Note: The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).

Note: The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).

(4) Part V of this Act has extra territorial operation so far as that Part relates to complaints and investigation concerning acts and practices to which this Act extends because of subsection (1) or (1A).

access seeker has the meaning given by subsection 6L(1).

advice related functions has the meaning given by subsection 28B(1).

amount of credit has the meaning given by subsection 6M(2).

annual turnover of a business has the meaning given by section 6DA.

APP code has the meaning given by section 26C.

at risk from an eligible data breach has the meaning given by section 26WE.

Australian link has the meaning given by subsections 5B(2) and (3).

Australian Privacy Principle has the meaning given by section 14.

authorised agent of a reporting entity means a person authorised to act on behalf of the reporting entity as mentioned in section 37 of the Anti Money Laundering and Counter Terrorism Financing Act 2006.

ban period has the meaning given by subsection 20K(3).

Board of the ACC means the Board of the Australian Crime Commission established under section 7B of the Australian Crime Commission Act 2002.

class member, in relation to a representative complaint, means any of the persons on whose behalf the complaint was lodged, but does not include a person who has withdrawn under section 38B.

Codes Register has the meaning given by subsection 26U(1).

Note: See also subsection (9) about provision of services to an agency.

CR code has the meaning given by section 26N.

credit has the meaning given by subsections 6M(1) and (3).

credit information has the meaning given by section 6N.

credit provider has the meaning given by sections 6G to 6K, and, for the purposes of sections 7 and 8 and Parts III, IIIB, IV and V, is taken to include a mortgage insurer and a trade insurer.

credit reporting business has the meaning given by section 6P.

default information has the meaning given by section 6Q.

Defence Department means the Department of State that deals with defence and that is administered by the Minister administering section 1 of the Defence Act 1903.

guidance related functions has the meaning given by subsection 28(1).

Note: For ancillary offences, see section 11.6 of the Criminal Code.

health information has the meaning given by section 6FA.

health service has the meaning given by section 6FB.

Note: See section 10 for when an agency is taken to hold a record.

information request has the meaning given by section 6R.

interested party has the meaning given by subsections 20T(3) and 21V(3).

interference with the privacy of an individual has the meaning given by sections 13 to 13F.

monitoring related functions has the meaning given by subsections 28A(1) and (2).

new arrangement information has the meaning given by section 6S.

offence against this Act includes an offence against section 6 of the Crimes Act 1914, or section 11.1, 11.2, 11.2A, 11.4 or 11.5 of the Criminal Code, that relates to an offence against this Act.

organisation has the meaning given by section 6C.

payment information has the meaning given by section 6T.

penalty unit has the meaning given by section 4AA of the Crimes Act 1914.

permitted CP disclosure has the meaning given by sections 21J to 21N.

permitted CP use has the meaning given by section 21H.

permitted CRB disclosure has the meaning given by section 20F.

permitted general situation has the meaning given by section 16A.

permitted health situation has the meaning given by section 16B.

Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5 1A of that Act.

personal insolvency information has the meaning given by section 6U.

principal executive, of an agency, has a meaning affected by section 37.

recognised external dispute resolution scheme means an external dispute resolution scheme recognised under section 35A.

Note: For document, see section 2B of the Acts Interpretation Act 1901.

registered APP code has the meaning given by section 26B.

registered CR code has the meaning given by section 26M.

repayment history information has the meaning given by subsection 6V(1).

residential property has the meaning given by section 204 of the National Credit Code (within the meaning of the National Consumer Credit Protection Act 2009).

respondent for a complaint made under section 23A means the credit reporting body or credit provider to which the complaint is made.

responsible person has the meaning given by section 6AA.

retention period has the meaning given by sections 20W and 20X.

small business has the meaning given by section 6D.

small business operator has the meaning given by section 6D.

staff of the Ombudsman means the persons appointed or employed for the purposes of section 31 of the Ombudsman Act 1976.

Note: See also subsection (9) about provision of services to a State or Territory authority.

State or Territory authority has the meaning given by section 6C.

temporary public interest determination means a determination made under section 80A.

(3) For the purposes of this Act, an act or practice breaches a rule issued under section 17 if, and only if, it is contrary to, or inconsistent with, the rule.

(4) The definition of individual in subsection (1) shall not be taken to imply that references to persons do not include persons other than natural persons.

(10) For the purposes of this Act, a reference to family in the definition of consumer credit in subsection 6(1), and in sections 6D and 16, in relation to any individual is taken to include the following (without limitation):

(11) In this section:

child: without limiting who is a child of a person for the purposes of subsection (10), someone is the child of a person if he or she is a child of the person within the meaning of the Family Law Act 1975.

(2) In this section:

child: without limiting who is a child of an individual for the purposes of subsection (1), each of the following is a child of an individual:

parent: without limiting who is a parent of an individual for the purposes of subsection (1), someone is a parent of an individual if the individual is his or her child because of the definition of child in this subsection.

Effect despite subsection (1)

(5) Subsections (2), (3) and (4) have effect despite subsection (1).

Effect despite subsection (1)

(5) Subsections (2), (3) and (4) have effect despite subsection (1).

Note 1: Under section 187LA of the Telecommunications (Interception and Access) Act 1979, service providers are, in relation to their activities relating to retained data, treated as organisations for the purposes of this Act.

Note: 2: Regulations may prescribe an instrumentality by reference to one or more classes of instrumentality. See subsection 13(3) of the Legislation Act 2003.

(4) Before the Governor General makes regulations prescribing an instrumentality of a State or Territory for the purposes of the definition of organisation in subsection (1), the Minister must:

(5) In this section:

State does not include the Australian Capital Territory or the Northern Territory (despite subsection 6(1)).

(5) Subsection (4) does not prevent an individual from being a small business operator merely because he or she does something described in paragraph (4)(b), (c) or (d):

(6) Subsection (4) does not prevent a body corporate, partnership, unincorporated association or trust from being a small business operator merely because it does something described in paragraph (4)(b), (c) or (d) otherwise than in the course of a business it carries on.

(9) Despite subsection (3), a body corporate is not a small business operator if it is related to a body corporate that carries on a business that is not a small business.

Note: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.

(1) This Act applies, with the prescribed modifications (if any), in relation to a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.

Note 1: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note 2: Regulations may prescribe a small business operator by reference to one or more classes of small business operator. See subsection 13(3) of the Legislation Act 2003.

(2) This Act also applies, with the prescribed modifications (if any), in relation to the prescribed acts or practices of a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.

Note 1: The regulations may prescribe different modifications of the Act for different acts, practices or small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note 2: Regulations may prescribe an act, practice or small business operator by reference to one or more classes of acts, practices or small business operators. See subsection 13(3) of the Legislation Act 2003.

(3) In this section:

(4) Before the Governor General makes regulations prescribing a small business operator, act or practice for the purposes of subsection (1) or (2), the Minister must:

(1) This Act applies in relation to a small business operator as if the operator were an organisation while a choice by the operator to be treated as an organisation is registered under this section.

Note: A small business operator may revoke such a choice by writing given to the Commissioner. See subsection 33(3) of the Acts Interpretation Act 1901.

(6) The Commissioner must make the register available to the public in the way that the Commissioner determines. However, the Commissioner must not make available to the public in the register information other than that described in subsection (3).

(1) This Act applies, with the prescribed modifications (if any), in relation to a prescribed State or Territory authority or a prescribed instrumentality of a State or Territory (except an instrumentality that is an organisation because of section 6C) as if the authority or instrumentality were an organisation.

Note 1: The regulations may prescribe different modifications of the Act for different authorities or instrumentalities. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note 2: Regulations may prescribe an authority or instrumentality by reference to one or more classes of authority or instrumentality. See subsection 13(3) of the Legislation Act 2003.

(3) Before the Governor General makes regulations prescribing a State or Territory authority or instrumentality of a State or Territory for the purposes of subsection (1), the Minister must:

(4) The regulations may prescribe an activity that, despite subsections (1) and (2) is not to be treated as a health service for the purposes of this Act.

(4) An organisation or small business operator is a credit provider if subsection 6H(1), 6J(1) or 6K(1) provides that the organisation or operator is a credit provider.

(5) Despite subsections (1) to (4) of this section, an organisation or small business operator acting in the capacity of:

(6) Despite subsections (1) to (4) of this section, an organisation or small business operator is not a credit provider if it is included in a class of organisations or operators prescribed by the regulations.

(2) Subsection (1) does not apply if the principal is an organisation or small business operator that is a credit provider because of a previous application of that subsection.

(3) If subsection (1) applies in relation to credit that has been provided by the principal, the credit is taken, for the purposes of this Act, to have been provided by both the principal and the agent.

(4) If subsection (1) applies in relation to credit for which an application has been made to the principal, the application is taken, for the purposes of this Act, to have been made to both the principal and the agent.

(2) Subsection (1) does not apply if the original credit provider is an organisation or small business operator that is a credit provider because of a previous application of that subsection.

(3) If subsection (1) applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by both the original credit provider and the securitisation entity.

(4) If subsection (1) applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to both the original credit provider and the securitisation entity.

(2) If subsection (1) of this section applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by the acquirer.

(3) If subsection (1) of this section applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to the acquirer.

(3) Without limiting subsection (1), credit includes:

(2) Subsection (1) applies whether or not the information about the credit worthiness of an individual is:

(4) Despite subsection (1), a business or undertaking is not a credit reporting business if the business or undertaking is included in a class of businesses or undertakings prescribed by the regulations.

(1) Except so far as the contrary intention appears, a reference in this Act (other than section 8) to an act or to a practice is a reference to:

(1A) Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice so far as it involves the disclosure of personal information to:

(1B) Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice by an agency with an intelligence role or function (within the meaning of the Office of National Intelligence Act 2018) so far as it involves the disclosure of personal information to the Office of National Intelligence.

(2) Except so far as the contrary intention appears, a reference in this Act (other than section 8) to an act or to a practice includes, in the application of this Act otherwise than in respect of the Australian Privacy Principles, a registered APP code and the performance of the Commissioner’s functions in relation to the principles and such a code, a reference to an act done, or a practice engaged in, as the case may be, by an agency specified in Part I of Schedule 2 to the Freedom of Information Act 1982 or in Division 1 of Part II of that Schedule other than:

(4) For the purposes of section 28, of paragraphs 28A(2)(a) to (e), of subsection 31(2) and of Part VI, this section has effect as if a reference in subsection (1) of this section to an act done, or to a practice engaged in, included a reference to an act that is proposed to be done, or to a practice that is proposed to be engaged in, as the case may be.

(1) This Act applies, with the prescribed modifications (if any), in relation to an act or practice described in subsection (2) or (3) as if:

(2) Subsection (1) applies to acts done, and practices engaged in, by a prescribed agency. Regulations for this purpose may prescribe an agency only if it is specified in Part I of Schedule 2 to the Freedom of Information Act 1982.

(3) Subsection (1) also applies to acts and practices that:

(4) This section has effect despite subparagraph 7(1)(a)(i), paragraph 7(1)(c) and subsection 7(2).

Note: See also section 16 which provides that the Australian Privacy Principles do not apply for the purposes of, or in connection with, an individual’s personal, family or household affairs.

Subcontractors for organisations covered by subsection (1) etc.

Effect of subsection (4) on other operation of Act

(5) Subsection (4) does not otherwise affect the operation of the Act in relation to agents or principals.

(6) In this section:

Note: To avoid doubt, this section does not make exempt for the purposes of paragraph 7(1)(ee) an act or practice of the political representative, contractor, subcontractor or volunteer for a registered political party involving the use or disclosure (by way of sale or otherwise) of personal information in a way not covered by subsection (1), (2), (3) or (4) (as appropriate). The rest of this Act operates normally in relation to that act or practice.

(2) Subject to subsection (3), where a record that contains tax file number information is in the possession or under the control of a person:

Where, but for this section, a provision of this Act:

(1) Without limiting its effect apart from this section, this Act has effect in relation to the following (the regulated entities) as provided by this section:

Note: Subsection 27(4) applies in relation to an investigation of an act or practice referred to in subsection 29(1) of the Healthcare Identifiers Act 2010.

(3) This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to acts or practices covered by section 5B (which deals with acts and practices outside Australia and the external Territories).

Note: See subsections 6A(2) and 6B(2) for when an act or practice does not breach an Australian Privacy Principle or a registered APP code.

(4A) If an entity (within the meaning of Part IIIC) contravenes subsection 26WH(2), 26WK(2), 26WL(3) or 26WR(10), the contravention is taken to be an act that is an interference with the privacy of an individual.

(1) Despite subsection 13(1), each of the following acts or practices of an organisation that is a body corporate is not an interference with the privacy of an individual:

Note: Subsection (1) lets related bodies corporate share personal information. However, in using or holding the information, they must comply with the Australian Privacy Principles and a registered APP code that binds them. For example, there is an interference with privacy if:

Note: The effect of subsection (1A) is that a body corporate’s failure to comply with the Australian Privacy Principles, or a registered APP code that binds the body, in collecting personal information about an individual from a related body corporate covered by that subsection is an interference with the privacy of the individual.

Relationship with subsection 13(3)

(2) Subsection (1) does not prevent an act or practice of an organisation from being an interference with the privacy of an individual under subsection 13(3).

Note: Subsection (1) lets personal information be passed on from an old to a new partnership. However, in using or holding the information, they must comply with the Australian Privacy Principles and a registered APP code that binds them. For example, the new partnership’s use of personal information collected from the old partnership may constitute an interference with privacy if it breaches Australian Privacy Principle 6.

Effect of subsection (1)

(2) Subsection (1) has effect despite subsections 13(1) and (3).

Effect of subsection (1)

(2) Subsection (1) has effect despite subsections 13(1) and (3).

Sections 13B, 13C and 13D do not prevent an act or practice of an organisation from being an interference with the privacy of an individual under subsection 13(2), (4) or (5).

An act or practice that is not covered by section 13 is not an interference with the privacy of an individual.

An entity contravenes this subsection if:

(2) The Commissioner may, by legislative instrument, make rules relating to the collection, use or disclosure of personal information that apply for the purposes of item 3 of the table in subsection (1).

(1) This section applies if:

A file number recipient shall not do an act, or engage in a practice, that breaches a rule issued under section 17.

(1) The object of this section is to ensure that credit reporting bodies manage credit reporting information in an open and transparent way.

(4) Without limiting subsection (3), the policy of the credit reporting body must contain the following information:

(2) Subsection (1) does not apply if the collection of the credit information is required or authorised by or under an Australian law or a court/tribunal order.

(3) Subsection (1) does not apply if:

(4) Subsection (1) does not apply if:

(8) This section applies to the collection of credit information that is solicited by a credit reporting body.

the body must, within a reasonable period after receiving the information, determine whether or not the body could have collected the information under section 20C if the body had solicited the information.

(2) The credit reporting body may use or disclose the credit information for the purposes of making the determination under subsection (1).

(3) If the credit reporting body determines that it could have collected the credit information, sections 20E to 20ZA apply in relation to the information as if the body had collected the information under section 20C.

(5) Subsection (4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.

(2) Subsection (1) does not apply to the use of credit reporting information about the individual if:

(3) Subsection (1) does not apply to the disclosure of credit reporting information about the individual if:

(5) If a credit reporting body discloses credit reporting information under this section, the body must make a written note of that disclosure.

(6) This section does not apply to the use or disclosure of credit reporting information for the purposes of direct marketing.

Note: Section 20G deals with the use or disclosure of credit reporting information for the purposes of direct marketing.

(2) The consent of the individual under paragraph (b) of item 2 of the table in subsection (1) must be given in writing unless:

(2) Subsection (1) does not apply to the use by the credit reporting body of credit information about the individual for the purposes of direct marketing by, or on behalf of, a credit provider if:

(5) An individual may request a credit reporting body that holds credit information about the individual not to use the information under subsection (2).

(6) If the individual makes a request under subsection (5), the credit reporting body must not charge the individual for the making of the request or to give effect to the request.

(7) If a credit reporting body uses credit information under subsection (2), the body must make a written note of that use.

(2) Subsection (1) does not apply if:

(3) If the credit reporting body discloses the pre screening assessment under subsection (2), the body must make a written note of that disclosure.

(4) If the credit reporting body discloses the pre screening assessment under subsection (2), the recipient must not use or disclose the assessment.

(5) Subsection (4) does not apply if the recipient uses the pre screening assessment for the purposes of the direct marketing by, or on behalf of, the credit provider.

(6) If the recipient uses the pre screening assessment under subsection (5), the recipient must make a written note of that use.

(2) Subsection (1) does not apply if:

(5) A ban period for credit reporting information may be extended more than once under subsection (4).

(2) Subsection (1) does not apply if the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order.

(2) Subsection (1) does not apply to the use or disclosure of the de identified information if:

(4) Without limiting subsection (3), the rules may relate to the following matters:

(3) Without limiting subsections (1) and (2), a credit reporting body must:

(2) A credit reporting body must not use or disclose credit reporting information under this Division (other than subsections 20D(2) and 20T(4)) if the information is false or misleading in a material particular.

(2) Without limiting subsection (1), a credit reporting body must:

(2) Despite subsection (1), the credit reporting body is not required to give the access seeker access to the credit reporting information to the extent that:

(5) If a request under subsection (1) in relation to the individual has not been made to the credit reporting body in the previous 12 months, the body must not charge the access seeker for the making of the request or for giving access to the information.

(6) If subsection (5) does not apply, any charge by the credit reporting body for giving access to the information must not be excessive and must not apply to the making of the request.

(7) If the credit reporting body refuses to give access to the information because of subsection (2), the body must give the access seeker a written notice that:

(3) Subsection (2) does not apply if:

(3) If the credit reporting body considers that the body cannot be satisfied of the matter referred to in subsection (2) in relation to the personal information without consulting either or both of the following (the interested party):

(4) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.

(1) This section applies if an individual requests a credit reporting body to correct personal information under subsection 20T(1).

(2) If the credit reporting body corrects the personal information under subsection 20T(2), the body must, within a reasonable period:

(3) If the credit reporting body does not correct the personal information under subsection 20T(2), the body must, within a reasonable period, give the individual written notice that:

(5) Subsection (2) or (3) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.

(1) This section applies if:

(3) Despite subsection (2), the credit reporting body must neither destroy the credit information nor ensure that the information is de identified, if immediately before the retention period ends:

(4) Subsection (2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.

(6) Despite subsection (5), the credit reporting body must neither destroy the CRB derived information nor ensure that the information is de identified, if immediately before the retention period ends:

(7) Subsection (5) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the CRB derived information.

(3) If personal insolvency information relates to a direction given, or an order made, under section 50 of the Bankruptcy Act, the retention period for the information is the period that ends on the day on which the control of the property to which the direction or order relates ends.

Note: See subsection 50(1B) of the Bankruptcy Act for when the control of the property ends.

(4) If the personal insolvency information relates to an authority signed under section 188 of the Bankruptcy Act, the retention period for the information is the period that ends on the day on which the property to which the authority relates is no longer subject to control under Division 2 of Part X of that Act.

(5) An expression used in this section that is also used in the Bankruptcy Act has the same meaning in this section as it has in that Act.

(1) This section applies if:

(3) Subsection (2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit reporting information.

(5) Subsection (4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notification.

(1) This section applies if a credit reporting body holds credit reporting information about an individual and either:

(2) The credit reporting body must, as soon as practicable, notify in writing the Commissioner of the matter referred to in paragraph (1)(a) or (b) of this section.

(4) However, the credit reporting body may use or disclose the information under this subsection if:

(5) If the credit reporting body uses or discloses the information under subsection (4), the body must make a written note of the use or disclosure.

(7) If the Commissioner gives a direction under subsection (6) to the credit reporting body, the body must comply with the direction.

(8) To avoid doubt, section 20M applies in relation to credit reporting information that is de identified as a result of the credit reporting body complying with the direction.

(1) This section applies if a credit reporting body is not required:

(3) However, the credit reporting body may use or disclose the information under this subsection if the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.

(4) If the credit reporting body uses or discloses the information under subsection (3), the body must make a written note of the use or disclosure.

(5) Subdivision E of this Division (other than section 20Q) does not apply in relation to the use or disclosure of the information.

Note: Section 20Q deals with the security of credit reporting information.

(2) If the credit provider is an APP entity, this Division may apply to the provider in relation to information referred to in subsection (1) in addition to, or instead of, the Australian Privacy Principles.

(1) The object of this section is to ensure that credit providers manage credit information and credit eligibility information in an open and transparent way.

(4) Without limiting subsection (3), the policy of the credit provider must contain the following information:

(2) If a credit provider is an APP entity, subsection (1) applies to the provider in relation to personal information in addition to Australian Privacy Principle 5.

(2) Subsection (1) does not apply to the disclosure of credit information about the individual if:

Note: Section 21F limits the disclosure of credit information if there is a ban period for the information.

(3) Credit information about an individual meets the requirements of this subsection if:

(6) If a credit provider discloses credit information under this section, the provider must make a written note of that disclosure.

the provider must, within a reasonable period after the amount is paid, disclose payment information about the amount to the body under that section.

(1) This section applies if:

(2) If the credit provider holds credit information about the individual that relates to the consumer credit, the provider must not, despite sections 21D and 21E, disclose the information to a credit reporting body.

(3) Subsection (2) does not apply if the credit provider has taken such steps as are reasonable in the circumstances to verify the identity of the individual.

(2) Subsection (1) does not apply to the use of credit eligibility information about the individual if:

(3) Subsection (1) does not apply to the disclosure of credit eligibility information about the individual if:

Note: See section 21NA for additional rules about the disclosure of credit eligibility information under paragraph (3)(b) or (c).

(4) However, if the credit eligibility information about the individual is, or was derived from, repayment history information about the individual, the credit provider must not disclose the information under subsection (3).

(5) Subsection (4) does not apply if:

(6) If a credit provider uses or discloses credit eligibility information under this section, the provider must make a written note of that use or disclosure.

Note: See section 21NA for additional rules about the disclosure of credit eligibility information under this subsection.

(3) This subsection applies to the credit eligibility information if the recipient proposes to use the information:

(3) Before a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link, the provider must take such steps as are reasonable in the circumstances to ensure that the person or body does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.

(1) This section applies if:

(3) A credit provider must not disclose credit information under section 21D if the information is false or misleading in a material particular.

(2) Despite subsection (1), the credit provider is not required to give the access seeker access to the credit eligibility information to the extent that:

(7) If the provider refuses to give access to the information because of subsection (2), the provider must give the access seeker a written notice that:

(3) Subsection (2) does not apply if:

Note: Identification information may be corrected under this section or Australian Privacy Principle 13.

(3) If the credit provider considers that the provider cannot be satisfied of the matter referred to in subsection (2) in relation to the personal information without consulting either or both of the following (the interested party):

(4) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.

Note: Identification information may be corrected under this section or Australian Privacy Principle 13.

(1) This section applies if an individual requests a credit provider to correct personal information under subsection 21V(1).

(2) If the credit provider corrects personal information about the individual under subsection 21V(2), the provider must, within a reasonable period:

(3) If the credit provider does not correct the personal information under subsection 21V(2), the provider must, within a reasonable period, give the individual written notice that:

(5) Subsection (2) or (3) does not apply if the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.

(1) The object of this section is to ensure that an affected information recipient manages the regulated information of the recipient in an open and transparent way.

(4) Without limiting subsection (3), the policy of the affected information recipient must contain the following information:

(2) Subsection (1) does not apply to the use of the information if:

(3) Subsection (1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.

(2) Subsection (1) does not apply to the use or disclosure of the information by the body corporate if the body would be permitted to use or disclose the information under section 21G if the body were the credit provider.

(3) In determining whether the body corporate would be permitted to use or disclose the information under section 21G, assume that the body is whichever of the following is applicable:

(2) Subsection (1) does not apply to the use of the information if:

(3) Subsection (1) does not apply to the disclosure of the information if:

(2) Subsection (1) does not apply to the use of the information if:

(3) Subsection (1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.

Note: A complaint about a breach of section 20R or 20T, or a provision of the registered CR code that relates to that section, may be made to the Commissioner under Part V.

Note: A complaint about a breach of section 21T or 21V, or a provision of the registered CR code that relates to that section, may be made to the Commissioner under Part V.

(1) If an individual makes a complaint under section 23A, the respondent for the complaint:

(3) The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.

(4) After investigating the complaint, the respondent must, within the period referred to in subsection (5), make a decision about the complaint and give the individual a written notice that:

(5) The period for the purposes of subsection (4) is:

(1) This section applies if an individual makes a complaint under section 23A about an act or practice that may breach section 20S or 21U (which deal with the correction of personal information by credit reporting bodies and credit providers).

(6) Subsection (2), (3), (4) or (5) does not apply if:

(1) This section applies if:

(3) Without limiting subsection (2), examples of orders the court may make include:

(3) Subsection 12(2) (retrospective application of legislative instruments) of the Legislation Act 2003 does not apply to a registered APP code.

If a registered APP code covers an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3), this Act applies in relation to the code as if that act or practice were not exempt.

(6) Despite paragraph (5)(a), the Commissioner must not require an APP code to cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3). However, the APP code that is developed by the APP code developer may cover such an act or practice.

(1) This section applies if the Commissioner made a request under subsection 26E(2) and either:

(2) The Commissioner may develop an APP code if the Commissioner is satisfied that it is in public interest to develop the code. However, despite subsection 26C(3)(b), the APP code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).

(3) Before registering the APP code under section 26H, the Commissioner must:

(3) If the Commissioner varies a registered APP code on his or her own initiative, then, despite subsection 26C(3)(b), the variation must not deal with an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).

(5) In deciding whether to approve a variation, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.

Note: The APP code, as varied, is a legislative instrument once it is included on the Codes Register: see section 26B.

(4) In deciding whether to remove the registered APP code, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.

Note: There must always be one, and only one, registered CR code at all times after this Part commences: see subsection 26S(4).

(3) Subsection 12(2) (retrospective application of legislative instruments) of the Legislation Act 2003 does not apply to the registered CR code.

(1) The Commissioner may develop a CR code if the Commissioner made a request under section 26P and either:

(2) Before registering the CR code under section 26S, the Commissioner must:

(4) In deciding whether to approve a variation, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.

Note: The CR code, as varied, is a legislative instrument once it is included on the Codes Register: see section 26M.

(2) Despite subsection (1), the Commissioner is not required to include on the Codes Register:

Note: See section 21NA.

has been, or is required to be, notified under section 75 of the My Health Records Act 2012, this Part does not apply in relation to the access, disclosure or loss.

(1) This section applies if:

(3) Subsection (2) has effect subject to section 26WF.

(1) This section applies if:

Note: Section 26WK applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.

that section does not apply in relation to those eligible data breaches of those other entities.

(1) This section applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.

(1) This section applies if:

Note: See also subsections 26WF(2) and (5), which deal with remedial action.

(3) The entity must comply with subsection (2) as soon as practicable after the completion of the preparation of the statement.

(4) If the entity normally communicates with a particular individual using a particular method, the notification to the individual under paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).

those sections do not apply in relation to those eligible data breaches of those other entities.

paragraph 26WK(3)(d) and section 26WL do not apply in relation to:

(1) For the purposes of this section, secrecy provision means a provision that:

(2) If compliance by an entity with subparagraph 26WK(2)(a)(ii) in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), subsection 26WK(2) does not apply to the entity, in relation to the statement, to the extent of the inconsistency.

(3) If compliance by an entity with section 26WL in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), section 26WL does not apply to the entity, in relation to the statement, to the extent of the inconsistency.

(4) For the purposes of this section, prescribed secrecy provision means a secrecy provision that is specified in the regulations.

(6) If compliance by an entity with subparagraph 26WK(2)(a)(ii) in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, subsection 26WK(2) does not apply to the entity in relation to the statement.

(7) If compliance by an entity with section 26WL in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, section 26WL does not apply to the entity in relation to the statement.

as if that subsection required compliance with subsection 26WL(2) before the end of a period specified in the declaration.

(2) The Commissioner’s power in paragraph (1)(d) may only be used to extend the time for compliance with subsection 26WL(2) to the end of a period that the Commissioner is satisfied is reasonable in the circumstances.

(3) The Commissioner must not make a declaration under subsection (1) unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the following:

(5) The Commissioner may give a notice of a declaration to an entity under subsection (1):

(9) If an entity applies to the Commissioner under paragraph (5)(b) for a declaration that, to any extent, relates to an eligible data breach of the entity, sections 26WK and 26WL do not apply in relation to:

Note: See also subsections 26WF(2) and (5), which deal with remedial action.

(3) Before giving a direction to an entity under subsection (1), the Commissioner must invite the entity to make a submission to the Commissioner in relation to the direction within the period specified in the invitation.

(5) A direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out specified information that relates to the eligible data breach that the Commissioner has reasonable grounds to believe has happened.

(6) In deciding whether to give a direction to an entity under subsection (1), the Commissioner must have regard to the following:

(8) If the Commissioner is aware that there are reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, a direction under subsection (1) may also require the statement referred to in paragraph (1)(a) to set out the identity and contact details of those other entities.

(9) If an entity normally communicates with a particular individual using a particular method, the notification to the individual mentioned in paragraph (2)(a) or (b) may use that method. This subsection does not limit paragraph (2)(a) or (b).

(10) An entity must comply with a direction under subsection (1) as soon as practicable after the direction is given.

An entity is not required to comply with a direction under subsection 26WR(1) if:

(1) For the purposes of this section, secrecy provision means a provision that:

(2) If compliance by an entity with paragraph 26WR(1)(b) or subsection 26WR(2) in relation to a statement would, to any extent, be inconsistent with a secrecy provision (other than a prescribed secrecy provision), paragraph 26WR(1)(b) or subsection 26WR(2), as the case may be, does not apply to the entity, in relation to the statement, to the extent of the inconsistency.

(3) For the purposes of this section, prescribed secrecy provision means a secrecy provision that is specified in the regulations.

(5) If compliance by an entity with paragraph 26WR(1)(b) or subsection 26WR(2) in relation to a statement would, to any extent, be inconsistent with a prescribed secrecy provision, paragraph 26WR(1)(b) or subsection 26WR(2), as the case may be, does not apply to the entity in relation to the statement.

(3) Without limiting subsection (2), the Commissioner may establish a panel of persons with expertise in relation to a particular matter to assist the Commissioner in performing any of the Commissioner’s functions.

(4) Section 38 of the Healthcare Identifiers Act 2010, rather than section 12B of this Act, applies in relation to an investigation of an act or practice referred to in subsection 29(1) of that Act in the same way as it applies to Parts 3 and 4 of that Act.

Note: Section 38 of the Healthcare Identifiers Act 2010 deals with the additional effect of Parts 3 and 4 of that Act.

Note: The objects of this Act are set out in section 2A.

(1) Where the Commissioner has investigated an act or practice without a complaint having been made under section 36, the Commissioner may report to the Minister about the act or practice, and shall do so:

(2) Where the Commissioner reports under subsection (1) about an act done in accordance with a practice, the Commissioner shall also report to the Minister about the practice.

(3) Where, after an investigation of an act or practice of an agency, file number recipient, credit reporting body or credit provider that is an interference with the privacy of an individual under subsection 13(1), (2) or (4), the Commissioner is required by virtue of paragraph (1)(b) of this section to report to the Minister about the act or practice, the Commissioner:

(4) Where, at the end of 60 days after a copy of a report about an act or practice of an agency, file number recipient, credit reporting body or credit provider was served under subsection (3), the Commissioner:

(5) The Minister shall cause a copy of a report given to the Minister under subsection (4) to be laid before each House of the Parliament within 15 sitting days of that House after the report is received by the Minister.

(1) Where the Commissioner has examined a proposed enactment under paragraph 28A(2)(a), subsections (2) and (3) of this section have effect.

(5) The Minister shall cause a copy of a report given under subsection (4) to be laid before each House of the Parliament as soon as practicable, and no later than 15 sitting days of that House, after the report is received by the Minister.

(3) The Minister shall cause a copy of a report given under subsection (2) to be laid before each House of the Parliament as soon as practicable, and no later than 15 sitting days of that House, after the report is received by the Minister.

(1) In setting out findings, opinions and reasons in a report to be given under section 30, 31 or 32, the Commissioner may exclude a matter if the Commissioner considers it desirable to do so having regard to the obligations of the Commissioner under subsections (2) and (3).

(2) In deciding under subsection (1) whether or not to exclude matter from a report, the Commissioner shall have regard to the need to prevent:

(3) The Commissioner shall try to achieve an appropriate balance between meeting the need referred to in subsection (2) and the desirability of ensuring that interested persons are sufficiently informed of the results of the Commissioner’s investigation, examination or monitoring.

(5) In this section:

(2) A direction under subsection (1) is not a legislative instrument.

(4) Subsection (3) does not limit the matters that the privacy impact assessment may deal with.

(6) If an agency does not comply with a direction under subsection (1), the Commissioner must advise both of the following of the failure:

(7) Before the fifth anniversary of the commencement of this section, the Minister must cause a review to be undertaken of whether this section should apply in relation to organisations.

(3) An expression used in this section and in the Freedom of Information Act 1982 has the same meaning in this section as in that Act.

(2) An agency shall comply with a direction given in accordance with subsection (1).

(3) In subsection (1), amend, in relation to a document, means amend by making a correction, deletion or addition.

(4) An expression used in this section and in the Freedom of Information Act 1982 has the same meaning in this section as in that Act.

(4) A notice under subsection (1) is not a legislative instrument.

(2) In the case of an act or practice that may be an interference with the privacy of 2 or more individuals, any one of those individuals may make a complaint under subsection (1) on behalf of all of the individuals.

(2A) In the case of a representative complaint, this section has effect subject to section 38.

Note: Sections 98A to 98C contain further rules about how this Part operates in relation to respondent organisations that are not legal persons.

(8) The respondent to a complaint about an act or practice described in subsection 13(2), (4) or (5), other than an act or practice of an agency or organisation, is the person or entity who engaged in the act or practice.

(1) A representative complaint may be lodged under section 36 only if:

(2) A representative complaint made under section 36 must:

Note: If a class member withdraws from a representative complaint that relates to a matter, the former member may make a complaint under section 36 that relates to the matter.

(1) Subject to subsection (1A), the Commissioner shall investigate an act or practice if:

(1A) The Commissioner must not investigate a complaint if the complainant did not complain to the respondent before making the complaint to the Commissioner under section 36. However, the Commissioner may decide to investigate the complaint if he or she considers that it was not appropriate for the complainant to complain to the respondent.

(1B) Subsection (1A) does not apply if the complaint is about an act or practice that may breach:

(3) This section has effect subject to section 41.

(2) Subsection (1) does not apply if the Commissioner has decided under section 41 or 50 not to investigate, or not to investigate further, the act or practice.

(4) If a notification is given under subsection (3), the Commissioner may decide not to investigate, or not to investigate further, the act or practice.

(1) The Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under section 36 if the Commissioner is satisfied that:

(1A) The Commissioner must not investigate, or investigate further, an act or practice about which a complaint has been made under section 36 if the Commissioner is satisfied that the complainant has withdrawn the complaint.

(2) The Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under section 36 if the Commissioner is satisfied that the complainant has complained to the respondent about the act or practice and either:

(3) The Commissioner may defer the investigation or further investigation of an act or practice about which a complaint has been made under section 36 if:

(2) The Commissioner may make inquiries of any person for the purpose of determining whether to investigate an act or practice under subsection 40(2).

(1AA) Before commencing an investigation of an act or practice of a person or entity under subsection 40(2), the Commissioner must inform the person or entity that the act or practice is to be investigated.

Note: See subsection 6(9) about provision of services to an agency.

(4) The Commissioner may make a determination under section 52 in relation to an investigation under this Division without holding a hearing, if:

(7) Where, in connection with an investigation of a matter under this Division, the Commissioner proposes to hold a hearing, or proposes to make a requirement of a person under section 44, the Commissioner shall, if he or she has not previously informed the responsible Minister (if any) that the matter is being investigated, inform that Minister accordingly.

(8A) Subsection (8) does not allow the Commissioner to discuss a matter relevant to an investigation of a breach of the Australian Privacy Principles or a registered APP code with a Minister, unless the investigation is of an act done, or practice engaged in:

(1) An interested party in relation to an investigation under this Division may, in writing, request that the Commissioner hold a hearing before the Commissioner makes a determination under section 52 in relation to the investigation.

(2) If an interested party makes request under subsection (1), the Commissioner must:

(3) In this section:

(2) A notice given by the Commissioner under subsection (1) shall state:

(2A) If documents are produced to the Commissioner in accordance with a requirement under subsection (1), the Commissioner:

(4) This section is subject to section 70 but it has effect regardless of any other enactment.

(1) The Commissioner may administer an oath or affirmation to a person required under section 44 to attend before the Commissioner and may examine such a person on oath or affirmation.

(2) The oath or affirmation to be taken or made by a person for the purposes of this section is an oath or affirmation that the answers the person will give will be true.

(2A) Subsection (2) does not apply if the person has a reasonable excuse.

Note: A defendant bears an evidential burden in relation to the matter in subsection (2A) (see subsection 13.3(3) of the Criminal Code).

(3) A person who has been directed under subsection (1) to attend a conference is entitled to be paid by the Commonwealth a reasonable sum for the person’s attendance at the conference.

(4) The Commissioner may, in a notice given to a person under subsection (1), require the person to produce such documents at the conference as are specified in the notice.

(3) A body of persons, whether corporate or unincorporate, that is directed under section 46 to attend a conference shall be deemed to attend if a member, officer or employee of that body attends on behalf of that body.

Note: See subsection 6(9) about provision of services to an agency.

(1) Where, in the course of an investigation under section 40, the Commissioner forms the opinion that a tax file number offence, a healthcare identifier offence, an AML/CTF verification offence or a credit reporting offence may have been committed, the Commissioner shall:

(4) In subsection (1):

AML/CTF verification offence (short for anti money laundering and counter terrorism financing offence) means an offence against section 35H, 35J or 35K of the Anti Money Laundering and Counter Terrorism Financing Act 2006.

(1) If, in the course of an investigation under section 40, the Commissioner forms the opinion that subsection 172(3) of the Personal Property Securities Act 2009 (civil penalty for searching otherwise than for authorised purposes) may have been contravened, the Commissioner must:

(3) Upon receiving a notice under subsection (2), the Commissioner may continue an investigation discontinued under paragraph (1)(c).

(1) In this section:

(3) A complaint transferred under subsection (2) shall be taken to be:

(1) This section lets the Commissioner substitute an agency for an organisation as respondent to a complaint if:

Note 2: The Commissioner may determine under section 53B that the determination applies in relation to an agency if the organisation has not complied with the determination.

(4) If the Commissioner amends the complaint after starting to investigate it, the Commissioner is taken to have satisfied subsection 43(1A) in relation to the agency.

(1A) After investigating an act or practice of a person or entity under subsection 40(2), the Commissioner may make a determination that includes one or more of the following:

(1AB) The loss or damage referred to in paragraph (1)(b) or subsection (1A) includes:

(1B) A determination of the Commissioner under subsection (1) or (1A) is not binding or conclusive between any of the parties to the determination.

(3A) A determination under paragraph (1)(b) or subsection (1A) may include any order that the Commissioner considers necessary or appropriate.

(6) In this section:

A determination under section 52 on a representative complaint must describe or otherwise identify those of the class members who are to be affected by the determination.

(1) This section applies if:

(2) The Commissioner may determine in writing that the determination under section 52 instead applies in relation to a specified agency to which services were or were to be provided under the contract. The determination has effect according to its terms for the purposes of section 60.

(1) This Division applies to a determination made under section 52 after the commencement of this Division, except where the determination applies in relation to an agency or the principal executive of an agency.

(2) In this section:

(6) Despite subsection (5), the court may receive any of the following as evidence in proceedings about a determination made by the Commissioner under section 52:

(7A) In conducting a hearing and making an order under this section, the court is to have due regard to the objects of this Act.

(8) In this section:

(3) In any proceedings under section 55A, a certificate under subsection (1) of this section is prima facie evidence of the facts found by the Commissioner and set out in the certificate. However, the certificate is not prima facie evidence of a finding that:

(4) A document purporting to be a certificate under subsection (1) must, unless the contrary is established, be taken to be a certificate and to have been properly given.

(1) This Division applies to a determination that is made under section 52 and that applies in relation to an agency or the principal executive of an agency.

(2) In this section:

(1) If a determination to which this Division applies includes a declaration of the kind referred to in subparagraph 52(1)(b)(iii), paragraph 52(1A)(d) or subsection 52(3), the complainant or individual is entitled to be paid the amount specified in the declaration.

(2B) If a determination relates to a Norfolk Island agency, the reference in subsection (2) to the Commonwealth is to be read as a reference to Norfolk Island.

(3) In this section:

(1) If an agency fails to comply with section 58, an application may be made to the Federal Court or the Federal Circuit Court for an order directing the agency to comply.

(2) If the principal executive of an agency fails to comply with section 59, an application may be made to the Federal Court or the Federal Circuit Court for an order directing the principal executive to comply.

(4) On an application under this section, the court may make such other orders as it thinks fit with a view to securing compliance by the agency or principal executive.

(5) An application may not be made under this section in relation to a determination under section 52 until:

(6) In this section:

the respondent may apply to the Attorney General for assistance under this section.

may apply to the Attorney General for the provision of assistance under this section in respect of the proceedings.

(2A) Subsection (2) does not permit an application relating to proceedings under section 55A to enforce a determination relating to a code complaint or an APP complaint.

(3) If the Attorney General is satisfied that in all the circumstances it is reasonable to grant an application made under this section, he or she may authorise the provision by the Commonwealth to the applicant of:

(4) An authorisation under subsection (3) may be made subject to such conditions (if any) as the Attorney General determines.

(5) In considering an application made under this section, the Attorney General must have regard to any hardship to the applicant that refusal of the application would involve.

(2) Subsection (1) does not apply if the person has a reasonable excuse.

Note: A defendant bears an evidential burden in relation to the matter in subsection (2) (see subsection 13.3(3) of the Criminal Code).

Penalty for a contravention of this subsection: Imprisonment for 12 months or 20 penalty units, or both.

(1A) For the purposes of subsection (1B), a journalist has a reasonable excuse if giving the information, answering the question or producing the document or record would tend to reveal the identity of a person who gave information or a document or record to the journalist in confidence.

(1B) Subsection (1) does not apply if the person has a reasonable excuse.

Note: A defendant bears an evidential burden in relation to the matter in subsection (1B) (see subsection 13.3(3) of the Criminal Code).

(2) For the purposes of subsections (3) to (11) (inclusive):

(3) Subject to subsections (4), (7) and (10), it is a reasonable excuse for the purposes of subsection (1B) for an individual:

(4) Subsection (3) does not apply in relation to a failure or refusal by an individual to give information, or to produce a document, on the ground that giving the information or producing the document might tend to prove his or her guilt of an offence against, or make him or her liable to forfeiture or a penalty under, a law of the Commonwealth or of a Territory, if the Director of Public Prosecutions has given the individual a written undertaking under subsection (5).

(6) The Commissioner may recommend to the Director of Public Prosecutions that an individual who has been, or is to be, required under this Act to give information or produce a document be given an undertaking under subsection (5).

(7) Subsection (3) does not apply in relation to a failure or refusal by an individual to give information, or to produce a document, on the ground that giving the information or producing the document might tend to prove his or her guilt of an offence against, or make him or her liable to forfeiture or a penalty under, a law of a State, if the Attorney General of the State, or a person authorised by that Attorney General (being the person holding the office of Director of Public Prosecutions, or a similar office, of the State) has given the individual a written undertaking under subsection (8).

(9) The Commissioner may recommend to the Attorney General of a State that an individual who has been, or is to be, required under this Act to give information or produce a document be given an undertaking under subsection (8).

(10) For the purposes of subsection (1B):

(11) Subsections (4), (7) and (10) do not apply where proceedings, in respect of which giving information or producing a document might tend to incriminate an individual or make an individual liable to forfeiture or a penalty, have been commenced against the individual and have not been finally dealt with by a court or otherwise disposed of.

(1) Subject to subsection (3), for the purposes of the performance by the Commissioner of his or her functions under this Act, a person authorised by the Commissioner in writing for the purposes of this section may, at any reasonable time of the day, enter premises occupied by an agency, an organisation, a file number recipient, a credit reporting body or a credit provider and inspect any documents that are kept at those premises and that are relevant to the performance of those functions, other than documents in respect of which the Attorney General has furnished a certificate under subsection 70(1) or (2).

(2) The occupier or person in charge of the premises shall provide the authorised person with all reasonable facilities and assistance for the effective exercise of the authorised person’s powers under subsection (1).

(3) A person shall not enter under subsection (1) premises other than premises that are occupied by an agency unless:

(4) If, on an application made by a person authorised by the Commissioner under subsection (1), a Magistrate is satisfied, by information on oath, that it is reasonably necessary, for the purposes of the performance by the Commissioner of his or her functions under this Act, that the person be empowered to enter the premises, the Magistrate may issue a warrant authorising the person, with such assistance as the person thinks necessary, to enter the premises, if necessary by force, for the purpose of exercising those powers.

(5) A warrant issued under subsection (4) shall state:

(6) Nothing in subsection (1) restricts the operation of any other provision of this Part.

(1) The Commissioner must issue to a person authorised for the purposes of section 68 an identity card in the form approved by the Commissioner. The identity card must contain a recent photograph of the authorised person.

(3) A person must not contravene subsection (2).

(2) Without limiting the operation of subsection (1), where the Attorney General furnishes to the Commissioner a certificate certifying that the giving to the Commissioner of information as to the existence or non existence of information concerning a specified matter (including the giving of information in answer to a question) or as to the existence or non existence of any document or other record required to be produced to the Commissioner would be contrary to the public interest:

Example 2: A small business operator chooses under section 6EA to be treated as an organisation, but later revokes the choice. A complaint about an act or practice the operator engaged in while the choice was registered under that section may be made and investigated under this Part as if the operator were an organisation.

For the purposes of this Part, a person is interested in an application made under section 73 if, and only if, the Commissioner is of the opinion that the person has a real and substantial interest in the application.

Effect of determination under subsection (2)

(3) The APP entity is taken not to contravene section 15 or 26A if the entity does the act, or engages in the practice, while the determination is in force under subsection (2).

Giving a determination under subsection (2) general effect

(4) The Commissioner may, by legislative instrument, make a determination that no APP entity is taken to contravene section 15 or 26A if, while that determination is in force, an APP entity does an act, or engages in a practice, that is the subject of a determination under subsection (2) in relation to that entity or any other APP entity.

Effect of determination under subsection (4)

(5) A determination under subsection (4) has effect according to its terms.

(1) An APP entity may apply in accordance with the regulations for a determination under section 72 about an act or practice of the entity.

(2) The CEO of the National Health and Medical Research Council may make an application under subsection (1) on behalf of other agencies concerned with medical research or the provision of health services.

(3) Where an application is made by virtue of subsection (2), a reference in the succeeding provisions of this Part to the agency is a reference to the CEO of the National Health and Medical Research Council.

(4) Where the Commissioner makes a determination under section 72 on an application made by virtue of subsection (2), that section has effect, in relation to each of the agencies on whose behalf the application was made as if the determination had been made on an application by that agency.

(1) Subject to subsection (2), the Commissioner shall publish, in such manner as he or she thinks fit, notice of:

(1) The Commissioner shall prepare a draft of his or her proposed determination in relation to the application unless the Commissioner dismisses the application under subsection 73(1A).

(3) An invitation under subsection (2) or subsection (2A) shall specify a period that begins on the day on which the invitation is sent and is not shorter than the prescribed period.

(1) This section applies if the Commissioner is satisfied that:

(2) The Commissioner may, by legislative instrument, make a determination that he or she is satisfied of the matters set out in subsection (1). The Commissioner may do so:

(3) The Commissioner must specify in the determination a period of up to 12 months during which the determination is in force (subject to subsection 80D(2)).

(1) If an act or practice of an APP entity is the subject of a temporary public interest determination, the entity is taken not to breach section 15 or 26A if the entity does the act, or engages in the practice, while the determination is in force.

(3) The Commissioner may, by legislative instrument, make a determination that no APP entity is taken to contravene section 15 or 26A if, while that determination is in force, an APP entity does an act, or engages in a practice, that is the subject of a temporary public interest determination in relation to that entity or another APP entity.

Effect of determination under subsection (3)

(4) A determination under subsection (3) has effect according to its terms.

(1) The fact that the Commissioner has made a determination under this Division about an act or practice does not prevent the Commissioner from dealing under Division 1 with an application made under section 73 in relation to that act or practice.

emergency declaration means a declaration under section 80J or 80K.

(2) For the purposes of this Part, a reference in the definition of personal information in subsection 6(1) to an individual is taken to include a reference to an individual who is not living.

(2) Without limiting subsection (1), any of the following is a permitted purpose in relation to an emergency or disaster:

The Prime Minister or the Minister may make a declaration under this section if the Prime Minister or the Minister (as the case may be) is satisfied that:

Note: A declaration under this section is merely a trigger for the operation of this Part and is not directly related to any other legislative or non legislative scheme about emergencies.

(1) The Prime Minister or the Minister may make a declaration under this section if the Prime Minister or the Minister (as the case may be) is satisfied that:

(2) The Minister must consult the Minister administering the Diplomatic Privileges and Immunities Act 1967 before the Minister makes a declaration under this section.

Note: A declaration under this section is merely a trigger for the operation of this Part and is not directly related to any other legislative or non legislative scheme about emergencies.

(2) An entity is not liable to any proceedings for contravening a secrecy provision in respect of a use or disclosure of personal information authorised by subsection (1), unless the secrecy provision is a designated secrecy provision (see subsection (7)).

(3) An entity is not liable to any proceedings for contravening a duty of confidence in respect of a disclosure of personal information authorised by subsection (1).

(4) An entity does not breach an Australian Privacy Principle, or a registered APP code that binds the entity, in respect of a collection, use or disclosure of personal information authorised by subsection (1).

(6) A collection, use or disclose of personal information by an officer or employee of an agency in the course of duty as an officer or employee is authorised by subsection (1) only if the officer or employee is authorised by the agency to collect, use or disclose the personal information.

(7) In this section:

(2) Subsection (1) does not apply to the following disclosures:

Note: A defendant bears an evidential burden in relation to a matter in subsection (2) (see subsection 13.3(3) of the Criminal Code).

(3) If a disclosure of personal information is covered by subsection (2), the disclosure is authorised by this section.

(1) The operation of this Part is not limited by a secrecy provision of any other law of the Commonwealth (whether made before or after the commencement of this Act) except to the extent that the secrecy provision expressly excludes the operation of this section.

Note: Section 3 provides for the concurrent operation of State and Territory laws.

(1A) The operation of this Part is not limited by a secrecy provision of a Norfolk Island enactment (whether made before or after the commencement of this subsection) except to the extent that the secrecy provision expressly excludes the operation of this subsection.

(1) Without limiting its effect apart from each of the following subsections of this section, this Part has effect in relation to a collection, use or disclosure as provided by that subsection.

(3) In this section:

(2) For the purposes of Part 6 of the Regulatory Powers Act, the Commissioner is an authorised person in relation to the provisions mentioned in subsection (1).

(3) For the purposes of Part 6 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsection (1):

(5) Part 6 of the Regulatory Powers Act, as it applies in relation to the provisions mentioned in subsection (1), extends to every external Territory.

(2) For the purposes of Part 7 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions mentioned in subsection (1):

(3) For the purposes of Part 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsection (1):

(4) Part 7 of the Regulatory Powers Act, as that Part applies in relation to the provisions mentioned in subsection (1), extends to every external Territory.

Advisory Committee means the Privacy Advisory Committee established by subsection 82(1).

(6) The Governor General shall so exercise the power of appointment conferred by subsection (3) that a majority of the appointed members are persons who are neither officers nor employees, nor members of the staff of an authority or instrumentality, of the Commonwealth.

(2) A disclosure under subsection (1) at a meeting of the Advisory Committee shall be recorded in the minutes of the meeting.

(2) Subsection (1) does not limit or restrict any other right that the confider has to relief in respect of the breach.

(2) Subsection (1) does not deprive a court of a State or of another Territory of any jurisdiction that it has.

(1) This section allows the Commissioner to approve for the purposes of the Australian Privacy Principles guidelines that are issued by the CEO of the National Health and Medical Research Council or a prescribed authority.

(3) The Commissioner may give an approval under subsection (2) only if satisfied that the public interest in the use and disclosure of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(3)).

(5) The Commissioner may give an approval under subsection (4) only if satisfied that the public interest in the collection of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the Australian Privacy Principles (disregarding subsection 16B(2)).

(6) The Commissioner may, by notice in the Gazette, revoke an approval of guidelines under this section if he or she is no longer satisfied of the matter that he or she had to be satisfied of to approve the guidelines.

(1) This section allows the Commissioner to approve for the purposes of the Australian Privacy Principles guidelines that are issued by the National Health and Medical Research Council.

(1) This section requires an agency entering into a Commonwealth contract to take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an Australian Privacy Principle if done or engaged in by the agency.

(4) For the purposes of subsection (3), a subcontract is a contract under which a contracted service provider for the Commonwealth contract is engaged to provide services to:

(5) This section applies whether the agency is entering into the Commonwealth contract on behalf of the Commonwealth or in the agency’s own right.

(2D) For the purposes of subsections (2A), (2B) and (2C), entity has the same meaning as in Part IIIC.

(1) If, apart from this subsection, this Act would impose an obligation on a partnership, the obligation is imposed instead on each partner but may be discharged by any of the partners.

(2) If, apart from this subsection, an offence against this Act would be committed by a partnership, the offence is taken to have been committed by each partner.

(3) If, apart from this subsection, a partnership would contravene a civil penalty provision, the contravention is taken to have been committed by each partner.

(4) A partner does not commit an offence against this Act because of subsection (2), or contravene a civil penalty provision because of subsection (3), if the partner:

Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matters in subsection (4) (see subsection 13.3(3) of the Criminal Code).

(1) If, apart from this subsection, this Act would impose an obligation on an unincorporated association, the obligation is imposed instead on each member of the association’s committee of management but may be discharged by any of the members.

(2) If, apart from this subsection, an offence against this Act would be committed by an unincorporated association, the offence is taken to have been committed by each member of the association’s committee of management.

(3) If, apart from this subsection, an unincorporated association would contravene a civil penalty provision, the contravention is taken to have been committed by each member of the association’s committee of management.

(4) A member of an unincorporated association’s committee of management does not commit an offence against this Act because of subsection (2), or contravene a civil penalty provision because of subsection (3), if the member:

Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matters in subsection (4) (see subsection 13.3(3) of the Criminal Code).

(1) If, apart from this subsection, this Act would impose an obligation on a trust, the obligation is imposed instead on each trustee of the trust but may be discharged by any of the trustees.

(2) If, apart from this subsection, an offence against this Act would be committed by a trust, the offence is taken to have been committed by each trustee of the trust.

(3) If, apart from this subsection, a trust would contravene a civil penalty provision, the contravention is taken to have been committed by each trustee of the trust.

(4) A trustee of a trust does not commit an offence against this Act because of subsection (2), or contravene a civil penalty provision because of subsection (3), if the trustee:

Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matters in subsection (4) (see subsection 13.3(3) of the Criminal Code).

(6) A reference in subsection (1) or (3) to the state of mind of a person includes a reference to:

(7) A reference in this section to a director of a body corporate includes a reference to a constituent member of a body corporate incorporated for a public purpose by a law of the Commonwealth, of a State or of a Territory.

(8) A reference in this section to engaging in conduct includes a reference to failing or refusing to engage in conduct.

(3) Subsection (2) does not apply to the making of regulations for the purposes of Australian Privacy Principle 9.3 that relate to the use or disclosure of a government related identifier by an organisation, or a class of organisations, in particular circumstances if:

Note: For permitted general situation, see section 16A. For permitted health situation, see section 16B.

Note: For permitted general situation, see section 16A. For permitted health situation, see section 16B.

Note: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.

Note: In certain circumstances, an act done, or a practice engaged in, by the overseas recipient is taken, under section 16C, to have been done, or engaged in, by the APP entity and to be a breach of the Australian Privacy Principles.

Note: For permitted general situation, see section 16A.

Note: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.

Note 1: An act or practice of an agency may be treated as an act or practice of an organisation, see section 7A.

Note 2: For permitted general situation, see section 16A.

Note: There are prerequisites that must be satisfied before the matters mentioned in this subclause are prescribed, see subsections 100(2) and (3).