulations prescribing an instrumentality of a State or Territory for the purposes of the definition of organisation in subsection (1), the Minister must:
(5) In this section:
State does not include the Australian Capital Territory or the Northern Territory (despite subsection 6(1)).
(ii) the commencement of this section; or
(5) Subsection (4) does not prevent an individual from being a small business operator merely because he or she does something described in paragraph (4)(b), (c) or (d):
(6) Subsection (4) does not prevent a body corporate, partnership, unincorporated association or trust from being a small business operator merely because it does something described in paragraph (4)(b), (c) or (d) otherwise than in the course of a business it carries on.
(9) Despite subsection (3), a body corporate is not a small business operator if it is related to a body corporate that carries on a business that is not a small business.
Note: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
Note: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
Note: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
(1) This Act applies, with the prescribed modifications (if any), in relation to a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.
Note 1: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
Note 2: Regulations may prescribe a small business operator by reference to one or more classes of small business operator. See subsection 13(3) of the Legislation Act 2003.
(2) This Act also applies, with the prescribed modifications (if any), in relation to the prescribed acts or practices of a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.
Note 1: The regulations may prescribe different modifications of the Act for different acts, practices or small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
Note 2: Regulations may prescribe an act, practice or small business operator by reference to one or more classes of acts, practices or small business operators. See subsection 13(3) of the Legislation Act 2003.
(3) In this section:
(4) Before the Governor-General makes regulations prescribing a small business operator, act or practice for the purposes of subsection (1) or (2), the Minister must:
(1) This Act applies in relation to a small business operator as if the operator were an organisation while a choice by the operator to be treated as an organisation is registered under this section.
Note: A small business operator may revoke such a choice by writing given to the Commissioner. See subsection 33(3) of the Acts Interpretation Act 1901.
(6) The Commissioner must make the register available to the public in the way that the Commissioner determines. However, the Commissioner must not make available to the public in the register information other than that described in subsection (3).
(1) This Act applies, with the prescribed modifications (if any), in relation to a prescribed State or Territory authority or a prescribed instrumentality of a State or Territory (except an instrumentality that is an organisation because of section 6C) as if the authority or instrumentality were an organisation.
Note 1: The regulations may prescribe different modifications of the Act for different authorities or instrumentalities. See subsection 33(3A) of the Acts Interpretation Act 1901.
Note 2: Regulations may prescribe an authority or instrumentality by reference to one or more classes of authority or instrumentality. See subsection 13(3) of the Legislation Act 2003.
(3) Before the Governor-General makes regulations prescribing a State or Territory authority or instrumentality of a State or Territory for the purposes of subsection (1), the Minister must:
(a) a reference in this section to an individual’s health includes the individual’s physical or psychological health; and
(b) an activity mentioned in subsection (1) or (2) that takes place in the course of providing aged care, palliative care or care for a person with a disability is a health service.
(4) The regulations may prescribe an activity that, despite subsections (1) and (2) is not to be treated as a health service for the purposes of this Act.
(c) the supplier is not a credit provider under subsection (1);
(d) the lessor is not a credit provider under subsection (1);
(4) An organisation or small business operator is a credit provider if subsection 6H(1), 6J(1) or 6K(1) provides that the organisation or operator is a credit provider.
(5) Despite subsections (1) to (4) of this section, an organisation or small business operator acting in the capacity of:
(6) Despite subsections (1) to (4) of this section, an organisation or small business operator is not a credit provider if it is included in a class of organisations or operators prescribed by the regulations.
(2) Subsection (1) does not apply if the principal is an organisation or small business operator that is a credit provider because of a previous application of that subsection.
(3) If subsection (1) applies in relation to credit that has been provided by the principal, the credit is taken, for the purposes of this Act, to have been provided by both the principal and the agent.
(4) If subsection (1) applies in relation to credit for which an application has been made to the principal, the application is taken, for the purposes of this Act, to have been made to both the principal and the agent.
(2) Subsection (1) does not apply if the original credit provider is an organisation or small business operator that is a credit provider because of a previous application of that subsection.
(3) If subsection (1) applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by both the original credit provider and the securitisation entity.
(4) If subsection (1) applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to both the original credit provider and the securitisation entity.
(b) the acquirer is not a credit provider under subsection 6G(1);
(2) If subsection (1) of this section applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by the acquirer.
(3) If subsection (1) of this section applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to the acquirer.
(ii) who is authorised, in writing, by the individual to make a request in relation to the information under subsection 20R(1) or 21T(1).
(d) a person who is prevented from being a credit provider by subsection 6G(5) or (6).
(3) Without limiting subsection (1), credit includes:
(b) a contract, arrangement or understanding of a kind referred to in that subsection that is for the hire, lease or rental of goods, or for the supply of services, other than a contract, arrangement or understanding under which:
(2) Subsection (1) applies whether or not the information about the credit worthiness of an individual is:
(4) Despite subsection (1), a business or undertaking is not a credit reporting business if the business or undertaking is included in a class of businesses or undertakings prescribed by the regulations.
(v) a direction given, or an order made, under section 50 of the Bankruptcy Act that relates to the property of the individual; or
(vi) an authority signed under section 188 of that Act that relates to the property of the individual.
(1) Except so far as the contrary intention appears, a reference in this Act (other than section 8) to an act or to a practice is a reference to:
(ee) an act done, or a practice engaged in, by an organisation, other than an exempt act or exempt practice (see sections 7B and 7C);
(1A) Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice so far as it involves the disclosure of personal information to:
(1B) Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice by an agency with an intelligence role or function (within the meaning of the Office of National Intelligence Act 2018) so far as it involves the disclosure of personal information to the Office of National Intelligence.
(2) Except so far as the contrary intention appears, a reference in this Act (other than section 8) to an act or to a practice includes, in the application of this Act otherwise than in respect of the Australian Privacy Principles, a registered APP code and the performance of the Commissioner’s functions in relation to the principles and such a code, a reference to an act done, or a practice engaged in, as the case may be, by an agency specified in Part I of Schedule 2 to the Freedom of Information Act 1982 or in Division 1 of Part II of that Schedule other than:
(4) For the purposes of section 28, of paragraphs 28A(2)(a) to (e), of subsection 31(2) and of Part VI, this section has effect as if a reference in subsection (1) of this section to an act done, or to a practice engaged in, included a reference to an act that is proposed to be done, or to a practice that is proposed to be engaged in, as the case may be.
(1) This Act applies, with the prescribed modifications (if any), in relation to an act or practice described in subsection (2) or (3) as if:
(b) the agency mentioned in that subsection were the organisation.
(2) Subsection (1) applies to acts done, and practices engaged in, by a prescribed agency. Regulations for this purpose may prescribe an agency only if it is specified in Part I of Schedule 2 to the Freedom of Information Act 1982.
(3) Subsection (1) also applies to acts and practices that:
(4) This section has effect despite subparagraph 7(1)(a)(i), paragraph 7(1)(c) and subsection 7(2).
Note: See also section 16 which provides that the Australian Privacy Principles do not apply for the purposes of, or in connection with, an individual’s personal, family or household affairs.
(a) for the purposes of meeting an obligation under a contract between the contractor and a registered political party or a political representative described in subsection (1); and
Subcontractors for organisations covered by subsection (1) etc.
(a) for the purposes of meeting an obligation under a contract between the subcontractor and a contractor described in subsection (2); and
Effect of subsection (4) on other operation of Act
(5) Subsection (4) does not otherwise affect the operation of the Act in relation to agents or principals.
(6) In this section:
Note: To avoid doubt, this section does not make exempt for the purposes of paragraph 7(1)(ee) an act or practice of the political representative, contractor, subcontractor or volunteer for a registered political party involving the use or disclosure (by way of sale or otherwise) of personal information in a way not covered by subsection (1), (2), (3) or (4) (as appropriate). The rest of this Act operates normally in relation to that act or practice.
(a) an act done or a practice engaged in by a person, in relation to a record, is to be treated, under subsection (1), as having been done or engaged in by an agency; and
(2) Subject to subsection (3), where a record that contains tax file number information is in the possession or under the control of a person:
Where, but for this section, a provision of this Act:
(1) Without limiting its effect apart from this section, this Act has effect in relation to the following (the regulated entities) as provided by this section:
Note: Subsection 27(4) applies in relation to an investigation of an act or practice referred to in subsection 29(1) of the Healthcare Identifiers Act 2010.
(3) This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to acts or practices covered by section 5B (which deals with acts and practices outside Australia and the external Territories).
Note: See subsections 6A(2) and 6B(2) for when an act or practice does not breach an Australian Privacy Principle or a registered APP code.
(a) it is an act or practice of a file number recipient and the act or practice breaches a rule issued under section 17 in relation to tax file number information that relates to the individual; or
(4A) If an entity (within the meaning of Part IIIC) contravenes subsection 26WH(2), 26WK(2), 26WL(3) or 26WR(10), the contravention is taken to be an act that is an interference with the privacy of an individual.
(a) constitutes a breach of Part 2 of the Data-matching Program (Assistance and Tax) Act 1990 or the rules issued under section 12 of that Act; or
(b) constitutes a breach of the rules issued under section 135AA of the National Health Act 1953.
(1) Despite subsection 13(1), each of the following acts or practices of an organisation that is a body corporate is not an interference with the privacy of an individual:
Note: Subsection (1) lets related bodies corporate share personal information. However, in using or holding the information, they must comply with the Australian Privacy Principles and a registered APP code that binds them. For example, there is an interference with privacy if:
(c) a related body corporate whose disclosure of the information to the body corporate is not an interference with privacy because of section 13D.
Note: The effect of subsection (1A) is that a body corporate’s failure to comply with the Australian Privacy Principles, or a registered APP code that binds the body, in collecting personal information about an individual from a related body corporate covered by that subsection is an interference with the privacy of the individual.
Relationship with subsection 13(3)
(2) Subsection (1) does not prevent an act or practice of an organisation from being an interference with the privacy of an individual under subsection 13(3).
Note: Subsection (1) lets personal information be passed on from an old to a new partnership. However, in using or holding the information, they must comply with the Australian Privacy Principles and a registered APP code that binds them. For example, the new partnership’s use of personal information collected from the old partnership may constitute an interference with privacy if it breaches Australian Privacy Principle 6.
Effect of subsection (1)
(2) Subsection (1) has effect despite subsections 13(1) and (3).
Effect of subsection (1)
(2) Subsection (1) has effect despite subsections 13(1) and (3).
Sections 13B, 13C and 13D do not prevent an act or practice of an organisation from being an interference with the privacy of an individual under subsection 13(2), (4) or (5).
An act or practice that is not covered by section 13 is not an interference with the privacy of an individual.
An entity contravenes this subsection if:
Permitted general situations
| Item | Column 1: Kind of entity | Column 2: Item applies to | Column 3: Condition(s) |
|---|---|---|---|
| 1 | APP entity | (a) personal information; or (b) a government related identifier. | (a) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and (b) the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. |
| 2 | APP entity | (a) personal information; or (b) a government related identifier. | (a) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and (b) the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter. |
| 3 | APP entity | Personal information | (a) the entity reasonably believes that the collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing; and (b) the collection, use or disclosure complies with the rules made under subsection (2). |
| 4 | APP entity | Personal information | The collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim. |
| 5 | APP entity | Personal information | The collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process. |
| 6 | Agency | Personal information | The entity reasonably believes that the collection, use or disclosure is necessary for the entity’s diplomatic or consular functions or activities. |
| 7 | Defence Force | Personal information | The entity reasonably believes that the collection, use or disclosure is necessary for any of the following occurring outside Australia and the external Territories: (a) war or warlike operations; (b) peacekeeping or peace enforcement; (c) civil aid, humanitarian assistance, medical or civil emergency or disaster relief. |
(2) The Commissioner may, by legislative instrument, make rules relating to the collection, use or disclosure of personal information that apply for the purposes of item 3 of the table in subsection (1).
(iii) the information is collected in accordance with guidelines approved under section 95A for the purposes of this subparagraph.
(c) the use or disclosure is conducted in accordance with guidelines approved under section 95A for the purposes of this paragraph; and
(c) the use or disclosure is conducted in accordance with guidelines approved under section 95AA; and
(1) This section applies if:
A file number recipient shall not do an act, or engage in a practice, that breaches a rule issued under section 17.
(1) The object of this section is to ensure that credit reporting bodies manage credit reporting information in an open and transparent way.
(4) Without limiting subsection (3), the policy of the credit reporting body must contain the following information:
(e) information about the effect of section 20G (which deals with direct marketing) and how the individual may make a request under subsection (5) of that section;
(g) information about the effect of section 20T (which deals with individuals requesting the correction of credit information etc.);
(2) Subsection (1) does not apply if the collection of the credit information is required or authorised by or under an Australian law or a court/tribunal order.
(3) Subsection (1) does not apply if:
(a) the credit reporting body collects the credit information about the individual from a credit provider who is permitted under section 21D to disclose the information to the body; and
(4) Subsection (1) does not apply if:
(8) This section applies to the collection of credit information that is solicited by a credit reporting body.
the body must, within a reasonable period after receiving the information, determine whether or not the body could have collected the information under section 20C if the body had solicited the information.
(2) The credit reporting body may use or disclose the credit information for the purposes of making the determination under subsection (1).
(3) If the credit reporting body determines that it could have collected the credit information, sections 20E to 20ZA apply in relation to the information as if the body had collected the information under section 20C.
(5) Subsection (4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.
(2) Subsection (1) does not apply to the use of credit reporting information about the individual if:
(3) Subsection (1) does not apply to the disclosure of credit reporting information about the individual if:
(5) If a credit reporting body discloses credit reporting information under this section, the body must make a written note of that disclosure.
(6) This section does not apply to the use or disclosure of credit reporting information for the purposes of direct marketing.
Note: Section 20G deals with the use or disclosure of credit reporting information for the purposes of direct marketing.
Permitted CRB disclosures
| Item | If the disclosure is to ... | the condition or conditions are ... |
|---|---|---|
| 1 | a credit provider | the provider requests the information for a consumer credit related purpose of the provider in relation to the individual. |
| 2 | a credit provider | (a) the provider requests the information for a commercial credit related purpose of the provider in relation to a person; and (b) the individual expressly consents to the disclosure of the information to the provider for that purpose. |
| 3 | a credit provider | (a) the provider requests the information for a credit guarantee purpose of the provider in relation to the individual; and (b) the individual expressly consents, in writing, to the disclosure of the information to the provider for that purpose. |
| 4 | a credit provider | the credit reporting body is satisfied that the provider, or another credit provider, believes on reasonable grounds that the individual has committed a serious credit infringement. |
| 5 | a credit provider | (a) the credit reporting body holds consumer credit liability information that relates to consumer credit provided by the provider to the individual; and (b) the consumer credit has not been terminated, or has not otherwise ceased to be in force. |
| 6 | a credit provider under subsection 6J(1) | the provider requests the information for a securitisation related purpose of the provider in relation to the individual. |
| 7 | a mortgage insurer | the insurer requests the information for a mortgage insurance purpose of the insurer in relation to the individual. |
| 8 | a trade insurer | (a) the insurer requests the information for a trade insurance purpose of the insurer in relation to the individual; and (b) the individual expressly consents, in writing, to the disclosure of the information to the insurer for that purpose. |
(2) The consent of the individual under paragraph (b) of item 2 of the table in subsection (1) must be given in writing unless:
(2) Subsection (1) does not apply to the use by the credit reporting body of credit information about the individual for the purposes of direct marketing by, or on behalf of, a credit provider if:
(e) the individual has not made a request under subsection (5); and
(5) An individual may request a credit reporting body that holds credit information about the individual not to use the information under subsection (2).
(6) If the individual makes a request under subsection (5), the credit reporting body must not charge the individual for the making of the request or to give effect to the request.
(7) If a credit reporting body uses credit information under subsection (2), the body must make a written note of that use.
(2) Subsection (1) does not apply if:
(3) If the credit reporting body discloses the pre-screening assessment under subsection (2), the body must make a written note of that disclosure.
(4) If the credit reporting body discloses the pre-screening assessment under subsection (2), the recipient must not use or disclose the assessment.
(5) Subsection (4) does not apply if the recipient uses the pre-screening assessment for the purposes of the direct marketing by, or on behalf of, the credit provider.
(6) If the recipient uses the pre-screening assessment under subsection (5), the recipient must make a written note of that use.
(a) the entity no longer needs the assessment for any purpose for which it may be used or disclosed under section 20H; and
(2) Subsection (1) does not apply if:
(ii) if the period is extended under subsection (4)—on the day after the extended period ends.
(5) A ban period for credit reporting information may be extended more than once under subsection (4).
(2) Subsection (1) does not apply if the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order.
(2) Subsection (1) does not apply to the use or disclosure of the de-identified information if:
(b) the credit reporting body complies with the rules made under subsection (3).
(4) Without limiting subsection (3), the rules may relate to the following matters:
(3) Without limiting subsections (1) and (2), a credit reporting body must:
(a) enter into agreements with credit providers that require the providers to ensure that credit information that they disclose to the body under section 21D is accurate, up to date and complete; and
(a) the body uses or discloses credit reporting information under this Division (other than subsections 20D(2) and 20T(4)); and
(2) A credit reporting body must not use or disclose credit reporting information under this Division (other than subsections 20D(2) and 20T(4)) if the information is false or misleading in a material particular.
(2) Without limiting subsection (1), a credit reporting body must:
(2) Despite subsection (1), the credit reporting body is not required to give the access seeker access to the credit reporting information to the extent that:
(5) If a request under subsection (1) in relation to the individual has not been made to the credit reporting body in the previous 12 months, the body must not charge the access seeker for the making of the request or for giving access to the information.
(6) If subsection (5) does not apply, any charge by the credit reporting body for giving access to the information must not be excessive and must not apply to the making of the request.
(7) If the credit reporting body refuses to give access to the information because of subsection (2), the body must give the access seeker a written notice that:
(a) the credit reporting body corrects credit reporting information under subsection (1); and
(b) the body has previously disclosed the information under this Division (other than subsections 20D(2) and 20T(4));
(3) Subsection (2) does not apply if:
(a) it is impracticable for the credit reporting body to give the notice under that subsection; or
(b) the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(3) If the credit reporting body considers that the body cannot be satisfied of the matter referred to in subsection (2) in relation to the personal information without consulting either or both of the following (the interested party):
(4) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
(1) This section applies if an individual requests a credit reporting body to correct personal information under subsection 20T(1).
(2) If the credit reporting body corrects the personal information under subsection 20T(2), the body must, within a reasonable period:
(b) if the body consulted an interested party under subsection 20T(3) about the individual’s request—give the party written notice of the correction; and
(c) if the correction relates to information that the body has previously disclosed under this Division (other than subsections 20D(2) and 20T(4))—give each recipient of the information written notice of the correction.
(3) If the credit reporting body does not correct the personal information under subsection 20T(2), the body must, within a reasonable period, give the individual written notice that:
(5) Subsection (2) or (3) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(1) This section applies if:
(3) Despite subsection (2), the credit reporting body must neither destroy the credit information nor ensure that the information is de-identified, if immediately before the retention period ends:
(4) Subsection (2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.
(ii) the body is required to do a thing referred to in subsection (2) to one of those kinds of credit information;
(b) otherwise—at the same time that the body is required to do a thing referred to in subsection (2) to the credit information from which the CRB derived information was derived.
(6) Despite subsection (5), the credit reporting body must neither destroy the CRB derived information nor ensure that the information is de-identified, if immediately before the retention period ends:
(7) Subsection (5) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the CRB derived information.
Retention period
| Item | If the credit information is ... | the retention period for the information is ... |
|---|---|---|
| 1 | consumer credit liability information | the period of 2 years that starts on the day on which the consumer credit to which the information relates is terminated or otherwise ceases to be in force. |
| 2 | repayment history information | the period of 2 years that starts on the day on which the monthly payment to which the information relates is due and payable. |
| 3 | information of a kind referred to in paragraph 6N(d) or (e) | the period of 5 years that starts on the day on which the information request to which the information relates is made. |
| 4 | default information | the period of 5 years that starts on the day on which the credit reporting body collects the information. |
| 5 | payment information | the period of 5 years that starts on the day on which the credit reporting body collects the default information to which the payment information relates. |
| 6 | new arrangement information within the meaning of subsection 6S(1) | the period of 2 years that starts on the day on which the credit reporting body collects the default information referred to in that subsection. |
| 7 | new arrangement information within the meaning of subsection 6S(2) | the period of 2 years that starts on the day on which the credit reporting body collects the information about the opinion referred to in that subsection. |
| 8 | court proceedings information | the period of 5 years that starts on the day on which the judgement to which the information relates is made or given. |
| 9 | information of a kind referred to in paragraph 6N(l) | the period of 7 years that starts on the day on which the credit reporting body collects the information. |
Retention period
| Item | If personal insolvency information relates to ... | the retention period for the information is whichever of the following periods ends later ... |
|---|---|---|
| 1 | a bankruptcy of an individual | (a) the period of 5 years that starts on the day on which the individual becomes a bankrupt; (b) the period of 2 years that starts on the day the bankruptcy ends. |
| 2 | a personal insolvency agreement to which item 3 of this table does not apply | (a) the period of 5 years that starts on the day on which the agreement is executed; (b) the period of 2 years that starts on the day the agreement is terminated or set aside under the Bankruptcy Act. |
| 3 | a personal insolvency agreement in relation to which a certificate has been signed under section 232 of the Bankruptcy Act | (a) the period of 5 years that starts on the day on which the agreement is executed; (b) the period that ends on the day on which the certificate is signed. |
| 4 | a debt agreement to which item 5 of this table does not apply | (a) the period of 5 years that starts on the day on which the agreement is made; (b) the period of 2 years that starts on the day: (i) the agreement is terminated under the Bankruptcy Act; or (ii) an order declaring that all the agreement is void is made under that Act. |
| 5 | a debt agreement that ends under section 185N of the Bankruptcy Act | (a) the period of 5 years that starts on the day on which the agreement is made; (b) the period that ends on the day on which the agreement ends. |
(b) the proposal is not accepted under section 185EC of the Bankruptcy Act; or
(c) the acceptance of the proposal for processing is cancelled under section 185ED of that Act; or
(d) the proposal lapses under section 185G of that Act.
(3) If personal insolvency information relates to a direction given, or an order made, under section 50 of the Bankruptcy Act, the retention period for the information is the period that ends on the day on which the control of the property to which the direction or order relates ends.
Note: See subsection 50(1B) of the Bankruptcy Act for when the control of the property ends.
(4) If the personal insolvency information relates to an authority signed under section 188 of the Bankruptcy Act, the retention period for the information is the period that ends on the day on which the property to which the authority relates is no longer subject to control under Division 2 of Part X of that Act.
(5) An expression used in this section that is also used in the Bankruptcy Act has the same meaning in this section as it has in that Act.
(1) This section applies if:
(i) give the individual a written notice that states that the information has been destroyed and sets out the effect of subsection (4); and
(3) Subsection (2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit reporting information.
(a) a credit reporting body destroys credit reporting information about an individual under subsection (2); and
(5) Subsection (4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notification.
(1) This section applies if a credit reporting body holds credit reporting information about an individual and either:
(a) subsection 20V(3) applies in relation to the information; or
(b) subsection 20V(6) applies in relation to the information.
(2) The credit reporting body must, as soon as practicable, notify in writing the Commissioner of the matter referred to in paragraph (1)(a) or (b) of this section.
(4) However, the credit reporting body may use or disclose the information under this subsection if:
(5) If the credit reporting body uses or discloses the information under subsection (4), the body must make a written note of the use or disclosure.
(7) If the Commissioner gives a direction under subsection (6) to the credit reporting body, the body must comply with the direction.
(8) To avoid doubt, section 20M applies in relation to credit reporting information that is de-identified as a result of the credit reporting body complying with the direction.
(1) This section applies if a credit reporting body is not required:
(a) to do a thing referred to in subsection 20V(2) to credit information because of subsection 20V(4); or
(b) to do a thing referred to in subsection 20V(5) to CRB derived information because of subsection 20V(7); or
(c) to destroy credit reporting information under subsection 20Y(2) because of subsection 20Y(3).
(3) However, the credit reporting body may use or disclose the information under this subsection if the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
(4) If the credit reporting body uses or discloses the information under subsection (3), the body must make a written note of the use or disclosure.
(5) Subdivision E of this Division (other than section 20Q) does not apply in relation to the use or disclosure of the information.
Note: Section 20Q deals with the security of credit reporting information.
(2) If the credit provider is an APP entity, this Division may apply to the provider in relation to information referred to in subsection (1) in addition to, or instead of, the Australian Privacy Principles.
(1) The object of this section is to ensure that credit providers manage credit information and credit eligibility information in an open and transparent way.
(4) Without limiting subsection (3), the policy of the credit provider must contain the following information:
(2) If a credit provider is an APP entity, subsection (1) applies to the provider in relation to personal information in addition to Australian Privacy Principle 5.
(a) that the policy (the credit reporting policy) of the provider that is referred to in subsection 21B(3) contains information about how an individual may access the credit eligibility information about the individual that is held by the provider;
(2) Subsection (1) does not apply to the disclosure of credit information about the individual if:
(c) the information meets the requirements of subsection (3).
Note: Section 21F limits the disclosure of credit information if there is a ban period for the information.
(3) Credit information about an individual meets the requirements of this subsection if:
(6) If a credit provider discloses credit information under this section, the provider must make a written note of that disclosure.
(a) a credit provider has disclosed default information about an individual to a credit reporting body under section 21D; and
the provider must, within a reasonable period after the amount is paid, disclose payment information about the amount to the body under that section.
(1) This section applies if:
(2) If the credit provider holds credit information about the individual that relates to the consumer credit, the provider must not, despite sections 21D and 21E, disclose the information to a credit reporting body.
(3) Subsection (2) does not apply if the credit provider has taken such steps as are reasonable in the circumstances to verify the identity of the individual.
(2) Subsection (1) does not apply to the use of credit eligibility information about the individual if:
(3) Subsection (1) does not apply to the disclosure of credit eligibility information about the individual if:
Note: See section 21NA for additional rules about the disclosure of credit eligibility information under paragraph (3)(b) or (c).
(4) However, if the credit eligibility information about the individual is, or was derived from, repayment history information about the individual, the credit provider must not disclose the information under subsection (3).
(5) Subsection (4) does not apply if:
(b) the disclosure is a permitted CP disclosure within the meaning of section 21L; or
(6) If a credit provider uses or discloses credit eligibility information under this section, the provider must make a written note of that use or disclosure.
Permitted CP uses
| Item | Column 1: The relevant credit reporting information was disclosed to the credit provider under ... | Column 2: The credit provider uses the credit eligibility information for ... |
|---|---|---|
| 1 | item 1 of the table in subsection 20F(1) for the purpose of assessing an application for consumer credit made by the individual to the provider. | (a) a securitisation related purpose of the provider in relation to the individual; or (b) the internal management purposes of the provider that are directly related to the provision or management of consumer credit by the provider. |
| 2 | item 2 of the table in subsection 20F(1) for a particular commercial credit related purpose of the provider in relation to the individual. | that particular commercial credit related purpose. |
| 3 | item 2 of the table in subsection 20F(1) for the purpose of assessing an application for commercial credit made by a person to the provider. | the internal management purposes of the provider that are directly related to the provision or management of commercial credit by the provider. |
| 4 | item 3 of the table in subsection 20F(1) for a credit guarantee purpose of the provider in relation to the individual. | (a) the credit guarantee purpose; or (b) the internal management purposes of the provider that are directly related to the provision or management of any credit by the provider. |
| 5 | item 5 of the table in subsection 20F(1). | the purpose of assisting the individual to avoid defaulting on his or her obligations in relation to consumer credit provided by the provider to the individual. |
| 6 | item 6 of the table in subsection 20F(1) for a particular securitisation related purpose of the provider in relation to the individual. | that particular securitisation related purpose. |
(b) while the provider is so acting, the provider is a credit provider under subsection 6H(1); and
(a) the provider is a credit provider under subsection 6J(1) in relation to credit; and
(c) the original credit provider is not a credit provider under that subsection; and
(ii) another credit provider that is a credit provider under that subsection in relation to the credit and that has an Australian link; and
(d) the information is information of a kind referred to in subsection (2).
Note: See section 21NA for additional rules about the disclosure of credit eligibility information under this subsection.
(c) subsection (3) applies to the information.
(3) This subsection applies to the credit eligibility information if the recipient proposes to use the information:
(a) for a disclosure under paragraph 21G(3)(b)—section 22D;
(b) for a disclosure under paragraph 21G(3)(c)—section 22E;
(3) Before a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link, the provider must take such steps as are reasonable in the circumstances to ensure that the person or body does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
(a) a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link; and
(1) This section applies if:
(a) the provider discloses credit information under section 21D; and
(3) A credit provider must not disclose credit information under section 21D if the information is false or misleading in a material particular.
(2) Despite subsection (1), the credit provider is not required to give the access seeker access to the credit eligibility information to the extent that:
(7) If the provider refuses to give access to the information because of subsection (2), the provider must give the access seeker a written notice that:
(a) the credit provider corrects credit information or credit eligibility information under subsection (1); and
(i) this Division (other than subsection 21V(4)); or
(3) Subsection (2) does not apply if:
(a) it is impracticable for the credit provider to give the notice under that subsection; or
(b) the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
Note: Identification information may be corrected under this section or Australian Privacy Principle 13.
(3) If the credit provider considers that the provider cannot be satisfied of the matter referred to in subsection (2) in relation to the personal information without consulting either or both of the following (the interested party):
(4) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
Note: Identification information may be corrected under this section or Australian Privacy Principle 13.
(1) This section applies if an individual requests a credit provider to correct personal information under subsection 21V(1).
(2) If the credit provider corrects personal information about the individual under subsection 21V(2), the provider must, within a reasonable period:
(b) if the provider consulted an interested party under subsection 21V(3) about the individual’s request—give the party written notice of the correction; and
(i) this Division (other than subsection 21V(4)); or
(3) If the credit provider does not correct the personal information under subsection 21V(2), the provider must, within a reasonable period, give the individual written notice that:
(5) Subsection (2) or (3) does not apply if the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
(1) The object of this section is to ensure that an affected information recipient manages the regulated information of the recipient in an open and transparent way.
(4) Without limiting subsection (3), the policy of the affected information recipient must contain the following information:
(a) that the policy (the credit reporting policy) of the recipient that is referred to in subsection 22A(3) contains information about how an individual may access the regulated information about the individual that is held by the recipient, and seek the correction of such information;
(2) Subsection (1) does not apply to the use of the information if:
(3) Subsection (1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
(2) Subsection (1) does not apply to the use or disclosure of the information by the body corporate if the body would be permitted to use or disclose the information under section 21G if the body were the credit provider.
(3) In determining whether the body corporate would be permitted to use or disclose the information under section 21G, assume that the body is whichever of the following is applicable:
(2) Subsection (1) does not apply to the use of the information if:
(3) Subsection (1) does not apply to the disclosure of the information if:
(b) the information was disclosed to the recipient by a credit provider under subsection 21N(2);
(2) Subsection (1) does not apply to the use of the information if:
(a) for a recipient that is the entity—the information is used for a matter referred to in subsection 21N(3); or
(ii) in connection with advising the entity about a matter referred to in subsection 21N(3); or
(3) Subsection (1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
(a) a provision of this Part (other than section 20R or 20T);
(b) a provision of the registered CR code (other than a provision that relates to that section).
Note: A complaint about a breach of section 20R or 20T, or a provision of the registered CR code that relates to that section, may be made to the Commissioner under Part V.
(a) a provision of this Part (other than section 21T or 21V);
(b) a provision of the registered CR code (other than a provision that relates to that section) if it binds the credit provider.
Note: A complaint about a breach of section 21T or 21V, or a provision of the registered CR code that relates to that section, may be made to the Commissioner under Part V.
(1) If an individual makes a complaint under section 23A, the respondent for the complaint:
(3) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
(4) After investigating the complaint, the respondent must, within the period referred to in subsection (5), make a decision about the complaint and give the individual a written notice that:
(5) The period for the purposes of subsection (4) is:
(1) This section applies if an individual makes a complaint under section 23A about an act or practice that may breach section 20S or 21U (which deal with the correction of personal information by credit reporting bodies and credit providers).
(d) notify the provider of the making of a decision about the complaint under subsection 23B(4) as soon as practicable after it is made.
(d) notify the body or other provider (as the case may be) of the making of a decision about the complaint under subsection 23B(4) as soon as practicable after it is made.
(b) at the time of the disclosure, a decision about the complaint under subsection 23B(4) has not been made;
(b) at the time of the disclosure, a decision about the complaint under subsection 23B(4) has not been made;
(6) Subsection (2), (3), (4) or (5) does not apply if:
(a) it is impracticable for the credit reporting body or credit provider to give the notification under that subsection; or
(b) the credit reporting body or credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notification under that subsection.
(i) a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against the entity for a contravention of a civil penalty provision of this Act (other than section 13G); or
(a) the person applies for an order under this section; and
(1) This section applies if:
(i) a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against the entity for a contravention of a civil penalty provision of this Act (other than section 13G); or
(3) Without limiting subsection (2), examples of orders the court may make include:
(a) the person applies for an order under this section; and
(3) Subsection 12(2) (retrospective application of legislative instruments) of the Legislation Act 2003 does not apply to a registered APP code.
(c) set out the period during which the code is in force (which must not start before the day the code is registered under section 26H).
(b) cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3);
If a registered APP code covers an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3), this Act applies in relation to the code as if that act or practice were not exempt.
(b) set out the effect of section 26A.
(6) Despite paragraph (5)(a), the Commissioner must not require an APP code to cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3). However, the APP code that is developed by the APP code developer may cover such an act or practice.
(1) This section applies if the Commissioner made a request under subsection 26E(2) and either:
(b) the request has been complied with but the Commissioner has decided not to register, under section 26H, the APP code that was developed as requested.
(2) The Commissioner may develop an APP code if the Commissioner is satisfied that it is in the public interest to develop the code. However, despite subsection 26C(3)(b), the APP code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).
(3) Before registering the APP code under section 26H, the Commissioner must:
(a) an application for registration of an APP code is made under section 26F; or
(b) the Commissioner develops an APP code under section 26G;
(b) consider the matters specified in any relevant guidelines made under section 26V.
(3) If the Commissioner varies a registered APP code on his or her own initiative, then, despite subsection 26C(3)(b), the variation must not deal with an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).
(5) In deciding whether to approve a variation, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.
Note: The APP code, as varied, is a legislative instrument once it is included on the Codes Register: see section 26B.
(4) In deciding whether to remove the registered APP code, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.
Note: There must always be one, and only one, registered CR code at all times after this Part commences: see subsection 26S(4).
(3) Subsection 12(2) (retrospective application of legislative instruments) of the Legislation Act 2003 does not apply to the registered CR code.
(b) set out the effect of section 26L.
(1) The Commissioner may develop a CR code if the Commissioner made a request under section 26P and either:
(b) the request has been complied with but the Commissioner has decided not to register, under section 26S, the CR code that was developed as requested.
(2) Before registering the CR code under section 26S, the Commissioner must:
(a) an application for registration of a CR code is made under section 26Q; or
(b) the Commissioner develops a CR code under section 26R;
(b) consider the matters specified in any guidelines made under section 26V.
(4) In deciding whether to approve a variation, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.
Note: The CR code, as varied, is a legislative instrument once it is included on the Codes Register: see section 26M.
(a) the APP codes the Commissioner has decided to register under section 26H; and
(b) the APP codes the Commissioner must register under section 26J; and
(c) the CR code the Commissioner has decided to register under section 26S; and
(d) the CR code the Commissioner must register under section 26T.
(2) Despite subsection (1), the Commissioner is not required to include on the Codes Register:
(a) an APP code removed from the Register under section 26J or 26K; or
(b) the CR code removed from the Register under section 26T.
(e) the APP entity were required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information.
(ii) a credit provider has disclosed, under subsection 21M(1), credit eligibility information about one or more individuals to a body or person that does not have an Australian link; and
(d) the credit provider were required to comply with subsection 21S(1) in relation to the credit eligibility information.
Note: See section 21NA.
has been, or is required to be, notified under section 75 of the My Health Records Act 2012, this Part does not apply in relation to the access, disclosure or loss.
(1) This section applies if:
(ii) the APP entity is required under section 15 not to do an act, or engage in a practice, that breaches Australian Privacy Principle 11.1 in relation to the personal information; or
(ii) the credit reporting body is required to comply with section 20Q in relation to the credit reporting information; or
(ii) the credit provider is required to comply with subsection 21S(1) in relation to the credit eligibility information; or
(ii) the file number recipient is required under section 18 not to do an act, or engage in a practice, that breaches a section 17 rule that relates to the tax file number information.
(3) Subsection (2) has effect subject to section 26WF.
(1) This section applies if:
Note: Section 26WK applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.
(a) an entity complies with section 26WH in relation to an eligible data breach of the entity; and
that section does not apply in relation to those eligible data breaches of those other entities.
(1) This section applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.
(i) prepare a statement that complies with subsection (3); and
(1) This section applies if:
(i) complies with subsection 26WK(3); and
Note: See also subsections 26WF(2) and (5), which deal with remedial action.
(3) The entity must comply with subsection (2) as soon as practicable after the completion of the preparation of the statement.
(4) If the entity normally communicates with a particular individual using a particular method, the notification to the individual under paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).
(a) an entity complies with sections 26WK and 26WL in relation to an eligible data breach of the entity; and
those sections do not apply in relation to those eligible data breaches of those other entities.
(c) the chief executive officer of the enforcement body believes on reasonable grounds that compliance with section 26WL in relation to the eligible data breach would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, the enforcement body;
paragraph 26WK(3)(d) and section 26WL do not apply in relation to:
(1) For the purposes of this section, secrecy provision means a provision that:
(2) If compliance by an entity with subparagraph 26WK(2)(a)(ii) in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), subsection 26WK(2) does not apply to the entity, in relation to the statement, to the extent of the inconsistency.
(3) If compliance by an entity with section 26WL in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), section 26WL does not apply to the entity, in relation to the statement, to the extent of the inconsistency.
(4) For the purposes of this section, prescribed secrecy provision means a secrecy provision that is specified in the regulations.
(b) section 26WL;
(6) If compliance by an entity with subparagraph 26WK(2)(a)(ii) in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, subsection 26WK(2) does not apply to the entity in relation to the statement.
(7) If compliance by an entity with section 26WL in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, section 26WL does not apply to the entity in relation to the statement.
(c) declare that sections 26WK and 26WL do not apply in relation to:
(d) declare that subsection 26WL(3) has effect in relation to:
as if that subsection required compliance with subsection 26WL(2) before the end of a period specified in the declaration.
(2) The Commissioner’s power in paragraph (1)(d) may only be used to extend the time for compliance with subsection 26WL(2) to the end of a period that the Commissioner is satisfied is reasonable in the circumstances.
(3) The Commissioner must not make a declaration under subsection (1) unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the following:
(5) The Commissioner may give a notice of a declaration to an entity under subsection (1):
(9) If an entity applies to the Commissioner under paragraph (5)(b) for a declaration that, to any extent, relates to an eligible data breach of the entity, sections 26WK and 26WL do not apply in relation to:
(a) prepare a statement that complies with subsection (4); and
Note: See also subsections 26WF(2) and (5), which deal with remedial action.
(3) Before giving a direction to an entity under subsection (1), the Commissioner must invite the entity to make a submission to the Commissioner in relation to the direction within the period specified in the invitation.
(5) A direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out specified information that relates to the eligible data breach that the Commissioner has reasonable grounds to believe has happened.
(6) In deciding whether to give a direction to an entity under subsection (1), the Commissioner must have regard to the following:
(i) in response to an invitation under subsection (3); and
(8) If the Commissioner is aware that there are reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, a direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out the identity and contact details of those other entities.
(9) If an entity normally communicates with a particular individual using a particular method, the notification to the individual mentioned in paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).
(10) An entity must comply with a direction under subsection (1) as soon as practicable after the direction is given.
An entity is not required to comply with a direction under subsection 26WR(1) if:
(1) For the purposes of this section, secrecy provision means a provision that:
(2) If compliance by an entity with paragraph 26WR(1)(b) or subsection 26WR(2) in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), paragraph 26WR(1)(b) or subsection 26WR(2), as the case may be, does not apply to the entity, in relation to the statement, to the extent of the inconsistency.
(3) For the purposes of this section, prescribed secrecy provision means a secrecy provision that is specified in the regulations.
(b) subsection 26WR(2);
(5) If compliance by an entity with paragraph 26WR(1)(b) or subsection 26WR(2) in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, paragraph 26WR(1)(b) or subsection 26WR(2), as the case may be, does not apply to the entity in relation to the statement.
(3) Without limiting subsection (2), the Commissioner may establish a panel of persons with expertise in relation to a particular matter to assist the Commissioner in performing any of the Commissioner’s functions.
(4) Section 38 of the Healthcare Identifiers Act 2010, rather than section 12B of this Act, applies in relation to an investigation of an act or practice referred to in subsection 29(1) of that Act in the same way as it applies to Parts 3 and 4 of that Act.
Note: Section 38 of the Healthcare Identifiers Act 2010 deals with the additional effect of Parts 3 and 4 of that Act.
(d) evaluating compliance with the rules issued under section 17;
Note: The objects of this Act are set out in section 2A.
(1) Where the Commissioner has investigated an act or practice without a complaint having been made under section 36, the Commissioner may report to the Minister about the act or practice, and shall do so:
(2) Where the Commissioner reports under subsection (1) about an act done in accordance with a practice, the Commissioner shall also report to the Minister about the practice.
(3) Where, after an investigation of an act or practice of an agency, file number recipient, credit reporting body or credit provider that is an interference with the privacy of an individual under subsection 13(1), (2) or (4), the Commissioner is required by virtue of paragraph (1)(b) of this section to report to the Minister about the act or practice, the Commissioner:
(4) Where, at the end of 60 days after a copy of a report about an act or practice of an agency, file number recipient, credit reporting body or credit provider was served under subsection (3), the Commissioner:
(5) The Minister shall cause a copy of a report given to the Minister under subsection (4) to be laid before each House of the Parliament within 15 sitting days of that House after the report is received by the Minister.
(1) Where the Commissioner has examined a proposed enactment under paragraph 28A(2)(a), subsections (2) and (3) of this section have effect.
(5) The Minister shall cause a copy of a report given under subsection (4) to be laid before each House of the Parliament as soon as practicable, and no later than 15 sitting days of that House, after the report is received by the Minister.
(b) conducted an assessment under section 33C;
(3) The Minister shall cause a copy of a report given under subsection (2) to be laid before each House of the Parliament as soon as practicable, and no later than 15 sitting days of that House, after the report is received by the Minister.
(1) In setting out findings, opinions and reasons in a report to be given under section 30, 31 or 32, the Commissioner may exclude a matter if the Commissioner considers it desirable to do so having regard to the obligations of the Commissioner under subsections (2) and (3).
(2) In deciding under subsection (1) whether or not to exclude matter from a report, the Commissioner shall have regard to the need to prevent:
(3) The Commissioner shall try to achieve an appropriate balance between meeting the need referred to in subsection (2) and the desirability of ensuring that interested persons are sufficiently informed of the results of the Commissioner’s investigation, examination or monitoring.
(5) In this section:
(c) whether tax file number information held by a file number recipient is being maintained and handled in accordance with any relevant rules issued under section 17;
(d) whether the data-matching program (within the meaning of the Data-matching Program (Assistance and Tax) Act 1990) of an agency complies with Part 2 of that Act and the rules issued under section 12 of that Act;
(e) whether information to which section 135AA of the National Health Act 1953 applies is being maintained and handled in accordance with the rules issued under that section.
(2) A direction under subsection (1) is not a legislative instrument.
(4) Subsection (3) does not limit the matters that the privacy impact assessment may deal with.
(6) If an agency does not comply with a direction under subsection (1), the Commissioner must advise both of the following of the failure:
(7) Before the fifth anniversary of the commencement of this section, the Minister must cause a review to be undertaken of whether this section should apply in relation to organisations.
(a) an exempt document by virtue of section 33 or subsection 37(1) or 45A(1) of the Freedom of Information Act 1982; or
(b) an exempt document to the extent referred to in subsection 45A(2) or (3) of that Act.
(3) An expression used in this section and in the Freedom of Information Act 1982 has the same meaning in this section as in that Act.
(a) an application made under subsection 55(1) of the Freedom of Information Act 1982 for review of a decision under that Act refusing access to a document has been finally determined or otherwise disposed of;
(f) the Commissioner has, as a result of the complaint, recommended under subsection 30(3) of this Act that the agency amend the document, or amend a part of the document, to which the applicant has been refused access; and
(2) An agency shall comply with a direction given in accordance with subsection (1).
(3) In subsection (1), amend, in relation to a document, means amend by making a correction, deletion or addition.
(4) An expression used in this section and in the Freedom of Information Act 1982 has the same meaning in this section as in that Act.
(4) A notice under subsection (1) is not a legislative instrument.
(2) In the case of an act or practice that may be an interference with the privacy of 2 or more individuals, any one of those individuals may make a complaint under subsection (1) on behalf of all of the individuals.
(2A) In the case of a representative complaint, this section has effect subject to section 38.
(b) members of the staff of the Ombudsman who have had powers of the Commissioner delegated to them under section 99;
Note: Sections 98A to 98C contain further rules about how this Part operates in relation to respondent organisations that are not legal persons.
(8) The respondent to a complaint about an act or practice described in subsection 13(2), (4) or (5), other than an act or practice of an agency or organisation, is the person or entity who engaged in the act or practice.
Item | Column 1: Agency | Column 2: Principal executive
1 | Department | The Secretary of the Department
2 | An unincorporated body, or a tribunal, referred to in paragraph (c) of the definition of agency in subsection 6(1) | The chief executive officer of the body or tribunal
3 | A body referred to in paragraph (d) of the definition of agency in subsection 6(1) | The chief executive officer of the body
4 | A federal court | The principal registrar of the court or the person occupying an equivalent office
5 | The Australian Federal Police | The Commissioner of Police
5A | A public sector agency (within the meaning of the Public Sector Management Act 2000 of Norfolk Island) | The Chief Executive Officer (within the meaning of the Public Sector Management Act 2000 of Norfolk Island)
5B | An unincorporated body, or a tribunal, referred to in paragraph (c) of the definition of Norfolk Island agency in subsection 6(1) | The Chief Executive Officer (within the meaning of the Public Service Act 2014 of Norfolk Island)
5D | A court of Norfolk Island | The registrar or principal registrar of the court or the person occupying an equivalent office
9 | An eligible hearing service provider that is an individual | The individual
10 | An eligible hearing service provider that is not an individual | An eligible hearing service provider that is not an individual
(1) A representative complaint may be lodged under section 36 only if:
(2) A representative complaint made under section 36 must:
Note: If a class member withdraws from a representative complaint that relates to a matter, the former member may make a complaint under section 36 that relates to the matter.
(1) Subject to subsection (1A), the Commissioner shall investigate an act or practice if:
(b) a complaint about the act or practice has been made under section 36.
(1A) The Commissioner must not investigate a complaint if the complainant did not complain to the respondent before making the complaint to the Commissioner under section 36. However, the Commissioner may decide to investigate the complaint if he or she considers that it was not appropriate for the complainant to complain to the respondent.
(1B) Subsection (1A) does not apply if the complaint is about an act or practice that may breach:
(a) section 20R, 20T, 21T or 21V (which are about access to, and correction of, credit reporting information etc.); or
(b) a provision of the registered CR code that relates to that section.
(3) This section has effect subject to section 41.
(a) a complaint about an act or practice is made under section 36; and
(2) Subsection (1) does not apply if the Commissioner has decided under section 41 or 50 not to investigate, or not to investigate further, the act or practice.
(4) If a notification is given under subsection (3), the Commissioner may decide not to investigate, or not to investigate further, the act or practice.
(1) The Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under section 36 if the Commissioner is satisfied that:
(1A) The Commissioner must not investigate, or investigate further, an act or practice about which a complaint has been made under section 36 if the Commissioner is satisfied that the complainant has withdrawn the complaint.
(2) The Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under section 36 if the Commissioner is satisfied that the complainant has complained to the respondent about the act or practice and either:
(3) The Commissioner may defer the investigation or further investigation of an act or practice about which a complaint has been made under section 36 if:
(a) an application has been made by the respondent for a determination under section 72 in relation to the act or practice; and
(2) The Commissioner may make inquiries of any person for the purpose of determining whether to investigate an act or practice under subsection 40(2).
(1AA) Before commencing an investigation of an act or practice of a person or entity under subsection 40(2), the Commissioner must inform the person or entity that the act or practice is to be investigated.
Note: See subsection 6(9) about provision of services to an agency.
(4) The Commissioner may make a determination under section 52 in relation to an investigation under this Division without holding a hearing, if:
(i) in the case of an investigation under subsection 40(1)—the complainant and respondent; or
(c) an application for a hearing has not been made under section 43A.
(7) Where, in connection with an investigation of a matter under this Division, the Commissioner proposes to hold a hearing, or proposes to make a requirement of a person under section 44, the Commissioner shall, if he or she has not previously informed the responsible Minister (if any) that the matter is being investigated, inform that Minister accordingly.
(8A) Subsection (8) does not allow the Commissioner to discuss a matter relevant to an investigation of a breach of the Australian Privacy Principles or a registered APP code with a Minister, unless the investigation is of an act done, or practice engaged in:
(1) An interested party in relation to an investigation under this Division may, in writing, request that the Commissioner hold a hearing before the Commissioner makes a determination under section 52 in relation to the investigation.
(2) If an interested party makes a request under subsection (1), the Commissioner must:
(3) In this section:
(a) in the case of an investigation under subsection 40(1)—the complainant or respondent; or
(2) A notice given by the Commissioner under subsection (1) shall state:
(2A) If documents are produced to the Commissioner in accordance with a requirement under subsection (1), the Commissioner:
(4) This section is subject to section 70 but it has effect regardless of any other enactment.
(1) The Commissioner may administer an oath or affirmation to a person required under section 44 to attend before the Commissioner and may examine such a person on oath or affirmation.
(2) The oath or affirmation to be taken or made by a person for the purposes of this section is an oath or affirmation that the answers the person will give will be true.
(2A) Subsection (2) does not apply if the person has a reasonable excuse.
Note: A defendant bears an evidential burden in relation to the matter in subsection (2A) (see subsection 13.3(3) of the Criminal Code).
(3) A person who has been directed under subsection (1) to attend a conference is entitled to be paid by the Commonwealth a reasonable sum for the person’s attendance at the conference.
(4) The Commissioner may, in a notice given to a person under subsection (1), require the person to produce such documents at the conference as are specified in the notice.
(3) A body of persons, whether corporate or unincorporate, that is directed under section 46 to attend a conference shall be deemed to attend if a member, officer or employee of that body attends on behalf of that body.
Note: See subsection 6(9) about provision of services to an agency.
(1) Where, in the course of an investigation under section 40, the Commissioner forms the opinion that a tax file number offence, a healthcare identifier offence, an AML/CTF verification offence or a credit reporting offence may have been committed, the Commissioner shall:
(b) in the case of an investigation under subsection 40(1), give a copy of the complaint to the Commissioner of Police or the Director of Public Prosecutions, as the case may be; and
(c) subject to subsection (3), discontinue the investigation except to the extent that it concerns matters unconnected with the offence that the Commissioner believes may have been committed.
(4) In subsection (1):
AML/CTF verification offence (short for anti-money laundering and counter-terrorism financing offence) means an offence against section 35H, 35J or 35K of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
(a) an offence against subsection 20P(1), 21R(1) or (2), 24(1) or (2) or 24A(1) or (2); or
(b) an offence against section 6 of the Crimes Act 1914, or section 11.1, 11.4 or 11.5 of the Criminal Code, being an offence that relates to an offence referred to in paragraph (a) of this definition.
(a) an offence against section 8WA or 8WB of the Taxation Administration Act 1953; or
(b) an offence against section 6 of the Crimes Act 1914, or section 11.1, 11.4 or 11.5 of the Criminal Code, being an offence that relates to an offence referred to in paragraph (a) of this definition.
(1) If, in the course of an investigation under section 40, the Commissioner forms the opinion that subsection 172(3) of the Personal Property Securities Act 2009 (civil penalty for searching otherwise than for authorised purposes) may have been contravened, the Commissioner must:
(b) in the case of an investigation under subsection 40(1), give a copy of the complaint to the Registrar of Personal Property Securities; and
(a) not to apply for an order under section 222 of the Personal Property Securities Act 2009; or
(b) to discontinue a proceeding that is an application for an order under section 222 of that Act.
(3) Upon receiving a notice under subsection (2), the Commissioner may continue an investigation discontinued under paragraph (1)(c).
(1) In this section:
(3) A complaint transferred under subsection (2) shall be taken to be:
(1) This section lets the Commissioner substitute an agency for an organisation as respondent to a complaint if:
(b) before the Commissioner makes a determination under section 52 in relation to the complaint, the organisation:
Note 2: The Commissioner may determine under section 53B that the determination applies in relation to an agency if the organisation has not complied with the determination.
(4) If the Commissioner amends the complaint after starting to investigate it, the Commissioner is taken to have satisfied subsection 43(1A) in relation to the agency.
(1A) After investigating an act or practice of a person or entity under subsection 40(2), the Commissioner may make a determination that includes one or more of the following:
(1AB) The loss or damage referred to in paragraph (1)(b) or subsection (1A) includes:
(1B) A determination of the Commissioner under subsection (1) or (1A) is not binding or conclusive between any of the parties to the determination.
(3A) A determination under paragraph (1)(b) or subsection (1A) may include any order that the Commissioner considers necessary or appropriate.
(6) In this section:
A determination under section 52 on a representative complaint must describe or otherwise identify those of the class members who are to be affected by the determination.
(1) This section applies if:
(a) a determination under section 52 applies in relation to a contracted service provider for a Commonwealth contract; and
(ii) a declaration under subsection 52(3) that the complainant is entitled to a specified amount by way of reimbursement; and
(2) The Commissioner may determine in writing that the determination under section 52 instead applies in relation to a specified agency to which services were or were to be provided under the contract. The determination has effect according to its terms for the purposes of section 60.
(1) This Division applies to a determination made under section 52 after the commencement of this Division, except where the determination applies in relation to an agency or the principal executive of an agency.
(2) In this section:
(a) if the determination was made under subsection 52(1)—the complainant;
(6) Despite subsection (5), the court may receive any of the following as evidence in proceedings about a determination made by the Commissioner under section 52:
(7A) In conducting a hearing and making an order under this section, the court is to have due regard to the objects of this Act.
(8) In this section:
(3) In any proceedings under section 55A, a certificate under subsection (1) of this section is prima facie evidence of the facts found by the Commissioner and set out in the certificate. However, the certificate is not prima facie evidence of a finding that:
(4) A document purporting to be a certificate under subsection (1) must, unless the contrary is established, be taken to be a certificate and to have been properly given.
(1) This Division applies to a determination that is made under section 52 and that applies in relation to an agency or the principal executive of an agency.
(2) In this section:
(1) If a determination to which this Division applies includes a declaration of the kind referred to in subparagraph 52(1)(b)(iii), paragraph 52(1A)(d) or subsection 52(3), the complainant or individual is entitled to be paid the amount specified in the declaration.
(2B) If a determination relates to a Norfolk Island agency, the reference in subsection (2) to the Commonwealth is to be read as a reference to Norfolk Island.
(3) In this section:
(1) If an agency fails to comply with section 58, an application may be made to the Federal Court or the Federal Circuit Court for an order directing the agency to comply.
(2) If the principal executive of an agency fails to comply with section 59, an application may be made to the Federal Court or the Federal Circuit Court for an order directing the principal executive to comply.
(a) if the determination was made under subsection 52(1)—the complainant; or
(4) On an application under this section, the court may make such other orders as it thinks fit with a view to securing compliance by the agency or principal executive.
(5) An application may not be made under this section in relation to a determination under section 52 until:
(a) the time has expired for making an application under section 96 for review of the determination; or
(6) In this section:
the respondent may apply to the Attorney-General for assistance under this section.
(a) has commenced or proposes to commence proceedings in the Federal Court or the Federal Circuit Court under section 55; or
(b) has engaged in conduct or is alleged to have engaged in conduct in respect of which proceedings have been commenced in the Federal Court or the Federal Circuit Court under section 55;
may apply to the Attorney-General for the provision of assistance under this section in respect of the proceedings.
(2A) Subsection (2) does not permit an application relating to proceedings under section 55A to enforce a determination relating to a code complaint or an APP complaint.
(3) If the Attorney-General is satisfied that in all the circumstances it is reasonable to grant an application made under this section, he or she may authorise the provision by the Commonwealth to the applicant of:
(a) in the case of an application under subsection (1)—such financial assistance in connection with the investigation of the complaint as the Attorney-General determines; or
(b) in the case of an application under subsection (2)—such legal or financial assistance in respect of the proceeding as the Attorney-General determines.
(4) An authorisation under subsection (3) may be made subject to such conditions (if any) as the Attorney-General determines.
(5) In considering an application made under this section, the Attorney-General must have regard to any hardship to the applicant that refusal of the application would involve.
(2) Subsection (1) does not apply if the person has a reasonable excuse.
Note: A defendant bears an evidential burden in relation to the matter in subsection (2) (see subsection 13.3(3) of the Criminal Code).
Penalty for a contravention of this subsection: Imprisonment for 12 months or 20 penalty units, or both.
(1A) For the purposes of subsection (1B), a journalist has a reasonable excuse if giving the information, answering the question or producing the document or record would tend to reveal the identity of a person who gave information or a document or record to the journalist in confidence.
(1B) Subsection (1) does not apply if the person has a reasonable excuse.
Note: A defendant bears an evidential burden in relation to the matter in subsection (1B) (see subsection 13.3(3) of the Criminal Code).
(2) For the purposes of subsections (3) to (11) (inclusive):
(3) Subject to subsections (4), (7) and (10), it is a reasonable excuse for the purposes of subsection (1B) for an individual:
(4) Subsection (3) does not apply in relation to a failure or refusal by an individual to give information, or to produce a document, on the ground that giving the information or producing the document might tend to prove his or her guilt of an offence against, or make him or her liable to forfeiture or a penalty under, a law of the Commonwealth or of a Territory, if the Director of Public Prosecutions has given the individual a written undertaking under subsection (5).
(6) The Commissioner may recommend to the Director of Public Prosecutions that an individual who has been, or is to be, required under this Act to give information or produce a document be given an undertaking under subsection (5).
(7) Subsection (3) does not apply in relation to a failure or refusal by an individual to give information, or to produce a document, on the ground that giving the information or producing the document might tend to prove his or her guilt of an offence against, or make him or her liable to forfeiture or a penalty under, a law of a State, if the Attorney-General of the State, or a person authorised by that Attorney-General (being the person holding the office of Director of Public Prosecutions, or a similar office, of the State) has given the individual a written undertaking under subsection (8).
(9) The Commissioner may recommend to the Attorney-General of a State that an individual who has been, or is to be, required under this Act to give information or produce a document be given an undertaking under subsection (8).
(10) For the purposes of subsection (1B):
(11) Subsections (4), (7) and (10) do not apply where proceedings, in respect of which giving information or producing a document might tend to incriminate an individual or make an individual liable to forfeiture or a penalty, have been commenced against the individual and have not been finally dealt with by a court or otherwise disposed of.
(b) the making of a statement to, or the giving of a document or information to, the Commissioner, whether or not pursuant to a requirement under section 44.
(1) Subject to subsection (3), for the purposes of the performance by the Commissioner of his or her functions under this Act, a person authorised by the Commissioner in writing for the purposes of this section may, at any reasonable time of the day, enter premises occupied by an agency, an organisation, a file number recipient, a credit reporting body or a credit provider and inspect any documents that are kept at those premises and that are relevant to the performance of those functions, other than documents in respect of which the Attorney-General has furnished a certificate under subsection 70(1) or (2).
(2) The occupier or person in charge of the premises shall provide the authorised person with all reasonable facilities and assistance for the effective exercise of the authorised person’s powers under subsection (1).
(3) A person shall not enter under subsection (1) premises other than premises that are occupied by an agency unless:
(b) the person is authorised, pursuant to a warrant issued under subsection (4), to enter the premises.
(4) If, on an application made by a person authorised by the Commissioner under subsection (1), a Magistrate is satisfied, by information on oath, that it is reasonably necessary, for the purposes of the performance by the Commissioner of his or her functions under this Act, that the person be empowered to enter the premises, the Magistrate may issue a warrant authorising the person, with such assistance as the person thinks necessary, to enter the premises, if necessary by force, for the purpose of exercising those powers.
(5) A warrant issued under subsection (4) shall state:
(6) Nothing in subsection (1) restricts the operation of any other provision of this Part.
(1) The Commissioner must issue to a person authorised for the purposes of section 68 an identity card in the form approved by the Commissioner. The identity card must contain a recent photograph of the authorised person.
(3) A person must not contravene subsection (2).
(2) Without limiting the operation of subsection (1), where the Attorney-General furnishes to the Commissioner a certificate certifying that the giving to the Commissioner of information as to the existence or non-existence of information concerning a specified matter (including the giving of information in answer to a question) or as to the existence or non-existence of any document or other record required to be produced to the Commissioner would be contrary to the public interest:
Example 2: A small business operator chooses under section 6EA to be treated as an organisation, but later revokes the choice. A complaint about an act or practice the operator engaged in while the choice was registered under that section may be made and investigated under this Part as if the operator were an organisation.
For the purposes of this Part, a person is interested in an application made under section 73 if, and only if, the Commissioner is of the opinion that the person has a real and substantial interest in the application.
Effect of determination under subsection (2)
(3) The APP entity is taken not to contravene section 15 or 26A if the entity does the act, or engages in the practice, while the determination is in force under subsection (2).
Giving a determination under subsection (2) general effect
(4) The Commissioner may, by legislative instrument, make a determination that no APP entity is taken to contravene section 15 or 26A if, while that determination is in force, an APP entity does an act, or engages in a practice, that is the subject of a determination under subsection (2) in relation to that entity or any other APP entity.
Effect of determination under subsection (4)
(5) A determination under subsection (4) has effect according to its terms.
(1) An APP entity may apply in accordance with the regulations for a determination under section 72 about an act or practice of the entity.
(a) an application is made under subsection (1); and
(2) The CEO of the National Health and Medical Research Council may make an application under subsection (1) on behalf of other agencies concerned with medical research or the provision of health services.
(3) Where an application is made by virtue of subsection (2), a reference in the succeeding provisions of this Part to the agency is a reference to the CEO of the National Health and Medical Research Council.
(4) Where the Commissioner makes a determination under section 72 on an application made by virtue of subsection (2), that section has effect, in relation to each of the agencies on whose behalf the application was made as if the determination had been made on an application by that agency.
(1) Subject to subsection (2), the Commissioner shall publish, in such manner as he or she thinks fit, notice of:
(b) if the Commissioner dismisses an application under subsection 73(1A)—the dismissal of the application.
(1) The Commissioner shall prepare a draft of his or her proposed determination in relation to the application unless the Commissioner dismisses the application under subsection 73(1A).
(3) An invitation under subsection (2) or subsection (2A) shall specify a period that begins on the day on which the invitation is sent and is not shorter than the prescribed period.
(a) such determination under section 72 as he or she considers appropriate; or
(1) This section applies if the Commissioner is satisfied that:
(a) the act or practice of an APP entity that is the subject of an application under section 73 for a determination under section 72 breaches, or may breach:
(2) The Commissioner may, by legislative instrument, make a determination that he or she is satisfied of the matters set out in subsection (1). The Commissioner may do so:
(3) The Commissioner must specify in the determination a period of up to 12 months during which the determination is in force (subject to subsection 80D(2)).
(1) If an act or practice of an APP entity is the subject of a temporary public interest determination, the entity is taken not to breach section 15 or 26A if the entity does the act, or engages in the practice, while the determination is in force.
(3) The Commissioner may, by legislative instrument, make a determination that no APP entity is taken to contravene section 15 or 26A if, while that determination is in force, an APP entity does an act, or engages in a practice, that is the subject of a temporary public interest determination in relation to that entity or another APP entity.
Effect of determination under subsection (3)
(4) A determination under subsection (3) has effect according to its terms.
(1) The fact that the Commissioner has made a determination under this Division about an act or practice does not prevent the Commissioner from dealing under Division 1 with an application made under section 73 in relation to that act or practice.
(a) a determination made under subsection 72(2) about the act or practice comes into effect; or
emergency declaration means a declaration under section 80J or 80K.
(2) For the purposes of this Part, a reference in the definition of personal information in subsection 6(1) to an individual is taken to include a reference to an individual who is not living.
(2) Without limiting subsection (1), any of the following is a permitted purpose in relation to an emergency or disaster:
The Prime Minister or the Minister may make a declaration under this section if the Prime Minister or the Minister (as the case may be) is satisfied that:
Note: A declaration under this section is merely a trigger for the operation of this Part and is not directly related to any other legislative or non-legislative scheme about emergencies.
(1) The Prime Minister or the Minister may make a declaration under this section if the Prime Minister or the Minister (as the case may be) is satisfied that:
(2) The Minister must consult the Minister administering the Diplomatic Privileges and Immunities Act 1967 before the Minister makes a declaration under this section.
Note: A declaration under this section is merely a trigger for the operation of this Part and is not directly related to any other legislative or non-legislative scheme about emergencies.
(2) An entity is not liable to any proceedings for contravening a secrecy provision in respect of a use or disclosure of personal information authorised by subsection (1), unless the secrecy provision is a designated secrecy provision (see subsection (7)).
(3) An entity is not liable to any proceedings for contravening a duty of confidence in respect of a disclosure of personal information authorised by subsection (1).
(4) An entity does not breach an Australian Privacy Principle, or a registered APP code that binds the entity, in respect of a collection, use or disclosure of personal information authorised by subsection (1).
(6) A collection, use or disclosure of personal information by an officer or employee of an agency in the course of duty as an officer or employee is authorised by subsection (1) only if the officer or employee is authorised by the agency to collect, use or disclose the personal information.
(7) In this section:
(a) sections 18, 18A, 18B and 92 of the Australian Security Intelligence Organisation Act 1979;
(b) section 34 of the Inspector-General of Intelligence and Security Act 1986;
(c) sections 39, 39A, 40, 40B to 40H, 40L, 40M and 41 of the Intelligence Services Act 2001;
(ca) sections 42 to 44 of the Office of National Intelligence Act 2018;
(2) Subsection (1) does not apply to the following disclosures:
(c) a disclosure permitted under section 80P;
Note: A defendant bears an evidential burden in relation to a matter in subsection (2) (see subsection 13.3(3) of the Criminal Code).
(3) If a disclosure of personal information is covered by subsection (2), the disclosure is authorised by this section.
(1) The operation of this Part is not limited by a secrecy provision of any other law of the Commonwealth (whether made before or after the commencement of this Act) except to the extent that the secrecy provision expressly excludes the operation of this section.
Note: Section 3 provides for the concurrent operation of State and Territory laws.
(1A) The operation of this Part is not limited by a secrecy provision of a Norfolk Island enactment (whether made before or after the commencement of this subsection) except to the extent that the secrecy provision expressly excludes the operation of this subsection.
(1) Without limiting its effect apart from each of the following subsections of this section, this Part has effect in relation to a collection, use or disclosure as provided by that subsection.
(3) In this section:
(2) For the purposes of Part 6 of the Regulatory Powers Act, the Commissioner is an authorised person in relation to the provisions mentioned in subsection (1).
(3) For the purposes of Part 6 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsection (1):
(5) Part 6 of the Regulatory Powers Act, as it applies in relation to the provisions mentioned in subsection (1), extends to every external Territory.
(2) For the purposes of Part 7 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions mentioned in subsection (1):
(3) For the purposes of Part 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsection (1):
(4) Part 7 of the Regulatory Powers Act, as that Part applies in relation to the provisions mentioned in subsection (1), extends to every external Territory.
Advisory Committee means the Privacy Advisory Committee established by subsection 82(1).
(6) The Governor-General shall so exercise the power of appointment conferred by subsection (3) that a majority of the appointed members are persons who are neither officers nor employees, nor members of the staff of an authority or instrumentality, of the Commonwealth.
(b) fails, without reasonable excuse, to comply with the member’s obligations under section 86; or
(2) A disclosure under subsection (1) at a meeting of the Advisory Committee shall be recorded in the minutes of the meeting.
(2) Subsection (1) does not limit or restrict any other right that the confider has to relief in respect of the breach.
(2) Subsection (1) does not deprive a court of a State or of another Territory of any jurisdiction that it has.
(a) but for this subsection, an act done by an agency would breach an Australian Privacy Principle; and
(b) the act is done in the course of medical research and in accordance with guidelines under subsection (1);
(1) This section allows the Commissioner to approve for the purposes of the Australian Privacy Principles guidelines that are issued by the CEO of the National Health and Medical Research Council or a prescribed authority.
(3) The Commissioner may give an approval under subsection (2) only if satisfied that the public interest in the use and disclosure of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(3)).
(5) The Commissioner may give an approval under subsection (4) only if satisfied that the public interest in the collection of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(2)).
(6) The Commissioner may, by notice in the Gazette, revoke an approval of guidelines under this section if he or she is no longer satisfied of the matter that he or she had to be satisfied of to approve the guidelines.
(1) This section allows the Commissioner to approve for the purposes of the Australian Privacy Principles guidelines that are issued by the National Health and Medical Research Council.
(1) This section requires an agency entering into a Commonwealth contract to take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an Australian Privacy Principle if done or engaged in by the agency.
(4) For the purposes of subsection (3), a subcontract is a contract under which a contracted service provider for the Commonwealth contract is engaged to provide services to:
(5) This section applies whether the agency is entering into the Commonwealth contract on behalf of the Commonwealth or in the agency’s own right.
(a) a decision under subsection 26H(1) not to register an APP code developed by an APP code developer;
(b) a decision under subsection 26S(1) not to register a CR code developed by a CR code developer;
(ba) a decision under subsection 26WQ(7) to refuse an application for a declaration;
(bc) a decision under subsection 26WR(1) to give a direction;
(c) a decision under subsection 52(1) or (1A) to make a determination;
(d) a decision under subsection 73(1A) to dismiss an application;
(e) a decision under section 95 to refuse to approve the issue of guidelines;
(f) a decision under subsection 95A(2) or (4) or 95AA(2) to refuse to approve guidelines;
(g) a decision under subsection 95A(6) to revoke an approval of guidelines.
(b) if another entity’s compliance with subsection 26WL(2) is affected by the decision to refuse the application for a declaration—that other entity.
(b) if another entity’s compliance with subsection 26WL(2) is affected by the declaration—that other entity.
(2D) For the purposes of subsections (2A), (2B) and (2C), entity has the same meaning as in Part IIIC.
(1) If, apart from this subsection, this Act would impose an obligation on a partnership, the obligation is imposed instead on each partner but may be discharged by any of the partners.
(2) If, apart from this subsection, an offence against this Act would be committed by a partnership, the offence is taken to have been committed by each partner.
(3) If, apart from this subsection, a partnership would contravene a civil penalty provision, the contravention is taken to have been committed by each partner.
(4) A partner does not commit an offence against this Act because of subsection (2), or contravene a civil penalty provision because of subsection (3), if the partner:
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matters in subsection (4) (see subsection 13.3(3) of the Criminal Code).
(1) If, apart from this subsection, this Act would impose an obligation on an unincorporated association, the obligation is imposed instead on each member of the association’s committee of management but may be discharged by any of the members.
(2) If, apart from this subsection, an offence against this Act would be committed by an unincorporated association, the offence is taken to have been committed by each member of the association’s committee of management.
(3) If, apart from this subsection, an unincorporated association would contravene a civil penalty provision, the contravention is taken to have been committed by each member of the association’s committee of management.
(4) A member of an unincorporated association’s committee of management does not commit an offence against this Act because of subsection (2), or contravene a civil penalty provision because of subsection (3), if the member:
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matters in subsection (4) (see subsection 13.3(3) of the Criminal Code).
(1) If, apart from this subsection, this Act would impose an obligation on a trust, the obligation is imposed instead on each trustee of the trust but may be discharged by any of the trustees.
(2) If, apart from this subsection, an offence against this Act would be committed by a trust, the offence is taken to have been committed by each trustee of the trust.
(3) If, apart from this subsection, a trust would contravene a civil penalty provision, the contravention is taken to have been committed by each trustee of the trust.
(4) A trustee of a trust does not commit an offence against this Act because of subsection (2), or contravene a civil penalty provision because of subsection (3), if the trustee:
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matters in subsection (4) (see subsection 13.3(3) of the Criminal Code).
(b) the person would not have been convicted of the offence if subsections (3) and (4) had not been enacted;
(6) A reference in subsection (1) or (3) to the state of mind of a person includes a reference to:
(7) A reference in this section to a director of a body corporate includes a reference to a constituent member of a body corporate incorporated for a public purpose by a law of the Commonwealth, of a State or of a Territory.
(8) A reference in this section to engaging in conduct includes a reference to failing or refusing to engage in conduct.
(3) Subsection (2) does not apply to the making of regulations for the purposes of Australian Privacy Principle 9.3 that relate to the use or disclosure of a government related identifier by an organisation, or a class of organisations, in particular circumstances if:
Note: For permitted general situation, see section 16A. For permitted health situation, see section 16B.
Note: For permitted general situation, see section 16A. For permitted health situation, see section 16B.
(b) subsection 16B(2) applied in relation to the collection of the personal information by the entity;
Note: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.
Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.
(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by the APP entity; or
Note: For permitted general situation, see section 16A.
Note: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.
(d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the use or disclosure of the identifier; or
Note 1: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.
Note 2: For permitted general situation, see section 16A.
Note: There are prerequisites that must be satisfied before the matters mentioned in this subclause are prescribed, see subsections 100(2) and (3).