Commonwealth of Australia Bills

[Index] [Search] [Download] [Related Items] [Help]


This is a Bill, not an Act. For current law, see the Acts databases.


PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012

2010-2011-2012
The Parliament of the
Commonwealth of Australia
HOUSE OF REPRESENTATIVES
Presented and read a first time
Privacy Amendment (Enhancing Privacy
Protection) Bill 2012
No. , 2012
(Attorney-General)
A Bill for an Act to amend the law relating to
privacy, and for other purposes
i Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Contents
1 Short
title
...........................................................................................
1
2 Commencement
.................................................................................
1
3 Schedule(s)
........................................................................................
4
Schedule 1--Australian Privacy Principles
5
Privacy Act 1988
5
Schedule 2--Credit reporting
46
Privacy Act 1988
46
Schedule 3--Privacy codes
136
Privacy Act 1988
136
Schedule 4--Other amendments of the Privacy Act 1988
154
Schedule 5--Amendment of other Acts
200
Part 1--Amendments relating to the Australian Privacy
Principles
200
Acts Interpretation Act 1901
200
Aged Care Act 1997
200
A New Tax System (Family Assistance) (Administration) Act 1999
200
Anti-Money Laundering and Counter-Terrorism Financing Act 2006
201
AusCheck Act 2007
201
Australian Citizenship Act 2007
201
Australian Curriculum, Assessment and Reporting Authority Act 2008
202
Australian Passports Act 2005
202
Australian Prudential Regulation Authority Act 1998
203
Commonwealth Electoral Act 1918
203
Crimes Act 1914
203
Dairy Produce Act 1986
203
Defence Act 1903
204
Defence Force (Home Loans Assistance) Act 1990
204
Defence Home Ownership Assistance Scheme Act 2008
204
Defence Service Homes Act 1918
204
Education Services for Overseas Students Act 2000
204
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 ii
Extradition Act 1988
205
Fair Work (Building Industry) Act 2012
205
Freedom of Information Act 1982
205
Healthcare Identifiers Act 2010
205
Higher Education Support Act 2003
206
Horse Disease Response Levy Collection Act 2011
206
Inspector of Transport Security Act 2006
207
Migration Act 1958
207
Military Rehabilitation and Compensation Act 2004
208
Mutual Assistance in Criminal Matters Act 1987
208
National Health Act 1953
208
National Health Reform Act 2011
209
National Health Security Act 2007
209
National Vocational Education and Training Regulator Act 2011
209
Olympic Insignia Protection Act 1987
210
Ombudsman Act 1976
210
Paid Parental Leave Act 2010
210
Personally Controlled Electronic Health Records Act 2012
210
Private Health Insurance Act 2007
210
Product Stewardship Act 2011
211
Quarantine Act 1908
211
Retirement Savings Accounts Act 1997
211
Social Security (Administration) Act 1999
211
Stronger Futures in the Northern Territory Act 2012
212
Superannuation Industry (Supervision) Act 1993
212
Supported Accommodation Assistance Act 1994
212
Telecommunications Act 1997
212
Telecommunications (Consumer Protection and Service Standards)
Act 1999
214
Therapeutic Goods Act 1989
214
Trade Marks Act 1995
214
Veterans' Entitlements Act 1986
214
Part 2--Amendments relating to credit reporting
215
iii Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Anti-Money Laundering and Counter-Terrorism Financing Act 2006
215
Australian Crime Commission Act 2002
218
Law Enforcement Integrity Commissioner Act 2006
218
National Consumer Credit Protection Act 2009
218
Taxation Administration Act 1953
219
Part 3--Amendments relating to codes
220
Australian Information Commissioner Act 2010
220
Telecommunications Act 1997
220
Telecommunications (Consumer Protection and Service Standards)
Act 1999
221
Part 4--Other amendments
222
Australian Human Rights Commission Act 1986
222
Australian Information Commissioner Act 2010
222
Crimes Act 1914
223
Data-matching Program (Assistance and Tax) Act 1990
223
Healthcare Identifiers Act 2010
224
National Health Act 1953
224
Retirement Savings Accounts Act 1997
225
Superannuation Industry (Supervision) Act 1993
225
Schedule 6--Application, transitional and savings provisions
227
Part 1--Definitions
227
Part 2--Provisions relating to Schedule 1 to this Act
228
Part 3--Provisions relating to Schedule 2 to this Act
229
Part 4--Provisions relating to Schedule 3 to this Act
230
Part 5--Provisions relating to Schedule 4 to this Act
231
Part 6--Provisions relating to Schedule 5 to this Act
234
Part 7--Provisions relating to other matters
235
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 1
A Bill for an Act to amend the law relating to
1
privacy, and for other purposes
2
The Parliament of Australia enacts:
3
1 Short title
4
This Act may be cited as the Privacy Amendment (Enhancing
5
Privacy Protection) Act 2012.
6
2 Commencement
7
(1) Each provision of this Act specified in column 1 of the table
8
commences, or is taken to have commenced, in accordance with
9
column 2 of the table. Any other statement in column 2 has effect
10
according to its terms.
11
12
2 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Commencement information
Column 1
Column 2
Column 3
Provision(s)
Commencement
Date/Details
1. Sections 1 to 3
and anything in
this Act not
elsewhere covered
by this table
The day this Act receives the Royal Assent.
2. Schedules 1 to
4
The day after the end of the period of 9
months beginning on the day this Act
receives the Royal Assent.
3. Schedule 5,
items 1 to 70
The day after the end of the period of 9
months beginning on the day this Act
receives the Royal Assent.
4. Schedule 5,
item 71
The later of:
(a) the start of the day after the end of the
period of 9 months beginning on the day
this Act receives the Royal Assent; and
(b) immediately after the commencement of
section 73 of the Personally Controlled
Electronic Health Records Act 2012.
However, the provision(s) do not commence
at all if the event mentioned in paragraph (b)
does not occur.
5. Schedule 5,
items 72 to 79
The day after the end of the period of 9
months beginning on the day this Act
receives the Royal Assent.
6. Schedule 5,
item 80
The later of:
(a) the start of the day after the end of the
period of 9 months beginning on the day
this Act receives the Royal Assent; and
(b) immediately after the commencement of
section 105 of the Stronger Futures in
the Northern Territory Act 2012.
However, the provision(s) do not commence
at all if the event mentioned in paragraph (b)
does not occur.
7. Schedule 5,
items 81 to 131
The day after the end of the period of 9
months beginning on the day this Act
receives the Royal Assent.
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 3
Commencement information
Column 1
Column 2
Column 3
Provision(s)
Commencement
Date/Details
8. Schedule 5
item 132
The later of:
(a) the start of the day after the end of the
period of 9 months beginning on the day
this Act receives the Royal Assent; and
(b) immediately after the commencement of
item 24 of Schedule 5 to the Consumer
Credit and Corporations Legislation
Amendment (Enhancements) Act 2012.
However, the provision(s) do not commence
at all if the event mentioned in paragraph (b)
does not occur.
9. Schedule 5,
items 133 to 155
The day after the end of the period of 9
months beginning on the day this Act
receives the Royal Assent.
10. Schedule 5,
item 156
The day this Act receives the Royal Assent.
11. Schedule 5,
items 157 to 161
The day after the end of the period of 9
months beginning on the day this Act
receives the Royal Assent.
12. Schedule 5,
item 162
The day this Act receives the Royal Assent.
13. Schedule 5,
items 163 to 171
The day after the end of the period of 9
months beginning on the day this Act
receives the Royal Assent.
14. Schedule 5,
item 172
The later of:
(a) the start of the day after the end of the
period of 9 months beginning on the day
this Act receives the Royal Assent; and
(b) immediately after the commencement of
item 32 of Schedule 1 to the Personally
Controlled Electronic Health Records
(Consequential Amendments) Act 2012.
However, the provision(s) do not commence
at all if the event mentioned in paragraph (b)
does not occur.
15. Schedule 5,
items 173 to 180
The day after the end of the period of 9
months beginning on the day this Act
4 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Commencement information
Column 1
Column 2
Column 3
Provision(s)
Commencement
Date/Details
receives the Royal Assent.
16. Schedule 6,
Part 1
The day this Act receives the Royal Assent.
17. Schedule 6,
Parts 2 and 3
The day after the end of the period of 9
months beginning on the day this Act
receives the Royal Assent.
18. Schedule 6,
Part 4
The day this Act receives the Royal Assent.
19. Schedule 6,
Parts 5 to 7
The day after the end of the period of 9
months beginning on the day this Act
receives the Royal Assent.
Note:
This table relates only to the provisions of this Act as originally
1
enacted. It will not be amended to deal with any later amendments of
2
this Act.
3
(2) Any information in column 3 of the table is not part of this Act.
4
Information may be inserted in this column, or information in it
5
may be edited, in any published version of this Act.
6
3 Schedule(s)
7
Each Act that is specified in a Schedule to this Act is amended or
8
repealed as set out in the applicable items in the Schedule
9
concerned, and any other item in a Schedule to this Act has effect
10
according to its terms.
11
12
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 5
Schedule 1--Australian Privacy Principles
1
2
Privacy Act 1988
3
1 Section 3
4
Omit ", disclosure or transfer", substitute "or disclosure".
5
2 Section 3 (note)
6
Omit "National", substitute "Australian".
7
3 Section 5
8
Repeal the section.
9
4 Subsection 6(1) (paragraph (i) of the definition of agency)
10
Repeal the paragraph.
11
5 Subsection 6(1)
12
Insert:
13
APP complaint means a complaint about an act or practice that, if
14
established, would be an interference with the privacy of an
15
individual because it breached an Australian Privacy Principle.
16
6 Subsection 6(1)
17
Insert:
18
APP entity means an agency or organisation.
19
7 Subsection 6(1)
20
Insert:
21
APP privacy policy has the meaning given by Australian Privacy
22
Principle 1.3.
23
8 Subsection 6(1)
24
Insert:
25
Australian law means:
26
(a) an Act of the Commonwealth or of a State or Territory; or
27
Schedule 1 Australian Privacy Principles
6 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) regulations, or any other instrument, made under such an Act;
1
or
2
(c) a Norfolk Island enactment; or
3
(d) a rule of common law or equity.
4
9 Subsection 6(1)
5
Insert:
6
Australian Privacy Principle has the meaning given by section 14.
7
10 Subsection 6(1)
8
Insert:
9
collects: an entity collects personal information only if the entity
10
collects the personal information for inclusion in a record or
11
generally available publication.
12
11 Subsection 6(1)
13
Insert:
14
Commonwealth record has the same meaning as in the Archives
15
Act 1983.
16
12 Subsection 6(1)
17
Insert:
18
court/tribunal order means an order, direction or other instrument
19
made by:
20
(a) a court; or
21
(b) a tribunal; or
22
(c) a judge (including a judge acting in a personal capacity) or a
23
person acting as a judge; or
24
(d) a magistrate (including a magistrate acting in a personal
25
capacity) or a person acting as a magistrate; or
26
(e) a member or an officer of a tribunal;
27
and includes an order, direction or other instrument that is of an
28
interim or interlocutory nature.
29
13 Subsection 6(1)
30
Insert:
31
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 7
de facto partner of an individual has the meaning given by the Acts
1
Interpretation Act 1901.
2
14 Subsection 6(1)
3
Insert:
4
de-identified: personal information is de-identified if the
5
information is no longer about an identifiable individual or an
6
individual who is reasonably identifiable.
7
15 Subsection 6(1) (definition of eligible case manager)
8
Repeal the definition.
9
16 Subsection 6(1) (after paragraph (b) of the definition of
10
enforcement body)
11
Insert:
12
(ba) the CrimTrac Agency; or
13
17 Subsection 6(1) (after paragraph (c) of the definition of
14
enforcement body)
15
Insert:
16
(ca) the Immigration Department; or
17
18 Subsection 6(1) (after paragraph (e) of the definition of
18
enforcement body)
19
Insert:
20
(ea) the Office of the Director of Public Prosecutions, or a similar
21
body established under a law of a State or Territory; or
22
19 Subsection 6(1) (after paragraph (l) of the definition of
23
enforcement body)
24
Insert:
25
(la) the Corruption and Crime Commission of Western Australia;
26
or
27
20 Subsection 6(1)
28
Insert:
29
enforcement related activity means:
30
Schedule 1 Australian Privacy Principles
8 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) the prevention, detection, investigation, prosecution or
1
punishment of:
2
(i) criminal offences; or
3
(ii) breaches of a law imposing a penalty or sanction; or
4
(b) the conduct of surveillance activities, intelligence gathering
5
activities or monitoring activities; or
6
(c) the conduct of protective or custodial activities; or
7
(d) the enforcement of laws relating to the confiscation of the
8
proceeds of crime; or
9
(e) the protection of the public revenue; or
10
(f) the prevention, detection, investigation or remedying of
11
misconduct of a serious nature, or other conduct prescribed
12
by the regulations; or
13
(g) the preparation for, or conduct of, proceedings before any
14
court or tribunal, or the implementation of court/tribunal
15
orders.
16
21 Subsection 6(1)
17
Insert:
18
entity means:
19
(a) an agency; or
20
(b) an organisation; or
21
(c) a small business operator.
22
22 Subsection 6(1) (definition of generally available
23
publication)
24
Repeal the definition, substitute:
25
generally available publication means a magazine, book, article,
26
newspaper or other publication that is, or will be, generally
27
available to members of the public:
28
(a) whether or not it is published in print, electronically or in any
29
other form; and
30
(b) whether or not it is available on the payment of a fee.
31
23 Subsection 6(1)
32
Insert:
33
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 9
government related identifier of an individual means an identifier
1
of the individual that has been assigned by:
2
(a) an agency; or
3
(b) a State or Territory authority; or
4
(c) an agent of an agency, or a State or Territory authority, acting
5
in its capacity as agent; or
6
(d) a contracted service provider for a Commonwealth contract,
7
or a State contract, acting in its capacity as contracted service
8
provider for that contract.
9
24 Subsection 6(1)
10
Insert:
11
holds: an entity holds personal information if the entity has
12
possession or control of a record that contains the personal
13
information.
14
Note:
See section 10 for when an agency is taken to hold a record.
15
25 Subsection 6(1)
16
Insert:
17
identifier of an individual means a number, letter or symbol, or a
18
combination of any or all of those things, that is used to identify
19
the individual or to verify the identity of the individual, but does
20
not include:
21
(a) the individual's name; or
22
(b) the individual's ABN (within the meaning of the A New Tax
23
System (Australian Business Number) Act 1999); or
24
(c) anything else prescribed by the regulations.
25
26 Subsection 6(1)
26
Insert:
27
Immigration Department means the Department administered by
28
the Minister administering the Migration Act 1958.
29
27 Subsection 6(1) (definition of Information Privacy
30
Principle)
31
Repeal the definition.
32
Schedule 1 Australian Privacy Principles
10 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
28 Subsection 6(1) (definition of IPP complaint)
1
Repeal the definition.
2
29 Subsection 6(1)
3
Insert:
4
misconduct includes fraud, negligence, default, breach of trust,
5
breach of duty, breach of discipline or any other misconduct in the
6
course of duty.
7
30 Subsection 6(1) (definition of National Privacy Principle)
8
Repeal the definition.
9
31 Subsection 6(1)
10
Insert:
11
non-profit organisation means an organisation:
12
(a) that is a non-profit organisation; and
13
(b) that engages in activities for cultural, recreational, political,
14
religious, philosophical, professional, trade or trade union
15
purposes.
16
32 Subsection 6(1) (definition of NPP complaint)
17
Repeal the definition.
18
33 Subsection 6(1)
19
Insert:
20
overseas recipient, in relation to personal information, has the
21
meaning given by Australian Privacy Principle 8.1.
22
34 Subsection 6(1)
23
Insert:
24
permitted general situation has the meaning given by section 16A.
25
35 Subsection 6(1)
26
Insert:
27
permitted health situation has the meaning given by section 16B.
28
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 11
36 Subsection 6(1) (definition of personal information)
1
Repeal the definition, substitute:
2
personal information means information or an opinion about an
3
identified individual, or an individual who is reasonably
4
identifiable:
5
(a) whether the information or opinion is true or not; and
6
(b) whether the information or opinion is recorded in a material
7
form or not.
8
37 Subsection 6(1) (definition of record)
9
Omit "means", substitute "includes".
10
38 Subsection 6(1) (paragraphs (b) and (c) of the definition of
11
record)
12
Repeal the paragraphs, substitute:
13
(b) an electronic or other device;
14
39 Subsection 6(1) (at the end of the definition of record)
15
Add:
16
Note: For
document, see section 2B of the Acts Interpretation Act 1901.
17
40 Subsection 6(1)
18
Insert:
19
responsible person has the meaning given by section 6AA.
20
41 Subsection 6(1) (subparagraph (a)(viii) of the definition of
21
sensitive information)
22
Omit "preferences", substitute "orientation".
23
42 Subsection 6(1) (at the end of the definition of sensitive
24
information)
25
Add:
26
; or (d) biometric information that is to be used for the purpose of
27
automated biometric verification or biometric identification;
28
or
29
(e)
biometric
templates.
30
Schedule 1 Australian Privacy Principles
12 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
43 Subsection 6(1) (definition of solicit)
1
Repeal the definition.
2
44 Subsection 6(1)
3
Insert:
4
solicits: an entity solicits personal information if the entity requests
5
another entity to provide the personal information, or to provide a
6
kind of information in which that personal information is included.
7
45 Subsection 6(1) (definition of use)
8
Repeal the definition.
9
46 Subsection 6(2)
10
Repeal the subsection.
11
47 Paragraph 6(7)(a)
12
Omit "IPP", substitute "APP".
13
48 Paragraph 6(7)(d)
14
Repeal the paragraph.
15
49 Paragraph 6(7)(f)
16
Omit "NPP", substitute "APP".
17
50 Subsection 6(10)
18
Omit "and 16E", substitute "and 16".
19
51 Paragraph 6(10)(a)
20
Omit "(within the meaning of the Acts Interpretation Act 1901)".
21
52 After section 6
22
Insert:
23
6AA Meaning of responsible person
24
(1)
A
responsible person for an individual is:
25
(a) a parent of the individual; or
26
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 13
(b) a child or sibling of the individual if the child or sibling is at
1
least 18 years old; or
2
(c) a spouse or de facto partner of the individual; or
3
(d) a relative of the individual if the relative is:
4
(i) at least 18 years old; and
5
(ii) a member of the individual's household; or
6
(e) a guardian of the individual; or
7
(f) a person exercising an enduring power of attorney granted by
8
the individual that is exercisable in relation to decisions about
9
the individual's health; or
10
(g) a person who has an intimate personal relationship with the
11
individual; or
12
(h) a person nominated by the individual to be contacted in case
13
of emergency.
14
(2) In this section:
15
child: without limiting who is a child of an individual for the
16
purposes of subsection (1), each of the following is a child of an
17
individual:
18
(a) an adopted child, stepchild, exnuptial child or foster child of
19
the individual;
20
(b) someone who is a child of the individual within the meaning
21
of the Family Law Act 1975.
22
parent: without limiting who is a parent of an individual for the
23
purposes of subsection (1), someone is a parent of an individual if
24
the individual is his or her child because of the definition of child
25
in this subsection.
26
relative of an individual (the first individual) means a grandparent,
27
grandchild, uncle, aunt, nephew or niece of the first individual and
28
for this purpose, relationships to the first individual may also be
29
traced to or through another individual who is:
30
(a) a de facto partner of the first individual; or
31
(b) the child of the first individual because of the definition of
32
child in this subsection.
33
sibling of an individual includes:
34
Schedule 1 Australian Privacy Principles
14 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) a half-brother, half-sister, adoptive brother, adoptive sister,
1
step-brother, step-sister, foster-brother and foster-sister of the
2
individual; and
3
(b) another individual if a relationship referred to in
4
paragraph (a) can be traced through a parent of either or both
5
of the individuals.
6
stepchild: without limiting who is a stepchild of an individual,
7
someone is a stepchild of an individual if he or she would be the
8
individual's stepchild except that the individual is not legally
9
married to the individual's de facto partner.
10
53 Section 6A (heading)
11
Repeal the heading, substitute:
12
6A Breach of an Australian Privacy Principle
13
54 Subsection 6A(1) (heading)
14
Repeal the heading.
15
55 Subsection 6A(1)
16
Omit "a National", substitute "an Australian".
17
56 Subsection 6A(1)
18
Omit "that National Privacy Principle", substitute "that principle".
19
57 Subsection 6A(2)
20
Omit "a National", substitute "an Australian".
21
58 Paragraph 6A(2)(b)
22
Omit "the Principle", substitute "the principle".
23
59 Subsections 6A(3) and (4)
24
Omit "a National", substitute "an Australian".
25
60 Subparagraphs 6C(4)(b)(ii) and (iii)
26
Omit ", disclosure and transfer", substitute "and disclosure".
27
61 Subsection 6EA(1)
28
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 15
Omit "(except section 16D)".
1
62 Paragraph 6F(3)(b)
2
Omit ", disclosure and transfer", substitute "and disclosure".
3
63 Paragraph 7(1)(a)
4
Omit "an eligible case manager or".
5
64 Paragraph 7(1)(cb)
6
Repeal the paragraph.
7
65 Paragraphs 7(1)(d) and (e)
8
Omit ", an eligible hearing service provider or an eligible case
9
manager", substitute "or an eligible hearing service provider".
10
66 Paragraphs 7(1)(ea) and (eb)
11
Repeal the paragraphs.
12
67 Subsection 7(2)
13
Omit "Information Privacy Principles, the National", substitute
14
"Australian".
15
68 Subsection 7B(1) (note)
16
Omit "section 16E", substitute "section 16".
17
69 Subsections 7B(1) and (2) (notes)
18
Omit "National", substitute "Australian".
19
70 Paragraph 8(2)(b)
20
Omit "is not the record-keeper in relation to", substitute "does not
21
hold".
22
71 Subsection 8(2)
23
Omit "of the record-keeper in relation to", substitute "of the agency that
24
holds".
25
72 Section 9
26
Repeal the section.
27
Schedule 1 Australian Privacy Principles
16 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
73 Section 10 (heading)
1
Repeal the heading, substitute:
2
10 Agencies that are taken to hold a record
3
74 Subsections 10(1) to (3)
4
Repeal the subsections.
5
75 Subsections 10(4) and (5)
6
Omit "as the record-keeper in relation to", substitute "to be the agency
7
that holds".
8
76 Section 12
9
Repeal the section.
10
77 Subsection 13B(1) (note)
11
Omit "National" (wherever occurring), substitute "Australian".
12
78 Subsection 13B(1) (note)
13
Omit "Principle 2", substitute "Principle 6".
14
79 Subsection 13B(1A) (note)
15
Omit "National", substitute "Australian".
16
80 Subsection 13C(1) (note)
17
Omit "National" (wherever occurring), substitute "Australian".
18
81 Subsection 13C(1) (note)
19
Omit "Principle 2", substitute "Principle 6".
20
82 Divisions 2 and 3 of Part III
21
Repeal the Divisions, substitute:
22
Division 2--Australian Privacy Principles
23
14 Australian Privacy Principles
24
(1)
The
Australian Privacy Principles are set out in the clauses of
25
Schedule 1.
26
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 17
(2) A reference in any Act to an Australian Privacy Principle by a
1
number is a reference to the Australian Privacy Principle with that
2
number.
3
15 APP entities must comply with Australian Privacy Principles
4
An APP entity must not do an act, or engage in a practice, that
5
breaches an Australian Privacy Principle.
6
16 Personal, family or household affairs
7
Nothing in the Australian Privacy Principles applies to:
8
(a) the collection, holding, use or disclosure of personal
9
information by an individual; or
10
(b) personal information held by an individual;
11
only for the purposes of, or in connection with, his or her personal,
12
family or household affairs.
13
16A Permitted general situations in relation to the collection, use or
14
disclosure of personal information
15
(1)
A
permitted general situation exists in relation to the collection,
16
use or disclosure by an APP entity of personal information about
17
an individual, or of a government related identifier of an
18
individual, if:
19
(a) the entity is an entity of a kind specified in an item in column
20
1 of the table; and
21
(b) the item in column 2 of the table applies to the information or
22
identifier; and
23
(c) such conditions as are specified in the item in column 3 of
24
the table are satisfied.
25
26
Permitted general situations
Item Column
1
Kind of entity
Column 2
Item applies to
Column 3
Condition(s)
1 APP
entity (a) personal
information;
or
(b) a
government
(a) it is unreasonable or impracticable
to obtain the individual's consent to
the collection, use or disclosure;
and
(b) the entity reasonably believes that
Schedule 1 Australian Privacy Principles
18 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Permitted general situations
Item Column
1
Kind of entity
Column 2
Item applies to
Column 3
Condition(s)
related
identifier.
the collection, use or disclosure is
necessary to lessen or prevent a
serious threat to the life, health or
safety of any individual, or to
public health or safety.
2 APP
entity (a) personal
information;
or
(b) a
government
related
identifier.
(a) the entity has reason to suspect that
unlawful activity, or misconduct of
a serious nature, that relates to the
entity's functions or activities has
been, is being or may be engaged
in; and
(b) the entity reasonably believes that
the collection, use or disclosure is
necessary in order for the entity to
take appropriate action in relation to
the matter.
3 APP
entity Personal
information
(a) the entity reasonably believes that
the collection, use or disclosure is
reasonably necessary to assist any
APP entity, body or person to
locate a person who has been
reported as missing; and
(b) the collection, use or disclosure
complies with the rules made under
subsection (2).
4 APP
entity Personal
information
The collection, use or disclosure is
reasonably necessary for the
establishment, exercise or defence of a
legal or equitable claim.
5 APP
entity Personal
information
The collection, use or disclosure is
reasonably necessary for the purposes
of a confidential alternative dispute
resolution process.
6 Agency Personal
information
The entity reasonably believes that the
collection, use or disclosure is
necessary for the entity's diplomatic or
consular functions or activities.
7 Defence
Force
Personal
information
The entity reasonably believes that the
collection, use or disclosure is
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 19
Permitted general situations
Item Column
1
Kind of entity
Column 2
Item applies to
Column 3
Condition(s)
necessary for any of the following
occurring outside Australia and the
external Territories:
(a) war or warlike operations;
(b) peacekeeping or peace
enforcement;
(c) civil aid, humanitarian assistance,
medical or civil emergency or
disaster relief.
1
(2) The Commissioner may, by legislative instrument, make rules
2
relating to the collection, use or disclosure of personal information
3
that apply for the purposes of item 3 of the table in subsection (1).
4
16B Permitted health situations in relation to the collection, use or
5
disclosure of health information
6
Collection--provision of a health service
7
(1)
A
permitted health situation exists in relation to the collection by
8
an organisation of health information about an individual if:
9
(a) the information is necessary to provide a health service to the
10
individual; and
11
(b)
either:
12
(i) the collection is required or authorised by or under an
13
Australian law (other than this Act); or
14
(ii) the information is collected in accordance with rules
15
established by competent health or medical bodies that
16
deal with obligations of professional confidentiality
17
which bind the organisation.
18
Collection--research etc.
19
(2)
A
permitted health situation exists in relation to the collection by
20
an organisation of health information about an individual if:
21
(a) the collection is necessary for any of the following purposes:
22
Schedule 1 Australian Privacy Principles
20 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(i) research relevant to public health or public safety;
1
(ii) the compilation or analysis of statistics relevant to
2
public health or public safety;
3
(iii) the management, funding or monitoring of a health
4
service; and
5
(b) that purpose cannot be served by the collection of
6
information about the individual that is de-identified
7
information; and
8
(c) it is impracticable for the organisation to obtain the
9
individual's consent to the collection; and
10
(d) any of the following apply:
11
(i) the collection is required by or under an Australian law
12
(other than this Act);
13
(ii) the information is collected in accordance with rules
14
established by competent health or medical bodies that
15
deal with obligations of professional confidentiality
16
which bind the organisation;
17
(iii) the information is collected in accordance with
18
guidelines approved under section 95A for the purposes
19
of this subparagraph.
20
Use or disclosure--research etc.
21
(3)
A
permitted health situation exists in relation to the use or
22
disclosure by an organisation of health information about an
23
individual if:
24
(a) the use or disclosure is necessary for research, or the
25
compilation or analysis of statistics, relevant to public health
26
or public safety; and
27
(b) it is impracticable for the organisation to obtain the
28
individual's consent to the use or disclosure; and
29
(c) the use or disclosure is conducted in accordance with
30
guidelines approved under section 95A for the purposes of
31
this paragraph; and
32
(d) in the case of disclosure--the organisation reasonably
33
believes that the recipient of the information will not disclose
34
the information, or personal information derived from that
35
information.
36
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 21
Use or disclosure--genetic information
1
(4)
A
permitted health situation exists in relation to the use or
2
disclosure by an organisation of genetic information about an
3
individual (the first individual) if:
4
(a) the organisation has obtained the information in the course of
5
providing a health service to the first individual; and
6
(b) the organisation reasonably believes that the use or disclosure
7
is necessary to lessen or prevent a serious threat to the life,
8
health or safety of another individual who is a genetic
9
relative of the first individual; and
10
(c) the use or disclosure is conducted in accordance with
11
guidelines approved under section 95AA; and
12
(d) in the case of disclosure--the recipient of the information is a
13
genetic relative of the first individual.
14
Disclosure--responsible person for an individual
15
(5)
A
permitted health situation exists in relation to the disclosure by
16
an organisation of health information about an individual if:
17
(a) the organisation provides a health service to the individual;
18
and
19
(b) the recipient of the information is a responsible person for the
20
individual; and
21
(c)
the
individual:
22
(i) is physically or legally incapable of giving consent to
23
the disclosure; or
24
(ii) physically cannot communicate consent to the
25
disclosure; and
26
(d) another individual (the carer) providing the health service for
27
the organisation is satisfied that either:
28
(i) the disclosure is necessary to provide appropriate care
29
or treatment of the individual; or
30
(ii) the disclosure is made for compassionate reasons; and
31
(e) the disclosure is not contrary to any wish:
32
(i) expressed by the individual before the individual
33
became unable to give or communicate consent; and
34
(ii) of which the carer is aware, or of which the carer could
35
reasonably be expected to be aware; and
36
Schedule 1 Australian Privacy Principles
22 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(f) the disclosure is limited to the extent reasonable and
1
necessary for a purpose mentioned in paragraph (d).
2
16C Acts and practices of overseas recipients of personal
3
information
4
(1) This section applies if:
5
(a) an APP entity discloses personal information about an
6
individual to an overseas recipient; and
7
(b) Australian Privacy Principle 8.1 applies to the disclosure of
8
the information; and
9
(c) the Australian Privacy Principles do not apply, under this
10
Act, to an act done, or a practice engaged in, by the overseas
11
recipient in relation to the information; and
12
(d) the overseas recipient does an act, or engages in a practice, in
13
relation to the information that would be a breach of the
14
Australian Privacy Principles (other than Australian Privacy
15
Principle 1) if those Australian Privacy Principles so applied
16
to that act or practice.
17
(2) The act done, or the practice engaged in, by the overseas recipient
18
is taken, for the purposes of this Act:
19
(a) to have been done, or engaged in, by the APP entity; and
20
(b) to be a breach of those Australian Privacy Principles by the
21
APP entity.
22
83 Section 37 (table items 6 and 7)
23
Repeal the items.
24
84 Subsections 54(2) and 57(2) (definition of agency)
25
Omit ", an eligible hearing service provider or an eligible case
26
manager", substitute "or an eligible hearing service provider".
27
85 Paragraph 80H(2)(e)
28
Omit "people who are responsible (within the meaning of subclause 2.5
29
of Schedule 3)", substitute "responsible persons".
30
86 Subparagraph 80P(1)(c)(v)
31
Repeal the subparagraph, substitute:
32
(v) a responsible person for the individual; and
33
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 23
87 Paragraph 80Q(1)(c)
1
Omit "responsible for the individual (within the meaning of subclause
2
2.5 of Schedule 3)", substitute "a responsible person for the individual".
3
88 At the end of subsection 95(1)
4
Add "by agencies".
5
89 Subsections 95(2) and (4)
6
Omit "Information" (wherever occurring), substitute "Australian".
7
90 Section 95A (heading)
8
Repeal the heading, substitute:
9
95A Guidelines for Australian Privacy Principles about health
10
information
11
91 Subsection 95A(1)
12
Omit "National Privacy Principles (the NPPs)", substitute "Australian
13
Privacy Principles".
14
92 Subsection 95A(2)
15
Omit "subparagraph 2.1(d)(ii) of the NPPs", substitute "paragraph
16
16B(3)(c)".
17
93 Subsection 95A(3)
18
Omit "NPPs (other than paragraph 2.1(d))", substitute "Australian
19
Privacy Principles (disregarding subsection 16B(3))".
20
94 Subsection 95A(4)
21
Omit "subparagraph 10.3(d)(iii) of the NPPs", substitute "subparagraph
22
16B(2)(d)(iii)".
23
95 Subsection 95A(5)
24
Omit "NPPs (other than paragraph 10.3(d))", substitute "Australian
25
Privacy Principles (disregarding subsection 16B(2))".
26
96 Section 95AA (heading)
27
Repeal the heading, substitute:
28
Schedule 1 Australian Privacy Principles
24 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
95AA Guidelines for Australian Privacy Principles about genetic
1
information
2
97 Subsection 95AA(1)
3
Omit "National Privacy Principles (the NPPs)", substitute "Australian
4
Privacy Principles".
5
98 Subsection 95AA(2)
6
Omit "subparagraph 2.1(ea)(ii) of the NPPs", substitute "paragraph
7
16B(4)(c)".
8
99 Subsection 95AA(2)
9
Omit "(whether or not the threat is imminent)".
10
100 Subsection 95B(1)
11
Omit "Information", substitute "Australian".
12
101 Section 95C
13
Omit "a National", substitute "an Australian".
14
102 Subsections 100(2) to (4)
15
Repeal the subsections, substitute:
16
(2) Before the Governor-General makes regulations for the purposes of
17
Australian Privacy Principle 9.3 prescribing a government related
18
identifier, an organisation or a class of organisations, and
19
circumstances, the Minister must be satisfied that:
20
(a) the relevant agency or State or Territory authority or, if the
21
relevant agency or State or Territory authority has a principal
22
executive, the principal executive:
23
(i) has agreed that the adoption, use or disclosure of the
24
identifier by the organisation, or the class of
25
organisations, in the circumstances is appropriate; and
26
(ii) has consulted the Commissioner about that adoption,
27
use or disclosure; and
28
(b) the adoption, use or disclosure of the identifier by the
29
organisation, or the class of organisations, in the
30
circumstances can only be for the benefit of the individual to
31
whom the identifier relates.
32
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 25
(3) Subsection (2) does not apply to the making of regulations for the
1
purposes of Australian Privacy Principle 9.3 that relate to the use
2
or disclosure of a government related identifier by an organisation,
3
or a class of organisations, in particular circumstances if:
4
(a) the identifier is a kind commonly used in the processing of
5
pay, or deductions from pay, of Commonwealth officers, or a
6
class of Commonwealth officers; and
7
(b) the circumstances of the use or disclosure of the identifier
8
relate to the provision by:
9
(i) the organisation; or
10
(ii) the class of organisations;
11
of superannuation services (including the management,
12
processing, allocation and transfer of superannuation
13
contributions) for the benefit of Commonwealth officers or
14
the class of Commonwealth officers; and
15
(c) before the regulations are made, the Minister consults the
16
Commissioner about the proposed regulations.
17
103 Part X
18
Repeal the Part.
19
104 Schedules 1 and 3
20
Repeal the Schedules, substitute:
21
Schedule 1--Australian Privacy Principles
22
Note: See
section
14.
23
Overview of the Australian Privacy Principles
24
Overview
25
This Schedule sets out the Australian Privacy Principles.
26
Part 1 sets out principles that require APP entities to consider the
27
privacy of personal information, including ensuring that APP
28
entities manage personal information in an open and transparent
29
way.
30
Part 2 sets out principles that deal with the collection of personal
31
information including unsolicited personal information.
32
Schedule 1 Australian Privacy Principles
26 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Part 3 sets out principles about how APP entities deal with
1
personal information and government related identifiers. The Part
2
includes principles about the use and disclosure of personal
3
information and those identifiers.
4
Part 4 sets out principles about the integrity of personal
5
information. The Part includes principles about the quality and
6
security of personal information.
7
Part 5 sets out principles that deal with requests for access to, and
8
the correction of, personal information.
9
Australian Privacy Principles
10
The Australian Privacy Principles are:
11
Australian Privacy Principle 1--open and transparent
12
management of personal information
13
Australian Privacy Principle 2--anonymity and pseudonymity
14
Australian Privacy Principle 3--collection of solicited
15
personal information
16
Australian Privacy Principle 4--dealing with unsolicited
17
personal information
18
Australian Privacy Principle 5--notification of the collection
19
of personal information
20
Australian Privacy Principle 6--use or disclosure of personal
21
information
22
Australian Privacy Principle 7--direct marketing
23
Australian Privacy Principle 8--cross-border disclosure of
24
personal information
25
Australian Privacy Principle 9--adoption, use or disclosure of
26
government related identifiers
27
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 27
Australian Privacy Principle 10--quality of personal
1
information
2
Australian Privacy Principle 11--security of personal
3
information
4
Australian Privacy Principle 12--access to personal
5
information
6
Australian Privacy Principle 13--correction of personal
7
information
8
Part 1--Consideration of personal information
9
privacy
10
11
1 Australian Privacy Principle 1--open and transparent
12
management of personal information
13
1.1 The object of this principle is to ensure that APP entities manage
14
personal information in an open and transparent way.
15
Compliance with the Australian Privacy Principles etc.
16
1.2 An APP entity must take such steps as are reasonable in the
17
circumstances to implement practices, procedures and systems
18
relating to the entity's functions or activities that:
19
(a) will ensure that the entity complies with the Australian
20
Privacy Principles and a registered APP code (if any) that
21
binds the entity; and
22
(b) will enable the entity to deal with inquiries or complaints
23
from individuals about the entity's compliance with the
24
Australian Privacy Principles or such a code.
25
APP Privacy policy
26
1.3 An APP entity must have a clearly expressed and up-to-date policy
27
(the APP privacy policy) about the management of personal
28
information by the entity.
29
Schedule 1 Australian Privacy Principles
28 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
1.4 Without limiting subclause 1.3, the APP privacy policy of the APP
1
entity must contain the following information:
2
(a) the kinds of personal information that the entity collects and
3
holds;
4
(b) how the entity collects and holds personal information;
5
(c) the purposes for which the entity collects, holds, uses and
6
discloses personal information;
7
(d) how an individual may access personal information about the
8
individual that is held by the entity and seek the correction of
9
such information;
10
(e) how an individual may complain about a breach of the
11
Australian Privacy Principles, or a registered APP code (if
12
any) that binds the entity, and how the entity will deal with
13
such a complaint;
14
(f) whether the entity is likely to disclose personal information
15
to overseas recipients;
16
(g) if the entity is likely to disclose personal information to
17
overseas recipients--the countries in which such recipients
18
are likely to be located if it is practicable to specify those
19
countries in the policy.
20
Availability of APP privacy policy etc.
21
1.5 An APP entity must take such steps as are reasonable in the
22
circumstances to make its APP privacy policy available:
23
(a) free of charge; and
24
(b) in such form as is appropriate.
25
Note:
An APP entity will usually make its APP privacy policy available on
26
the entity's website.
27
1.6 If a person or body requests a copy of the APP privacy policy of an
28
APP entity in a particular form, the entity must take such steps as
29
are reasonable in the circumstances to give the person or body a
30
copy in that form.
31
2 Australian Privacy Principle 2--anonymity and pseudonymity
32
2.1 Individuals must have the option of not identifying themselves, or
33
of using a pseudonym, when dealing with an APP entity in relation
34
to a particular matter.
35
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 29
2.2 Subclause 2.1 does not apply if, in relation to that matter:
1
(a) the APP entity is required or authorised by or under an
2
Australian law, or a court/tribunal order, to deal with
3
individuals who have identified themselves; or
4
(b) it is impracticable for the APP entity to deal with individuals
5
who have not identified themselves.
6
Part 2--Collection of personal information
7
8
3 Australian Privacy Principle 3--collection of solicited personal
9
information
10
Personal information other than sensitive information
11
3.1 If an APP entity is an agency, the entity must not collect personal
12
information (other than sensitive information) unless the
13
information is reasonably necessary for, or directly related to, one
14
or more of the entity's functions or activities.
15
3.2 If an APP entity is an organisation, the entity must not collect
16
personal information (other than sensitive information) unless the
17
information is reasonably necessary for one or more of the entity's
18
functions or activities.
19
Sensitive information
20
3.3 An APP entity must not collect sensitive information about an
21
individual unless:
22
(a) the individual consents to the collection of the information
23
and:
24
(i) if the entity is an agency--the information is reasonably
25
necessary for, or directly related to, one or more of the
26
entity's functions or activities; or
27
(ii) if the entity is an organisation--the information is
28
reasonably necessary for one or more of the entity's
29
functions or activities; or
30
(b) subclause 3.4 applies in relation to the information.
31
3.4 This subclause applies in relation to sensitive information about an
32
individual if:
33
Schedule 1 Australian Privacy Principles
30 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) the collection of the information is required or authorised by
1
or under an Australian law or a court/tribunal order; or
2
(b) a permitted general situation exists in relation to the
3
collection of the information by the APP entity; or
4
(c) the APP entity is an organisation and a permitted health
5
situation exists in relation to the collection of the information
6
by the entity; or
7
(d) the APP entity is an enforcement body and the entity
8
reasonably believes that:
9
(i) if the entity is the Immigration Department--the
10
collection of the information is reasonably necessary
11
for, or directly related to, one or more enforcement
12
related activities conducted by, or on behalf of, the
13
entity; or
14
(ii) otherwise--the collection of the information is
15
reasonably necessary for, or directly related to, one or
16
more of the entity's functions or activities; or
17
(e) the APP entity is a non-profit organisation and both of the
18
following apply:
19
(i) the information relates to the activities of the
20
organisation;
21
(ii) the information relates solely to the members of the
22
organisation, or to individuals who have regular contact
23
with the organisation in connection with its activities.
24
Means of collection
25
3.5 An APP entity must collect personal information only by lawful
26
and fair means.
27
3.6 An APP entity must collect personal information about an
28
individual only from the individual unless:
29
(a) if the entity is an agency:
30
(i) the individual consents to the collection of the
31
information from someone other than the individual; or
32
(ii) the entity is required or authorised by or under an
33
Australian law, or a court/tribunal order, to collect the
34
information from someone other than the individual; or
35
(b) it is unreasonable or impracticable to do so.
36
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 31
Solicited personal information
1
3.7 This principle applies to the collection of personal information that
2
is solicited by an APP entity.
3
4 Australian Privacy Principle 4--dealing with unsolicited personal
4
information
5
4.1
If:
6
(a) an APP entity receives personal information; and
7
(b) the entity did not solicit the information;
8
the entity must, within a reasonable period after receiving the
9
information, determine whether or not the entity could have
10
collected the information under Australian Privacy Principle 3 if
11
the entity had solicited the information.
12
4.2 The APP entity may use or disclose the personal information for
13
the purposes of making the determination under subclause 4.1.
14
4.3
If:
15
(a) the APP entity determines that the entity could not have
16
collected the personal information; and
17
(b) the information is not contained in a Commonwealth record;
18
the entity must, as soon as practicable but only if it is lawful and
19
reasonable to do so, destroy the information or ensure that the
20
information is de-identified.
21
4.4 If subclause 4.3 does not apply in relation to the personal
22
information, Australian Privacy Principles 5 to 13 apply in relation
23
to the information as if the entity had collected the information
24
under Australian Privacy Principle 3.
25
5 Australian Privacy Principle 5--notification of the collection of
26
personal information
27
5.1 At or before the time or, if that is not practicable, as soon as
28
practicable after, an APP entity collects personal information about
29
an individual, the entity must take such steps (if any) as are
30
reasonable in the circumstances:
31
(a) to notify the individual of such matters referred to in
32
subclause 5.2 as are reasonable in the circumstances; or
33
Schedule 1 Australian Privacy Principles
32 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) to otherwise ensure that the individual is aware of any such
1
matters.
2
5.2 The matters for the purposes of subclause 5.1 are as follows:
3
(a) the identity and contact details of the APP entity;
4
(b)
if:
5
(i) the APP entity collects the personal information from
6
someone other than the individual; or
7
(ii) the individual may not be aware that the APP entity has
8
collected the personal information;
9
the fact that the entity so collects, or has collected, the
10
information and the circumstances of that collection;
11
(c) if the collection of the personal information is required or
12
authorised by or under an Australian law or a court/tribunal
13
order--the fact that the collection is so required or authorised
14
(including the name of the Australian law, or details of the
15
court/tribunal order, that requires or authorises the
16
collection);
17
(d) the purposes for which the APP entity collects the personal
18
information;
19
(e) the main consequences (if any) for the individual if all or
20
some of the personal information is not collected by the APP
21
entity;
22
(f) any other APP entity, body or person, or the types of any
23
other APP entities, bodies or persons, to which the APP
24
entity usually discloses personal information of the kind
25
collected by the entity;
26
(g) that the APP privacy policy of the APP entity contains
27
information about how the individual may access the
28
personal information about the individual that is held by the
29
entity and seek the correction of such information;
30
(h) that the APP privacy policy of the APP entity contains
31
information about how the individual may complain about a
32
breach of the Australian Privacy Principles, or a registered
33
APP code (if any) that binds the entity, and how the entity
34
will deal with such a complaint;
35
(i) whether the APP entity is likely to disclose the personal
36
information to overseas recipients;
37
(j) if the APP entity is likely to disclose the personal information
38
to overseas recipients--the countries in which such recipients
39
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 33
are likely to be located if it is practicable to specify those
1
countries in the notification or to otherwise make the
2
individual aware of them.
3
Part 3--Dealing with personal information
4
5
6 Australian Privacy Principle 6--use or disclosure of personal
6
information
7
Use or disclosure
8
6.1 If an APP entity holds personal information about an individual
9
that was collected for a particular purpose (the primary purpose),
10
the entity must not use or disclose the information for another
11
purpose (the secondary purpose) unless:
12
(a) the individual has consented to the use or disclosure of the
13
information; or
14
(b) subclause 6.2 or 6.3 applies in relation to the use or
15
disclosure of the information.
16
Note:
Australian Privacy Principle 8 sets out requirements for the disclosure
17
of personal information to a person who is not in Australia or an
18
external Territory.
19
6.2 This subclause applies in relation to the use or disclosure of
20
personal information about an individual if:
21
(a) the individual would reasonably expect the APP entity to use
22
or disclose the information for the secondary purpose and the
23
secondary purpose is:
24
(i) if the information is sensitive information--directly
25
related to the primary purpose; or
26
(ii) if the information is not sensitive information--related
27
to the primary purpose; or
28
(b) the use or disclosure of the information is required or
29
authorised by or under an Australian law or a court/tribunal
30
order; or
31
(c) a permitted general situation exists in relation to the use or
32
disclosure of the information by the APP entity; or
33
(d) the APP entity is an organisation and a permitted health
34
situation exists in relation to the use or disclosure of the
35
information by the entity; or
36
Schedule 1 Australian Privacy Principles
34 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(e) the APP entity reasonably believes that the use or disclosure
1
of the information is reasonably necessary for one or more
2
enforcement related activities conducted by, or on behalf of,
3
an enforcement body.
4
6.3 This subclause applies in relation to the disclosure of personal
5
information about an individual by an APP entity that is an agency
6
if:
7
(a) the agency is not an enforcement body; and
8
(b) the information is biometric information or biometric
9
templates; and
10
(c) the recipient of the information is an enforcement body; and
11
(d) the disclosure is conducted in accordance with the guidelines
12
made by the Commissioner for the purposes of this
13
paragraph.
14
6.4
If:
15
(a) the APP entity is an organisation; and
16
(b) subsection 16B(2) applied in relation to the collection of the
17
personal information by the entity;
18
the entity must take such steps as are reasonable in the
19
circumstances to ensure that the information is de-identified before
20
the entity discloses it in accordance with subclause 6.1 or 6.2.
21
Written note of use or disclosure
22
6.5 If an APP entity uses or discloses personal information in
23
accordance with paragraph 6.2(e), the entity must make a written
24
note of the use or disclosure.
25
Related bodies corporate
26
6.6
If:
27
(a) an APP entity is a body corporate; and
28
(b) the entity collects personal information from a related body
29
corporate;
30
this principle applies as if the entity's primary purpose for the
31
collection of the information were the primary purpose for which
32
the related body corporate collected the information.
33
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 35
Exceptions
1
6.7 This principle does not apply to the use or disclosure by an
2
organisation of:
3
(a) personal information for the purpose of direct marketing; or
4
(b) government related identifiers.
5
7 Australian Privacy Principle 7--direct marketing
6
Prohibition on direct marketing
7
7.1 If an organisation holds personal information about an individual,
8
the organisation must not use or disclose the information for the
9
purpose of direct marketing.
10
Note:
An act or practice of an agency may be treated as an act or practice of
11
an organisation, see section 7A.
12
Exceptions--personal information other than sensitive information
13
7.2 Despite subclause 7.1, an organisation may use or disclose
14
personal information (other than sensitive information) about an
15
individual for the purpose of direct marketing if:
16
(a) the organisation collected the information from the
17
individual; and
18
(b) the individual would reasonably expect the organisation to
19
use or disclose the information for that purpose; and
20
(c) the organisation provides a simple means by which the
21
individual may easily request not to receive direct marketing
22
communications from the organisation; and
23
(d) the individual has not made such a request to the
24
organisation.
25
7.3 Despite subclause 7.1, an organisation may use or disclose
26
personal information (other than sensitive information) about an
27
individual for the purpose of direct marketing if:
28
(a) the organisation collected the information from:
29
(i) the individual and the individual would not reasonably
30
expect the organisation to use or disclose the
31
information for that purpose; or
32
(ii) someone other than the individual; and
33
(b)
either:
34
Schedule 1 Australian Privacy Principles
36 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(i) the individual has consented to the use or disclosure of
1
the information for that purpose; or
2
(ii) it is impracticable to obtain that consent; and
3
(c) the organisation provides a simple means by which the
4
individual may easily request not to receive direct marketing
5
communications from the organisation; and
6
(d) in each direct marketing communication with the individual:
7
(i) the organisation includes a prominent statement that the
8
individual may make such a request; or
9
(ii) the organisation otherwise draws the individual's
10
attention to the fact that the individual may make such a
11
request; and
12
(e) the individual has not made such a request to the
13
organisation.
14
Exception--sensitive information
15
7.4 Despite subclause 7.1, an organisation may use or disclose
16
sensitive information about an individual for the purpose of direct
17
marketing if the individual has consented to the use or disclosure
18
of the information for that purpose.
19
Exception--contracted service providers
20
7.5 Despite subclause 7.1, an organisation may use or disclose
21
personal information for the purpose of direct marketing if:
22
(a) the organisation is a contracted service provider for a
23
Commonwealth contract; and
24
(b) the organisation collected the information for the purpose of
25
meeting (directly or indirectly) an obligation under the
26
contract; and
27
(c) the use or disclosure is necessary to meet (directly or
28
indirectly) such an obligation.
29
Individual may request not to receive direct marketing
30
communications etc.
31
7.6 If an organisation (the first organisation) uses or discloses
32
personal information about an individual:
33
(a) for the purpose of direct marketing by the first organisation;
34
or
35
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 37
(b) for the purpose of facilitating direct marketing by other
1
organisations;
2
the individual may:
3
(c) if paragraph (a) applies--request not to receive direct
4
marketing communications from the first organisation; and
5
(d) if paragraph (b) applies--request the organisation not to use
6
or disclose the information for the purpose referred to in that
7
paragraph; and
8
(e) request the first organisation to provide its source of the
9
information.
10
7.7 If an individual makes a request under subclause 7.6, the first
11
organisation must not charge the individual for the making of, or to
12
give effect to, the request and:
13
(a) if the request is of a kind referred to in paragraph 7.6(c) or
14
(d)--the first organisation must give effect to the request
15
within a reasonable period after the request is made; and
16
(b) if the request is of a kind referred to in paragraph 7.6(e)--the
17
organisation must, within a reasonable period after the
18
request is made, notify the individual of its source unless it is
19
impracticable or unreasonable to do so.
20
Interaction with other legislation
21
7.8 This principle does not apply to the extent that any of the following
22
apply:
23
(a)
the
Do Not Call Register Act 2006;
24
(b)
the
Spam Act 2003;
25
(c) any other Act of the Commonwealth, or a Norfolk Island
26
enactment, prescribed by the regulations.
27
8 Australian Privacy Principle 8--cross-border disclosure of
28
personal information
29
8.1 Before an APP entity discloses personal information about an
30
individual to a person (the overseas recipient):
31
(a) who is not in Australia or an external Territory; and
32
(b) who is not the entity or the individual;
33
the entity must take such steps as are reasonable in the
34
circumstances to ensure that the overseas recipient does not breach
35
Schedule 1 Australian Privacy Principles
38 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
the Australian Privacy Principles (other than Australian Privacy
1
Principle 1) in relation to the information.
2
Note:
In certain circumstances, an act done, or a practice engaged in, by the
3
overseas recipient is taken, under section 16C, to have been done, or
4
engaged in, by the APP entity and to be a breach of the Australian
5
Privacy Principles.
6
8.2 Subclause 8.1 does not apply to the disclosure of personal
7
information about an individual by an APP entity to the overseas
8
recipient if:
9
(a) the entity reasonably believes that:
10
(i) the recipient of the information is subject to a law, or
11
binding scheme, that has the effect of protecting the
12
information in a way that, overall, is at least
13
substantially similar to the way in which the Australian
14
Privacy Principles protect the information; and
15
(ii) there are mechanisms that the individual can access to
16
take action to enforce that protection of the law or
17
binding scheme; or
18
(b) both of the following apply:
19
(i) the entity expressly informs the individual that if he or
20
she consents to the disclosure of the information,
21
subclause 8.1 will not apply to the disclosure;
22
(ii) after being so informed, the individual consents to the
23
disclosure; or
24
(c) the disclosure of the information is required or authorised by
25
or under an Australian law or a court/tribunal order; or
26
(d) a permitted general situation (other than the situation referred
27
to in item 4 or 5 of the table in subsection 16A(1)) exists in
28
relation to the disclosure of the information by the APP
29
entity; or
30
(e) the entity is an agency and the disclosure of the information
31
is required or authorised by or under an international
32
agreement relating to information sharing to which Australia
33
is a party; or
34
(f) the entity is an agency and both of the following apply:
35
(i) the entity reasonably believes that the disclosure of the
36
information is reasonably necessary for one or more
37
enforcement related activities conducted by, or on
38
behalf of, an enforcement body;
39
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 39
(ii) the recipient is a body that performs functions, or
1
exercises powers, that are similar to those performed or
2
exercised by an enforcement body.
3
9 Australian Privacy Principle 9--adoption, use or disclosure of
4
government related identifiers
5
Adoption of government related identifiers
6
9.1 An organisation must not adopt a government related identifier of
7
an individual as its own identifier of the individual unless:
8
(a) the adoption of the government related identifier is required
9
or authorised by or under an Australian law or a
10
court/tribunal order; or
11
(b) subclause 9.3 applies in relation to the adoption.
12
Note:
An act or practice of an agency may be treated as an act or practice of
13
an organisation, see section 7A.
14
Use or disclosure of government related identifiers
15
9.2 An organisation must not use or disclose a government related
16
identifier of an individual unless:
17
(a) the use or disclosure of the identifier is reasonably necessary
18
for the organisation to verify the identity of the individual for
19
the purposes of the organisation's activities or functions; or
20
(b) the use or disclosure of the identifier is reasonably necessary
21
for the organisation to fulfil its obligations to an agency or a
22
State or Territory authority; or
23
(c) the use or disclosure of the identifier is required or authorised
24
by or under an Australian law or a court/tribunal order; or
25
(d) a permitted general situation (other than the situation referred
26
to in item 4 or 5 of the table in subsection 16A(1)) exists in
27
relation to the use or disclosure of the identifier; or
28
(e) the organisation reasonably believes that the use or disclosure
29
of the identifier is reasonably necessary for one or more
30
enforcement related activities conducted by, or on behalf of,
31
an enforcement body; or
32
(f) subclause 9.3 applies in relation to the use or disclosure.
33
Note:
An act or practice of an agency may be treated as an act or practice of
34
an organisation, see section 7A.
35
Schedule 1 Australian Privacy Principles
40 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Regulations about adoption, use or disclosure
1
9.3 This subclause applies in relation to the adoption, use or disclosure
2
by an organisation of a government related identifier of an
3
individual if:
4
(a) the identifier is prescribed by the regulations; and
5
(b) the organisation is prescribed by the regulations, or is
6
included in a class of organisations prescribed by the
7
regulations; and
8
(c) the adoption, use or disclosure occurs in the circumstances
9
prescribed by the regulations.
10
Note:
There are prerequisites that must be satisfied before the matters
11
mentioned in this subclause are prescribed, see subsections 100(2) and
12
(3).
13
Part 4--Integrity of personal information
14
15
10 Australian Privacy Principle 10--quality of personal information
16
10.1 An APP entity must take such steps (if any) as are reasonable in
17
the circumstances to ensure that the personal information that the
18
entity collects is accurate, up-to-date and complete.
19
10.2 An APP entity must take such steps (if any) as are reasonable in
20
the circumstances to ensure that the personal information that the
21
entity uses or discloses is, having regard to the purpose of the use
22
or disclosure, accurate, up-to-date, complete and relevant.
23
11 Australian Privacy Principle 11--security of personal
24
information
25
11.1 If an APP entity holds personal information, the entity must take
26
such steps as are reasonable in the circumstances to protect the
27
information:
28
(a) from misuse, interference and loss; and
29
(b) from unauthorised access, modification or disclosure.
30
11.2
If:
31
(a) an APP entity holds personal information about an
32
individual; and
33
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 41
(b) the entity no longer needs the information for any purpose for
1
which the information may be used or disclosed by the entity
2
under this Schedule; and
3
(c) the information is not contained in a Commonwealth record;
4
and
5
(d) the entity is not required by or under an Australian law, or a
6
court/tribunal order, to retain the information;
7
the entity must take such steps as are reasonable in the
8
circumstances to destroy the information or to ensure that the
9
information is de-identified.
10
Part 5--Access to, and correction of, personal
11
information
12
13
12 Australian Privacy Principle 12--access to personal information
14
Access
15
12.1 If an APP entity holds personal information about an individual,
16
the entity must, on request by the individual, give the individual
17
access to the information.
18
Exception to access--agency
19
12.2
If:
20
(a) the APP entity is an agency; and
21
(b) the entity is required or authorised to refuse to give the
22
individual access to the personal information by or under:
23
(i) the Freedom of Information Act; or
24
(ii) any other Act of the Commonwealth, or a Norfolk
25
Island enactment, that provides for access by persons to
26
documents;
27
then, despite subclause 12.1, the entity is not required to give
28
access to the extent that the entity is required or authorised to
29
refuse to give access.
30
Schedule 1 Australian Privacy Principles
42 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Exception to access--organisation
1
12.3 If the APP entity is an organisation then, despite subclause 12.1,
2
the entity is not required to give the individual access to the
3
personal information to the extent that:
4
(a) the entity reasonably believes that giving access would pose a
5
serious threat to the life, health or safety of any individual, or
6
to public health or public safety; or
7
(b) giving access would have an unreasonable impact on the
8
privacy of other individuals; or
9
(c) the request for access is frivolous or vexatious; or
10
(d) the information relates to existing or anticipated legal
11
proceedings between the entity and the individual, and would
12
not be accessible by the process of discovery in those
13
proceedings; or
14
(e) giving access would reveal the intentions of the entity in
15
relation to negotiations with the individual in such a way as
16
to prejudice those negotiations; or
17
(f) giving access would be unlawful; or
18
(g) denying access is required or authorised by or under an
19
Australian law or a court/tribunal order; or
20
(h) both of the following apply:
21
(i) the entity has reason to suspect that unlawful activity, or
22
misconduct of a serious nature, that relates to the
23
entity's functions or activities has been, is being or may
24
be engaged in;
25
(ii) giving access would be likely to prejudice the taking of
26
appropriate action in relation to the matter; or
27
(i) giving access would be likely to prejudice one or more
28
enforcement related activities conducted by, or on behalf of,
29
an enforcement body; or
30
(j) giving access would reveal evaluative information generated
31
within the entity in connection with a commercially sensitive
32
decision-making process.
33
Dealing with requests for access
34
12.4 The APP entity must:
35
(a) respond to the request for access to the personal information:
36
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 43
(i) if the entity is an agency--within 30 days after the
1
request is made; or
2
(ii) if the entity is an organisation--within a reasonable
3
period after the request is made; and
4
(b) give access to the information in the manner requested by the
5
individual, if it is reasonable and practicable to do so.
6
Other means of access
7
12.5 If the APP entity refuses:
8
(a) to give access to the personal information because of
9
subclause 12.2 or 12.3; or
10
(b) to give access in the manner requested by the individual;
11
the entity must take such steps (if any) as are reasonable in the
12
circumstances to give access in a way that meets the needs of the
13
entity and the individual.
14
12.6 Without limiting subclause 12.5, access may be given through the
15
use of a mutually agreed intermediary.
16
Access charges
17
12.7 If the APP entity is an agency, the entity must not charge the
18
individual for the making of the request or for giving access to the
19
personal information.
20
12.8
If:
21
(a) the APP entity is an organisation; and
22
(b) the entity charges the individual for giving access to the
23
personal information;
24
the charge must not be excessive and must not apply to the making
25
of the request.
26
Refusal to give access
27
12.9 If the APP entity refuses to give access to the personal information
28
because of subclause 12.2 or 12.3, or to give access in the manner
29
requested by the individual, the entity must give the individual a
30
written notice that sets out:
31
(a) the reasons for the refusal except to the extent that, having
32
regard to the grounds for the refusal, it would be
33
unreasonable to do so; and
34
Schedule 1 Australian Privacy Principles
44 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) the mechanisms available to complain about the refusal; and
1
(c) any other matter prescribed by the regulations.
2
12.10 If the APP entity refuses to give access to the personal information
3
because of paragraph 12.3(j), the reasons for the refusal may
4
include an explanation for the commercially sensitive decision.
5
13 Australian Privacy Principle 13--correction of personal
6
information
7
Correction
8
13.1
If:
9
(a) an APP entity holds personal information about an
10
individual; and
11
(b)
either:
12
(i) the entity is satisfied that, having regard to a purpose for
13
which the information is held, the information is
14
inaccurate, out-of-date, incomplete, irrelevant or
15
misleading; or
16
(ii) the individual requests the entity to correct the
17
information;
18
the entity must take such steps (if any) as are reasonable in the
19
circumstances to correct that information to ensure that, having
20
regard to the purpose for which it is held, the information is
21
accurate, up-to-date, complete, relevant and not misleading.
22
Notification of correction to third parties
23
13.2
If:
24
(a) the APP entity corrects personal information about an
25
individual that the entity previously disclosed to another APP
26
entity; and
27
(b) the individual requests the entity to notify the other APP
28
entity of the correction;
29
the entity must take such steps (if any) as are reasonable in the
30
circumstances to give that notification unless it is impracticable or
31
unlawful to do so.
32
Australian Privacy Principles Schedule 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 45
Refusal to correct information
1
13.3 If the APP entity refuses to correct the personal information as
2
requested by the individual, the entity must give the individual a
3
written notice that sets out:
4
(a) the reasons for the refusal except to the extent that it would
5
be unreasonable to do so; and
6
(b) the mechanisms available to complain about the refusal; and
7
(c) any other matter prescribed by the regulations.
8
Request to associate a statement
9
13.4
If:
10
(a) the APP entity refuses to correct the personal information as
11
requested by the individual; and
12
(b) the individual requests the entity to associate with the
13
information a statement that the information is inaccurate,
14
out-of-date, incomplete, irrelevant or misleading;
15
the entity must take such steps as are reasonable in the
16
circumstances to associate the statement in such a way that will
17
make the statement apparent to users of the information.
18
Dealing with requests
19
13.5 If a request is made under subclause 13.1 or 13.4, the APP entity:
20
(a) must respond to the request:
21
(i) if the entity is an agency--within 30 days after the
22
request is made; or
23
(ii) if the entity is an organisation--within a reasonable
24
period after the request is made; and
25
(b) must not charge the individual for the making of the request,
26
for correcting the personal information or for associating the
27
statement with the personal information (as the case may be).
28
29
Schedule 2 Credit reporting
46 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Schedule 2--Credit reporting
1
2
Privacy Act 1988
3
1 Before section 6
4
Insert:
5
Division 1--General definitions
6
2 Subsection 6(1)
7
Insert:
8
access seeker has the meaning given by subsection 6L(1).
9
3 Subsection 6(1)
10
Insert:
11
affected information recipient means:
12
(a) a mortgage insurer; or
13
(b) a trade insurer; or
14
(c) a body corporate referred to in paragraph 21G(3)(b); or
15
(d) a person referred to in paragraph 21G(3)(c); or
16
(e) an entity or adviser referred to in paragraph 21N(2)(a).
17
4 Subsection 6(1)
18
Insert:
19
amount of credit has the meaning given by subsection 6M(2).
20
5 Subsection 6(1)
21
Insert:
22
Bankruptcy Act means the Bankruptcy Act 1966.
23
6 Subsection 6(1)
24
Insert:
25
ban period has the meaning given by subsection 20K(3).
26
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 47
7 Subsection 6(1) (definition of commercial credit)
1
Repeal the definition, substitute:
2
commercial credit means credit (other than consumer credit) that is
3
applied for by, or provided to, a person.
4
8 Subsection 6(1)
5
Insert:
6
commercial credit related purpose of a credit provider in relation
7
to a person means the purpose of:
8
(a) assessing an application for commercial credit made by the
9
person to the provider; or
10
(b) collecting payments that are overdue in relation to
11
commercial credit provided by the provider to the person.
12
9 Subsection 6(1)
13
Insert:
14
consumer credit means credit:
15
(a) for which an application has been made by an individual to a
16
credit provider, or that has been provided to an individual by
17
a credit provider, in the course of the provider carrying on a
18
business or undertaking as a credit provider; and
19
(b) that is intended to be used wholly or primarily:
20
(i) for personal, family or household purposes; or
21
(ii) to acquire, maintain, renovate or improve residential
22
property for investment purposes; or
23
(iii) to refinance consumer credit that has been provided
24
wholly or primarily to acquire, maintain, renovate or
25
improve residential property for investment purposes.
26
10 Subsection 6(1)
27
Insert:
28
consumer credit liability information: if a credit provider provides
29
consumer credit to an individual, the following information about
30
the consumer credit is consumer credit liability information about
31
the individual:
32
(a) the name of the provider;
33
Schedule 2 Credit reporting
48 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) whether the provider is a licensee;
1
(c) the type of consumer credit;
2
(d) the day on which the consumer credit is entered into;
3
(e) the terms or conditions of the consumer credit:
4
(i) that relate to the repayment of the amount of credit; and
5
(ii) that are prescribed by the regulations;
6
(f) the maximum amount of credit available under the consumer
7
credit;
8
(g) the day on which the consumer credit is terminated or
9
otherwise ceases to be in force.
10
11 Subsection 6(1)
11
Insert:
12
consumer credit related purpose of a credit provider in relation to
13
an individual means the purpose of:
14
(a) assessing an application for consumer credit made by the
15
individual to the provider; or
16
(b) collecting payments that are overdue in relation to consumer
17
credit provided by the provider to the individual.
18
12 Subsection 6(1)
19
Insert:
20
court proceedings information about an individual means
21
information about a judgement of an Australian court:
22
(a) that is made, or given, against the individual in proceedings
23
(other than criminal proceedings); and
24
(b) that relates to any credit that has been provided to, or applied
25
for by, the individual.
26
13 Subsection 6(1)
27
Insert:
28
CP derived information about an individual means any personal
29
information (other than sensitive information) about the individual:
30
(a) that is derived from credit reporting information about the
31
individual that was disclosed to a credit provider by a credit
32
reporting body under Division 2 of Part IIIA; and
33
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 49
(b) that has any bearing on the individual's credit worthiness;
1
and
2
(c) that is used, has been used or could be used in establishing
3
the individual's eligibility for consumer credit.
4
14 Subsection 6(1)
5
Insert:
6
CRB derived information about an individual means any personal
7
information (other than sensitive information) about the individual:
8
(a) that is derived by a credit reporting body from credit
9
information about the individual that is held by the body; and
10
(b) that has any bearing on the individual's credit worthiness;
11
and
12
(c) that is used, has been used or could be used in establishing
13
the individual's eligibility for consumer credit.
14
15 Subsection 6(1) (definition of credit)
15
Repeal the definition, substitute:
16
credit has the meaning given by subsections 6M(1) and (3).
17
16 Subsection 6(1) (definition of credit card)
18
Omit "loans" (wherever occurring), substitute "credit".
19
17 Subsection 6(1)
20
Insert:
21
credit eligibility information about an individual means:
22
(a) credit reporting information about the individual that was
23
disclosed to a credit provider by a credit reporting body
24
under Division 2 of Part IIIA; or
25
(b) CP derived information about the individual.
26
18 Subsection 6(1) (definition of credit enhancement)
27
Omit "a loan", substitute "credit".
28
19 Subsection 6(1) (paragraphs (a) and (b) of the definition of
29
credit enhancement)
30
Omit "the loan", substitute "the credit".
31
Schedule 2 Credit reporting
50 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
20 Subsection 6(1)
1
Insert:
2
credit guarantee purpose of a credit provider in relation to an
3
individual means the purpose of assessing whether to accept the
4
individual as a guarantor in relation to:
5
(a) credit provided by the provider to a person other than the
6
individual; or
7
(b) credit for which an application has been made to the provider
8
by a person other than the individual.
9
21 Subsection 6(1)
10
Insert:
11
credit information has the meaning given by section 6N.
12
22 Subsection 6(1) (definition of credit information file)
13
Repeal the definition.
14
23 Subsection 6(1) (definition of credit provider)
15
Omit "section 11B", substitute "sections 6G to 6K".
16
24 Subsection 6(1) (definition of credit report)
17
Repeal the definition.
18
25 Subsection 6(1) (definition of credit reporting agency)
19
Repeal the definition.
20
26 Subsection 6(1)
21
Insert:
22
credit reporting body means:
23
(a) an organisation; or
24
(b) an agency prescribed by the regulations;
25
that carries on a credit reporting business.
26
27 Subsection 6(1) (definition of credit reporting business)
27
Repeal the definition, substitute:
28
credit reporting business has the meaning given by section 6P.
29
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 51
28 Subsection 6(1)
1
Insert:
2
credit reporting information about an individual means credit
3
information, or CRB derived information, about the individual.
4
29 Subsection 6(1)
5
Insert:
6
credit worthiness of an individual means the individual's:
7
(a) eligibility to be provided with consumer credit; or
8
(b) history in relation to consumer credit; or
9
(c) capacity to repay an amount of credit that relates to consumer
10
credit.
11
30 Subsection 6(1) (definition of current credit provider)
12
Repeal the definition.
13
31 Subsection 6(1)
14
Insert:
15
default information has the meaning given by section 6Q.
16
32 Subsection 6(1) (definition of eligible communications
17
service)
18
Repeal the definition.
19
33 Subsection 6(1) (definition of guarantee)
20
Repeal the definition, substitute:
21
guarantee includes an indemnity given against the default of a
22
person in making a payment in relation to credit that has been
23
applied for by, or provided to, the person.
24
34 Subsection 6(1)
25
Insert:
26
identification information about an individual means:
27
(a) the individual's full name; or
28
(b) an alias or previous name of the individual; or
29
Schedule 2 Credit reporting
52 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(c) the individual's date of birth; or
1
(d) the individual's sex; or
2
(e) the individual's current or last known address, and 2 previous
3
addresses (if any); or
4
(f) the name of the individual's current or last known employer;
5
or
6
(g) if the individual holds a driver's licence--the individual's
7
driver's licence number.
8
35 Subsection 6(1)
9
Insert:
10
information request has the meaning given by section 6R.
11
36 Subsection 6(1)
12
Insert:
13
interested party has the meaning given by subsections 20T(3) and
14
21V(3).
15
37 Subsection 6(1)
16
Insert:
17
licensee has the meaning given by the National Consumer Credit
18
Protection Act 2009.
19
38 Subsection 6(1) (definition of loan)
20
Repeal the definition.
21
39 Subsection 6(1)
22
Insert:
23
managing credit does not include an act relating to the collection
24
of overdue payments in relation to credit.
25
40 Subsection 6(1) (definition of mortgage credit)
26
Repeal the definition, substitute:
27
mortgage credit means consumer credit:
28
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 53
(a) that is provided in connection with the acquisition,
1
maintenance, renovation or improvement of real property;
2
and
3
(b) in relation to which the real property is security.
4
41 Subsection 6(1)
5
Insert:
6
mortgage insurance purpose of a mortgage insurer in relation to
7
an individual is the purpose of assessing:
8
(a) whether to provide insurance to, or the risk of providing
9
insurance to, a credit provider in relation to mortgage credit:
10
(i) provided by the provider to the individual; or
11
(ii) for which an application to the provider has been made
12
by the individual; or
13
(b) the risk of the individual defaulting on mortgage credit in
14
relation to which the insurer has provided insurance to a
15
credit provider; or
16
(c) the risk of the individual being unable to meet a liability that
17
might arise under a guarantee provided, or proposed to be
18
provided, in relation to mortgage credit provided by a credit
19
provider to another person.
20
42 Subsection 6(1) (definition of mortgage insurer)
21
Repeal the definition, substitute:
22
mortgage insurer means an organisation, or small business
23
operator, that carries on a business or undertaking that involves
24
providing insurance to credit providers in relation to mortgage
25
credit provided by providers to other persons.
26
43 Subsection 6(1)
27
Insert:
28
National Personal Insolvency Index has the meaning given by the
29
Bankruptcy Act.
30
44 Subsection 6(1)
31
Insert:
32
Schedule 2 Credit reporting
54 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
new arrangement information has the meaning given by
1
section 6S.
2
45 Subsection 6(1)
3
Insert:
4
payment information has the meaning given by section 6T.
5
46 Subsection 6(1)
6
Insert:
7
penalty unit has the meaning given by section 4AA of the Crimes
8
Act 1914.
9
47 Subsection 6(1)
10
Insert:
11
pending correction request in relation to credit information or
12
CRB derived information means:
13
(a) a request made under subsection 20T(1) in relation to the
14
information if a notice has not been given under subsection
15
20U(2) or (3) in relation to the request; or
16
(b) a request made under subsection 21V(1) in relation to the
17
information if:
18
(i) the credit reporting body referred to in subsection
19
20V(3) has been consulted about the request under
20
subsection 21V(3); and
21
(ii) a notice has not been given under subsection 21W(2) or
22
(3) in relation to the request.
23
48 Subsection 6(1)
24
Insert:
25
pending dispute in relation to credit information or CRB derived
26
information means:
27
(a) a complaint made under section 23A that relates to the
28
information if a decision about the complaint has not been
29
made under subsection 23B(4); or
30
(b) a matter that relates to the information and that is still being
31
dealt with by a recognised external dispute resolution
32
scheme; or
33
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 55
(c) a complaint made to the Commissioner under Part V that
1
relates to the information and that is still being dealt with.
2
49 Subsection 6(1)
3
Insert:
4
permitted CP disclosure has the meaning given by sections 21J to
5
21N.
6
50 Subsection 6(1)
7
Insert:
8
permitted CP use has the meaning given by section 21H.
9
51 Subsection 6(1)
10
Insert:
11
permitted CRB disclosure has the meaning given by section 20F.
12
52 Subsection 6(1)
13
Insert:
14
personal insolvency information has the meaning given by
15
section 6U.
16
53 Subsection 6(1)
17
Insert:
18
pre-screening assessment means an assessment made under
19
paragraph 20G(2)(d).
20
54 Subsection 6(1)
21
Insert:
22
purchase, in relation to credit, includes the purchase of rights to
23
receive payments relating to the credit.
24
55 Subsection 6(1)
25
Insert:
26
regulated information of an affected information recipient means:
27
Schedule 2 Credit reporting
56 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) if the recipient is a mortgage insurer or trade insurer--
1
personal information disclosed to the recipient under
2
Division 2 or 3 of Part IIIA; or
3
(b) if the recipient is a body corporate referred to in paragraph
4
21G(3)(b)--credit eligibility information disclosed to the
5
recipient under that paragraph; or
6
(c) if the recipient is a person referred to in paragraph
7
21G(3)(c)--credit eligibility information disclosed to the
8
recipient under that paragraph; or
9
(d) if the recipient is an entity or adviser referred to in paragraph
10
21N(2)(a)--credit eligibility information disclosed to the
11
recipient under subsection 21N(2).
12
56 Subsection 6(1)
13
Insert:
14
repayment history information has the meaning given by
15
subsection 6V(1).
16
57 Subsection 6(1)
17
Insert:
18
residential property has the meaning given by section 204 of the
19
National Credit Code (within the meaning of the National
20
Consumer Credit Protection Act 2009).
21
58 Subsection 6(1)
22
Insert:
23
respondent for a complaint made under section 23A means the
24
credit reporting body or credit provider to which the complaint is
25
made.
26
59 Subsection 6(1)
27
Insert:
28
retention period has the meaning given by sections 20W and 20X.
29
60 Subsection 6(1) (subparagraphs (a)(i) and (ii) of the
30
definition of securitisation arrangement)
31
Repeal the subparagraphs, substitute:
32
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 57
(i) credit that has been, or is to be, provided by a credit
1
provider; or
2
(ii) the purchase of credit by a credit provider;
3
61 Subsection 6(1) (paragraph (b) of the definition of
4
securitisation arrangement)
5
Omit "loans", substitute "credit".
6
62 Subsection 6(1)
7
Insert:
8
securitisation related purpose of a credit provider in relation to an
9
individual is the purpose of:
10
(a) assessing the risk in purchasing, by means of a securitisation
11
arrangement, credit that has been provided to, or applied for
12
by:
13
(i) the individual; or
14
(ii) a person for whom the individual is, or is proposing to
15
be, a guarantor; or
16
(b) assessing the risk in undertaking credit enhancement in
17
relation to credit:
18
(i) that is, or is proposed to be, purchased or funded by
19
means of a securitisation arrangement; and
20
(ii) that has been provided to, or applied for by, the
21
individual or a person for whom the individual is, or is
22
proposing to be, a guarantor.
23
63 Subsection 6(1) (definition of serious credit infringement)
24
Repeal the definition, substitute:
25
serious credit infringement means:
26
(a) an act done by an individual that involves fraudulently
27
obtaining consumer credit, or attempting fraudulently to
28
obtain consumer credit; or
29
(b) an act done by an individual that involves fraudulently
30
evading the individual's obligations in relation to consumer
31
credit, or attempting fraudulently to evade those obligations;
32
or
33
(c) an act done by an individual if:
34
Schedule 2 Credit reporting
58 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(i) a reasonable person would consider that the act
1
indicates an intention, on the part of the individual, to
2
no longer comply with the individual's obligations in
3
relation to consumer credit provided by a credit
4
provider; and
5
(ii) the provider has, after taking such steps as are
6
reasonable in the circumstances, been unable to contact
7
the individual about the act; and
8
(iii) at least 6 months have passed since the provider last had
9
contact with the individual.
10
64 Subsection 6(1)
11
Insert:
12
trade insurance purpose of a trade insurer in relation to an
13
individual is the purpose of assessing:
14
(a) whether to provide insurance to, or the risk of providing
15
insurance to, a credit provider in relation to commercial
16
credit provided by the provider to the individual or another
17
person; or
18
(b) the risk of a person defaulting on commercial credit in
19
relation to which the insurer has provided insurance to a
20
credit provider.
21
65 Subsection 6(1) (definition of trade insurer)
22
Repeal the definition, substitute:
23
trade insurer means an organisation, or small business operator,
24
that carries on a business or undertaking that involves providing
25
insurance to credit providers in relation to commercial credit
26
provided by providers to other persons.
27
66 Subsections 6(5A) to (5D)
28
Repeal the subsections.
29
67 Subsection 6(10)
30
Omit "credit", substitute "consumer credit".
31
68 At the end of subsection 6D(4)
32
Add:
33
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 59
; or (f) is a credit reporting body.
1
69 After section 6F
2
Insert:
3
Division 2--Key definitions relating to credit reporting
4
Subdivision A--Credit provider
5
6G Meaning of credit provider
6
General
7
(1) Each of the following is a credit provider:
8
(a)
a
bank;
9
(b) an organisation or small business operator if:
10
(i) the organisation or operator carries on a business or
11
undertaking; and
12
(ii) a substantial part of the business or undertaking is the
13
provision of credit;
14
(c) an organisation or small business operator:
15
(i) that carries on a retail business; and
16
(ii) that, in the course of the business, issues credit cards to
17
individuals in connection with the sale of goods, or the
18
supply of services, by the organisation or operator (as
19
the case may be);
20
(d) an agency, organisation or small business operator:
21
(i) that carries on a business or undertaking that involves
22
providing credit; and
23
(ii) that is prescribed by the regulations.
24
Other credit providers
25
(2)
If:
26
(a) an organisation or small business operator (the supplier)
27
carries on a business or undertaking in the course of which
28
the supplier provides credit in connection with the sale of
29
goods, or the supply of services, by the supplier; and
30
(b) the repayment, in full or in part, of the amount of credit is
31
deferred for at least 7 days; and
32
Schedule 2 Credit reporting
60 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(c) the supplier is not a credit provider under subsection (1);
1
then the supplier is a credit provider but only in relation to the
2
credit.
3
(3)
If:
4
(a) an organisation or small business operator (the lessor) carries
5
on a business or undertaking in the course of which the lessor
6
provides credit in connection with the hiring, leasing or
7
renting of goods; and
8
(b) the credit is in force for at least 7 days; and
9
(c) no amount, or an amount less than the value of the goods, is
10
paid as a deposit for the return of the goods; and
11
(d) the lessor is not a credit provider under subsection (1);
12
then the lessor is a credit provider but only in relation to the credit.
13
(4) An organisation or small business operator is a credit provider if
14
subsection 6H(1), 6J(1) or 6K(1) provides that the organisation or
15
operator is a credit provider.
16
Exclusions
17
(5) Despite subsections (1) to (4) of this section, an organisation or
18
small business operator acting in the capacity of:
19
(a) a real estate agent; or
20
(b) a general insurer (within the meaning of the Insurance Act
21
1973); or
22
(c) an employer of an individual;
23
is not a credit provider while acting in that capacity.
24
(6) Despite subsections (1) to (4) of this section, an organisation or
25
small business operator is not a credit provider if it is included in a
26
class of organisations or operators prescribed by the regulations.
27
6H Agents of credit providers
28
(1) If an organisation or small business operator (the agent) is acting
29
as an agent of a credit provider (the principal) in performing, on
30
behalf of the principal, a task that is reasonably necessary:
31
(a) in processing an application for credit made to the principal;
32
or
33
(b) in managing credit provided by the principal;
34
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 61
then, while the agent is so acting, the agent is a credit provider.
1
(2) Subsection (1) does not apply if the principal is an organisation or
2
small business operator that is a credit provider because of a
3
previous application of that subsection.
4
(3) If subsection (1) applies in relation to credit that has been provided
5
by the principal, the credit is taken, for the purposes of this Act, to
6
have been provided by both the principal and the agent.
7
(4) If subsection (1) applies in relation to credit for which an
8
application has been made to the principal, the application is taken,
9
for the purposes of this Act, to have been made to both the
10
principal and the agent.
11
6J Securitisation arrangements etc.
12
(1)
If:
13
(a) an organisation or small business operator (the securitisation
14
entity) carries on a business that is involved in either or both
15
of the following:
16
(i) a securitisation arrangement;
17
(ii) managing credit that is the subject of a securitisation
18
arrangement; and
19
(b) the securitisation entity performs a task that is reasonably
20
necessary for:
21
(i) purchasing, funding or managing, or processing an
22
application for, credit by means of a securitisation
23
arrangement; or
24
(ii) undertaking credit enhancement in relation to credit; and
25
(c) the credit has been provided by, or is credit for which an
26
application has been made to, a credit provider (the original
27
credit provider);
28
then, while the securitisation entity performs such a task, the
29
securitisation entity is a credit provider.
30
(2) Subsection (1) does not apply if the original credit provider is an
31
organisation or small business operator that is a credit provider
32
because of a previous application of that subsection.
33
(3) If subsection (1) applies in relation to credit that has been provided
34
by the original credit provider, the credit is taken, for the purposes
35
Schedule 2 Credit reporting
62 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
of this Act, to have been provided by both the original credit
1
provider and the securitisation entity.
2
(4) If subsection (1) applies in relation to credit for which an
3
application has been made to the original credit provider, the
4
application is taken, for the purposes of this Act, to have been
5
made to both the original credit provider and the securitisation
6
entity.
7
6K Acquisition of the rights of a credit provider
8
(1)
If:
9
(a) an organisation or small business operator (the acquirer)
10
acquires, whether by assignment, subrogation or any other
11
means, the rights of a credit provider (the original credit
12
provider) in relation to the repayment of an amount of credit;
13
and
14
(b) the acquirer is not a credit provider under subsection 6G(1);
15
then the acquirer is a credit provider but only in relation to the
16
credit.
17
(2) If subsection (1) of this section applies in relation to credit that has
18
been provided by the original credit provider, the credit is taken,
19
for the purposes of this Act, to have been provided by the acquirer.
20
(3) If subsection (1) of this section applies in relation to credit for
21
which an application has been made to the original credit provider,
22
the application is taken, for the purposes of this Act, to have been
23
made to the acquirer.
24
Subdivision B--Other definitions
25
6L Meaning of access seeker
26
(1)
An
access seeker in relation to credit reporting information, or
27
credit eligibility information, about an individual is:
28
(a) the individual; or
29
(b)
a
person:
30
(i) who is assisting the individual to deal with a credit
31
reporting body or credit provider; and
32
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 63
(ii) who is authorised, in writing, by the individual to make
1
a request in relation to the information under subsection
2
20R(1) or 21T(1).
3
(2) An individual must not authorise a person under
4
subparagraph (1)(b)(ii) if the person is:
5
(a) a credit provider; or
6
(b) a mortgage insurer; or
7
(c) a trade insurer; or
8
(d) a person who is prevented from being a credit provider by
9
subsection 6G(5) or (6).
10
(3) Subparagraph (1)(b)(ii) does not apply to a person who provides
11
the National Relay Service.
12
6M Meaning of credit and amount of credit
13
(1)
Credit is a contract, arrangement or understanding under which:
14
(a) payment of a debt owed by one person to another person is
15
deferred; or
16
(b) one person incurs a debt to another person and defers the
17
payment of the debt.
18
(2)
The
amount of credit is the amount of the debt that is actually
19
deferred, or that may be deferred, but does not include any fees or
20
charges payable in connection with the deferral of the debt.
21
(3) Without limiting subsection (1), credit includes:
22
(a) a hire-purchase agreement; and
23
(b) a contract, arrangement or understanding of a kind referred to
24
in that subsection that is for the hire, lease or rental of goods,
25
or for the supply of services, other than a contract,
26
arrangement or understanding under which:
27
(i) full payment is made before, or at the same time as, the
28
goods or services are provided; and
29
(ii) in the case of goods--an amount greater than, or equal
30
to, the value of the goods is paid as a deposit for the
31
return of the goods.
32
Schedule 2 Credit reporting
64 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
6N Meaning of credit information
1
Credit information about an individual is personal information
2
(other than sensitive information) that is:
3
(a) identification information about the individual; or
4
(b) consumer credit liability information about the individual; or
5
(c) repayment history information about the individual; or
6
(d) a statement that an information request has been made in
7
relation to the individual by a credit provider, mortgage
8
insurer or trade insurer; or
9
(e) the type of consumer credit or commercial credit, and the
10
amount of credit, sought in an application:
11
(i) that has been made by the individual to a credit
12
provider; and
13
(ii) in connection with which the provider has made an
14
information request in relation to the individual; or
15
(f) default information about the individual; or
16
(g) payment information about the individual; or
17
(h) new arrangement information about the individual; or
18
(i) court proceedings information about the individual; or
19
(j) personal insolvency information about the individual; or
20
(k) publicly available information about the individual:
21
(i) that relates to the individual's activities in Australia or
22
the external Territories and the individual's credit
23
worthiness; and
24
(ii) that is not court proceedings information about the
25
individual or information about the individual that is
26
entered or recorded on the National Personal Insolvency
27
Index; or
28
(l) the opinion of a credit provider that the individual has
29
committed, in circumstances specified by the provider, a
30
serious credit infringement in relation to consumer credit
31
provided by the provider to the individual.
32
6P Meaning of credit reporting business
33
(1)
A
credit reporting business is a business or undertaking that
34
involves collecting, holding, using or disclosing personal
35
information about individuals for the purpose of, or for purposes
36
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 65
including the purpose of, providing an entity with information
1
about the credit worthiness of an individual.
2
(2) Subsection (1) applies whether or not the information about the
3
credit worthiness of an individual is:
4
(a) provided for profit or reward; or
5
(b) provided, or intended to be provided, for the purposes of
6
assessing an application for consumer credit.
7
(3) In determining whether a business or undertaking carried on by a
8
credit provider is a credit reporting business, disregard the
9
provision of information about the credit worthiness of an
10
individual to a related body corporate by the provider.
11
(4) Despite subsection (1), a business or undertaking is not a credit
12
reporting business if the business or undertaking is included in a
13
class of businesses or undertakings prescribed by the regulations.
14
6Q Meaning of default information
15
Consumer credit defaults
16
(1)
Default information about an individual is information about a
17
payment (including a payment that is wholly or partly a payment of
18
interest) that the individual is overdue in making in relation to
19
consumer credit that has been provided by a credit provider to the
20
individual if:
21
(a) the individual is at least 60 days overdue in making the
22
payment; and
23
(b) the provider has given a written notice to the individual
24
informing the individual of the overdue payment and
25
requesting that the individual pay the amount of the overdue
26
payment; and
27
(c) the provider is not prevented by a statute of limitations from
28
recovering the amount of the overdue payment; and
29
(d) the amount of the overdue payment is equal to or more than:
30
(i)
$100;
or
31
(ii) such higher amount as is prescribed by the regulations.
32
Schedule 2 Credit reporting
66 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Guarantor defaults
1
(2)
Default information about an individual is information about a
2
payment that the individual is overdue in making as a guarantor
3
under a guarantee given against any default by a person (the
4
borrower) in repaying all or any of the debt deferred under
5
consumer credit provided by a credit provider to the borrower if:
6
(a) the provider has given the individual written notice of the
7
borrower's default that gave rise to the individual's
8
obligation to make the overdue payment; and
9
(b) the notice requests that the individual pay the amount of the
10
overdue payment; and
11
(c) at least 60 days have passed since the day on which the
12
notice was given; and
13
(d) in addition to giving the notice, the provider has taken other
14
steps to recover the amount of the overdue payment from the
15
individual; and
16
(e) the provider is not prevented by a statute of limitations from
17
recovering the amount of the overdue payment.
18
6R Meaning of information request
19
Credit provider
20
(1) A credit provider has made an information request in relation to
21
an individual if the provider has sought information about the
22
individual from a credit reporting body:
23
(a) in connection with an application for consumer credit made
24
by the individual to the provider; or
25
(b) in connection with an application for commercial credit made
26
by a person to the provider; or
27
(c) for a credit guarantee purpose of the provider in relation to
28
the individual; or
29
(d) for a securitisation related purpose of the provider in relation
30
to the individual.
31
Mortgage insurer
32
(2) A mortgage insurer has made an information request in relation to
33
an individual if:
34
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 67
(a) the insurer has sought information about the individual from
1
a credit reporting body; and
2
(b) the information was sought in connection with the provision
3
of insurance to a credit provider in relation to mortgage credit
4
provided by the provider to:
5
(i) the individual; or
6
(ii) a person for whom the individual is, or is proposing to
7
be, a guarantor.
8
Trade insurer
9
(3) A trade insurer has made an information request in relation to an
10
individual if:
11
(a) the insurer has sought information about the individual from
12
a credit reporting body; and
13
(b) the information was sought in connection with the provision
14
of insurance to a credit provider in relation to commercial
15
credit provided by the provider to the individual or another
16
person.
17
6S Meaning of new arrangement information
18
Consumer credit defaults
19
(1)
If:
20
(a) a credit provider has disclosed default information about an
21
individual to a credit reporting body; and
22
(b) the default information relates to a payment that the
23
individual is overdue in making in relation to consumer credit
24
(the original consumer credit) that has been provided by the
25
provider to the individual; and
26
(c) because of the individual being so overdue:
27
(i) the terms or conditions of the original consumer credit
28
that relate to the repayment of the amount of credit are
29
varied; or
30
(ii) the individual is provided with other consumer credit
31
(the new consumer credit) by a credit provider that
32
relates, wholly or in part, to that amount of credit;
33
then new arrangement information about the individual is a
34
statement that those terms or conditions of the original consumer
35
Schedule 2 Credit reporting
68 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
credit have been varied, or that the individual has been provided
1
with the new consumer credit.
2
Serious credit infringements
3
(2)
If:
4
(a) a credit provider is of the opinion that an individual has
5
committed a serious credit infringement in relation to
6
consumer credit (the original consumer credit) provided by
7
the provider to the individual; and
8
(b) the provider has disclosed the opinion to a credit reporting
9
body; and
10
(c) because of the provider having that opinion:
11
(i) the terms or conditions of the original consumer credit
12
that relate to the repayment of the amount of credit are
13
varied; or
14
(ii) the individual is provided with other consumer credit
15
(the new consumer credit) by a credit provider that
16
relates, wholly or in part, to that amount of credit;
17
then new arrangement information about the individual is a
18
statement that those terms or conditions of the original consumer
19
credit have been varied, or that the individual has been provided
20
with the new consumer credit.
21
6T Meaning of payment information
22
If:
23
(a) a credit provider has disclosed default information about an
24
individual to a credit reporting body; and
25
(b) on a day after the default information was disclosed, the
26
amount of the overdue payment to which the information
27
relates is paid;
28
then payment information about the individual is a statement that
29
the amount of the overdue payment has been paid on that day.
30
6U Meaning of personal insolvency information
31
(1)
Personal insolvency information about an individual is
32
information:
33
(a) that is entered or recorded in the National Personal
34
Insolvency Index; and
35
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 69
(b) that relates to:
1
(i) a bankruptcy of the individual; or
2
(ii) a debt agreement proposal given by the individual; or
3
(iii) a debt agreement made by the individual; or
4
(iv) a personal insolvency agreement executed by the
5
individual; or
6
(v) a direction given, or an order made, under section 50 of
7
the Bankruptcy Act that relates to the property of the
8
individual; or
9
(vi) an authority signed under section 188 of that Act that
10
relates to the property of the individual.
11
(2) Despite subparagraph (1)(b)(i), personal insolvency information
12
about an individual must not relate to:
13
(a) the presentation of a creditor's petition against the individual;
14
or
15
(b) an administration under Part XI of the Bankruptcy Act of the
16
individual's estate.
17
(3) An expression used in paragraph (1)(b) or (2)(a) that is also used in
18
the Bankruptcy Act has the same meaning in that paragraph as it
19
has in that Act.
20
6V Meaning of repayment history information
21
(1) If a credit provider provides consumer credit to an individual, the
22
following information about the consumer credit is repayment
23
history information about the individual:
24
(a) whether or not the individual has met an obligation to make a
25
monthly payment that is due and payable in relation to the
26
consumer credit;
27
(b) the day on which the monthly payment is due and payable;
28
(c) if the individual makes the monthly payment after the day on
29
which the payment is due and payable--the day on which the
30
individual makes that payment.
31
(2) The regulations may make provision in relation to:
32
(a) whether or not an individual has met an obligation to make a
33
monthly payment that is due and payable in relation to
34
consumer credit; and
35
(b) whether or not a payment is a monthly payment.
36
Schedule 2 Credit reporting
70 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Division 3--Other matters
1
70 Paragraphs 7(1)(a) and 8(1)(a)
2
Omit "credit reporting agency" (wherever occurring), substitute "credit
3
reporting body".
4
71 Sections 11A and 11B
5
Repeal the sections.
6
72 Part IIIA
7
Repeal the Part, substitute:
8
Part IIIA--Credit reporting
9
Division 1--Introduction
10
19 Guide to this Part
11
In general, this Part deals with the privacy of information relating
12
to credit reporting.
13
Divisions 2 and 3 contain rules that apply to credit reporting bodies
14
and credit providers in relation to their handling of information
15
relating to credit reporting.
16
Division 4 contains rules that apply to affected information
17
recipients in relation to their handling of their regulated
18
information.
19
Division 5 deals with complaints to credit reporting bodies or
20
credit providers about acts or practices that may be a breach of
21
certain provisions of this Part or the registered CR code.
22
Division 6 deals with entities that obtain credit reporting
23
information or credit eligibility information by false pretence, or
24
when they are not authorised to do so under this Part.
25
Division 7 provides for compensation orders, and other orders, to
26
be made by the Federal Court or Federal Magistrates Court.
27
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 71
Division 2--Credit reporting bodies
1
Subdivision A--Introduction and application of this Division
2
etc.
3
20 Guide to this Division
4
This Division sets out rules that apply to credit reporting bodies in
5
relation to their handling of the following:
6
(a)
credit reporting information;
7
(b)
CP derived information;
8
(c)
credit reporting information that is de-identified;
9
(d)
a pre-screening assessment.
10
The rules apply in relation to that kind of information or
11
assessment instead of the Australian Privacy Principles.
12
20A Application of this Division and the Australian Privacy
13
Principles to credit reporting bodies
14
(1) This Division applies to a credit reporting body in relation to the
15
following:
16
(a) credit reporting information;
17
(b) CP derived information;
18
(c) credit reporting information that is de-identified;
19
(d) a pre-screening assessment.
20
(2) The Australian Privacy Principles do not apply to a credit reporting
21
body in relation to personal information that is:
22
(a) credit reporting information; or
23
(b) CP derived information; or
24
(c) a pre-screening assessment.
25
Note:
The Australian Privacy Principles apply to the credit reporting body in
26
relation to other kinds of personal information.
27
Schedule 2 Credit reporting
72 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Subdivision B--Consideration of information privacy
1
20B Open and transparent management of credit reporting
2
information
3
(1) The object of this section is to ensure that credit reporting bodies
4
manage credit reporting information in an open and transparent
5
way.
6
Compliance with this Division etc.
7
(2) A credit reporting body must take such steps as are reasonable in
8
the circumstances to implement practices, procedures and systems
9
relating to the credit reporting business of the body that:
10
(a) will ensure that the body complies with this Division and the
11
registered CR code; and
12
(b) will enable the body to deal with inquiries or complaints
13
from individuals about the body's compliance with this
14
Division or the registered CR code.
15
Policy about the management of credit reporting information
16
(3) A credit reporting body must have a clearly expressed and
17
up-to-date policy about the management of credit reporting
18
information by the body.
19
(4) Without limiting subsection (3), the policy of the credit reporting
20
body must contain the following information:
21
(a) the kinds of credit information that the body collects and how
22
the body collects that information;
23
(b) the kinds of credit reporting information that the body holds
24
and how the body holds that information;
25
(c) the kinds of personal information that the body usually
26
derives from credit information that the body holds;
27
(d) the purposes for which the body collects, holds, uses and
28
discloses credit reporting information;
29
(e) information about the effect of section 20G (which deals with
30
direct marketing) and how the individual may make a request
31
under subsection (5) of that section;
32
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 73
(f) how an individual may access credit reporting information
1
about the individual that is held by the body and seek the
2
correction of such information;
3
(g) information about the effect of section 20T (which deals with
4
individuals requesting the correction of credit information
5
etc.);
6
(h) how an individual may complain about a failure of the body
7
to comply with this Division or the registered CR code and
8
how the body will deal with such a complaint.
9
Availability of policy etc.
10
(5) A credit reporting body must take such steps as are reasonable in
11
the circumstances to make the policy available:
12
(a) free of charge; and
13
(b) in such form as is appropriate.
14
Note:
A credit reporting body will usually make the policy available on the
15
body's website.
16
(6) If a person or body requests a copy, in a particular form, of the
17
policy of a credit reporting body, the credit reporting body must
18
take such steps as are reasonable in the circumstances to give the
19
person or body a copy in that form.
20
Subdivision C--Collection of credit information
21
20C Collection of solicited credit information
22
Prohibition on collection
23
(1) A credit reporting body must not collect credit information about
24
an individual.
25
Civil penalty:
2,000 penalty units.
26
Exceptions
27
(2) Subsection (1) does not apply if the collection of the credit
28
information is required or authorised by or under an Australian law
29
or a court/tribunal order.
30
(3) Subsection (1) does not apply if:
31
Schedule 2 Credit reporting
74 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) the credit reporting body collects the credit information about
1
the individual from a credit provider who is permitted under
2
section 21D to disclose the information to the body; and
3
(b) the body collects the information in the course of carrying on
4
a credit reporting business; and
5
(c) if the information is identification information about the
6
individual--the body also collects from the provider, or
7
already holds, credit information of another kind about the
8
individual.
9
(4) Subsection (1) does not apply if:
10
(a) the credit reporting body:
11
(i) collects the credit information about the individual from
12
an entity (other than a credit provider) in the course of
13
carrying on a credit reporting business; and
14
(ii) knows, or believes on reasonable grounds, that the
15
individual is at least 18 years old; and
16
(b) the information does not relate to an act, omission, matter or
17
thing that occurred or existed before the individual turned 18;
18
and
19
(c) if the information relates to consumer credit or commercial
20
credit--the credit is or has been provided, or applied for, in
21
Australia; and
22
(d) if the information is identification information about the
23
individual--the body also collects from the entity, or already
24
holds, credit information of another kind about the
25
individual; and
26
(e) if the information is repayment history information about the
27
individual--the body collects the information from another
28
credit reporting body that has an Australian link.
29
(5) Paragraph (4)(b) does not apply to identification information about
30
the individual.
31
(6) Despite paragraph (4)(b), consumer credit liability information
32
about the individual may relate to consumer credit that was entered
33
into on a day before the individual turned 18, so long as the
34
consumer credit was not terminated, or did not otherwise cease to
35
be in force, on a day before the individual turned 18.
36
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 75
Means of collection
1
(7) A credit reporting body must collect credit information only by
2
lawful and fair means.
3
Solicited credit information
4
(8) This section applies to the collection of credit information that is
5
solicited by a credit reporting body.
6
20D Dealing with unsolicited credit information
7
(1)
If:
8
(a) a credit reporting body receives credit information about an
9
individual; and
10
(b) the body did not solicit the information;
11
the body must, within a reasonable period after receiving the
12
information, determine whether or not the body could have
13
collected the information under section
14
20C if the body had solicited the information.
15
(2) The credit reporting body may use or disclose the credit
16
information for the purposes of making the determination under
17
subsection (1).
18
(3) If the credit reporting body determines that it could have collected
19
the credit information, sections 20E to 20ZA apply in relation to
20
the information as if the body had collected the information under
21
section
22
20C.
23
(4) If the credit reporting body determines that it could not have
24
collected the credit information, the body must, as soon as
25
practicable, destroy the information.
26
Civil penalty:
1,000 penalty units.
27
(5) Subsection (4) does not apply if the credit reporting body is
28
required by or under an Australian law, or a court/tribunal order, to
29
retain the credit information.
30
Schedule 2 Credit reporting
76 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Subdivision D--Dealing with credit reporting information etc.
1
20E Use or disclosure of credit reporting information
2
Prohibition on use or disclosure
3
(1) If a credit reporting body holds credit reporting information about
4
an individual, the body must not use or disclose the information.
5
Civil penalty:
2,000 penalty units.
6
Permitted uses
7
(2) Subsection (1) does not apply to the use of credit reporting
8
information about the individual if:
9
(a) the credit reporting body uses the information in the course
10
of carrying on the body's credit reporting business; or
11
(b) the use is required or authorised by or under an Australian
12
law or a court/tribunal order; or
13
(c) the use is a use prescribed by the regulations.
14
Permitted disclosures
15
(3) Subsection (1) does not apply to the disclosure of credit reporting
16
information about the individual if:
17
(a) the disclosure is a permitted CRB disclosure in relation to the
18
individual; or
19
(b) the disclosure is to another credit reporting body that has an
20
Australian link; or
21
(c) both of the following apply:
22
(i) the disclosure is for the purposes of a recognised
23
external dispute resolution scheme;
24
(ii) a credit reporting body or credit provider is a member of
25
the scheme; or
26
(d) both of the following apply:
27
(i) the disclosure is to an enforcement body;
28
(ii) the credit reporting body is satisfied that the body, or
29
another enforcement body, believes on reasonable
30
grounds that the individual has committed a serious
31
credit infringement; or
32
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 77
(e) the disclosure is required or authorised by or under an
1
Australian law or a court/tribunal order; or
2
(f) the disclosure is a disclosure prescribed by the regulations.
3
(4) However, if the credit reporting information is, or was derived
4
from, repayment history information about the individual, the
5
credit reporting body must not disclose the information under
6
paragraph (3)(a) or (f) unless the recipient of the information is a
7
credit provider who is a licensee.
8
Civil penalty:
2,000 penalty units.
9
(5) If a credit reporting body discloses credit reporting information
10
under this section, the body must make a written note of that
11
disclosure.
12
Civil penalty:
500 penalty units.
13
Note:
Other Acts may provide that the note must not be made (see for
14
example the Australian Crime Commission Act 2002 and the Law
15
Enforcement Integrity Commissioner Act 2006).
16
No use or disclosure for the purposes of direct marketing
17
(6) This section does not apply to the use or disclosure of credit
18
reporting information for the purposes of direct marketing.
19
Note:
Section 20G deals with the use or disclosure of credit reporting
20
information for the purposes of direct marketing.
21
20F Permitted CRB disclosures in relation to individuals
22
(1) A disclosure by a credit reporting body of credit reporting
23
information about an individual is a permitted CRB disclosure in
24
relation to the individual if:
25
(a) the disclosure is to an entity that is specified in an item of the
26
table and that has an Australian link; and
27
(b) such conditions as are specified for the item are satisfied.
28
29
Permitted CRB disclosures
Item
If the disclosure is to ...
the condition or conditions are ...
1
a credit provider
the provider requests the information for a
consumer credit related purpose of the provider
in relation to the individual.
Schedule 2 Credit reporting
78 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Permitted CRB disclosures
Item
If the disclosure is to ...
the condition or conditions are ...
2
a credit provider
(a) the provider requests the information for a
commercial credit related purpose of the
provider in relation to a person; and
(b) the individual expressly consents to the
disclosure of the information to the provider
for that purpose.
3
a credit provider
(a) the provider requests the information for a
credit guarantee purpose of the provider in
relation to the individual; and
(b) the individual expressly consents, in writing,
to the disclosure of the information to the
provider for that purpose.
4
a credit provider
the credit reporting body is satisfied that the
provider, or another credit provider, believes on
reasonable grounds that the individual has
committed a serious credit infringement.
5
a credit provider
(a) the credit reporting body holds consumer
credit liability information that relates to
consumer credit provided by the provider to
the individual; and
(b) the consumer credit has not been terminated,
or has not otherwise ceased to be in force.
6
a credit provider under
subsection 6J(1)
the provider requests the information for a
securitisation related purpose of the provider in
relation to the individual.
7
a mortgage insurer
the insurer requests the information for a
mortgage insurance purpose of the insurer in
relation to the individual.
8
a trade insurer
(a) the insurer requests the information for a
trade insurance purpose of the insurer in
relation to the individual; and
(b) the individual expressly consents, in writing,
to the disclosure of the information to the
insurer for that purpose.
1
(2) The consent of the individual under paragraph (b) of item 2 of the
2
table in subsection (1) must be given in writing unless:
3
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 79
(a) the credit provider referred to in that item requests the
1
information for the purpose of assessing an application for
2
commercial credit made by a person to the provider; and
3
(b) the application has not been made in writing.
4
20G Use or disclosure of credit reporting information for the
5
purposes of direct marketing
6
Prohibition on direct marketing
7
(1) If a credit reporting body holds credit reporting information about
8
an individual, the body must not use or disclose the information for
9
the purposes of direct marketing.
10
Civil penalty:
2,000 penalty units.
11
Permitted use for pre-screening
12
(2) Subsection (1) does not apply to the use by the credit reporting
13
body of credit information about the individual for the purposes of
14
direct marketing by, or on behalf of, a credit provider if:
15
(a) the provider has an Australian link and is a licensee; and
16
(b) the direct marketing is about consumer credit that the
17
provider provides in Australia; and
18
(c) the information is not consumer credit liability information,
19
or repayment history information, about the individual; and
20
(d) the body uses the information to assess whether or not the
21
individual is eligible to receive the direct marketing
22
communications of the credit provider; and
23
(e) the individual has not made a request under subsection (5);
24
and
25
(f) the body complies with any requirements that are set out in
26
the registered CR code.
27
(3) In assessing under paragraph (2)(d) whether or not the individual is
28
eligible to receive the direct marketing communications of the
29
credit provider, the credit reporting body must have regard to the
30
eligibility requirements nominated by the provider.
31
(4) An assessment under paragraph (2)(d) is not credit reporting
32
information about the individual.
33
Schedule 2 Credit reporting
80 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Request not to use information for pre-screening
1
(5) An individual may request a credit reporting body that holds credit
2
information about the individual not to use the information under
3
subsection (2).
4
(6) If the individual makes a request under subsection (5), the credit
5
reporting body must not charge the individual for the making of the
6
request or to give effect to the request.
7
Written note of use
8
(7) If a credit reporting body uses credit information under
9
subsection (2), the body must make a written note of that use.
10
Civil penalty:
500 penalty units.
11
20H Use or disclosure of pre-screening assessments
12
Use or disclosure by credit reporting bodies
13
(1) If a credit reporting body makes a pre-screening assessment in
14
relation to direct marketing by, or on behalf of, a credit provider,
15
the body must not use or disclose the assessment.
16
Civil penalty:
2,000 penalty units.
17
(2) Subsection (1) does not apply if:
18
(a) the credit reporting body discloses the pre-screening
19
assessment for the purposes of the direct marketing by, or on
20
behalf of, the credit provider; and
21
(b) the recipient of the assessment is an entity (other than the
22
provider) that has an Australian link.
23
(3) If the credit reporting body discloses the pre-screening assessment
24
under subsection (2), the body must make a written note of that
25
disclosure.
26
Civil penalty:
500 penalty units.
27
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 81
Use or disclosure by recipients
1
(4) If the credit reporting body discloses the pre-screening assessment
2
under subsection (2), the recipient must not use or disclose the
3
assessment.
4
Civil penalty:
1,000 penalty units.
5
(5) Subsection (4) does not apply if the recipient uses the
6
pre-screening assessment for the purposes of the direct marketing
7
by, or on behalf of, the credit provider.
8
(6) If the recipient uses the pre-screening assessment under
9
subsection (5), the recipient must make a written note of that use.
10
Civil penalty:
500 penalty units.
11
Interaction with the Australian Privacy Principles
12
(7) If the recipient is an APP entity, Australian Privacy Principles 6, 7
13
and 8 do not apply to the recipient in relation to a pre-screening
14
assessment.
15
20J Destruction of pre-screening assessment
16
(1) If an entity has possession or control of a pre-screening
17
assessment, the entity must destroy the assessment if:
18
(a) the entity no longer needs the assessment for any purpose for
19
which it may be used or disclosed under section 20H; and
20
(b) the entity is not required by or under an Australian law, or a
21
court/tribunal order, to retain the assessment.
22
Civil penalty:
1,000 penalty units.
23
(2) If the entity is an APP entity but not a credit reporting body,
24
Australian Privacy Principle 11.2 does not apply to the entity in
25
relation to the pre-screening assessment.
26
20K No use or disclosure of credit reporting information during a
27
ban period
28
(1)
If:
29
(a) a credit reporting body holds credit reporting information
30
about an individual; and
31
Schedule 2 Credit reporting
82 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) the individual believes on reasonable grounds that the
1
individual has been, or is likely to be, a victim of fraud
2
(including identity fraud); and
3
(c) the individual requests the body not to use or disclose the
4
information under this Division;
5
then, despite any other provision of this Division, the body must
6
not use or disclose the information during the ban period for the
7
information.
8
Civil penalty:
2,000 penalty units.
9
(2) Subsection (1) does not apply if:
10
(a) the individual expressly consents, in writing, to the use or
11
disclosure of the credit reporting information under this
12
Division; or
13
(b) the use or disclosure of the credit reporting information is
14
required by or under an Australian law or a court/tribunal
15
order.
16
Ban period
17
(3)
The
ban period for credit reporting information about an individual
18
is the period that:
19
(a) starts when the individual makes a request under
20
paragraph (1)(c); and
21
(b)
ends:
22
(i) 21 days after the day on which the request is made; or
23
(ii) if the period is extended under subsection (4)--on the
24
day after the extended period ends.
25
(4)
If:
26
(a) there is a ban period for credit reporting information about an
27
individual that is held by a credit reporting body; and
28
(b) before the ban period ends, the individual requests the body
29
to extend that period; and
30
(c) the body believes on reasonable grounds that the individual
31
has been, or is likely to be, a victim of fraud (including
32
identity fraud);
33
the body must:
34
(d) extend the ban period by such period as the body considers is
35
reasonable in the circumstances; and
36
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 83
(e) give the individual written notification of the extension.
1
Civil penalty:
1,000 penalty units.
2
(5) A ban period for credit reporting information may be extended
3
more than once under subsection (4).
4
No charge for request etc.
5
(6) If an individual makes a request under paragraph (1)(c) or (4)(b), a
6
credit reporting body must not charge the individual for the making
7
of the request or to give effect to the request.
8
20L Adoption of government related identifiers
9
(1)
If:
10
(a) a credit reporting body holds credit reporting information
11
about an individual; and
12
(b) the information is a government related identifier of the
13
individual;
14
the body must not adopt the government related identifier as its
15
own identifier of the individual.
16
Civil penalty:
2,000 penalty units.
17
(2) Subsection (1) does not apply if the adoption of the government
18
related identifier is required or authorised by or under an
19
Australian law or a court/tribunal order.
20
20M Use or disclosure of credit reporting information that is
21
de-identified
22
Use or disclosure
23
(1)
If:
24
(a) a credit reporting body holds credit reporting information;
25
and
26
(b) the information (the de-identified information) is
27
de-identified;
28
the body must not use or disclose the de-identified information.
29
(2) Subsection (1) does not apply to the use or disclosure of the
30
de-identified information if:
31
Schedule 2 Credit reporting
84 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) the use or disclosure is for the purposes of conducting
1
research in relation to the assessment of the credit worthiness
2
of individuals; and
3
(b) the credit reporting body complies with the rules made under
4
subsection (3).
5
Commissioner may make rules
6
(3) The Commissioner may, by legislative instrument, make rules
7
relating to the use or disclosure by a credit reporting body of
8
de-identified information for the purposes of conducting research
9
in relation to the assessment of the credit worthiness of individuals.
10
(4) Without limiting subsection (3), the rules may relate to the
11
following matters:
12
(a) the kinds of de-identified information that may or may not be
13
used or disclosed for the purposes of conducting the research;
14
(b) whether or not the research is research in relation to the
15
assessment of the credit worthiness of individuals;
16
(c) the purposes of conducting the research;
17
(d) consultation about the research;
18
(e) how the research is conducted.
19
Subdivision E--Integrity of credit reporting information
20
20N Quality of credit reporting information
21
(1) A credit reporting body must take such steps as are reasonable in
22
the circumstances to ensure that the credit information the body
23
collects is accurate, up-to-date and complete.
24
(2) A credit reporting body must take such steps as are reasonable in
25
the circumstances to ensure that the credit reporting information
26
the body uses or discloses is, having regard to the purpose of the
27
use or disclosure, accurate, up-to-date, complete and relevant.
28
(3) Without limiting subsections (1) and (2), a credit reporting body
29
must:
30
(a) enter into agreements with credit providers that require the
31
providers to ensure that credit information that they disclose
32
to the body under section 21D is accurate, up-to-date and
33
complete; and
34
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 85
(b) ensure that regular audits are conducted by an independent
1
person to determine whether those agreements are being
2
complied with; and
3
(c) identify and deal with suspected breaches of those
4
agreements.
5
20P False or misleading credit reporting information
6
Offence
7
(1) A credit reporting body commits an offence if:
8
(a) the body uses or discloses credit reporting information under
9
this Division (other than subsections 20D(2) and 20T(4));
10
and
11
(b) the information is false or misleading in a material particular.
12
Penalty: 200 penalty units.
13
Civil penalty
14
(2) A credit reporting body must not use or disclose credit reporting
15
information under this Division (other than subsections 20D(2) and
16
20T(4)) if the information is false or misleading in a material
17
particular.
18
Civil penalty:
2,000 penalty units.
19
20Q Security of credit reporting information
20
(1) If a credit reporting body holds credit reporting information, the
21
body must take such steps as are reasonable in the circumstances to
22
protect the information:
23
(a) from misuse, interference and loss; and
24
(b) from unauthorised access, modification or disclosure.
25
(2) Without limiting subsection (1), a credit reporting body must:
26
(a) enter into agreements with credit providers that require the
27
providers to protect credit reporting information that is
28
disclosed to them under this Division:
29
(i) from misuse, interference and loss; and
30
(ii) from unauthorised access, modification or disclosure;
31
and
32
Schedule 2 Credit reporting
86 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) ensure that regular audits are conducted by an independent
1
person to determine whether those agreements are being
2
complied with; and
3
(c) identify and deal with suspected breaches of those
4
agreements.
5
Subdivision F--Access to, and correction of, information
6
20R Access to credit reporting information
7
Access
8
(1) If a credit reporting body holds credit reporting information about
9
an individual, the body must, on request by an access seeker in
10
relation to the information, give the access seeker access to the
11
information.
12
Exceptions to access
13
(2) Despite subsection (1), the credit reporting body is not required to
14
give the access seeker access to the credit reporting information to
15
the extent that:
16
(a) giving access would be unlawful; or
17
(b) denying access is required or authorised by or under an
18
Australian law or a court/tribunal order; or
19
(c) giving access would be likely to prejudice one or more
20
enforcement related activities conducted by, or on behalf of,
21
an enforcement body.
22
Dealing with requests for access
23
(3) The credit reporting body must respond to the request within a
24
reasonable period, but not longer than 10 days, after the request is
25
made.
26
Means of access
27
(4) If the credit reporting body gives access to the credit reporting
28
information, the access must be given in the manner set out in the
29
registered CR code.
30
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 87
Access charges
1
(5) If a request under subsection (1) in relation to the individual has
2
not been made to the credit reporting body in the previous 12
3
months, the body must not charge the access seeker for the making
4
of the request or for giving access to the information.
5
(6) If subsection (5) does not apply, any charge by the credit reporting
6
body for giving access to the information must not be excessive
7
and must not apply to the making of the request.
8
Refusal to give access
9
(7) If the credit reporting body refuses to give access to the
10
information because of subsection (2), the body must give the
11
access seeker a written notice that:
12
(a) sets out the reasons for the refusal except to the extent that,
13
having regard to the grounds for the refusal, it would be
14
unreasonable to do so; and
15
(b) states that, if the access seeker is not satisfied with the
16
response to the request, the access seeker may:
17
(i) access a recognised external dispute resolution scheme
18
of which the body is a member; or
19
(ii) make a complaint to the Commissioner under Part V.
20
20S Correction of credit reporting information
21
(1)
If:
22
(a) a credit reporting body holds credit reporting information
23
about an individual; and
24
(b) the body is satisfied that, having regard to a purpose for
25
which the information is held by the body, the information is
26
inaccurate, out-of-date, incomplete, irrelevant or misleading;
27
the body must take such steps (if any) as are reasonable in the
28
circumstances to correct the information to ensure that, having
29
regard to the purpose for which it is held, the information is
30
accurate, up-to-date, complete, relevant and not misleading.
31
(2)
If:
32
(a) the credit reporting body corrects credit reporting information
33
under subsection (1); and
34
Schedule 2 Credit reporting
88 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) the body has previously disclosed the information under this
1
Division (other than subsections 20D(2) and 20T(4));
2
the body must, within a reasonable period, give each recipient of
3
the information written notice of the correction.
4
(3) Subsection (2) does not apply if:
5
(a) it is impracticable for the credit reporting body to give the
6
notice under that subsection; or
7
(b) the credit reporting body is required by or under an
8
Australian law, or a court/tribunal order, not to give the
9
notice under that subsection.
10
20T Individual may request the correction of credit information etc.
11
Request
12
(1) An individual may request a credit reporting body to correct
13
personal information about the individual if:
14
(a) the personal information is:
15
(i) credit information about the individual; or
16
(ii) CRB derived information about the individual; or
17
(iii) CP derived information about the individual; and
18
(b) the body holds at least one kind of the personal information
19
referred to in paragraph (a).
20
Correction
21
(2) If the credit reporting body is satisfied that the personal
22
information is inaccurate, out-of-date, incomplete, irrelevant or
23
misleading, the body must take such steps (if any) as are
24
reasonable in the circumstances to correct the information within:
25
(a) the period of 30 days that starts on the day on which the
26
request is made; or
27
(b) such longer period as the individual has agreed to in writing.
28
Consultation
29
(3) If the credit reporting body considers that the body cannot be
30
satisfied of the matter referred to in subsection (2) in relation to the
31
personal information without consulting either or both of the
32
following (the interested party):
33
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 89
(a) another credit reporting body that holds or held the
1
information and that has an Australian link;
2
(b) a credit provider that holds or held the information and that
3
has an Australian link;
4
the body must consult that interested party, or those interested
5
parties, about the individual's request.
6
(4) The use or disclosure of personal information about the individual
7
for the purposes of the consultation is taken, for the purposes of
8
this Act, to be a use or disclosure that is authorised by this
9
subsection.
10
No charge
11
(5) The credit reporting body must not charge the individual for the
12
making of the request or for correcting the information.
13
20U Notice of correction etc. must be given
14
(1) This section applies if an individual requests a credit reporting
15
body to correct personal information under subsection 20T(1).
16
Notice of correction etc.
17
(2) If the credit reporting body corrects the personal information under
18
subsection 20T(2), the body must, within a reasonable period:
19
(a) give the individual written notice of the correction; and
20
(b) if the body consulted an interested party under subsection
21
20T(3) about the individual's request--give the party written
22
notice of the correction; and
23
(c) if the correction relates to information that the body has
24
previously disclosed under this Division (other than
25
subsections 20D(2) and 20T(4))--give each recipient of the
26
information written notice of the correction.
27
(3) If the credit reporting body does not correct the personal
28
information under subsection 20T(2), the body must, within a
29
reasonable period, give the individual written notice that:
30
(a) states that the correction has not been made; and
31
(b) sets out the body's reasons for not correcting the information
32
(including evidence substantiating the correctness of the
33
information); and
34
Schedule 2 Credit reporting
90 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(c) states that, if the individual is not satisfied with the response
1
to the request, the individual may:
2
(i) access a recognised external dispute resolution scheme
3
of which the body is a member; or
4
(ii) make a complaint to the Commissioner under Part V.
5
Exceptions
6
(4) Paragraph (2)(c) does not apply if it is impracticable for the credit
7
reporting body to give the notice under that paragraph.
8
(5) Subsection (2) or (3) does not apply if the credit reporting body is
9
required by or under an Australian law, or a court/tribunal order,
10
not to give the notice under that subsection.
11
Subdivision G--Dealing with credit reporting information after
12
the retention period ends etc.
13
20V Destruction etc. of credit reporting information after the
14
retention period ends
15
(1) This section applies if:
16
(a) a credit reporting body holds credit information about an
17
individual; and
18
(b) the retention period for the information ends.
19
Note:
There is no retention period for identification information or credit
20
information of a kind referred to in paragraph 6N(k).
21
Destruction etc. of credit information
22
(2) The credit reporting body must destroy the credit information, or
23
ensure that the information is de-identified, within 1 month after
24
the retention period for the information ends.
25
Civil penalty:
1,000 penalty units.
26
(3) Despite subsection (2), the credit reporting body must neither
27
destroy the credit information nor ensure that the information is
28
de-identified, if immediately before the retention period ends:
29
(a) there is a pending correction request in relation to the
30
information; or
31
(b) there is a pending dispute in relation to the information.
32
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 91
Civil penalty:
500 penalty units.
1
(4) Subsection (2) does not apply if the credit reporting body is
2
required by or under an Australian law, or a court/tribunal order, to
3
retain the credit information.
4
Destruction etc. of CRB derived information
5
(5) The credit reporting body must destroy any CRB derived
6
information about the individual that was derived from the credit
7
information, or ensure that the CRB derived information is
8
de-identified:
9
(a)
if:
10
(i) the CRB derived information was derived from 2 or
11
more kinds of credit information; and
12
(ii) the body is required to do a thing referred to in
13
subsection (2) to one of those kinds of credit
14
information;
15
at the same time that the body does that thing to that credit
16
information; or
17
(b) otherwise--at the same time that the body is required to do a
18
thing referred to in subsection (2) to the credit information
19
from which the CRB derived information was derived.
20
Civil penalty:
1,000 penalty units.
21
(6) Despite subsection (5), the credit reporting body must neither
22
destroy the CRB derived information nor ensure that the
23
information is de-identified, if immediately before the retention
24
period ends:
25
(a) there is a pending correction request in relation to the
26
information; or
27
(b) there is a pending dispute in relation to the information.
28
Civil penalty:
500 penalty units.
29
(7) Subsection (5) does not apply if the credit reporting body is
30
required by or under an Australian law, or a court/tribunal order, to
31
retain the CRB derived information.
32
Schedule 2 Credit reporting
92 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
20W Retention period for credit information--general
1
The following table sets out the retention period for credit
2
information:
3
(a) that is information of a kind referred to in an item of the
4
table; and
5
(b) that is held by a credit reporting body.
6
7
Retention period
Item
If the credit information is ...
the retention period for the information
is ...
1
consumer credit liability
information
the period of 2 years that starts on the
day on which the consumer credit to
which the information relates is
terminated or otherwise ceases to be in
force.
2
repayment history information
the period of 2 years that starts on the
day on which the monthly payment to
which the information relates is due and
payable.
3
information of a kind referred to
in paragraph 6N(d) or (e)
the period of 5 years that starts on the
day on which the information request to
which the information relates is made.
4
default information
the period of 5 years that starts on the
day on which the credit reporting body
collects the information.
5
payment information
the period of 5 years that starts on the
day on which the credit reporting body
collects the default information to which
the payment information relates.
6 new
arrangement
information
within the meaning of
subsection 6S(1)
the period of 2 years that starts on the
day on which the credit reporting body
collects the default information referred
to in that subsection.
7 new
arrangement
information
within the meaning of
subsection 6S(2)
the period of 2 years that starts on the
day on which the credit reporting body
collects the information about the
opinion referred to in that subsection.
8
court proceedings information
the period of 5 years that starts on the
day on which the judgement to which the
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 93
Retention period
Item
If the credit information is ...
the retention period for the information
is ...
information relates is made or given.
9
information of a kind referred to
in paragraph 6N(l)
the period of 7 years that starts on the
day on which the credit reporting body
collects the information.
1
20X Retention period for credit information--personal insolvency
2
information
3
(1) The following table has effect:
4
5
Item
If personal insolvency
information relates to ...
the retention period for the information
is whichever of the following periods
ends later ...
1
a bankruptcy of an individual
(a) the period of 5 years that starts on the
day on which the individual becomes
a bankrupt;
(b) the period of 2 years that starts on the
day the bankruptcy ends.
2
a personal insolvency
agreement to which item 3 of
this table does not apply
(a) the period of 5 years that starts on the
day on which the agreement is
executed;
(b) the period of 2 years that starts on the
day the agreement is terminated or set
aside under the Bankruptcy Act.
3
a personal insolvency
agreement in relation to which a
certificate has been signed
under section 232 of the
Bankruptcy Act
(a) the period of 5 years that starts on the
day on which the agreement is
executed;
(b) the period that ends on the day on
which the certificate is signed.
4
a debt agreement to which
item 5 of this table does not
apply
(a) the period of 5 years that starts on the
day on which the agreement is made;
(b) the period of 2 years that starts on the
day:
(i) the agreement is terminated
under the Bankruptcy Act; or
(ii) an order declaring that all the
Schedule 2 Credit reporting
94 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Item
If personal insolvency
information relates to ...
the retention period for the information
is whichever of the following periods
ends later ...
agreement is void is made
under that Act.
5
a debt agreement that ends
under section 185N of the
Bankruptcy Act
(a) the period of 5 years that starts on the
day on which the agreement is made;
(b) the period that ends on the day on
which the agreement ends.
1
Debt agreement proposals
2
(2) If personal insolvency information relates to a debt agreement
3
proposal, the retention period for the information is the period that
4
ends on the day on which:
5
(a) the proposal is withdrawn; or
6
(b) the proposal is not accepted under section 185EC of the
7
Bankruptcy Act; or
8
(c) the acceptance of the proposal for processing is cancelled
9
under section 185ED of that Act; or
10
(d) the proposal lapses under section 185G of that Act.
11
Control of property
12
(3) If personal insolvency information relates to a direction given, or
13
an order made, under section 50 of the Bankruptcy Act, the
14
retention period for the information is the period that ends on the
15
day on which the control of the property to which the direction or
16
order relates ends.
17
Note:
See subsection 50(1B) of the Bankruptcy Act for when the control of
18
the property ends.
19
(4) If the personal insolvency information relates to an authority
20
signed under section 188 of the Bankruptcy Act, the retention
21
period for the information is the period that ends on the day on
22
which the property to which the authority relates is no longer
23
subject to control under Division 2 of Part X of that Act.
24
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 95
Interpretation
1
(5) An expression used in this section that is also used in the
2
Bankruptcy Act has the same meaning in this section as it has in
3
that Act.
4
20Y Destruction of credit reporting information in cases of fraud
5
(1) This section applies if:
6
(a) a credit reporting body holds credit reporting information
7
about an individual; and
8
(b) the information relates to consumer credit that has been
9
provided by a credit provider to the individual, or a person
10
purporting to be the individual; and
11
(c) the body is satisfied that:
12
(i) the individual has been a victim of fraud (including
13
identity fraud); and
14
(ii) the consumer credit was provided as a result of that
15
fraud.
16
Destruction of credit reporting information
17
(2) The credit reporting body must:
18
(a) destroy the credit reporting information; and
19
(b) within a reasonable period after the information is destroyed:
20
(i) give the individual a written notice that states that the
21
information has been destroyed and sets out the effect of
22
subsection (4); and
23
(ii) give the credit provider a written notice that states that
24
the information has been destroyed.
25
Civil penalty:
1,000 penalty units.
26
(3) Subsection (2) does not apply if the credit reporting body is
27
required by or under an Australian law, or a court/tribunal order, to
28
retain the credit reporting information.
29
Notification of destruction to third parties
30
(4)
If:
31
(a) a credit reporting body destroys credit reporting information
32
about an individual under subsection (2); and
33
Schedule 2 Credit reporting
96 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) the body has previously disclosed the information to one or
1
more recipients under Subdivision D of this Division;
2
the body must, within a reasonable period after the destruction,
3
notify those recipients of the destruction and the matters referred to
4
in paragraph (1)(c).
5
Civil penalty:
500 penalty units.
6
(5) Subsection (4) does not apply if the credit reporting body is
7
required by or under an Australian law, or a court/tribunal order,
8
not to give the notification.
9
20Z Dealing with information if there is a pending correction
10
request etc.
11
(1) This section applies if a credit reporting body holds credit reporting
12
information about an individual and either:
13
(a) subsection 20V(3) applies in relation to the information; or
14
(b) subsection 20V(6) applies in relation to the information.
15
Notification of Commissioner
16
(2) The credit reporting body must, as soon as practicable, notify in
17
writing the Commissioner of the matter referred to in
18
paragraph (1)(a) or (b) of this section.
19
Civil penalty:
1,000 penalty units.
20
Use or disclosure
21
(3) The credit reporting body must not use or disclose the information
22
under Subdivision D of this Division.
23
Civil penalty:
2,000 penalty units.
24
(4) However, the credit reporting body may use or disclose the
25
information under this subsection if:
26
(a) the use or disclosure is for the purposes of the pending
27
correction request, or pending dispute, in relation to the
28
information; or
29
(b) the use or disclosure of the information is required by or
30
under an Australian law or a court/tribunal order.
31
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 97
(5) If the credit reporting body uses or discloses the information under
1
subsection (4), the body must make a written note of the use or
2
disclosure.
3
Civil penalty:
500 penalty units.
4
Direction to destroy information etc.
5
(6) The Commissioner may, by legislative instrument, direct the credit
6
reporting body to destroy the information, or ensure that the
7
information is de-identified, by a specified day.
8
(7) If the Commissioner gives a direction under subsection (6) to the
9
credit reporting body, the body must comply with the direction.
10
Civil penalty:
1,000 penalty units.
11
(8) To avoid doubt, section 20M applies in relation to credit reporting
12
information that is de-identified as a result of the credit reporting
13
body complying with the direction.
14
20ZA Dealing with information if an Australian law etc. requires it
15
to be retained
16
(1) This section applies if a credit reporting body is not required:
17
(a) to do a thing referred to in subsection 20V(2) to credit
18
information because of subsection 20V(4); or
19
(b) to do a thing referred to in subsection 20V(5) to CRB derived
20
information because of subsection 20V(7); or
21
(c) to destroy credit reporting information under subsection
22
20Y(2) because of subsection 20Y(3).
23
Use or disclosure
24
(2) The credit reporting body must not use or disclose the information
25
under Subdivision D of this Division.
26
Civil penalty:
2,000 penalty units.
27
(3) However, the credit reporting body may use or disclose the
28
information under this subsection if the use or disclosure of the
29
information is required by or under an Australian law or a
30
court/tribunal order.
31
Schedule 2 Credit reporting
98 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(4) If the credit reporting body uses or discloses the information under
1
subsection (3), the body must make a written note of the use or
2
disclosure.
3
Civil penalty:
500 penalty units.
4
Other requirements
5
(5) Subdivision E of this Division (other than section 20Q) does not
6
apply in relation to the use or disclosure of the information.
7
Note:
Section 20Q deals with the security of credit reporting information.
8
(6) Subdivision F of this Division does not apply in relation to the
9
information.
10
Division 3--Credit providers
11
Subdivision A--Introduction and application of this Division
12
21 Guide to this Division
13
This Division sets out rules that apply to credit providers in
14
relation to their handling of the following:
15
(a)
credit
information;
16
(b)
credit eligibility information;
17
(c)
CRB
derived
information.
18
If a credit provider is an APP entity, the rules apply in relation to
19
that information in addition to, or instead of, any relevant
20
Australian Privacy Principles.
21
21A Application of this Division to credit providers
22
(1) This Division applies to a credit provider in relation to the
23
following:
24
(a)
credit
information;
25
(b) credit eligibility information;
26
(c)
CRB
derived
information.
27
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 99
(2) If the credit provider is an APP entity, this Division may apply to
1
the provider in relation to information referred to in subsection (1)
2
in addition to, or instead of, the Australian Privacy Principles.
3
Subdivision B--Consideration of information privacy
4
21B Open and transparent management of credit information etc.
5
(1) The object of this section is to ensure that credit providers manage
6
credit information and credit eligibility information in an open and
7
transparent way.
8
Compliance with this Division etc.
9
(2) A credit provider must take such steps as are reasonable in the
10
circumstances to implement practices, procedures and systems
11
relating to the provider's functions or activities as a credit provider
12
that:
13
(a) will ensure that the provider complies with this Division and
14
the registered CR code if it binds the provider; and
15
(b) will enable the provider to deal with inquiries or complaints
16
from individuals about the provider's compliance with this
17
Division or the registered CR code if it binds the provider.
18
Policy about the management of credit information etc.
19
(3) A credit provider must have a clearly expressed and up-to-date
20
policy about the management of credit information and credit
21
eligibility information by the provider.
22
(4) Without limiting subsection (3), the policy of the credit provider
23
must contain the following information:
24
(a) the kinds of credit information that the provider collects and
25
holds, and how the provider collects and holds that
26
information;
27
(b) the kinds of credit eligibility information that the provider
28
holds and how the provider holds that information;
29
(c) the kinds of CP derived information that the provider usually
30
derives from credit reporting information disclosed to the
31
provider by a credit reporting body under Division 2 of this
32
Part;
33
Schedule 2 Credit reporting
100 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(d) the purposes for which the provider collects, holds, uses and
1
discloses credit information and credit eligibility information;
2
(e) how an individual may access credit eligibility information
3
about the individual that is held by the provider;
4
(f) how an individual may seek the correction of credit
5
information or credit eligibility information about the
6
individual that is held by the provider;
7
(g) how an individual may complain about a failure of the
8
provider to comply with this Division or the registered CR
9
code if it binds the provider;
10
(h) how the provider will deal with such a complaint.
11
Availability of policy etc.
12
(5) A credit provider must take such steps as are reasonable in the
13
circumstances to make the policy available:
14
(a) free of charge; and
15
(b) in such form as is appropriate.
16
Note:
A credit provider will usually make the policy available on the
17
provider's website.
18
(6) If a person or body requests a copy, in a particular form, of the
19
policy of a credit provider, the provider must take such steps as are
20
reasonable in the circumstances to give the person or body a copy
21
in that form.
22
Interaction with the Australian Privacy Principles
23
(7) If a credit provider is an APP entity, Australian Privacy Principles
24
1.3 and 1.4 do not apply to the provider in relation to credit
25
information or credit eligibility information.
26
Subdivision C--Dealing with credit information
27
21C Additional notification requirements for the collection of
28
personal information etc.
29
(1) At or before the time a credit provider collects personal
30
information about an individual that the provider is likely to
31
disclose to a credit reporting body, the provider must:
32
(a) notify the individual of the following matters:
33
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 101
(i) the name and contact details of the body;
1
(ii) any other matter specified in the registered CR code; or
2
(b) otherwise ensure that the individual is aware of those matters.
3
(2) If a credit provider is an APP entity, subsection (1) applies to the
4
provider in relation to personal information in addition to
5
Australian Privacy Principle 5.
6
(3) If a credit provider is an APP entity, then the matters for the
7
purposes of Australian Privacy Principle 5.1 include the following
8
matters to the extent that the personal information referred to in
9
that principle is credit information or credit eligibility information:
10
(a) that the policy (the credit reporting policy) of the provider
11
that is referred to in subsection 21B(3) contains information
12
about how an individual may access the credit eligibility
13
information about the individual that is held by the provider;
14
(b) that the credit reporting policy of the provider contains
15
information about how an individual may seek the correction
16
of credit information or credit eligibility information about
17
the individual that is held by the provider;
18
(c) that the credit reporting policy of the provider contains
19
information about how an individual may complain about a
20
failure of the provider to comply with this Division or the
21
registered CR code if it binds the provider;
22
(d) that the credit reporting policy of the provider contains
23
information about how the provider will deal with such a
24
complaint.
25
21D Disclosure of credit information to a credit reporting body
26
Prohibition on disclosure
27
(1) A credit provider must not disclose credit information about an
28
individual to a credit reporting body (whether or not the body's
29
credit reporting business is carried on in Australia).
30
Civil penalty:
2,000 penalty units.
31
Permitted disclosure
32
(2) Subsection (1) does not apply to the disclosure of credit
33
information about the individual if:
34
Schedule 2 Credit reporting
102 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) the credit provider:
1
(i) is a member of a recognised external dispute resolution
2
scheme; and
3
(ii) knows, or believes on reasonable grounds, that the
4
individual is at least 18 years old; and
5
(b) the credit reporting body is:
6
(i) an agency; or
7
(ii) an organisation that has an Australian link; and
8
(c) the information meets the requirements of subsection (3).
9
Note:
Section 21F limits the disclosure of credit information if there is a ban
10
period for the information.
11
(3) Credit information about an individual meets the requirements of
12
this subsection if:
13
(a) the information does not relate to an act, omission, matter or
14
thing that occurred or existed before the individual turned 18;
15
and
16
(b) if the information relates to consumer credit or commercial
17
credit--the credit is or has been provided, or applied for, in
18
Australia; and
19
(c) if the information is repayment history information about the
20
individual:
21
(i) the credit provider is a licensee; and
22
(ii) the consumer credit to which the information relates is
23
consumer credit in relation to which the provider also
24
discloses, or a credit provider has previously disclosed,
25
consumer credit liability information about the
26
individual to the credit reporting body; and
27
(iii) the provider complies with any requirements relating to
28
the disclosure of the information that are prescribed by
29
the regulations; and
30
(d) if the information is default information about the individual:
31
(i) the credit provider has given the individual a notice in
32
writing stating that the provider intends to disclose the
33
information to the credit reporting body; and
34
(ii) a reasonable period has passed since the giving of the
35
notice.
36
(4) Paragraph (3)(a) does not apply to identification information about
37
the individual.
38
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 103
(5) Despite paragraph (3)(a), consumer credit liability information
1
about the individual may relate to consumer credit that was entered
2
into on a day before the individual turned 18, so long as the
3
consumer credit was not terminated, or did not otherwise cease to
4
be in force, on a day before the individual turned 18.
5
Written note of disclosure
6
(6) If a credit provider discloses credit information under this section,
7
the provider must make a written note of that disclosure.
8
Civil penalty:
500 penalty units.
9
Interaction with the Australian Privacy Principles
10
(7) If a credit provider is an APP entity, Australian Privacy Principles
11
6 and 8 do not apply to the disclosure by the provider of credit
12
information to a credit reporting body.
13
21E Payment information must be disclosed to a credit reporting
14
body
15
If:
16
(a) a credit provider has disclosed default information about an
17
individual to a credit reporting body under section 21D; and
18
(b) after the default information was disclosed, the amount of the
19
overdue payment to which the information relates is paid;
20
the provider must, within a reasonable period after the amount is
21
paid, disclose payment information about the amount to the body
22
under that section.
23
Civil penalty:
500 penalty units.
24
21F Limitation on the disclosure of credit information during a ban
25
period
26
(1) This section applies if:
27
(a) a credit reporting body holds credit reporting information
28
about an individual; and
29
(b) a credit provider requests the body to disclose the
30
information to the provider for the purpose of assessing an
31
Schedule 2 Credit reporting
104 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
application for consumer credit made to the provider by the
1
individual, or a person purporting to be the individual; and
2
(c) the body is not permitted to disclose the information because
3
there is a ban period for the information; and
4
(d) during the ban period, the provider provides the consumer
5
credit to which the application relates to the individual, or the
6
person purporting to be the individual.
7
(2) If the credit provider holds credit information about the individual
8
that relates to the consumer credit, the provider must not, despite
9
sections 21D and 21E, disclose the information to a credit
10
reporting body.
11
Civil penalty:
2,000 penalty units.
12
(3) Subsection (2) does not apply if the credit provider has taken such
13
steps as are reasonable in the circumstances to verify the identity of
14
the individual.
15
Subdivision D--Dealing with credit eligibility information etc.
16
21G Use or disclosure of credit eligibility information
17
Prohibition on use or disclosure
18
(1) If a credit provider holds credit eligibility information about an
19
individual, the provider must not use or disclose the information.
20
Civil penalty:
2,000 penalty units.
21
Permitted uses
22
(2) Subsection (1) does not apply to the use of credit eligibility
23
information about the individual if:
24
(a) the use is for a consumer credit related purpose of the credit
25
provider in relation to the individual; or
26
(b) the use is a permitted CP use in relation to the individual; or
27
(c) both of the following apply:
28
(i) the credit provider believes on reasonable grounds that
29
the individual has committed a serious credit
30
infringement;
31
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 105
(ii) the provider uses the information in connection with the
1
infringement; or
2
(d) the use is required or authorised by or under an Australian
3
law or a court/tribunal order; or
4
(e) the use is a use prescribed by the regulations.
5
Permitted disclosures
6
(3) Subsection (1) does not apply to the disclosure of credit eligibility
7
information about the individual if:
8
(a) the disclosure is a permitted CP disclosure in relation to the
9
individual; or
10
(b) the disclosure is to a related body corporate of the credit
11
provider and the body corporate has an Australian link; or
12
(c) the disclosure is to a person who manages credit provided by
13
the credit provider for use in managing that credit and the
14
person:
15
(i) is not acting as an agent of the provider; and
16
(ii) has an Australian link; or
17
(d) both of the following apply:
18
(i) the credit provider believes on reasonable grounds that
19
the individual has committed a serious credit
20
infringement;
21
(ii) the provider discloses the information to another credit
22
provider that has an Australian link, or to an
23
enforcement body; or
24
(e) both of the following apply:
25
(i) the disclosure is for the purposes of a recognised
26
external dispute resolution scheme;
27
(ii) a credit provider or credit reporting body is a member of
28
the scheme; or
29
(f) the disclosure is required or authorised by or under an
30
Australian law or a court/tribunal order; or
31
(g) the disclosure is a disclosure prescribed by the regulations.
32
(4) However, if the credit eligibility information about the individual
33
is, or was derived from, repayment history information about the
34
individual, the credit provider must not disclose the information
35
under subsection (3).
36
Schedule 2 Credit reporting
106 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Civil penalty:
2,000 penalty units.
1
(5) Subsection (4) does not apply if:
2
(a) the recipient of the credit eligibility information is another
3
credit provider who is a licensee; or
4
(b) the disclosure is a permitted CP disclosure within the
5
meaning of section 21L; or
6
(c) the credit provider discloses the credit eligibility information
7
under paragraph (3)(d) to an enforcement body; or
8
(d) the credit provider discloses the credit eligibility information
9
under paragraph (3)(e) or (f).
10
Written note of use or disclosure
11
(6) If a credit provider uses or discloses credit eligibility information
12
under this section, the provider must make a written note of that
13
use or disclosure.
14
Civil penalty:
500 penalty units.
15
Interaction with the Australian Privacy Principles
16
(7) If a credit provider is an APP entity, Australian Privacy Principles
17
6, 7 and 8 do not apply to the provider in relation to credit
18
eligibility information.
19
(8)
If:
20
(a) a credit provider is an APP entity; and
21
(b) the credit eligibility information is a government related
22
identifier of the individual;
23
Australian Privacy Principle 9.2 does not apply to the provider in
24
relation to the information.
25
21H Permitted CP uses in relation to individuals
26
A use by a credit provider of credit eligibility information about an
27
individual is a permitted CP use in relation to the individual if:
28
(a) the relevant credit reporting information was disclosed to the
29
provider under a provision specified in column 1 of the table
30
for the purpose (if any) specified in that column; and
31
(b) the provider uses the credit eligibility information for the
32
purpose specified in column 2 of the table.
33
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 107
1
Permitted CP uses
Column 1
Column 2
Item
The relevant credit reporting
information was disclosed to the
credit provider under ...
The credit provider uses the credit
eligibility information for ...
1
item 1 of the table in subsection
20F(1) for the purpose of
assessing an application for
consumer credit made by the
individual to the provider.
(a) a securitisation related purpose of
the provider in relation to the
individual; or
(b) the internal management purposes
of the provider that are directly
related to the provision or
management of consumer credit by
the provider.
2
item 2 of the table in subsection
20F(1) for a particular
commercial credit related purpose
of the provider in relation to the
individual.
that particular commercial credit
related purpose.
3
item 2 of the table in subsection
20F(1) for the purpose of
assessing an application for
commercial credit made by a
person to the provider.
the internal management purposes of
the provider that are directly related to
the provision or management of
commercial credit by the provider.
4
item 3 of the table in subsection
20F(1) for a credit guarantee
purpose of the provider in relation
to the individual.
(a) the credit guarantee purpose; or
(b) the internal management purposes
of the provider that are directly
related to the provision or
management of any credit by the
provider.
5
item 5 of the table in subsection
20F(1).
the purpose of assisting the individual
to avoid defaulting on his or her
obligations in relation to consumer
credit provided by the provider to the
individual.
6
item 6 of the table in subsection
20F(1) for a particular
securitisation related purpose of
the provider in relation to the
individual.
that particular securitisation related
purpose.
2
Schedule 2 Credit reporting
108 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
21J Permitted CP disclosures between credit providers
1
Consent
2
(1) A disclosure by a credit provider of credit eligibility information
3
about an individual is a permitted CP disclosure in relation to the
4
individual if:
5
(a) the disclosure is to another credit provider (the recipient) for
6
a particular purpose; and
7
(b) the recipient has an Australian link; and
8
(c) the individual expressly consents to the disclosure of the
9
information to the recipient for that purpose.
10
(2) The consent of the individual under paragraph (1)(c):
11
(a) must be given in writing unless:
12
(i) the disclosure of the information to the recipient is for
13
the purpose of assessing an application for consumer
14
credit or commercial credit made to the recipient; and
15
(ii) the application has not been made in writing; and
16
(b) must be given to the credit provider or recipient.
17
Agents of credit providers
18
(3) A disclosure by a credit provider of credit eligibility information
19
about an individual is a permitted CP disclosure in relation to the
20
individual if:
21
(a) the provider is acting as an agent of another credit provider
22
that has an Australian link; and
23
(b) while the provider is so acting, the provider is a credit
24
provider under subsection 6H(1); and
25
(c) the provider discloses the information to the other credit
26
provider in the provider's capacity as such an agent.
27
Securitisation arrangements etc.
28
(4) A disclosure by a credit provider of credit eligibility information
29
about an individual is a permitted CP disclosure in relation to the
30
individual if:
31
(a) the provider is a credit provider under subsection 6J(1) in
32
relation to credit; and
33
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 109
(b) the credit has been provided by, or is credit for which an
1
application has been made to, another credit provider (the
2
original credit provider) that has an Australian link; and
3
(c) the original credit provider is not a credit provider under that
4
subsection; and
5
(d) the information is disclosed to:
6
(i) the original credit provider; or
7
(ii) another credit provider that is a credit provider under
8
that subsection in relation to the credit and that has an
9
Australian link; and
10
(e) the disclosure of the information is reasonably necessary for:
11
(i) purchasing, funding or managing, or processing an
12
application for, the credit by means of a securitisation
13
arrangement; or
14
(ii) undertaking credit enhancement in relation to the credit.
15
Mortgage credit secured by the same real property
16
(5) A disclosure by a credit provider of credit eligibility information
17
about an individual is a permitted CP disclosure in relation to the
18
individual if:
19
(a) the disclosure is to another credit provider that has an
20
Australian link; and
21
(b) both credit providers have provided mortgage credit to the
22
individual in relation to which the same real property forms
23
all or part of the security; and
24
(c) the individual is at least 60 days overdue in making a
25
payment in relation to the mortgage credit provided by either
26
provider; and
27
(d) the information is disclosed for the purpose of either provider
28
deciding what action to take in relation to the overdue
29
payment.
30
21K Permitted CP disclosures relating to guarantees etc.
31
Offer to act as a guarantor etc.
32
(1) A disclosure by a credit provider of credit eligibility information
33
about an individual is a permitted CP disclosure in relation to the
34
individual if:
35
Schedule 2 Credit reporting
110 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a)
either:
1
(i) the provider has provided credit to the individual; or
2
(ii) the individual has applied to the provider for credit; and
3
(b) the disclosure is to a person for the purpose of that person
4
considering whether:
5
(i) to offer to act as a guarantor in relation to the credit; or
6
(ii) to offer property as security for the credit; and
7
(c) the person has an Australian link; and
8
(d) the individual expressly consents to the disclosure of the
9
information to the person for that purpose.
10
(2) The consent of the individual under paragraph (1)(d) must be given
11
in writing unless:
12
(a) if subparagraph (1)(a)(i) applies--the application for the
13
credit was not made in writing; or
14
(b) if subparagraph (1)(a)(ii) applies--the application for the
15
credit has not been made in writing.
16
Guarantors etc.
17
(3) A disclosure by a credit provider of credit eligibility information
18
about an individual is a permitted CP disclosure in relation to the
19
individual if:
20
(a) the disclosure is to a person who:
21
(i) is a guarantor in relation to credit provided by the
22
provider to the individual; or
23
(ii) has provided property as security for such credit; and
24
(b) the person has an Australian link; and
25
(c)
either:
26
(i) the individual expressly consents to the disclosure of the
27
information to the person; or
28
(ii) if subparagraph (a)(i) applies--the information is
29
disclosed to the person for a purpose related to the
30
enforcement, or proposed enforcement, of the guarantee.
31
(4) The consent of the individual under subparagraph (3)(c)(i) must be
32
given in writing unless the application for the credit was not made
33
in writing.
34
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 111
21L Permitted CP disclosures to mortgage insurers
1
A disclosure by a credit provider of credit eligibility information
2
about an individual is a permitted CP disclosure in relation to the
3
individual if the disclosure is to a mortgage insurer that has an
4
Australian link for:
5
(a) a mortgage insurance purpose of the insurer in relation to the
6
individual; or
7
(b) any purpose arising under a contract for mortgage insurance
8
that has been entered into between the provider and the
9
insurer.
10
21M Permitted CP disclosures to debt collectors
11
(1) A disclosure by a credit provider of credit eligibility information
12
about an individual is a permitted CP disclosure in relation to the
13
individual if:
14
(a) the disclosure is to a person or body that carries on a business
15
or undertaking that involves the collection of debts on behalf
16
of others; and
17
(b) the person or body has an Australian link; and
18
(c) the information is disclosed for the purpose of the collection
19
of payments that are overdue in relation to:
20
(i) consumer credit provided by the provider to the
21
individual; or
22
(ii) commercial credit provided by the provider to a person;
23
and
24
(d) the information is information of a kind referred to in
25
subsection (2).
26
(2) The information for the purposes of paragraph (1)(d) is:
27
(a) identification information about the individual; or
28
(b) court proceedings information about the individual; or
29
(c) personal insolvency information about the individual; or
30
(d) if subparagraph (1)(c)(i) applies--default information about
31
the individual if:
32
(i) the information relates to a payment that the individual
33
is overdue in making in relation to consumer credit that
34
has been provided by the credit provider to the
35
individual; and
36
Schedule 2 Credit reporting
112 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(ii) the provider does not hold, or has not held, payment
1
information about the individual that relates to that
2
overdue payment.
3
21N Permitted CP disclosures to other recipients
4
Mortgage credit assistance schemes
5
(1) A disclosure by a credit provider of credit eligibility information
6
about an individual is a permitted CP disclosure in relation to the
7
individual if:
8
(a) the disclosure is to a State or Territory authority; and
9
(b) the functions or responsibilities of the authority include:
10
(i) giving assistance (directly or indirectly) that facilitates
11
the provision of mortgage credit to individuals; or
12
(ii) the management or supervision of schemes or
13
arrangements under which such assistance is given; and
14
(c) the information is disclosed for the purpose of enabling the
15
authority:
16
(i) to determine the extent of the assistance (if any) to give
17
in relation to the provision of mortgage credit to the
18
individual; or
19
(ii) to manage or supervise such a scheme or arrangement.
20
Assignment of debts owed to credit providers etc.
21
(2) A disclosure by a credit provider of credit eligibility information
22
about an individual is a permitted CP disclosure in relation to the
23
individual if:
24
(a) the disclosure is to one or more of the following (the
25
recipient):
26
(i)
an
entity;
27
(ii) a professional legal adviser of the entity;
28
(iii) a professional financial adviser of the entity; and
29
(b) the recipient has an Australian link; and
30
(c) subsection (3) applies to the information.
31
(3) This subsection applies to the credit eligibility information if the
32
recipient proposes to use the information:
33
(a) in the process of the entity considering whether to:
34
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 113
(i) accept an assignment of a debt owed to the credit
1
provider; or
2
(ii) accept a debt owed to the provider as security for credit
3
provided to the provider; or
4
(iii) purchase an interest in the provider or a related body
5
corporate of the provider; or
6
(b) in connection with exercising rights arising from the
7
acceptance of such an assignment or debt, or the purchase of
8
such an interest.
9
21P Notification of a refusal of an application for consumer credit
10
(1) This section applies if:
11
(a) a credit provider refuses an application for consumer credit
12
made in Australia:
13
(i) by an individual; or
14
(ii) jointly by an individual and one or more other persons
15
(the other applicants); and
16
(b) the refusal is based wholly or partly on credit eligibility
17
information about one or more of the following:
18
(i)
the
individual;
19
(ii) a person who is proposing to act as a guarantor in
20
relation to the consumer credit;
21
(iii) if the application is an application of a kind referred to
22
in subparagraph (a)(ii)--one of the other applicants; and
23
(c) a credit reporting body disclosed the relevant credit reporting
24
information to the provider for the purposes of assessing the
25
application.
26
(2) The credit provider must, within a reasonable period after refusing
27
the application, give the individual a written notice that:
28
(a) states that the application has been refused; and
29
(b) states that the refusal is based wholly or partly on credit
30
eligibility information about one or more of the persons
31
referred to in paragraph (1)(b); and
32
(c) if that information is about the individual--sets out:
33
(i) the name and contact details of the credit reporting body
34
that disclosed the relevant credit reporting information
35
to the provider; and
36
(ii) any other matter specified in the registered CR code.
37
Schedule 2 Credit reporting
114 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Subdivision E--Integrity of credit information and credit
1
eligibility information
2
21Q Quality of credit eligibility information
3
(1) A credit provider must take such steps (if any) as are reasonable in
4
the circumstances to ensure that the credit eligibility information
5
the provider collects is accurate, up-to-date and complete.
6
(2) A credit provider must take such steps (if any) as are reasonable in
7
the circumstances to ensure that the credit eligibility information
8
the provider uses or discloses is, having regard to the purpose of
9
the use or disclosure, accurate, up-to-date, complete and relevant.
10
(3) If a credit provider is an APP entity, Australian Privacy Principle
11
10 does not apply to the provider in relation to credit eligibility
12
information.
13
21R False or misleading credit information or credit eligibility
14
information
15
Offences
16
(1) A credit provider commits an offence if:
17
(a) the provider discloses credit information under section 21D;
18
and
19
(b) the information is false or misleading in a material particular.
20
Penalty: 200 penalty units.
21
(2) A credit provider commits an offence if:
22
(a) the provider uses or discloses credit eligibility information
23
under this Division; and
24
(b) the information is false or misleading in a material particular.
25
Penalty: 200 penalty units.
26
Civil penalties
27
(3) A credit provider must not disclose credit information under
28
section 21D if the information is false or misleading in a material
29
particular.
30
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 115
Civil penalty:
2,000 penalty units.
1
(4) A credit provider must not use or disclose credit eligibility
2
information under this Division if the information is false or
3
misleading in a material particular.
4
Civil penalty:
2,000 penalty units.
5
21S Security of credit eligibility information
6
(1) If a credit provider holds credit eligibility information, the provider
7
must take such steps as are reasonable in the circumstances to
8
protect the information:
9
(a) from misuse, interference and loss; and
10
(b) from unauthorised access, modification or disclosure.
11
(2)
If:
12
(a) a credit provider holds credit eligibility information about an
13
individual; and
14
(b) the provider no longer needs the information for any purpose
15
for which the information may be used or disclosed by the
16
provider under this Division; and
17
(c) the provider is not required by or under an Australian law, or
18
a court/tribunal order, to retain the information;
19
the provider must take such steps as are reasonable in the
20
circumstances to destroy the information or to ensure that the
21
information is de-identified.
22
Civil penalty:
1,000 penalty units.
23
(3) If a credit provider is an APP entity, Australian Privacy Principle
24
11 does not apply to the provider in relation to credit eligibility
25
information.
26
Subdivision F--Access to, and correction of, information
27
21T Access to credit eligibility information
28
Access
29
(1) If a credit provider holds credit eligibility information about an
30
individual, the provider must, on request by an access seeker in
31
Schedule 2 Credit reporting
116 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
relation to the information, give the access seeker access to the
1
information.
2
Exceptions to access
3
(2) Despite subsection (1), the credit provider is not required to give
4
the access seeker access to the credit eligibility information to the
5
extent that:
6
(a) giving access would be unlawful; or
7
(b) denying access is required or authorised by or under an
8
Australian law or a court/tribunal order; or
9
(c) giving access would be likely to prejudice one or more
10
enforcement related activities conducted by, or on behalf of,
11
an enforcement body.
12
Dealing with requests for access
13
(3) The credit provider must respond to the request within a reasonable
14
period after the request is made.
15
Means of access
16
(4) If the credit provider gives access to the credit eligibility
17
information, the access must be given in the manner set out in the
18
registered CR code.
19
Access charges
20
(5) If the credit provider is an agency, the provider must not charge the
21
access seeker for the making of the request or for giving access to
22
the information.
23
(6) If a credit provider is an organisation or small business operator,
24
any charge by the provider for giving access to the information
25
must not be excessive and must not apply to the making of the
26
request.
27
Refusal to give access
28
(7) If the provider refuses to give access to the information because of
29
subsection (2), the provider must give the access seeker a written
30
notice that:
31
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 117
(a) sets out the reasons for the refusal except to the extent that,
1
having regard to the grounds for the refusal, it would be
2
unreasonable to do so; and
3
(b) states that, if the access seeker is not satisfied with the
4
response to the request, the access seeker may:
5
(i) access a recognised external dispute resolution scheme
6
of which the provider is a member; or
7
(ii) make a complaint to the Commissioner under Part V.
8
Interaction with the Australian Privacy Principles
9
(8) If a credit provider is an APP entity, Australian Privacy Principle
10
12 does not apply to the provider in relation to credit eligibility
11
information.
12
21U Correction of credit information or credit eligibility
13
information
14
(1)
If:
15
(a) a credit provider holds credit information or credit eligibility
16
information about an individual; and
17
(b) the provider is satisfied that, having regard to a purpose for
18
which the information is held by the provider, the
19
information is inaccurate, out-of-date, incomplete, irrelevant
20
or misleading;
21
the provider must take such steps (if any) as are reasonable in the
22
circumstances to correct the information to ensure that, having
23
regard to the purpose for which it is held, the information is
24
accurate, up-to-date, complete, relevant and not misleading.
25
Notice of correction
26
(2)
If:
27
(a) the credit provider corrects credit information or credit
28
eligibility information under subsection (1); and
29
(b) the provider has previously disclosed the information under:
30
(i) this Division (other than subsection 21V(4)); or
31
(ii) the Australian Privacy Principles (other than Australian
32
Privacy Principle 4.2);
33
the provider must, within a reasonable period, give each recipient
34
of the information written notice of the correction.
35
Schedule 2 Credit reporting
118 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(3) Subsection (2) does not apply if:
1
(a) it is impracticable for the credit provider to give the notice
2
under that subsection; or
3
(b) the credit provider is required by or under an Australian law,
4
or a court/tribunal order, not to give the notice under that
5
subsection.
6
Interaction with the Australian Privacy Principles
7
(4) If a credit provider is an APP entity, Australian Privacy Principle
8
13:
9
(a) applies to the provider in relation to credit information or
10
credit eligibility information that is identification
11
information; but
12
(b) does not apply to the provider in relation to any other kind of
13
credit information or credit eligibility information.
14
Note:
Identification information may be corrected under this section or
15
Australian Privacy Principle 13.
16
21V Individual may request the correction of credit information etc.
17
Request
18
(1) An individual may request a credit provider to correct personal
19
information about the individual if:
20
(a) the personal information is:
21
(i) credit information about the individual; or
22
(ii) CRB derived information about the individual; or
23
(iii) CP derived information about the individual; and
24
(b) the provider holds at least one kind of the personal
25
information referred to in paragraph (a).
26
Correction
27
(2) If the credit provider is satisfied that the personal information is
28
inaccurate, out-of-date, incomplete, irrelevant or misleading, the
29
provider must take such steps (if any) as are reasonable in the
30
circumstances to correct the information within:
31
(a) the period of 30 days that starts on the day on which the
32
request is made; or
33
(b) such longer period as the individual has agreed to in writing.
34
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 119
Consultation
1
(3) If the credit provider considers that the provider cannot be satisfied
2
of the matter referred to in subsection (2) in relation to the personal
3
information without consulting either or both of the following (the
4
interested party):
5
(a) a credit reporting body that holds or held the information and
6
that has an Australian link;
7
(b) another credit provider that holds or held the information and
8
that has an Australian link;
9
the provider must consult that interested party, or those interested
10
parties, about the individual's request.
11
(4) The use or disclosure of personal information about the individual
12
for the purposes of the consultation is taken, for the purposes of
13
this Act, to be a use or disclosure that is authorised by this
14
subsection.
15
No charge
16
(5) The credit provider must not charge the individual for the making
17
of the request or for correcting the information.
18
Interaction with the Australian Privacy Principles
19
(6) If a credit provider is an APP entity, Australian Privacy Principle
20
13:
21
(a) applies to the provider in relation to personal information
22
referred to in paragraph (1)(a) that is identification
23
information; but
24
(b) does not apply to the provider in relation to any other kind of
25
personal information referred to in that paragraph.
26
Note:
Identification information may be corrected under this section or
27
Australian Privacy Principle 13.
28
21W Notice of correction etc. must be given
29
(1) This section applies if an individual requests a credit provider to
30
correct personal information under subsection 21V(1).
31
Schedule 2 Credit reporting
120 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Notice of correction etc.
1
(2) If the credit provider corrects personal information about the
2
individual under subsection 21V(2), the provider must, within a
3
reasonable period:
4
(a) give the individual written notice of the correction; and
5
(b) if the provider consulted an interested party under subsection
6
21V(3) about the individual's request--give the party written
7
notice of the correction; and
8
(c) if the correction relates to information that the provider has
9
previously disclosed under:
10
(i) this Division (other than subsection 21V(4)); or
11
(ii) the Australian Privacy Principles (other than Australian
12
Privacy Principle 4.2);
13
give each recipient of the information written notice of the
14
correction.
15
(3) If the credit provider does not correct the personal information
16
under subsection 21V(2), the provider must, within a reasonable
17
period, give the individual written notice that:
18
(a) states that the correction has not been made; and
19
(b) sets out the provider's reasons for not correcting the
20
information (including evidence substantiating the
21
correctness of the information); and
22
(c) states that, if the individual is not satisfied with the response
23
to the request, the individual may:
24
(i) access a recognised external dispute resolution scheme
25
of which the provider is a member; or
26
(ii) make a complaint to the Commissioner under Part V.
27
Exceptions
28
(4) Paragraph (2)(c) does not apply if it is impracticable for the credit
29
provider to give the notice under that paragraph.
30
(5) Subsection (2) or (3) does not apply if the credit provider is
31
required by or under an Australian law, or a court/tribunal order,
32
not to give the notice under that subsection.
33
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 121
Division 4--Affected information recipients
1
22 Guide to this Division
2
This Division sets out rules that apply to affected information
3
recipients in relation to their handling of their regulated
4
information.
5
If an affected information recipient is an APP entity, the rules
6
apply in relation to the regulated information of the recipient in
7
addition to, or instead of, any relevant Australian Privacy
8
Principles.
9
Subdivision A--Consideration of information privacy
10
22A Open and transparent management of regulated information
11
(1) The object of this section is to ensure that an affected information
12
recipient manages the regulated information of the recipient in an
13
open and transparent way.
14
Compliance with this Division etc.
15
(2) An affected information recipient must take such steps as are
16
reasonable in the circumstances to implement practices, procedures
17
and systems relating to the recipient's functions or activities that:
18
(a) will ensure that the recipient complies with this Division and
19
the registered CR code if it binds the recipient; and
20
(b) will enable the recipient to deal with inquiries or complaints
21
from individuals about the recipient's compliance with this
22
Division or the registered CR code if it binds the recipient.
23
Policy about the management of regulated information
24
(3) An affected information recipient must have a clearly expressed
25
and up-to-date policy about the recipient's management of the
26
regulated information of the recipient.
27
(4) Without limiting subsection (3), the policy of the affected
28
information recipient must contain the following information:
29
Schedule 2 Credit reporting
122 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) the kinds of regulated information that the recipient collects
1
and holds, and how the recipient collects and holds that
2
information;
3
(b) the purposes for which the recipient collects, holds, uses and
4
discloses regulated information;
5
(c) how an individual may access regulated information about
6
the individual that is held by the recipient and seek the
7
correction of such information;
8
(d) how an individual may complain about a failure of the
9
recipient to comply with this Division or the registered CR
10
code if it binds the recipient;
11
(e) how the recipient will deal with such a complaint.
12
Availability of policy etc.
13
(5) An affected information recipient must take such steps as are
14
reasonable in the circumstances to make the policy available:
15
(a) free of charge; and
16
(b) in such form as is appropriate.
17
Note:
An affected information recipient will usually make the policy
18
available on the recipient's website.
19
(6) If a person or body requests a copy, in a particular form, of the
20
policy of an affected information recipient, the recipient must take
21
such steps as are reasonable in the circumstances to give the person
22
or body a copy in that form.
23
Interaction with the Australian Privacy Principles
24
(7) If an affected information recipient is an APP entity, Australian
25
Privacy Principles 1.3 and 1.4 do not apply to the recipient in
26
relation to the regulated information of the recipient.
27
Subdivision B--Dealing with regulated information
28
22B Additional notification requirements for affected information
29
recipients
30
If an affected information recipient is an APP entity, then the
31
matters for the purposes of Australian Privacy Principle 5.1 include
32
the following matters to the extent that the personal information
33
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 123
referred to in that principle is regulated information of the
1
recipient:
2
(a) that the policy (the credit reporting policy) of the recipient
3
that is referred to in subsection 22A(3) contains information
4
about how an individual may access the regulated
5
information about the individual that is held by the recipient,
6
and seek the correction of such information;
7
(b) that the credit reporting policy of the recipient contains
8
information about how an individual may complain about a
9
failure of the recipient to comply with this Division or the
10
registered CR code if it binds the recipient; and
11
(c) that the credit reporting policy of the recipient contains
12
information about how the recipient will deal with such a
13
complaint.
14
22C Use or disclosure of information by mortgage insurers or trade
15
insurers
16
Prohibition on use or disclosure
17
(1)
If:
18
(a) a mortgage insurer or trade insurer holds or held personal
19
information about an individual; and
20
(b) the information was disclosed to the insurer by a credit
21
reporting body or credit provider under Division 2 or 3 of this
22
Part;
23
the insurer must not use or disclose the information, or any
24
personal information about the individual derived from that
25
information.
26
Civil penalty:
2,000 penalty units.
27
Permitted uses
28
(2) Subsection (1) does not apply to the use of the information if:
29
(a) for a mortgage insurer--the use is for:
30
(i) a mortgage insurance purpose of the insurer in relation
31
to the individual; or
32
(ii) any purpose arising under a contract for mortgage
33
insurance that has been entered into between the credit
34
provider and the insurer; or
35
Schedule 2 Credit reporting
124 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) for a trade insurer--the use is for a trade insurance purpose
1
of the insurer in relation to the individual; or
2
(c) the use is required or authorised by or under an Australian
3
law or a court/tribunal order.
4
Permitted disclosure
5
(3) Subsection (1) does not apply to the disclosure of the information
6
if the disclosure is required or authorised by or under an Australian
7
law or a court/tribunal order.
8
Interaction with the Australian Privacy Principles
9
(4) If the mortgage insurer or trade insurer is an APP entity, Australian
10
Privacy Principles 6, 7 and 8 do not apply to the insurer in relation
11
to the information.
12
(5)
If:
13
(a) the mortgage insurer or trade insurer is an APP entity; and
14
(b) the information is a government related identifier of the
15
individual;
16
Australian Privacy Principle 9.2 does not apply to the insurer in
17
relation to the information.
18
22D Use or disclosure of information by a related body corporate
19
Prohibition on use or disclosure
20
(1)
If:
21
(a) a body corporate holds or held credit eligibility information
22
about an individual; and
23
(b) the information was disclosed to the body by a credit
24
provider under paragraph 21G(3)(b);
25
the body must not use or disclose the information, or any personal
26
information about the individual derived from that information.
27
Civil penalty:
1,000 penalty units.
28
Permitted use or disclosure
29
(2) Subsection (1) does not apply to the use or disclosure of the
30
information by the body corporate if the body would be permitted
31
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 125
to use or disclose the information under section 21G if the body
1
were the credit provider.
2
(3) In determining whether the body corporate would be permitted to
3
use or disclose the information under section 21G, assume that the
4
body is whichever of the following is applicable:
5
(a) the credit provider that has provided the relevant credit to the
6
individual;
7
(b) the credit provider to which the relevant application for credit
8
was made by the individual.
9
Interaction with the Australian Privacy Principles
10
(4) If the body corporate is an APP entity, Australian Privacy
11
Principles 6, 7 and 8 do not apply to the body in relation to the
12
information.
13
(5)
If:
14
(a) the body corporate is an APP entity; and
15
(b) the information is a government related identifier of the
16
individual;
17
Australian Privacy Principle 9.2 does not apply to the body in
18
relation to the information.
19
22E Use or disclosure of information by credit managers
20
Prohibition on use or disclosure
21
(1)
If:
22
(a) a person holds or held credit eligibility information about an
23
individual; and
24
(b) the information was disclosed to the person by a credit
25
provider under paragraph 21G(3)(c) for use in managing
26
credit provided by the provider;
27
the person must not use or disclose the information, or any
28
personal information about the individual derived from that
29
information.
30
Civil penalty:
1,000 penalty units.
31
Schedule 2 Credit reporting
126 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Permitted uses
1
(2) Subsection (1) does not apply to the use of the information if:
2
(a) the person uses the information in managing credit provided
3
by the credit provider; or
4
(b) the use is required or authorised by or under an Australian
5
law or a court/tribunal order.
6
Permitted disclosure
7
(3) Subsection (1) does not apply to the disclosure of the information
8
if the disclosure is required or authorised by or under an Australian
9
law or a court/tribunal order.
10
Interaction with the Australian Privacy Principles
11
(4) If the person is an APP entity, Australian Privacy Principles 6, 7
12
and 8 do not apply to the person in relation to the information.
13
(5)
If:
14
(a) the person is an APP entity; and
15
(b) the information is a government related identifier of the
16
individual;
17
Australian Privacy Principle 9.2 does not apply to the person in
18
relation to the information.
19
22F Use or disclosure of information by advisers etc.
20
Prohibition on use or disclosure
21
(1)
If:
22
(a) any of the following (the recipient) holds or held credit
23
eligibility information about an individual:
24
(i)
an
entity;
25
(ii) a professional legal adviser of the entity;
26
(iii) a professional financial adviser of the entity; and
27
(b) the information was disclosed to the recipient by a credit
28
provider under subsection 21N(2);
29
the recipient must not use or disclose the information, or any
30
personal information about the individual derived from that
31
information.
32
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 127
Civil penalty:
1,000 penalty units.
1
Permitted uses
2
(2) Subsection (1) does not apply to the use of the information if:
3
(a) for a recipient that is the entity--the information is used for a
4
matter referred to in subsection 21N(3); or
5
(b) for a recipient that is the professional legal adviser, or
6
professional financial adviser, of the entity--the information
7
is used:
8
(i) in the adviser's capacity as an adviser of the entity; and
9
(ii) in connection with advising the entity about a matter
10
referred to in subsection 21N(3); or
11
(c) the use is required or authorised by or under an Australian
12
law or a court/tribunal order.
13
Permitted disclosure
14
(3) Subsection (1) does not apply to the disclosure of the information
15
if the disclosure is required or authorised by or under an Australian
16
law or a court/tribunal order.
17
Interaction with the Australian Privacy Principles
18
(4) If the recipient is an APP entity, Australian Privacy Principles 6, 7
19
and 8 do not apply to the recipient in relation to the information.
20
(5)
If:
21
(a) the recipient is an APP entity; and
22
(b) the information is a government related identifier of the
23
individual;
24
Australian Privacy Principle 9.2 does not apply to the recipient in
25
relation to the information.
26
Division 5--Complaints
27
23 Guide to this Division
28
This Division deals with complaints about credit reporting bodies
29
or credit providers.
30
Schedule 2 Credit reporting
128 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Individuals may complain to credit reporting bodies or credit
1
providers about acts or practices that may be a breach of certain
2
provisions of this Part or the registered CR code.
3
If a complaint is made, the respondent for the complaint must
4
investigate the complaint and make a decision about the complaint.
5
23A Individual may complain about a breach of a provision of this
6
Part etc.
7
Complaint
8
(1) An individual may complain to a credit reporting body about an act
9
or practice engaged in by the body that may be a breach of either of
10
the following provisions in relation to the individual:
11
(a) a provision of this Part (other than section 20R or 20T);
12
(b) a provision of the registered CR code (other than a provision
13
that relates to that section).
14
Note:
A complaint about a breach of section 20R or 20T, or a provision of
15
the registered CR code that relates to that section, may be made to the
16
Commissioner under Part V.
17
(2) An individual may complain to a credit provider about an act or
18
practice engaged in by the provider that may be a breach of either
19
of the following provisions in relation to the individual:
20
(a) a provision of this Part (other than section 21T or 21V);
21
(b) a provision of the registered CR code (other than a provision
22
that relates to that section) if it binds the credit provider.
23
Note:
A complaint about a breach of section 21T or 21V, or a provision of
24
the registered CR code that relates to that section, may be made to the
25
Commissioner under Part V.
26
Nature of complaint
27
(3) If an individual makes a complaint, the individual must specify the
28
nature of the complaint.
29
(4) The complaint may relate to personal information that has been
30
destroyed or de-identified.
31
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 129
No charge
1
(5) The credit reporting body or credit provider must not charge the
2
individual for the making of the complaint or for dealing with the
3
complaint.
4
23B Dealing with complaints
5
(1) If an individual makes a complaint under section 23A, the
6
respondent for the complaint:
7
(a) must, within 7 days after the complaint is made, give the
8
individual a written notice that:
9
(i) acknowledges the making of the complaint; and
10
(ii) sets out how the respondent will deal with the
11
complaint; and
12
(b) must investigate the complaint.
13
Consultation about the complaint
14
(2) If the respondent for the complaint considers that it is necessary to
15
consult a credit reporting body or credit provider about the
16
complaint, the respondent must consult the body or provider.
17
(3) The use or disclosure of personal information about the individual
18
for the purposes of the consultation is taken, for the purposes of
19
this Act, to be a use or disclosure that is authorised by this
20
subsection.
21
Decision about the complaint
22
(4) After investigating the complaint, the respondent must, within the
23
period referred to in subsection (5), make a decision about the
24
complaint and give the individual a written notice that:
25
(a) sets out the decision; and
26
(b) states that, if the individual is not satisfied with the decision,
27
the individual may:
28
(i) access a recognised external dispute resolution scheme
29
of which the respondent is a member; or
30
(ii) make a complaint to the Commissioner under Part V.
31
(5) The period for the purposes of subsection (4) is:
32
Schedule 2 Credit reporting
130 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) the period of 30 days that starts on the day on which the
1
complaint is made; or
2
(b) such longer period as the individual has agreed to in writing.
3
23C Notification requirements relating to correction complaints
4
(1) This section applies if an individual makes a complaint under
5
section 23A about an act or practice that may breach section 20S or
6
21U (which deal with the correction of personal information by
7
credit reporting bodies and credit providers).
8
Notification of complaint etc.
9
(2)
If:
10
(a) the respondent for the complaint is a credit reporting body;
11
and
12
(b) the complaint relates to credit information or credit eligibility
13
information that a credit provider holds;
14
the respondent must, in writing:
15
(c) notify the provider of the making of the complaint as soon as
16
practicable after it is made; and
17
(d) notify the provider of the making of a decision about the
18
complaint under subsection 23B(4) as soon as practicable
19
after it is made.
20
(3)
If:
21
(a) the respondent for the complaint is a credit provider; and
22
(b) the complaint relates to:
23
(i) credit reporting information that a credit reporting body
24
holds; or
25
(ii) credit information or credit eligibility information that
26
another credit provider holds;
27
the respondent must, in writing:
28
(c) notify the body or other provider (as the case may be) of the
29
making of the complaint as soon as practicable after it is
30
made; and
31
(d) notify the body or other provider (as the case may be) of the
32
making of a decision about the complaint under subsection
33
23B(4) as soon as practicable after it is made.
34
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 131
Notification of recipients of disclosed information
1
(4)
If:
2
(a) a credit reporting body discloses credit reporting information
3
to which the complaint relates under Division 2 of this Part;
4
and
5
(b) at the time of the disclosure, a decision about the complaint
6
under subsection 23B(4) has not been made;
7
the body must, at that time, notify in writing the recipient of the
8
information of the complaint.
9
(5)
If:
10
(a) a credit provider discloses personal information to which the
11
complaint relates under Division 3 of this Part or under the
12
Australian Privacy Principles; and
13
(b) at the time of the disclosure, a decision about the complaint
14
under subsection 23B(4) has not been made;
15
the provider must, at that time, notify in writing the recipient of the
16
information of the complaint.
17
Exceptions
18
(6) Subsection (2), (3), (4) or (5) does not apply if:
19
(a) it is impracticable for the credit reporting body or credit
20
provider to give the notification under that subsection; or
21
(b) the credit reporting body or credit provider is required by or
22
under an Australian law, or a court/tribunal order, not to give
23
the notification under that subsection.
24
Division 6--Unauthorised obtaining of credit reporting
25
information etc.
26
24 Obtaining credit reporting information from a credit reporting
27
body
28
Offences
29
(1) An entity commits an offence if:
30
(a) the entity obtains credit reporting information; and
31
(b) the information is obtained from a credit reporting body; and
32
(c) the entity is not:
33
Schedule 2 Credit reporting
132 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(i) an entity to which the body is permitted to disclose the
1
information under Division 2 of this Part; or
2
(ii) an access seeker for the information.
3
Penalty: 200 penalty units.
4
(2) An entity commits an offence if:
5
(a) the entity obtains credit reporting information; and
6
(b) the information is obtained from a credit reporting body; and
7
(c) the information is obtained by false pretence.
8
Penalty: 200 penalty units.
9
Civil penalties
10
(3) An entity must not obtain credit reporting information from a credit
11
reporting body if the entity is not:
12
(a) an entity to which the body is permitted to disclose the
13
information under Division 2 of this Part; or
14
(b) an access seeker for the information.
15
Civil penalty:
2,000 penalty units.
16
(4) An entity must not obtain, by false pretence, credit reporting
17
information from a credit reporting body.
18
Civil penalty:
2,000 penalty units.
19
24A Obtaining credit eligibility information from a credit provider
20
Offences
21
(1) An entity commits an offence if:
22
(a) the entity obtains credit eligibility information; and
23
(b) the information is obtained from a credit provider; and
24
(c) the entity is not:
25
(i) an entity to which the provider is permitted to disclose
26
the information under Division 3 of this Part; or
27
(ii) an access seeker for the information.
28
Penalty: 200 penalty units.
29
(2) An entity commits an offence if:
30
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 133
(a) the entity obtains credit eligibility information; and
1
(b) the information is obtained from a credit provider; and
2
(c) the information is obtained by false pretence.
3
Penalty: 200 penalty units.
4
Civil penalties
5
(3) An entity must not obtain credit eligibility information from a
6
credit provider if the entity is not:
7
(a) an entity to which the provider is permitted to disclose the
8
information under Division 3 of this Part; or
9
(b) an access seeker for the information.
10
Civil penalty:
2,000 penalty units.
11
(4) An entity must not obtain, by false pretence, credit eligibility
12
information from a credit provider.
13
Civil penalty:
2,000 penalty units.
14
Division 7--Court orders
15
25 Compensation orders
16
(1) The Federal Court or the Federal Magistrates Court may order an
17
entity to compensate a person for loss or damage (including injury
18
to the person's feelings or humiliation) suffered by the person if:
19
(a)
either:
20
(i) a civil penalty order has been made against the entity for
21
a contravention of a civil penalty provision (other than
22
section 13G); or
23
(ii) the entity is found guilty of an offence against this Part;
24
and
25
(b) that loss or damage resulted from the contravention or
26
commission of the offence.
27
The order must specify the amount of compensation.
28
(2) The court may make the order only if:
29
(a) the person applies for an order under this section; and
30
Schedule 2 Credit reporting
134 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) the application is made within 6 years of the day the cause of
1
action that relates to the contravention or commission of the
2
offence accrued.
3
(3) If the court makes the order, the amount of compensation specified
4
in the order that is to be paid to the person may be recovered as a
5
debt due to the person.
6
25A Other orders to compensate loss or damage
7
(1) This section applies if:
8
(a)
either:
9
(i) a civil penalty order has been made against an entity for
10
a contravention of a civil penalty provision (other than
11
section 13G); or
12
(ii) an entity is found guilty of an offence against this Part;
13
and
14
(b) a person has suffered, or is likely to suffer, loss or damage
15
(including injury to the person's feelings or humiliation) as a
16
result of the contravention or commission of the offence.
17
(2) The Federal Court or the Federal Magistrates Court may make such
18
order as the Court considers appropriate against the entity to:
19
(a) compensate the person, in whole or in part, for that loss or
20
damage; or
21
(b) prevent or reduce that loss or damage suffered, or likely to be
22
suffered, by the person.
23
(3) Without limiting subsection (2), examples of orders the court may
24
make include:
25
(a) an order directing the entity to perform any reasonable act, or
26
carry out any reasonable course of conduct, to redress the
27
loss or damage suffered by the person; and
28
(b) an order directing the entity to pay the person a specified
29
amount to reimburse the person for expenses reasonably
30
incurred by the person in connection with the contravention
31
or commission of the offence; and
32
(c) an order directing the defendant to pay to the person the
33
amount of loss or damage the plaintiff suffered.
34
(4) The court may make the order only if:
35
(a) the person applies for an order under this section; and
36
Credit reporting Schedule 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 135
(b) the application is made within 6 years of the day the cause of
1
action that relates to the contravention or commission of the
2
offence accrued.
3
(5) If the court makes an order that the entity pay an amount to the
4
person, the person may recover the amount as a debt due to the
5
person.
6
73 Subsections 30(3) and (4)
7
Omit "credit reporting agency" (wherever occurring), substitute "credit
8
reporting body".
9
74 Subsection 49(4) (paragraph (a) of the definition of credit
10
reporting offence)
11
Omit "18C(4), 18D(4), 18K(4), 18L(2), 18N(2), 18R(2) or 18S(3) or
12
section 18T", substitute "20P(1), 21R(1) or (2), 24(1) or (2) or 24A(1)
13
or (2)".
14
75 Subsection 68(1)
15
Omit "credit reporting agency", substitute "credit reporting body".
16
17
Schedule 3 Privacy codes
136 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Schedule 3--Privacy codes
1
2
Privacy Act 1988
3
1 Subsection 6(1)
4
Insert:
5
APP code has the meaning given by section 26C.
6
2 Subsection 6(1)
7
Insert:
8
APP code developer means:
9
(a) an APP entity; or
10
(b) a group of APP entities; or
11
(c) a body or association representing one or more APP entities.
12
3 Subsection 6(1) (definition of approved privacy code)
13
Repeal the definition.
14
4 Subsection 6(1) (definition of code complaint)
15
Omit "an approved privacy code", substitute "a registered APP code".
16
5 Subsection 6(1) (definition of Code of Conduct)
17
Repeal the definition.
18
6 Subsection 6(1)
19
Insert:
20
Codes Register has the meaning given by subsection 26U(1).
21
7 Subsection 6(1)
22
Insert:
23
CR code has the meaning given by section 26N.
24
8 Subsection 6(1)
25
Insert:
26
Privacy codes Schedule 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 137
CR code developer means:
1
(a) an entity that is subject to Part IIIA; or
2
(b) a group of entities that are subject to Part IIIA; or
3
(c) a body or association representing one or more entities that
4
are subject to Part IIIA.
5
9 Subsection 6(1) (definition of credit provider)
6
After "III,", insert "IIIB,".
7
10 Subsection 6(1) (paragraph (a) of the definition of credit
8
reporting complaint)
9
Omit "the Code of Conduct", substitute "the registered CR code".
10
11 Subsection 6(1) (definition of credit reporting
11
infringement)
12
Repeal the definition.
13
12 Subsection 6(1) (definition of privacy code)
14
Repeal the definition.
15
13 Subsection 6(1)
16
Insert:
17
registered APP code has the meaning given by section 26B.
18
14 Subsection 6(1)
19
Insert:
20
registered CR code has the meaning given by section 26M.
21
15 Subsection 6(3A)
22
Repeal the subsection.
23
16 At the end of subsection 6(7)
24
Add:
25
; or (g) being both an APP complaint and a code complaint.
26
17 Section 6B (heading)
27
Repeal the heading, substitute:
28
Schedule 3 Privacy codes
138 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
6B Breach of a registered APP code
1
18 Subsections 6B(1), (2), (3) and (4)
2
Omit "an approved privacy code", substitute "a registered APP code".
3
19 After section 6B
4
Insert:
5
6BA Breach of the registered CR code
6
For the purposes of this Act, an act or practice breaches the
7
registered CR code if, and only if, it is contrary to, or inconsistent
8
with, the code.
9
20 Subsection 7(2)
10
Omit "an approved privacy code", substitute "a registered APP code".
11
21 Subsection 7B(2) (note)
12
Omit "or a binding approved privacy code", substitute ", or a registered
13
APP code that binds the organisation,".
14
22 Subsection 13B(1) (note)
15
Omit "or a binding approved privacy code", substitute "and a registered
16
APP code that binds them".
17
23 Subsection 13B(1) (paragraph (b) of the note)
18
Omit "or a corresponding provision in a binding approved privacy
19
code".
20
24 Subsection 13B(1A) (note)
21
Omit "a binding approved privacy code", substitute "a registered APP
22
code that binds the body".
23
25 Subsection 13C(1) (note)
24
Omit "or a binding approved privacy code", substitute "and a registered
25
APP code that binds them".
26
26 Subsection 13C(1) (note)
27
Privacy codes Schedule 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 139
Omit "or a corresponding provision in a binding approved privacy
1
code".
2
27 Division 5 of Part III
3
Repeal the Division.
4
28 Part IIIAA
5
Repeal the Part.
6
29 Before Part IV
7
Insert:
8
Part IIIB--Privacy codes
9
Division 1--Introduction
10
26 Guide to this Part
11
This Part deals with privacy codes.
12
Division 2 deals with codes of practice about information privacy,
13
called APP codes. APP code developers or the Commissioner may
14
develop APP codes, which:
15
(a)
must set out how one or more of the Australian
16
Privacy Principles are to be applied or complied
17
with; and
18
(b)
may impose additional requirements to those
19
imposed by the Australian Privacy Principles; and
20
(c)
may deal with other specified matters.
21
If the Commissioner includes an APP code on the Codes Register,
22
an APP entity bound by the code must not breach it. A breach of a
23
registered APP code is an interference with the privacy of an
24
individual.
25
Schedule 3 Privacy codes
140 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Division 3 deals with a code of practice about credit reporting,
1
called a CR code. CR code developers or the Commissioner may
2
develop a CR code, which:
3
(a)
must set out how one or more of the provisions of
4
Part IIIA are to be applied or complied with; and
5
(b)
must deal with matters required or permitted by
6
Part IIIA to be provided for by the registered CR
7
code; and
8
(c)
may deal with other specified matters.
9
If the Commissioner includes a CR code on the Codes Register, an
10
entity bound by the code must not breach it. A breach of the
11
registered CR code is an interference with the privacy of an
12
individual.
13
Division 4 deals with the Codes Register, guidelines relating to
14
codes and the review of the operation of registered codes.
15
Division 2--Registered APP codes
16
Subdivision A--Compliance with registered APP codes etc.
17
26A APP entities to comply with binding registered APP codes
18
An APP entity must not do an act, or engage in a practice, that
19
breaches a registered APP code that binds the entity.
20
26B What is a registered APP code
21
(1)
A
registered APP code is an APP code:
22
(a) that is included on the Codes Register; and
23
(b) that is in force.
24
(2) A registered APP code is a legislative instrument.
25
(3) Despite subsection 12(2) of the Legislative Instruments Act 2003, a
26
registered APP code may be expressed to take effect before the
27
date it is registered under that Act.
28
Privacy codes Schedule 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 141
Note:
An APP code cannot come into force before it is included on the
1
Codes Register: see paragraph 26C(2)(c).
2
26C What is an APP code
3
(1)
An
APP code is a written code of practice about information
4
privacy.
5
(2) An APP code must:
6
(a) set out how one or more of the Australian Privacy Principles
7
are to be applied or complied with; and
8
(b) specify the APP entities that are bound by the code, or a way
9
of determining the APP entities that are bound by the code;
10
and
11
(c) set out the period during which the code is in force (which
12
must not start before the day the code is registered under
13
section 26H).
14
(3) An APP code may do one or more of the following:
15
(a) impose additional requirements to those imposed by one or
16
more of the Australian Privacy Principles, so long as the
17
additional requirements are not contrary to, or inconsistent
18
with, those principles;
19
(b) cover an act or practice that is exempt within the meaning of
20
subsection 7B(1), (2) or (3);
21
(c) deal with the internal handling of complaints;
22
(d) provide for the reporting to the Commissioner about
23
complaints;
24
(e) deal with any other relevant matters.
25
(4) An APP code may be expressed to apply to any one or more of the
26
following:
27
(a) all personal information or a specified type of personal
28
information;
29
(b) a specified activity, or a specified class of activities, of an
30
APP entity;
31
(c) a specified industry sector or profession, or a specified class
32
of industry sectors or professions;
33
(d) APP entities that use technology of a specified kind.
34
(5) An APP code is not a legislative instrument.
35
Schedule 3 Privacy codes
142 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
26D Extension of Act to exempt acts or practices covered by
1
registered APP codes
2
If a registered APP code covers an act or practice that is exempt
3
within the meaning of subsection 7B(1), (2) or (3), this Act applies
4
in relation to the code as if that act or practice were not exempt.
5
Subdivision B--Development and registration of APP codes
6
26E Development of APP codes by APP code developers
7
Own initiative
8
(1) An APP code developer may develop an APP code.
9
At the Commissioner's request
10
(2) The Commissioner may, in writing, request an APP code developer
11
to develop an APP code, and apply to the Commissioner for the
12
code to be registered, if the Commissioner is satisfied it is in the
13
public interest for the code to be developed.
14
(3) The request must:
15
(a) specify the period within which the request must be complied
16
with; and
17
(b) set out the effect of section 26A.
18
(4)
The
period:
19
(a) must run for at least 120 days from the date the request is
20
made; and
21
(b) may be extended by the Commissioner.
22
(5) The request may:
23
(a) specify one or more matters that the APP code must deal
24
with; and
25
(b) specify the APP entities, or a class of APP entities, that
26
should be bound by the code.
27
(6) Despite paragraph (5)(a), the Commissioner must not require an
28
APP code to cover an act or practice that is exempt within the
29
meaning of subsection 7B(1), (2) or (3). However, the APP code
30
that is developed by the APP code developer may cover such an act
31
or practice.
32
Privacy codes Schedule 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 143
(7) The Commissioner must make a copy of the request publicly
1
available as soon as practicable after the request is made.
2
26F Application for registration of APP codes
3
(1) If an APP code developer develops an APP code, the developer
4
may apply to the Commissioner for registration of the code.
5
(2) Before making the application, the APP code developer must:
6
(a) make a draft of the APP code publicly available; and
7
(b) invite the public to make submissions to the developer about
8
the draft within a specified period (which must run for at
9
least 28 days); and
10
(c) give consideration to any submissions made within the
11
specified period.
12
(3) The application must:
13
(a) be made in the form and manner specified by the
14
Commissioner; and
15
(b) be accompanied by such information as is specified by the
16
Commissioner.
17
(4) The APP code developer may vary the APP code at any time
18
before the Commissioner registers the code, but only with the
19
consent of the Commissioner.
20
26G Development of APP codes by the Commissioner
21
(1) This section applies if the Commissioner made a request under
22
subsection 26E(2) and either:
23
(a) the request has not been complied with; or
24
(b) the request has been complied with but the Commissioner has
25
decided not to register, under section 26H, the APP code that
26
was developed as requested.
27
(2) The Commissioner may develop an APP code if the Commissioner
28
is satisfied that it is in public interest to develop the code.
29
However, despite subsection 26C(3)(b), the APP code must not
30
cover an act or practice that is exempt within the meaning of
31
subsection 7B(1), (2) or (3).
32
Schedule 3 Privacy codes
144 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(3) Before registering the APP code under section 26H, the
1
Commissioner must:
2
(a) make a draft of the code publicly available; and
3
(b) invite the public to make submissions to the Commissioner
4
about the draft within a specified period (which must run for
5
at least 28 days); and
6
(c) give consideration to any submissions made within the
7
specified period.
8
26H Commissioner may register APP codes
9
(1)
If:
10
(a) an application for registration of an APP code is made under
11
section 26F; or
12
(b) the Commissioner develops an APP code under section 26G;
13
the Commissioner may register the code by including it on the
14
Codes Register.
15
(2) In deciding whether to register the APP code, the Commissioner
16
may:
17
(a) consult any person the Commissioner considers appropriate;
18
and
19
(b) consider the matters specified in any relevant guidelines
20
made under section 26V.
21
(3) If the Commissioner decides not to register an APP code developed
22
by an APP code developer, the Commissioner must give written
23
notice of the decision to the developer, including reasons for the
24
decision.
25
Subdivision C--Variation and removal of registered APP codes
26
26J Variation of registered APP codes
27
(1) The Commissioner may, in writing, approve a variation of a
28
registered APP code:
29
(a) on his or her own initiative; or
30
(b) on application by an APP entity that is bound by the code; or
31
(c) on application by a body or association representing one or
32
more APP entities that are bound by the code.
33
Privacy codes Schedule 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 145
(2) An application under paragraph (1)(b) or (c) must:
1
(a) be made in the form and manner specified by the
2
Commissioner; and
3
(b) be accompanied by such information as is specified by the
4
Commissioner.
5
(3) If the Commissioner varies a registered APP code on his or her
6
own initiative, then, despite subsection 26C(3)(b), the variation
7
must not deal with an act or practice that is exempt within the
8
meaning of subsection 7B(1), (2) or (3).
9
(4) Before deciding whether to approve a variation, the Commissioner
10
must:
11
(a) make a draft of the variation publicly available; and
12
(b) consult any person the Commissioner considers appropriate
13
about the variation; and
14
(c) consider the extent to which members of the public have
15
been given an opportunity to comment on the variation.
16
(5) In deciding whether to approve a variation, the Commissioner may
17
consider the matters specified in any relevant guidelines made
18
under section 26V.
19
(6) If the Commissioner approves a variation of a registered APP code
20
(the original code), the Commissioner must:
21
(a) remove the original code from the Codes Register; and
22
(b) register the APP code, as varied, by including it on the
23
Register.
24
(7) If the Commissioner approves a variation, the variation comes into
25
effect on the day specified in the approval, which must not be
26
before the day on which the APP code, as varied, is included on the
27
Codes Register.
28
(8) An approval is not a legislative instrument.
29
Note:
The APP code, as varied, is a legislative instrument once it is included
30
on the Codes Register: see section 26B.
31
26K Removal of registered APP codes
32
(1) The Commissioner may remove a registered APP code from the
33
Codes Register:
34
Schedule 3 Privacy codes
146 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) on his or her own initiative; or
1
(b) on application by an APP entity that is bound by the code; or
2
(c) on application by a body or association representing one or
3
more APP entities that are bound by the code.
4
(2) An application under paragraph (1)(b) or (c) must:
5
(a) be made in the form and manner specified by the
6
Commissioner; and
7
(b) be accompanied by such information as is specified by the
8
Commissioner.
9
(3) Before deciding whether to remove the registered APP code, the
10
Commissioner must:
11
(a) consult any person the Commissioner considers appropriate
12
about the proposed removal; and
13
(b) consider the extent to which members of the public have
14
been given an opportunity to comment on the proposed
15
removal.
16
(4) In deciding whether to remove the registered APP code, the
17
Commissioner may consider the matters specified in any relevant
18
guidelines made under section 26V.
19
Division 3--Registered CR code
20
Subdivision A--Compliance with the registered CR code
21
26L Entities to comply with the registered CR code if bound by the
22
code
23
If an entity is bound by the registered CR code, the entity must not
24
do an act, or engage in a practice, that breaches the code.
25
Note:
There must always be one, and only one, registered CR code at all
26
times after this Part commences: see subsection 26S(4).
27
26M What is the registered CR code
28
(1)
The
registered CR code is the CR code that is included on the
29
Codes Register.
30
(2) The registered CR code is a legislative instrument.
31
Privacy codes Schedule 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 147
(3) Despite subsection 12(2) of the Legislative Instruments Act 2003,
1
the registered CR code may be expressed to take effect before the
2
date it is registered under that Act.
3
26N What is a CR code
4
(1)
A
CR code is a written code of practice about credit reporting.
5
(2) A CR code must:
6
(a) set out how one or more of the provisions of Part IIIA are to
7
be applied or complied with; and
8
(b) make provision for, or in relation to, matters required or
9
permitted by Part IIIA to be provided for by the registered
10
CR code; and
11
(c) bind all credit reporting bodies; and
12
(d) specify the credit providers that are bound by the code, or a
13
way of determining which credit providers are bound; and
14
(e) specify any other entities subject to Part IIIA that are bound
15
by the code, or a way of determining which of those entities
16
are bound.
17
(3) A CR code may do one or more of the following:
18
(a) impose additional requirements to those imposed by
19
Part IIIA, so long as the additional requirements are not
20
contrary to, or inconsistent with, that Part;
21
(b) deal with the internal handling of complaints;
22
(c) provide for the reporting to the Commissioner about
23
complaints;
24
(d) deal with any other relevant matters.
25
(4) A CR code may be expressed to apply differently in relation to:
26
(a) classes of entities that are subject to Part IIIA; and
27
(b) specified classes of credit information, credit reporting
28
information or credit eligibility information; and
29
(c) specified classes of activities of entities that are subject to
30
Part IIIA.
31
(5) A CR code is not a legislative instrument.
32
Schedule 3 Privacy codes
148 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Subdivision B--Development and registration of CR code
1
26P Development of CR code by CR code developers
2
(1) The Commissioner may, in writing, request a CR code developer to
3
develop a CR code and apply to the Commissioner for the code to
4
be registered.
5
(2) The request must:
6
(a) specify the period within which the request must be complied
7
with; and
8
(b) set out the effect of section 26L.
9
(3)
The
period:
10
(a) must run for at least 120 days from the date the request is
11
made; and
12
(b) may be extended by the Commissioner.
13
(4) The request may:
14
(a) specify one or more matters that the CR code must deal with;
15
and
16
(b) specify the credit providers, or a class of credit providers,
17
that should be bound by the code; and
18
(c) specify the other entities, or a class of other entities, subject
19
to Part IIIA that should be bound by the code.
20
(5) The Commissioner must make a copy of the request publicly
21
available as soon as practicable after the request is made.
22
26Q Application for registration of CR code
23
(1) If a CR code developer develops a CR code, the developer may
24
apply to the Commissioner for registration of the code.
25
(2) Before making the application, the CR code developer must:
26
(a) make a draft of the CR code publicly available; and
27
(b) invite the public to make submissions to the developer about
28
the draft within a specified period (which must run for at
29
least 28 days); and
30
(c) give consideration to any submissions made within the
31
specified period.
32
Privacy codes Schedule 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 149
(3) The application must:
1
(a) be made in the form and manner specified by the
2
Commissioner; and
3
(b) be accompanied by such information as is specified by the
4
Commissioner.
5
(4) The CR code developer may vary the CR code at any time before
6
the Commissioner registers the code, but only with the consent of
7
the Commissioner.
8
26R Development of CR code by the Commissioner
9
(1) The Commissioner may develop a CR code if the Commissioner
10
made a request under section 26P and either:
11
(a) the request has not been complied with; or
12
(b) the request has been complied with but the Commissioner has
13
decided not to register, under section 26S, the CR code that
14
was developed as requested.
15
(2) Before registering the CR code under section 26S, the
16
Commissioner must:
17
(a) make a draft of the code publicly available; and
18
(b) invite the public to make submissions to the Commissioner
19
about the draft within a specified period (which must run for
20
at least 28 days); and
21
(c) give consideration to any submissions made within the
22
specified period.
23
26S Commissioner may register CR code
24
(1)
If:
25
(a) an application for registration of a CR code is made under
26
section 26Q; or
27
(b) the Commissioner develops a CR code under section 26R;
28
the Commissioner may register the code by including it on the
29
Codes Register.
30
(2) In deciding whether to register the CR code, the Commissioner
31
may:
32
(a) consult any person the Commissioner considers appropriate;
33
and
34
Schedule 3 Privacy codes
150 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) consider the matters specified in any guidelines made under
1
section 26V.
2
(3) If the Commissioner decides not to register a CR code developed
3
by a CR code developer, the Commissioner must give written
4
notice of the decision to the developer, including reasons for the
5
decision.
6
(4) The Commissioner must ensure that there is one, and only one,
7
registered CR code at all times after this Part commences.
8
Subdivision C--Variation of the registered CR code
9
26T Variation of the registered CR code
10
(1) The Commissioner may, in writing, approve a variation of the
11
registered CR code:
12
(a) on his or her own initiative; or
13
(b) on application by an entity that is bound by the code; or
14
(c) on application by a body or association representing one or
15
more of the entities that are bound by the code.
16
(2) An application under paragraph (1)(b) or (c) must:
17
(a) be made in the form and manner specified by the
18
Commissioner; and
19
(b) be accompanied by such information as is specified by the
20
Commissioner.
21
(3) Before deciding whether to approve a variation, the Commissioner
22
must:
23
(a) make a draft of the variation publicly available; and
24
(b) consult any person the Commissioner considers appropriate
25
about the variation; and
26
(c) consider the extent to which members of the public have
27
been given an opportunity to comment on the variation.
28
(4) In deciding whether to approve a variation, the Commissioner may
29
consider the matters specified in any relevant guidelines made
30
under section 26V.
31
(5) If the Commissioner approves a variation of the registered CR code
32
(the original code), the Commissioner must:
33
Privacy codes Schedule 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 151
(a) remove the original code from the Codes Register; and
1
(b) register the CR code, as varied, by including it on the
2
Register.
3
(6) If the Commissioner approves a variation, the variation comes into
4
effect on the day specified in the approval, which must not be
5
before the day on which the CR code, as varied, is included on the
6
Codes Register.
7
(7) An approval is not a legislative instrument.
8
Note:
The CR code, as varied, is a legislative instrument once it is included
9
on the Codes Register: see section 26M.
10
Division 4--General matters
11
26U Codes Register
12
(1) The Commissioner must keep a register (the Codes Register)
13
which includes:
14
(a) the APP codes the Commissioner has decided to register
15
under section 26H; and
16
(b) the APP codes the Commissioner must register under
17
section 26J; and
18
(c) the CR code the Commissioner has decided to register under
19
section 26S; and
20
(d) the CR code the Commissioner must register under
21
section 26T.
22
(2) Despite subsection (1), the Commissioner is not required to include
23
on the Codes Register:
24
(a) an APP code removed from the Register under section 26J or
25
26K; or
26
(b) the CR code removed from the Register under section 26T.
27
(3) The Commissioner must make the Codes Register available on the
28
Commissioner's website.
29
(4) The Commissioner may charge fees for providing copies of, or
30
extracts from, the Codes Register.
31
Schedule 3 Privacy codes
152 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
26V Guidelines relating to codes
1
(1) The Commissioner may make written guidelines:
2
(a) to assist APP code developers to develop APP codes; or
3
(b) to assist APP entities bound by registered APP codes to apply
4
or comply with the codes; or
5
(c) to assist CR code developers to develop a CR code; or
6
(d) to assist entities bound by the registered CR code to apply or
7
comply with the code.
8
(2) The Commissioner may make written guidelines about matters the
9
Commissioner may consider in deciding whether:
10
(a) to register an APP code or a CR code; or
11
(b) to approve a variation of a registered APP code or the
12
registered CR code; or
13
(c) to remove a registered APP code from the Codes Register.
14
(3) The Commissioner may publish any such guidelines on the
15
Commissioner's website.
16
(4) Guidelines are not a legislative instrument.
17
26W Review of operation of registered codes
18
(1) The Commissioner may review the operation of a registered APP
19
code.
20
Note:
The review may inform a decision by the Commissioner to approve a
21
variation of a registered APP code or to remove a registered APP code
22
from the Codes Register.
23
(2) The Commissioner may review the operation of the registered CR
24
code.
25
Note:
The review may inform a decision by the Commissioner to approve a
26
variation of the registered CR code.
27
30 Subsection 36(1)
28
Omit "Subject to subsection (1A), an", substitute "An".
29
31 Subsections 36(1A), (1B) and (1C)
30
Repeal the subsections.
31
32 Subsections 54(1A), 55A(7) and 55B(2)
32
Privacy codes Schedule 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 153
Repeal the subsections.
1
33 Subsection 55B(3)
2
Omit "or (2)".
3
34 Subsection 55B(3)
4
Omit "or adjudicator".
5
35 Subsection 55B(4)
6
Omit "or (2)".
7
36 Subsection 64(1)
8
Omit "(1)".
9
37 Subsection 64(2)
10
Repeal the subsection.
11
38 Section 95C
12
Omit "an approved privacy code", substitute "a registered APP code".
13
14
Schedule 4 Other amendments of the Privacy Act 1988
154 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Schedule 4--Other amendments of the
1
Privacy Act 1988
2
3
1 After section 2
4
Insert:
5
2A Objects of this Act
6
The objects of this Act are:
7
(a) to promote the protection of the privacy of individuals; and
8
(b) to recognise that the protection of the privacy of individuals
9
is balanced with the interests of entities in carrying out their
10
functions or activities; and
11
(c) to provide the basis for nationally consistent regulation of
12
privacy and the handling of personal information; and
13
(d) to promote responsible and transparent handling of personal
14
information by entities; and
15
(e) to facilitate an efficient credit reporting system while
16
ensuring that the privacy of individuals is respected; and
17
(f) to facilitate the free flow of information across national
18
borders while ensuring that the privacy of individuals is
19
respected; and
20
(g) to provide a means for individuals to complain about an
21
alleged interference with their privacy; and
22
(h) to implement Australia's international obligation in relation
23
to privacy.
24
2 Subsections 5B(1) and (1A)
25
Repeal the subsections, substitute:
26
Agencies
27
(1) This Act, a registered APP code and the registered CR code extend
28
to an act done, or practice engaged in, outside Australia and the
29
external Territories by an agency.
30
Note:
The act or practice overseas will not breach an Australian Privacy
31
Principle or a registered APP code if the act or practice is required by
32
an applicable foreign law (see sections 6A and 6B).
33
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 155
Organisations and small business operators
1
(1A) This Act, a registered APP code and the registered CR code extend
2
to an act done, or practice engaged in, outside Australia and the
3
external Territories by an organisation, or small business operator,
4
that has an Australian link.
5
Note:
The act or practice overseas will not breach an Australian Privacy
6
Principle or a registered APP code if the act or practice is required by
7
an applicable foreign law (see sections 6A and 6B).
8
3 Subsection 5B(2) (heading)
9
Repeal the heading, substitute:
10
Australian link
11
4 Subsection 5B(2)
12
Omit "The organisation must be", substitute "An organisation or small
13
business operator has an Australian link if the organisation or operator
14
is".
15
5 Subsection 5B(3) (heading)
16
Repeal the heading.
17
6 Subsection 5B(3)
18
Omit "All of the following conditions must be met", substitute "An
19
organisation or small business operator also has an Australian link if all
20
of the following apply".
21
7 Paragraphs 5B(3)(a), (b) and (c)
22
After "organisation", insert "or operator".
23
8 Subsection 5B(4)
24
After "subsection (1)", insert "or (1A)".
25
9 Subsection 6(1)
26
Insert:
27
advice related functions has the meaning given by subsection
28
28B(1).
29
10 Subsection 6(1)
30
Schedule 4 Other amendments of the Privacy Act 1988
156 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Insert:
1
Australian link has the meaning given by subsections 5B(2) and
2
(3).
3
11 Subsection 6(1) (all the definitions of breach)
4
Repeal the definitions, substitute:
5
breach:
6
(a) in relation to an Australian Privacy Principle, has the
7
meaning given by section 6A; and
8
(b) in relation to a registered APP code, has the meaning given
9
by section 6B; and
10
(c) in relation to the registered CR code, has the meaning given
11
by section 6BA.
12
12 Subsection 6(1)
13
Insert:
14
civil penalty order has the meaning given by subsection 80W(4).
15
13 Subsection 6(1)
16
Insert:
17
civil penalty provision has the meaning given by section 80U.
18
14 Subsection 6(1) (definition of code complaint)
19
Omit "the complainant", substitute "an individual".
20
15 Subsection 6(1)
21
Insert:
22
committee of management of an unincorporated association means
23
a body (however described) that governs, manages or conducts the
24
affairs of the association.
25
16 Subsection 6(1) (definition of credit reporting complaint)
26
Omit "the complainant", substitute "an individual".
27
17 Subsection 6(1)
28
Insert:
29
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 157
Defence Department means the Department of State that deals
1
with defence and that is administered by the Minister administering
2
section 1 of the Defence Act 1903.
3
18 Subsection 6(1) (definition of file number complaint)
4
Omit "the complainant", substitute "an individual".
5
19 Subsection 6(1) (paragraph (a) of the definition of file
6
number complaint)
7
Omit "guideline", substitute "rule".
8
20 Subsection 6(1)
9
Insert:
10
guidance related functions has the meaning given by subsection
11
28(1).
12
21 Subsection 6(1) (definition of individual concerned)
13
Repeal the definition.
14
22 Subsection 6(1)
15
Insert:
16
interference with the privacy of an individual has the meaning
17
given by sections 13 to 13F.
18
23 Subsection 6(1)
19
Insert:
20
monitoring related functions has the meaning given by
21
subsections 28A(1) and (2).
22
24 Subsection 6(1)
23
Insert:
24
offence against this Act includes an offence against section 6 of
25
the Crimes Act 1914, or section 11.1, 11.2, 11.2A, 11.4 or 11.5 of
26
the Criminal Code, that relates to an offence against this Act.
27
25 Subsection 6(1)
28
Insert:
29
Schedule 4 Other amendments of the Privacy Act 1988
158 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
recognised external dispute resolution scheme means an external
1
dispute resolution scheme recognised under section 35A.
2
26 Subsection 6(1) (definition of tax file number information)
3
Omit "(including information forming part of a database)".
4
27 Subsection 6(3)
5
Omit "guideline" (wherever occurring), substitute "rule".
6
28 Subsection 6(6)
7
Omit "Department of Defence", substitute "Defence Department".
8
29 Paragraphs 7(1)(ca) and (g) and (1A)(c)
9
Omit "Department of Defence", substitute "Defence Department".
10
30 Subsection 7(2)
11
Omit "under section 27", substitute "in relation to the principles and
12
such a code".
13
31 Paragraph 7(2)(b)
14
Omit "Department of Defence", substitute "Defence Department".
15
32 Subsection 7(3A)
16
Repeal the subsection.
17
33 Subsection 7(4)
18
Omit "paragraphs 27(1)(b), (c), (d), (e), (g), (k) and (m)", substitute
19
"section 28, of paragraphs 28A(2)(a) to (e)".
20
34 Section 12B (heading)
21
Repeal the heading, substitute:
22
12B Severability--additional effect of this Act
23
35 Subsections 12B(1) and (2)
24
Repeal the subsections, substitute:
25
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 159
(1) Without limiting its effect apart from this section, this Act has
1
effect in relation to the following (the regulated entities) as
2
provided by this section:
3
(a)
an
agency;
4
(b)
an
organisation;
5
(c) a small business operator;
6
(d) a body politic.
7
Note:
Subsection 27(4) applies in relation to an investigation of an act or
8
practice referred to in subsection 29(1) of the Healthcare Identifiers
9
Act 2010.
10
(2) This Act also has the effect it would have if its operation in relation
11
to regulated entities were expressly confined to an operation to
12
give effect to the following:
13
(a) the International Covenant on Civil and Political Rights done
14
at New York on 16 December 1966 ([1980] ATS 23), and in
15
particular Articles 17 and 24(1) of the Covenant;
16
(b) Article 16 of the Convention on the Rights of the Child done
17
at New York on 20 November 1989 ([1991] ATS 4).
18
Note:
In 2012, the text of the Covenant and Convention in the Australian
19
Treaty Series was accessible through the Australian Treaties Library
20
on the AustLII website (www.austlii.edu.au).
21
36 Subsection 12B(3)
22
Omit "to organisations", substitute "to regulated entities".
23
37 Subsection 12B(3)
24
Omit "subsection 5B(1)", substitute "section 5B".
25
38 Subsection 12B(3)
26
Omit "by organisations".
27
39 Subsections 12B(4) and (5)
28
Omit "organisations" (wherever occurring), substitute "regulated
29
entities".
30
40 After subsection 12B(5)
31
Insert:
32
Schedule 4 Other amendments of the Privacy Act 1988
160 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(5A) This Act also has the effect it would have if its operation in relation
1
to regulated entities were expressly confined to acts or practices
2
engaged in by regulated entities in the course of:
3
(a) banking (other than State banking not extending beyond the
4
limits of the State concerned); or
5
(b) insurance (other than State insurance not extending beyond
6
the limits of the State concerned).
7
41 Subsections 12B(6) to (8)
8
Omit "organisations" (wherever occurring), substitute "regulated
9
entities".
10
42 Sections 13 and 13A
11
Repeal the sections, substitute:
12
13 Interferences with privacy
13
APP entities
14
(1) An act or practice of an APP entity is an interference with the
15
privacy of an individual if:
16
(a) the act or practice breaches an Australian Privacy Principle in
17
relation to personal information about the individual; or
18
(b) the act or practice breaches a registered APP code that binds
19
the entity in relation to personal information about the
20
individual.
21
Credit reporting
22
(2) An act or practice of an entity is an interference with the privacy
23
of an individual if:
24
(a) the act or practice breaches a provision of Part IIIA in
25
relation to personal information about the individual; or
26
(b) the act or practice breaches the registered CR code in relation
27
to personal information about the individual and the code
28
binds the entity.
29
Contracted service providers
30
(3) An act or practice of an organisation is an interference with the
31
privacy of an individual if:
32
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 161
(a) the act or practice relates to personal information about the
1
individual; and
2
(b) the organisation is a contracted service provider for a
3
Commonwealth contract (whether or not the organisation is a
4
party to the contract); and
5
(c) the act or practice does not breach:
6
(i) an Australian Privacy Principle; or
7
(ii) a registered APP code that binds the organisation;
8
in relation to the personal information because of a provision
9
of the contract that is inconsistent with the principle or code;
10
and
11
(d) the act is done, or the practice is engaged in, in a manner
12
contrary to, or inconsistent with, that provision.
13
Note:
See subsections 6A(2) and 6B(2) for when an act or practice does not
14
breach an Australian Privacy Principle or a registered APP code.
15
Tax file numbers
16
(4) An act or practice is an interference with the privacy of an
17
individual if:
18
(a) it is an act or practice of a file number recipient and the act or
19
practice breaches a rule issued under section 17 in relation to
20
tax file number information that relates to the individual; or
21
(b) the act or practice involves an unauthorised requirement or
22
request for disclosure of the tax file number of the individual.
23
Other interferences with privacy
24
(5) An act or practice is an interference with the privacy of an
25
individual if the act or practice:
26
(a) constitutes a breach of Part 2 of the Data-matching Program
27
(Assistance and Tax) Act 1990 or the rules issued under
28
section 12 of that Act; or
29
(b) constitutes a breach of the rules issued under section 135AA
30
of the National Health Act 1953.
31
Note:
Other Acts may provide that an act or practice is an interference with
32
the privacy of an individual. For example, see the Healthcare
33
Identifiers Act 2010, the Anti-Money Laundering and
34
Counter-Terrorism Financing Act 2006 and the Personal Property
35
Securities Act 2009.
36
43 Subsection 13B(1)
37
Schedule 4 Other amendments of the Privacy Act 1988
162 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Omit "paragraphs 13A(1)(a) and (b)", substitute "subsection 13(1)".
1
44 Subsection 13B(1)
2
Omit "of an individual", substitute "of an individual".
3
45 Subsection 13B(2)
4
Repeal the subsection, substitute:
5
Relationship with subsection 13(3)
6
(2) Subsection (1) does not prevent an act or practice of an
7
organisation from being an interference with the privacy of an
8
individual under subsection 13(3).
9
46 Subsection 13C(1)
10
Omit "of the individual", substitute "of the individual".
11
47 Subsection 13C(2)
12
Repeal the subsection, substitute:
13
Effect of subsection (1)
14
(2) Subsection (1) has effect despite subsections 13(1) and (3).
15
48 Subsection 13D(1)
16
Omit "of an individual", substitute "of an individual".
17
49 Subsection 13D(2)
18
Repeal the subsection, substitute:
19
Effect of subsection (1)
20
(2) Subsection (1) has effect despite subsections 13(1) and (3).
21
50 Sections 13E and 13F
22
Repeal the sections, substitute:
23
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 163
13E Effect of sections 13B, 13C and 13D
1
Sections 13B, 13C and 13D do not prevent an act or practice of an
2
organisation from being an interference with the privacy of an
3
individual under subsection 13(2), (4) or (5).
4
13F Act or practice not covered by section 13 is not an interference
5
with privacy
6
An act or practice that is not covered by section 13 is not an
7
interference with the privacy of an individual.
8
13G Serious and repeated interferences with privacy
9
An entity contravenes this subsection if:
10
(a) the entity does an act, or engages in a practice, that is a
11
serious interference with the privacy of an individual; or
12
(b) the entity repeatedly does an act, or engages in a practice,
13
that is an interference with the privacy of one or more
14
individuals.
15
Civil penalty:
2,000 penalty units.
16
51 Section 17
17
Repeal the section, substitute:
18
17 Rules relating to tax file number information
19
The Commissioner must, by legislative instrument, issue rules
20
concerning the collection, storage, use and security of tax file
21
number information.
22
52 Section 18 (heading)
23
Repeal the heading, substitute:
24
18 File number recipients to comply with rules
25
53 Section 18
26
Omit "guideline", substitute "rule".
27
54 Sections 27 to 29
28
Schedule 4 Other amendments of the Privacy Act 1988
164 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Repeal the sections, substitute:
1
27 Functions of the Commissioner
2
(1) The Commissioner has the following functions:
3
(a) the functions that are conferred on the Commissioner by or
4
under:
5
(i) this Act; or
6
(ii) any other law of the Commonwealth;
7
(b) the guidance related functions;
8
(c) the monitoring related functions;
9
(d) the advice related functions;
10
(e) to do anything incidental or conducive to the performance of
11
any of the above functions.
12
(2) The Commissioner has power to do all things necessary or
13
convenient to be done for, or in connection with, the performance
14
of the Commissioner's functions.
15
(3) Without limiting subsection (2), the Commissioner may establish a
16
panel of persons with expertise in relation to a particular matter to
17
assist the Commissioner in performing any of the Commissioner's
18
functions.
19
(4) Section 38 of the Healthcare Identifiers Act 2010, rather than
20
section 12B of this Act, applies in relation to an investigation of an
21
act or practice referred to in subsection 29(1) of that Act in the
22
same way as it applies to Parts 3 and 4 of that Act.
23
Note:
Section 38 of the Healthcare Identifiers Act 2010 deals with the
24
additional effect of Parts 3 and 4 of that Act.
25
28 Guidance related functions of the Commissioner
26
(1) The following are the guidance related functions of the
27
Commissioner:
28
(a) making guidelines for the avoidance of acts or practices that
29
may or might be interferences with the privacy of
30
individuals, or which may otherwise have any adverse effects
31
on the privacy of individuals;
32
(b) making, by legislative instrument, guidelines for the purposes
33
of paragraph (d) of Australian Privacy Principle 6.3;
34
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 165
(c) promoting an understanding and acceptance of:
1
(i) the Australian Privacy Principles and the objects of
2
those principles; and
3
(ii) a registered APP code; and
4
(iii) the provisions of Part IIIA and the objects of those
5
provisions; and
6
(iv) the registered CR code;
7
(d) undertaking educational programs for the purposes of
8
promoting the protection of individual privacy.
9
(2) The Commissioner may publish the guidelines referred to in
10
paragraphs (1)(a) and (b) in such manner as the Commissioner
11
considers appropriate.
12
(3) The educational programs referred to in paragraph (1)(d) may be
13
undertaken by:
14
(a) the Commissioner; or
15
(b) a person or authority acting on behalf of the Commissioner.
16
(4) Guidelines made under paragraph (1)(a) are not a legislative
17
instrument.
18
28A Monitoring related functions of the Commissioner
19
Credit reporting and tax file number information
20
(1) The following are the monitoring related functions of the
21
Commissioner:
22
(a) monitoring the security and accuracy of information held by
23
an entity that is information to which Part IIIA applies;
24
(b) examining the records of entities to ensure that the entities:
25
(i) are not using information to which Part IIIA applies for
26
unauthorised purposes; and
27
(ii) are taking adequate measures to prevent the unlawful
28
disclosure of such information;
29
(c) examining the records of the Commissioner of Taxation to
30
ensure that the Commissioner:
31
(i) is not using tax file number information for purposes
32
beyond his or her powers; and
33
Schedule 4 Other amendments of the Privacy Act 1988
166 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(ii) is taking adequate measures to prevent the unlawful
1
disclosure of the tax file number information that he or
2
she holds;
3
(d) evaluating compliance with the rules issued under section 17;
4
(e) monitoring the security and accuracy of tax file number
5
information kept by file number recipients.
6
Other matters
7
(2) The following are also the monitoring related functions of the
8
Commissioner:
9
(a) examining a proposed enactment that would require or
10
authorise acts or practices of an entity that might otherwise
11
be interferences with the privacy of individuals, or which
12
may otherwise have any adverse effects on the privacy of
13
individuals;
14
(b) examining a proposal for data matching or linkage that may
15
involve an interference with the privacy of individuals, or
16
which may otherwise have any adverse effects on the privacy
17
of individuals;
18
(c) ensuring that any adverse effects of the proposed enactment
19
or the proposal on the privacy of individuals are minimised;
20
(d) undertaking research into, and monitoring developments in,
21
data processing and technology (including data matching and
22
linkage) to ensure that any adverse effects of such
23
developments on the privacy of individuals are minimised;
24
(e) reporting to the Minister the results of that research and
25
monitoring;
26
(f) monitoring and reporting on the adequacy of equipment and
27
user safeguards.
28
(3) The functions referred to in paragraphs (2)(a) and (b) may be
29
performed by the Commissioner:
30
(a) on request by a Minister or Norfolk Island Minister; or
31
(b) on the Commissioner's own initiative.
32
(4) If the reporting referred to in paragraph (2)(e) or (f) is done in
33
writing, the instrument is not a legislative instrument.
34
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 167
28B Advice related functions of the Commissioner
1
(1) The following are the advice related functions of the
2
Commissioner:
3
(a) providing advice to a Minister, Norfolk Island Minister or
4
entity about any matter relevant to the operation of this Act;
5
(b) informing the Minister of action that needs to be taken by an
6
agency in order to comply with the Australian Privacy
7
Principles;
8
(c) providing reports and recommendations to the Minister in
9
relation to any matter concerning the need for, or the
10
desirability of, legislative or administrative action in the
11
interests of the privacy of individuals;
12
(d) providing advice to file number recipients about:
13
(i) their obligations under the Taxation Administration Act
14
1953 in relation to the confidentiality of tax file number
15
information; or
16
(ii) any matter relevant to the operation of this Act.
17
(2) The functions referred to in paragraphs (1)(a), (c) and (d) may be
18
performed by the Commissioner on request or on the
19
Commissioner's own initiative.
20
(3) The Commissioner may perform the function referred to in
21
paragraph (1)(b) whenever the Commissioners think it is necessary
22
to do so.
23
(4) If the Minister is informed under paragraph (1)(b) in writing, or the
24
report referred to in paragraph (1)(c) is provided in writing, the
25
instrument is not a legislative instrument.
26
29 Commissioner must have due regard to the objects of the Act
27
The Commissioner must have due regard to the objects of this Act
28
in performing the Commissioner's functions, and exercising the
29
Commissioner's powers, conferred by this Act.
30
Note:
The objects of this Act are set out in section 2A.
31
55 Subparagraph 30(1)(b)(ii)
32
Repeal the subparagraph, substitute:
33
Schedule 4 Other amendments of the Privacy Act 1988
168 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(ii) does not consider that it is reasonably possible that the
1
matter that gave rise to the investigation can be
2
conciliated successfully or has attempted to conciliate
3
the matter without success.
4
56 Subsection 30(3)
5
Omit "under paragraph 27(1)(a), 28(1)(b) or (c) or 28A(1)(b)".
6
57 Subsection 30(3)
7
After "credit provider" (first occurring), insert "that is an interference
8
with the privacy of an individual under subsection 13(1), (2) or (4)".
9
58 Subsection 30(6)
10
Repeal the subsection.
11
59 Subsection 31(1)
12
Omit "paragraph 27(1)(b)", substitute "paragraph 28A(2)(a)".
13
60 Subsection 31(2)
14
Omit "agency or organisation", substitute "entity".
15
61 Section 32 (heading)
16
Repeal the heading, substitute:
17
32 Commissioner may report to the Minister if the Commissioner
18
has monitored certain activities etc.
19
62 Subsection 32(1)
20
Repeal the subsection, substitute:
21
(1) If the Commissioner has:
22
(a) monitored an activity in the performance of a function under
23
paragraph 28(1)(d), 28A(1)(a), (b), (d) or (e) or (2)(b), (c) or
24
(d) or 28B(1)(b) or (c); or
25
(b) conducted an assessment under section 33C;
26
the Commissioner may report to the Minister about the activity or
27
assessment, and must do so if so directed by the Minister.
28
63 Subsection 32(2)
29
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 169
After "activity", insert "or assessment".
1
64 After section 33B
2
Insert:
3
Division 3A--Assessments by, or at the direction of, the
4
Commissioner
5
33C Commissioner may conduct an assessment relating to the
6
Australian Privacy Principles etc.
7
(1) The Commissioner may conduct an assessment of the following
8
matters:
9
(a) whether personal information held by an APP entity is being
10
maintained and handled in accordance with the following:
11
(i) the Australian Privacy Principles;
12
(ii) a registered APP code that binds the entity;
13
(b) whether information held by an entity is being maintained
14
and handled in accordance with the following to the extent
15
that they apply to the information:
16
(i) the provisions of Part IIIA;
17
(ii) the registered CR code if it binds the entity;
18
(c) whether tax file number information held by a file number
19
recipient is being maintained and handled in accordance with
20
any relevant rules issued under section 17;
21
(d) whether the data matching program (within the meaning of
22
the Data-matching Program (Assistance and Tax) Act 1990)
23
of an agency complies with Part 2 of that Act and the rules
24
issued under section 12 of that Act;
25
(e) whether information to which section 135AA of the National
26
Health Act 1953 applies is being maintained and handled in
27
accordance with the rules issued under that section.
28
(2) The Commissioner may conduct the assessment in such manner as
29
the Commissioner considers fit.
30
33D Commissioner may direct an agency to give a privacy impact
31
assessment
32
(1)
If:
33
Schedule 4 Other amendments of the Privacy Act 1988
170 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(a) an agency proposes to engage in an activity or function
1
involving the handling
of
personal information about
2
individuals; and
3
(b) the Commissioner considers that the activity or function
4
might have a significant impact on the privacy of individuals;
5
the Commissioner may, in writing, direct the agency to give the
6
Commissioner, within a specified period, a privacy impact
7
assessment about the activity or function.
8
(2) A direction under subsection (1) is not a legislative instrument.
9
Privacy impact assessment
10
(3)
A
privacy impact assessment is a written assessment of an activity
11
or function that:
12
(a) identifies the impact that the activity or function might have
13
on the privacy of individuals; and
14
(b) sets out recommendations for managing, minimising or
15
eliminating that impact.
16
(4) Subsection (3) does not limit the matters that the privacy impact
17
assessment may deal with.
18
(5) A privacy impact assessment is not a legislative instrument.
19
Failure to comply with a direction
20
(6) If an agency does not comply with a direction under subsection (1),
21
the Commissioner must advise both of the following of the failure:
22
(a)
the
Minister;
23
(b) if another Minister is responsible for the agency--that other
24
Minister.
25
Review
26
(7) Before the fifth anniversary of the commencement of this section,
27
the Minister must cause a review to be undertaken of whether this
28
section should apply in relation to organisations.
29
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 171
Division 3B--Enforceable undertakings
1
33E Commissioner may accept undertakings
2
(1) The Commissioner may accept any of the following undertakings:
3
(a) a written undertaking given by an entity that the entity will,
4
in order to comply with this Act, take specified action;
5
(b) a written undertaking given by an entity that the entity will,
6
in order to comply with this Act, refrain from taking
7
specified action;
8
(c) a written undertaking given by an entity that the entity will
9
take specified action directed towards ensuring that the entity
10
does not do an act, or engage in a practice, in the future that
11
interferes with the privacy of an individual.
12
(2) The undertaking must be expressed to be an undertaking under this
13
section.
14
(3) The entity may withdraw or vary the undertaking at any time, but
15
only with the consent of the Commissioner.
16
(4) The Commissioner may, by written notice given to the entity,
17
cancel the undertaking.
18
(5) The Commissioner may publish the undertaking on the
19
Commissioner's website.
20
33F Enforcement of undertakings
21
(1)
If:
22
(a) an entity gives an undertaking under section 33E; and
23
(b) the undertaking has not been withdrawn or cancelled; and
24
(c) the Commissioner considers that the entity has breached the
25
undertaking;
26
the Commissioner may apply to the Federal Court or Federal
27
Magistrates Court for an order under subsection (2).
28
(2) If the court is satisfied that the entity has breached the undertaking,
29
the court may make any or all of the following orders:
30
(a) an order directing the entity to comply with the undertaking;
31
Schedule 4 Other amendments of the Privacy Act 1988
172 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(b) any order that the court considers appropriate directing the
1
person to compensate any other person who has suffered loss
2
or damage as a result of the breach;
3
(c) any other order that the court considers appropriate.
4
65 Subsections 34(1) and (2)
5
Omit "functions referred to in section 27", substitute "Commissioner's
6
functions".
7
66 At the end of Part IV
8
Add:
9
35A Commissioner may recognise external dispute resolution
10
schemes
11
(1) The Commissioner may, by written notice, recognise an external
12
dispute resolution scheme:
13
(a) for an entity or a class of entities; or
14
(b) for a specified purpose.
15
(2) In considering whether to recognise an external dispute resolution
16
scheme, the Commissioner must take the following matters into
17
account:
18
(a) the accessibility of the scheme;
19
(b) the independence of the scheme;
20
(c) the fairness of the scheme;
21
(d) the accountability of the scheme;
22
(e) the efficiency of the scheme;
23
(f) the effectiveness of the scheme;
24
(g) any other matter the Commissioner considers relevant.
25
(3) The Commissioner may:
26
(a) specify a period for which the recognition of an external
27
dispute resolution scheme is in force; and
28
(b) make the recognition of an external dispute resolution
29
scheme subject to specified conditions, including conditions
30
relating to the conduct of an independent review of the
31
operation of the scheme; and
32
(c) vary or revoke:
33
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 173
(i) the recognition of an external dispute resolution
1
scheme; or
2
(ii) the period for which the recognition is in force; or
3
(iii) a condition to which the recognition is subject.
4
(4) A notice under subsection (1) is not a legislative instrument.
5
67 Part V (heading)
6
Repeal the heading, substitute:
7
Part V--Investigations etc.
8
68 Before Division 1 of Part V
9
Insert:
10
Division 1A--Introduction
11
36A Guide to this Part
12
In general, this Part deals with complaints and investigations about
13
acts or practices that may be an interference with the privacy of an
14
individual.
15
An individual may complain to the Commissioner about an act or
16
practice that may be an interference with the privacy of the
17
individual. If a complaint is made, the Commissioner is required to
18
investigate the act or practice except in certain circumstances.
19
The Commissioner may also, on his or her own initiative,
20
investigate an act or practice that may be an interference with the
21
privacy of an individual or a breach of Australian Privacy Principle
22
1.
23
The Commissioner has a range powers relating to the conduct of
24
investigations including powers:
25
(a)
to conciliate complaints; and
26
(b)
to make preliminary inquiries of any person; and
27
Schedule 4 Other amendments of the Privacy Act 1988
174 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(c)
to require a person to give information or
1
documents, or to attend a compulsory conference;
2
and
3
(d)
to transfer matters to an alternative complaint body
4
in certain circumstances.
5
After an investigation, the Commissioner may make a
6
determination in relation to the investigation. An entity to which a
7
determination relates must comply with certain declarations
8
included in the determination. Court proceedings may be
9
commenced to enforce a determination.
10
69 Subsection 36(7) (note)
11
Omit "Section 70A contains", substitute "Sections 98A to 98C contain".
12
70 Subsection 36(8)
13
Omit "one of paragraphs 13(b) to (d) (inclusive)", substitute "subsection
14
13(2), (4) or (5)".
15
71 Subsection 36(8)
16
After "person", insert "or entity".
17
72 Subsection 38(1)
18
Omit "or accepted under subsection 40(1B)".
19
73 Paragraph 38(1)(a)
20
After "person", insert "or entity".
21
74 Subsection 38(2)
22
Omit "or accepted under subsection 40(1B)".
23
75 Subsection 38B(2)
24
Omit all the words after "representative", substitute:
25
complaint:
26
(a) if the complaint was lodged without the consent of the
27
member--at any time; or
28
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 175
(b) otherwise--at any time before the Commissioner begins to
1
hold an inquiry into the complaint.
2
76 Add at the end of subsection 38B(2)
3
Add:
4
Note:
If a class member withdraws from a representative complaint that
5
relates to a matter, the former member may make a complaint under
6
section 36 that relates to the matter.
7
77 Subsections 40(1B) and (1C)
8
Repeal the subsections, substitute:
9
(1B) Subsection (1A) does not apply if the complaint is about an act or
10
practice that may breach:
11
(a) section 20R, 20T, 21T or 21V (which are about access to,
12
and correction of, credit reporting information etc.); or
13
(b) a provision of the registered CR code that relates to that
14
section.
15
78 Subsection 40(2)
16
After "Commissioner may", insert ", on the Commissioner's own
17
initiative,".
18
79 Paragraph 40(2)(a)
19
After "individual", insert "or a breach of Australian Privacy Principle
20
1".
21
80 Section 40A
22
Repeal the section, substitute:
23
40A Conciliation of complaints
24
(1)
If:
25
(a) a complaint about an act or practice is made under section 36;
26
and
27
(b) the Commissioner considers it is reasonably possible that the
28
complaint may be conciliated successfully;
29
the Commissioner must make a reasonable attempt to conciliate the
30
complaint.
31
Schedule 4 Other amendments of the Privacy Act 1988
176 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(2) Subsection (1) does not apply if the Commissioner has decided
1
under section 41 or 50 not to investigate, or not to investigate
2
further, the act or practice.
3
(3) If the Commissioner is satisfied that there is no reasonable
4
likelihood that the complaint will be resolved by conciliation, the
5
Commissioner must, in writing, notify the complainant and
6
respondent of that matter.
7
(4) If a notification is given under subsection (3), the Commissioner
8
may decide not to investigate, or not to investigate further, the act
9
or practice.
10
(5) Evidence of anything said or done in the course of the conciliation
11
is not admissible in any hearing before the Commissioner, or in
12
any legal proceedings, relating to complaint or the act or practice
13
unless:
14
(a) the complainant and respondent otherwise agree; or
15
(b) the thing was said or done in furtherance of the commission
16
of a fraud or an offence, or the commission of an act that
17
renders a person liable to a civil penalty.
18
81 Section 41 (heading)
19
Repeal the heading, substitute:
20
41 Commissioner may or must decide not to investigate etc. in
21
certain circumstances
22
82 Subsection 41(1)
23
Omit ", or which the Commissioner has accepted under subsection
24
40(1B),".
25
83 At the end of paragraphs 41(1)(a) and (c)
26
Add "or".
27
84 Paragraph 41(1)(d)
28
Omit "or lacking in substance;", substitute ", lacking in substance or not
29
made in good faith; or".
30
85 After paragraph 41(1)(d)
31
Insert:
32
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 177
(da) an investigation, or further investigation, of the act or
1
practice is not warranted having regard to all the
2
circumstances; or
3
(db) the complainant has not responded, within the period
4
specified by the Commissioner, to a request for information
5
in relation to the complaint; or
6
(dc) the act or practice is being dealt with by a recognised external
7
dispute resolution scheme; or
8
(dd) the act or practice would be more effectively or appropriately
9
dealt with by a recognised external dispute resolution
10
scheme; or
11
86 After subsection 41(1)
12
Insert:
13
(1A) The Commissioner must not investigate, or investigate further, an
14
act or practice about which a complaint has been made under
15
section 36 if the Commissioner is satisfied that the complainant has
16
withdrawn the complaint.
17
87 Subsections 41(2) and (3)
18
Omit ", or accepted by the Commissioner under subsection 40(1B),".
19
88 Section 42
20
Before "Where", insert "(1)".
21
89 Section 42
22
Omit "or the Commissioner accepts a complaint under subsection
23
40(1B),".
24
90 Section 42
25
Omit "respondent", substitute "respondent or any other person".
26
91 At the end of section 42
27
Add:
28
(2) The Commissioner may make inquiries of any person for the
29
purpose of determining whether to investigate an act or practice
30
under subsection 40(2).
31
Schedule 4 Other amendments of the Privacy Act 1988
178 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
92 After subsection 43(1)
1
Insert:
2
(1AA) Before commencing an investigation of an act or practice of a
3
person or entity under subsection 40(2), the Commissioner must
4
inform the person or entity that the act or practice is to be
5
investigated.
6
93 Subsection 43(2)
7
Omit "in private but otherwise".
8
94 Subsections 43(4), (5) and (6)
9
Repeal the subsections, substitute:
10
(4) The Commissioner may make a determination under section 52 in
11
relation to an investigation under this Division without holding a
12
hearing, if:
13
(a) it appears to the Commissioner that the matter to which the
14
investigation relates can be adequately determined in the
15
absence of:
16
(i) in the case of an investigation under subsection 40(1)--
17
the complainant and respondent; or
18
(ii) otherwise--the person or entity that engaged in the act
19
or practice that is being investigated; and
20
(b) the Commissioner is satisfied that there are no unusual
21
circumstances that would warrant the Commissioner holding
22
a hearing; and
23
(c) an application for a hearing has not been made under
24
section 43A.
25
95 Subsection 43(7)
26
Omit "afford the complainant or respondent an opportunity to appear
27
before the Commissioner and to make submissions under
28
subsection (5)", substitute "hold a hearing".
29
96 Subsection 43(8A)
30
Omit "an approved privacy code or the National Privacy Principles",
31
substitute "the Australian Privacy Principles or a registered APP code".
32
97 After section 43
33
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 179
Insert:
1
43A Interested party may request a hearing
2
(1) An interested party in relation to an investigation under this
3
Division may, in writing, request that the Commissioner hold a
4
hearing before the Commissioner makes a determination under
5
section 52 in relation to the investigation.
6
(2) If an interested party makes request under subsection (1), the
7
Commissioner must:
8
(a) notify any other interested party of the request; and
9
(b) give all interested parties a reasonable opportunity to make a
10
submission about the request; and
11
(c) decide whether or not to hold a hearing.
12
(3) In this section:
13
interested party in relation to an investigation means:
14
(a) in the case of an investigation under subsection 40(1)--the
15
complainant or respondent; or
16
(b) otherwise--the person or entity that engaged in the act or
17
practice that is being investigated.
18
98 Subsection 44(4)
19
Omit "sections 69 and", substitute "section".
20
99 Subsection 46(1)
21
Omit "(except an NPP complaint or a code complaint accepted under
22
subsection 40(1B))".
23
100 Subsection 50(1)
24
Insert:
25
alternative complaint body means:
26
(a) the Australian Human Rights Commission; or
27
(b) the Ombudsman; or
28
(c) the Postal Industry Ombudsman; or
29
(d) the Overseas Students Ombudsman; or
30
(e) the Public Service Commissioner; or
31
(f) the Norfolk Island Public Service Board; or
32
Schedule 4 Other amendments of the Privacy Act 1988
180 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(g) a recognised external dispute resolution scheme.
1
101 At the end of paragraph 50(2)(a)
2
Add:
3
(v) to a recognised external dispute resolution scheme; or
4
102 Subsection 50(2)
5
Omit "Australian Human Rights Commission, the Ombudsman, the
6
Postal Industry Ombudsman, the Overseas Students Ombudsman or the
7
Public Service Commissioner, as the case may be", substitute
8
"alternative complaint body".
9
103 Paragraphs 50(2)(c) and (e)
10
Omit "Australian Human Rights Commission, the Ombudsman, the
11
Postal Industry Ombudsman, the Overseas Students Ombudsman or the
12
Public Service Commissioner", substitute "alternative complaint body".
13
104 At the end of paragraph 50(3)(a)
14
Add:
15
(v) to the recognised external dispute resolution scheme; or
16
105 Subsection 50A(2) (note 2)
17
Repeal the note, substitute:
18
Note 2:
The Commissioner may determine under section 53B that the
19
determination applies in relation to an agency if the organisation has
20
not complied with the determination.
21
106 Subparagraph 52(1)(b)(i)
22
Omit "should" (wherever occurring), substitute "must".
23
107 After subparagraph 52(1)(b)(i)
24
Insert:
25
(ia) a declaration that the respondent must take specified
26
steps within a specified period to ensure that such
27
conduct is not repeated or continued;
28
108 Subparagraph 52(1)(b)(ii)
29
Omit "should", substitute "must".
30
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 181
109 Subsection 52(1A)
1
Repeal the subsection, substitute:
2
(1A) After investigating an act or practice of a person or entity under
3
subsection 40(2), the Commissioner may make a determination
4
that includes one or more of the following:
5
(a) a declaration that:
6
(i) the act or practice is an interference with the privacy of
7
one or more individuals; and
8
(ii) the person or entity must not repeat or continue the act
9
or practice;
10
(b) a declaration that the person or entity must take specified
11
steps within a specified period to ensure that the act or
12
practice is not repeated or continued;
13
(c) a declaration that the person or entity must perform any
14
reasonable act or course of conduct to redress any loss or
15
damage suffered by one or more of those individuals;
16
(d) a declaration that one or more of those individuals are
17
entitled to a specified amount by way of compensation for
18
any loss or damage suffered by reason of the act or practice;
19
(e) a declaration that it would be inappropriate for any further
20
action to be taken in the matter.
21
(1AA) The steps specified by the Commissioner under
22
subparagraph (1)(b)(ia) or paragraph (1A)(b) must be reasonable
23
and appropriate.
24
(1AB) The loss or damage referred to in paragraph (1)(b) or
25
subsection (1A) includes:
26
(a) injury to the feelings of the complainant or individual; and
27
(b) humiliation suffered by the complainant or individual.
28
110 Subsection 52(1B)
29
After "subsection (1)", insert "or (1A)".
30
111 Subsections 52(3A) and (3B)
31
Repeal the subsections, substitute:
32
(3A) A determination under paragraph (1)(b) or subsection (1A) may
33
include any order that the Commissioner considers necessary or
34
appropriate.
35
Schedule 4 Other amendments of the Privacy Act 1988
182 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
112 Subsection 53A(1)
1
Omit "to which a contracted service provider for a Commonwealth
2
contract is the respondent", substitute "that applies in relation to a
3
contracted service provider for a Commonwealth contract".
4
113 Section 53B (heading)
5
Repeal the heading, substitute:
6
53B Substituting an agency for a contracted service provider
7
114 Paragraph 53B(1)(a)
8
Repeal the paragraph, substitute:
9
(a) a determination under section 52 applies in relation to a
10
contracted service provider for a Commonwealth contract;
11
and
12
115 After subparagraph 53B(1)(b)(i)
13
Insert:
14
(ia) a declaration under paragraph 52(1A)(d) that one or
15
more individuals are entitled to a specified amount by
16
way of the compensation; or
17
116 Paragraph 53B(1)(c)
18
Omit "respondent", substitute "provider".
19
117 Paragraph 53B(1)(d)
20
After "complainant", insert "or individuals".
21
118 Paragraph 53B(1)(d)
22
Omit "subparagraph (b)(i) or (b)(ii)", substitute "paragraph (b)".
23
119 Subsection 53B(2)
24
After "writing that", insert "the determination under section 52 instead
25
applies in relation to".
26
120 Subsection 53B(2)
27
Omit "is the respondent to the determination under section 52".
28
121 Subsection 53B(2) (at the end of the note)
29
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 183
Add "or individuals".
1
122 Subsection 54(1)
2
Omit "respondent to the determination is", substitute "determination
3
applies in relation to".
4
123 Section 55
5
Repeal the section, substitute:
6
55 Obligations of organisations and small business operators
7
If the determination applies in relation to an organisation or small
8
business operator, the organisation or operator:
9
(a) must not repeat or continue conduct that is covered by a
10
declaration included in the determination under
11
sub-subparagraph 52(1)(b)(i)(B) or paragraph 52(1A)(a); and
12
(b) must take the steps that are specified in a declaration
13
included in the determination under subparagraph
14
52(1)(b)(ia) or paragraph 52(1A)(b) within the specified
15
period; and
16
(c) must perform the act or course of conduct that is covered by
17
a declaration included in the determination under
18
subparagraph 52(1)(b)(ii) or paragraph 52(1A)(c).
19
124 Subsection 55A(1)
20
Omit "Any of the", substitute "The".
21
125 Paragraphs 55A(1)(a) to (c)
22
Repeal the paragraphs, substitute:
23
(a) if the determination was made under subsection 52(1)--the
24
complainant;
25
(b)
the
Commissioner.
26
126 Subsection 55A(2)
27
Omit "respondent", substitute "person or entity in relation to which the
28
determination applies".
29
127 Subsection 55A(2)
30
Omit "the complainant", substitute "an individual".
31
Schedule 4 Other amendments of the Privacy Act 1988
184 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
128 Subsection 55A(5)
1
Omit "respondent", substitute "person or entity in relation to which the
2
determination applies".
3
129 Subsection 55A(5)
4
Omit "the complainant", substitute "an individual".
5
130 Paragraph 55A(6)(c)
6
Omit "appearance", substitute "hearing".
7
131 Paragraph 55A(6)(c)
8
Omit "under subsection 43(5)".
9
132 Subsection 55A(7A)
10
Omit "matters that paragraph 29(a) requires the Commissioner to have
11
due regard to", substitute "objects of this Act".
12
133 Paragraphs 55B(1)(a) and (b) and (3)(a) and (b)
13
Repeal the paragraphs, substitute:
14
(a) a specified APP entity had breached an Australian Privacy
15
Principle; or
16
(b) a specified APP entity had breached a registered APP code
17
that binds the entity.
18
134 Subsection 57(1)
19
Omit "has an agency, or the principal executive of an agency, as the
20
respondent", substitute "that applies in relation to an agency or the
21
principal executive of an agency".
22
135 Section 58
23
Repeal the section, substitute:
24
58 Obligations of agencies
25
If this Division applies to a determination and the determination
26
applies in relation to an agency, the agency:
27
(a) must not repeat or continue conduct that is covered by a
28
declaration included in the determination under subparagraph
29
52(1)(b)(i) or paragraph 52(1A)(a); and
30
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 185
(b) must take the steps that are specified in a declaration
1
included in the determination under subparagraph
2
52(1)(b)(ia) or paragraph 52(1A)(b) within the specified
3
period; and
4
(c) must perform the act or course of conduct that is covered by
5
a declaration included in the determination under
6
subparagraph 52(1)(b)(ii) or paragraph 52(1A)(c).
7
136 Section 59
8
Omit "the principal executive of an agency is the respondent to a
9
determination to which this Division applies", substitute "this Division
10
applies to a determination and the determination applies in relation to
11
the principal executive of an agency".
12
137 Paragraph 59(b)
13
After "subparagraph 52(1)(b)(i)", insert "or paragraph 52(1A)(a)".
14
138 After paragraph 59(b)
15
Insert:
16
(ba) that the steps specified in a declaration included in the
17
determination under subparagraph 52(1)(b)(ia) or paragraph
18
52(1A)(b) are taken within the specified period; and
19
139 At the end of paragraph 59(c)
20
Add "or paragraph 52(1A)(c)".
21
140 Subsection 60(1)
22
After "subparagraph 52(1)(b)(iii)", insert ", paragraph 52(1A)(d)".
23
141 Subsection 60(1)
24
After "complainant", insert "or individual".
25
142 Subsection 60(2)
26
Omit "respondent is", substitute "determination applies in relation to".
27
143 Subsection 60(2)
28
After "complainant" (wherever occurring), insert "or individual".
29
144 Section 61
30
Schedule 4 Other amendments of the Privacy Act 1988
186 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Repeal the section.
1
145 Subsection 62(3)
2
Repeal the subsection, substitute:
3
(3) The application may be made by:
4
(a) if the determination was made under subsection 52(1)--the
5
complainant; or
6
(b)
the
Commissioner.
7
146 Subsection 62(4)
8
Omit "respondent", substitute "agency or principal executive".
9
147 Paragraph 62(5)(a)
10
Omit "section 61", substitute "section 96".
11
148 At the end of section 62
12
Add:
13
(6) In this section:
14
complainant, in relation to a representative complaint, means a
15
class member.
16
149 Subsection 63(2A)
17
Omit "NPP", substitute "APP".
18
150 Paragraphs 67(aa) and (ab)
19
Repeal the paragraphs.
20
151 Sections 69 and 70A
21
Repeal the sections.
22
152 Subsection 72(1)
23
Repeal the subsection.
24
153 Subsection 72(2) (heading)
25
Repeal the heading, substitute:
26
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 187
Determinations about an APP entity's acts and practices
1
154 Paragraph 72(2)(a)
2
Repeal the paragraph, substitute:
3
(a) an act or practice of an APP entity breaches, or may breach:
4
(i) an Australian Privacy Principle; or
5
(ii) a registered APP code that binds the entity; but
6
155 Paragraph 72(2)(b)
7
Omit "organisation", substitute "entity".
8
156 Paragraph 72(2)(b)
9
Omit "Principle", substitute "principle".
10
157 Subsection 72(2)
11
Omit "make a written", substitute ", by legislative instrument, make a".
12
158 Subsection 72(3)
13
Omit "organisation is taken not to contravene section 16A if the
14
organisation", substitute "APP entity is taken not to contravene
15
section 15 or 26A if the entity".
16
159 Subsection 72(4)
17
Omit "make a written", substitute ", by legislative instrument, make a".
18
160 Subsection 72(4)
19
Omit "organisation is taken to contravene section 16A", substitute
20
"APP entity is taken to contravene section 15 or 26A".
21
161 Subsection 72(4)
22
Omit "organisation does", substitute "APP entity does".
23
162 Subsection 72(4)
24
Omit "organisation or any other organisation", substitute "entity or any
25
other APP entity".
26
163 Section 73 (heading)
27
Repeal the heading, substitute:
28
Schedule 4 Other amendments of the Privacy Act 1988
188 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
73 Application by APP entity
1
164 Subsection 73(1)
2
Omit "An agency or organisation", substitute "An APP entity".
3
165 Subsection 73(1)
4
Omit "the agency or organisation", substitute "the entity".
5
166 After subsection 73(1)
6
Insert:
7
(1A)
If:
8
(a) an application is made under subsection (1); and
9
(b) the Commissioner is satisfied that the application is frivolous,
10
vexatious, misconceived, lacking in substance or not made in
11
good faith;
12
the Commissioner may, in writing, dismiss the application.
13
167 Section 74 (heading)
14
Repeal the heading, substitute:
15
74 Publication of application etc.
16
168 Subsection 74(1)
17
Omit all the words after "notice", substitute:
18
of:
19
(a) the receipt by the Commissioner of an application; and
20
(b) if the Commissioner dismisses an application under
21
subsection 73(1A)--the dismissal of the application.
22
169 At the end of subsection 75(1)
23
Add "unless the Commissioner dismisses the application under
24
subsection 73(1A)".
25
170 Subsection 79(3)
26
Repeal the subsection.
27
171 Section 80
28
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 189
Repeal the section.
1
172 Paragraph 80A(1)(a)
2
Omit "agency or organisation", substitute "APP entity".
3
173 Subparagraphs 80A(1)(a)(i) and (ii)
4
Repeal the subparagraphs, substitute:
5
(i) an Australian Privacy Principle; or
6
(ii) a registered APP code that binds the entity; and
7
174 Paragraph 80A(1)(b)
8
Omit "agency or organisation", substitute "entity".
9
175 Paragraph 80A(1)(b)
10
Omit "Principle", substitute "principle".
11
176 Subsection 80A(2)
12
Omit "make a written temporary public interest", substitute ", by
13
legislative instrument, make a".
14
177 Paragraph 80A(2)(a)
15
Omit "agency or organisation", substitute "APP entity".
16
178 Subsection 80A(3)
17
Repeal the subsection, substitute:
18
(3) The Commissioner must specify in the determination a period of
19
up to 12 months during which the determination is in force (subject
20
to subsection 80D(2)).
21
179 Subsections 80B(1) and (2)
22
Repeal the subsections, substitute:
23
APP entity covered by a determination
24
(1) If an act or practice of an APP entity is the subject of a temporary
25
public interest determination, the entity is taken not to breach
26
section 15 or 26A if the entity does the act, or engages in the
27
practice, while the determination is in force.
28
Schedule 4 Other amendments of the Privacy Act 1988
190 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
180 Subsection 80B(3)
1
Omit "make a written", substitute ", by legislative instrument, make a".
2
181 Subsection 80B(3)
3
Omit "organisation is taken to contravene section 16A", substitute
4
"APP entity is taken to contravene section 15 or 26A".
5
182 Subsection 80B(3)
6
Omit "organisation does", substitute "APP entity does".
7
183 Subsection 80B(3)
8
Omit "organisation or another organisation", substitute "entity or
9
another APP entity".
10
184 Section 80C
11
Repeal the section.
12
185 Paragraph 80D(2)(a)
13
Omit "subsection 72(1) or (2) (as appropriate)", substitute "subsection
14
72(2)".
15
186 Paragraph 80P(1)(a)
16
Omit "concerned".
17
187 Subsections 80P(4) and (5)
18
Repeal the subsections, substitute:
19
(4) An entity does not breach an Australian Privacy Principle, or a
20
registered APP code that binds the entity, in respect of a collection,
21
use or disclosure of personal information authorised by
22
subsection (1).
23
188 Paragraphs 80Q(2)(a) and (b)
24
Repeal the paragraphs, substitute:
25
(a) if the first person is an APP entity--a disclosure permitted
26
under an Australian Privacy Principle or a registered APP
27
code that binds the person;
28
189 After Part VIA
29
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 191
Insert:
1
Part VIB--Civil penalty orders
2
Division 1--Civil penalty provisions
3
80U Civil penalty provisions
4
A subsection of this Act (or a section of this Act that is not divided
5
into subsections) is a civil penalty provision if the words "civil
6
penalty" and one or more amounts in penalty units are set out at the
7
foot of the subsection (or section).
8
80V Ancillary contravention of civil penalty provisions
9
(1) An entity must not:
10
(a) attempt to contravene a civil penalty provision; or
11
(b) aid, abet, counsel or procure a contravention of a civil
12
penalty provision; or
13
(c) induce (by threats, promises or otherwise) a contravention of
14
a civil penalty provision; or
15
(d) be in any way, directly or indirectly, knowingly concerned in,
16
or party to, a contravention of a civil penalty provision; or
17
(e) conspire with others to effect a contravention of a civil
18
penalty provision.
19
(2) An entity that contravenes subsection (1) in relation to a civil
20
penalty provision is taken to have contravened the provision.
21
Division 2--Obtaining a civil penalty order
22
80W Civil penalty orders
23
Application for order
24
(1) The Commissioner may apply to the Federal Court or Federal
25
Magistrates Court for an order that an entity, that is alleged to have
26
contravened a civil penalty provision, pay the Commonwealth a
27
pecuniary penalty.
28
Schedule 4 Other amendments of the Privacy Act 1988
192 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(2) The Commissioner must make the application within 6 years of the
1
alleged contravention.
2
Court may order entity to pay pecuniary penalty
3
(3) If the court is satisfied that the entity has contravened the civil
4
penalty provision, the court may order the entity to pay to the
5
Commonwealth such pecuniary penalty for the contravention as the
6
court determines to be appropriate.
7
Note:
Subsection (5) sets out the maximum penalty that the court may order
8
the entity to pay.
9
(4) An order under subsection (3) is a civil penalty order.
10
Determining pecuniary penalty
11
(5) The pecuniary penalty must not be more than:
12
(a) if the entity is a body corporate--5 times the amount of the
13
pecuniary penalty specified for the civil penalty provision; or
14
(b) otherwise--the amount of the pecuniary penalty specified for
15
the civil penalty provision.
16
(6) In determining the pecuniary penalty, the court must take into
17
account all relevant matters, including:
18
(a) the nature and extent of the contravention; and
19
(b) the nature and extent of any loss or damage suffered because
20
of the contravention; and
21
(c) the circumstances in which the contravention took place; and
22
(d) whether the entity has previously been found by a court in
23
proceedings under this Act to have engaged in any similar
24
conduct.
25
80X Civil enforcement of penalty
26
(1) A pecuniary penalty is a debt payable to the Commonwealth.
27
(2) The Commonwealth may enforce a civil penalty order as if it were
28
an order made in civil proceedings against the entity to recover a
29
debt due by the entity. The debt arising from the order is taken to
30
be a judgement debt.
31
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 193
80Y Conduct contravening more than one civil penalty provision
1
(1) If conduct constitutes a contravention of 2 or more civil penalty
2
provisions, proceedings may be instituted under this Division
3
against an entity in relation to the contravention of any one or more
4
of those provisions.
5
(2) However, the entity is not liable to more than one pecuniary
6
penalty under this Division in relation to the same conduct.
7
80Z Multiple contraventions
8
(1) The Federal Court or Federal Magistrates Court may make a single
9
civil penalty order against an entity for multiple contraventions of a
10
civil penalty provision if:
11
(a) proceedings for the contraventions are founded on the same
12
facts; or
13
(b) the contraventions form, or are part of, a series of
14
contraventions of the same or a similar character.
15
(2) However, the pecuniary penalty must not exceed the sum of the
16
maximum pecuniary penalties that could be ordered if a separate
17
civil penalty order were made for each of the contraventions.
18
80ZA Proceedings may be heard together
19
The Federal Court or Federal Magistrates Court may direct that 2
20
or more proceedings for civil penalty orders are to be heard
21
together.
22
80ZB Civil evidence and procedure rules for civil penalty orders
23
The Federal Court or Federal Magistrates Court must apply the
24
rules of evidence and procedure for civil matters when hearing
25
proceedings for a civil penalty order.
26
80ZC Contravening a civil penalty provision is not an offence
27
A contravention of a civil penalty provision is not an offence.
28
Schedule 4 Other amendments of the Privacy Act 1988
194 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Division 3--Civil proceedings and criminal proceedings
1
80ZD Civil proceedings after criminal proceedings
2
The Federal Court or Federal Magistrates Court must not make a
3
civil penalty order against an entity for a contravention of a civil
4
penalty provision if the entity has been convicted of an offence
5
constituted by conduct that is the same, or substantially the same,
6
as the conduct constituting the contravention.
7
80ZE Criminal proceedings during civil proceedings
8
(1) Proceedings for a civil penalty order against an entity for a
9
contravention of a civil penalty provision are stayed if:
10
(a) criminal proceedings are commenced or have already been
11
commenced against the entity for an offence; and
12
(b) the offence is constituted by conduct that is the same, or
13
substantially the same, as the conduct alleged to constitute
14
the contravention.
15
(2) The proceedings for the civil penalty order may be resumed if the
16
entity is not convicted of the offence. Otherwise:
17
(a) the proceedings are dismissed; and
18
(b) costs must not be awarded in relation to the proceedings.
19
80ZF Criminal proceedings after civil proceedings
20
Criminal proceedings may be commenced against an entity for
21
conduct that is the same, or substantially the same, as conduct that
22
would constitute a contravention of a civil penalty provision
23
regardless of whether a civil penalty order has been made against
24
the entity in relation to the contravention.
25
80ZG Evidence given in proceedings for civil penalty order not
26
admissible in criminal proceedings
27
(1) Evidence of information given, or evidence of production of
28
documents, by an individual is not admissible in criminal
29
proceedings against the individual if:
30
(a) the individual previously gave the evidence or produced the
31
documents in proceedings for a civil penalty order against the
32
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 195
individual for an alleged contravention of a civil penalty
1
provision (whether or not the order was made); and
2
(b) the conduct alleged to constitute the offence is the same, or
3
substantially the same, as the conduct alleged to constitute
4
the contravention.
5
(2) However, subsection (1) does not apply to criminal proceedings in
6
relation to the falsity of the evidence given by the individual in the
7
proceedings for the civil penalty order.
8
190 After paragraph 82(2)(a)
9
Insert:
10
(aa) the Privacy Commissioner (within the meaning of the
11
Australian Information Commissioner Act 2010); and
12
191 Paragraph 82(2)(b)
13
Omit "6 other", substitute "8 other".
14
192 Subsection 82(3)
15
After "Commissioner", insert "and Privacy Commissioner (within the
16
meaning of that Act)".
17
193 Paragraph 82(7)(a)
18
Repeal the paragraph, substitute:
19
(a) at least one must be a person who has had at least 5 years'
20
experience at a high level in industry or commerce; and
21
(aa) at least one must be a person who has had at least 5 years'
22
experience at a high level in public administration, or the
23
service of a government or an authority of a government; and
24
(ab) at least one must be a person who has had extensive
25
experience in health privacy; and
26
194 Paragraph 82(7)(b)
27
Omit "shall", substitute "must".
28
195 At the end of paragraph 82(7)(b)
29
Add "and".
30
196 Paragraph 82(7)(c)
31
Schedule 4 Other amendments of the Privacy Act 1988
196 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Repeal the paragraph, substitute:
1
(c) at least one must be a person who has had extensive
2
experience in information and communication technologies;
3
and
4
197 Paragraphs 82(7)(d) and (e)
5
Omit "shall", substitute "must".
6
198 Paragraph 83(b)
7
Omit "guidelines", substitute "rules or guidelines".
8
199 Subsections 95(5), 95A(7) and 95AA(3)
9
Repeal the subsections.
10
200 After section 95C
11
Insert:
12
96 Review by the Administrative Appeals Tribunal
13
(1) An application may be made to the Administrative Appeals
14
Tribunal for review of the following decisions of the
15
Commissioner:
16
(a) a decision under subsection 26H(1) not to register an APP
17
code developed by an APP code developer;
18
(b) a decision under subsection 26S(1) not to register a CR code
19
developed by a CR code developer;
20
(c) a decision under subsection 52(1) or (1A) to make a
21
determination;
22
(d) a decision under subsection 73(1A) to dismiss an application;
23
(e) a decision under section 95 to refuse to approve the issue of
24
guidelines;
25
(f) a decision under subsection 95A(2) or (4) or 95AA(2) to
26
refuse to approve guidelines;
27
(g) a decision under subsection 95A(6) to revoke an approval of
28
guidelines.
29
(2) An application under paragraph (1)(a) may only be made by the
30
APP code developer that developed the APP code.
31
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 197
(3) An application under paragraph (1)(b) may only be made by the
1
CR code developer that developed the CR code.
2
201 After section 98
3
Insert:
4
98A Treatment of partnerships
5
(1) If, apart from this subsection, this Act would impose an obligation
6
on a partnership, the obligation is imposed instead on each partner
7
but may be discharged by any of the partners.
8
(2) If, apart from this subsection, an offence against this Act would be
9
committed by a partnership, the offence is taken to have been
10
committed by each partner.
11
(3) If, apart from this subsection, a partnership would contravene a
12
civil penalty provision, the contravention is taken to have been
13
committed by each partner.
14
(4) A partner does not commit an offence against this Act because of
15
subsection (2), or contravene a civil penalty provision because of
16
subsection (3), if the partner:
17
(a) does not know of the circumstances that constitute the
18
contravention of the provision concerned; or
19
(b) knows of those circumstances but takes all reasonable steps
20
to correct the contravention as soon as possible after the
21
partner becomes aware of those circumstances.
22
Note:
In criminal proceedings, a defendant bears an evidential burden in
23
relation to the matters in subsection (4) (see subsection 13.3(3) of the
24
Criminal Code).
25
98B Treatment of unincorporated associations
26
(1) If, apart from this subsection, this Act would impose an obligation
27
on an unincorporated association, the obligation is imposed instead
28
on each member of the association's committee of management but
29
may be discharged by any of the members.
30
(2) If, apart from this subsection, an offence against this Act would be
31
committed by an unincorporated association, the offence is taken to
32
have been committed by each member of the association's
33
committee of management.
34
Schedule 4 Other amendments of the Privacy Act 1988
198 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(3) If, apart from this subsection, an unincorporated association would
1
contravene a civil penalty provision, the contravention is taken to
2
have been committed by each member of the association's
3
committee of management.
4
(4) A member of an unincorporated association's committee of
5
management does not commit an offence against this Act because
6
of subsection (2), or contravene a civil penalty provision because
7
of subsection (3), if the member:
8
(a) does not know of the circumstances that constitute the
9
contravention of the provision concerned; or
10
(b) knows of those circumstances but takes all reasonable steps
11
to correct the contravention as soon as possible after the
12
member becomes aware of those circumstances.
13
Note:
In criminal proceedings, a defendant bears an evidential burden in
14
relation to the matters in subsection (4) (see subsection 13.3(3) of the
15
Criminal Code).
16
98C Treatment of trusts
17
(1) If, apart from this subsection, this Act would impose an obligation
18
on a trust, the obligation is imposed instead on each trustee of the
19
trust but may be discharged by any of the trustees.
20
(2) If, apart from this subsection, an offence against this Act would be
21
committed by a trust, the offence is taken to have been committed
22
by each trustee of the trust.
23
(3) If, apart from this subsection, a trust would contravene a civil
24
penalty provision, the contravention is taken to have been
25
committed by each trustee of the trust.
26
(4) A trustee of a trust does not commit an offence against this Act
27
because of subsection (2), or contravene a civil penalty provision
28
because of subsection (3), if the trustee:
29
(a) does not know of the circumstances that constitute the
30
contravention of the provision concerned; or
31
(b) knows of those circumstances but takes all reasonable steps
32
to correct the contravention as soon as possible after the
33
trustee becomes aware of those circumstances.
34
Note:
In criminal proceedings, a defendant bears an evidential burden in
35
relation to the matters in subsection (4) (see subsection 13.3(3) of the
36
Criminal Code).
37
Other amendments of the Privacy Act 1988 Schedule 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 199
202 Subsection 99A(1)
1
After "this Act", insert "or for a civil penalty order".
2
203 Subsection 99A(2)
3
After "this Act", insert "or proceedings for a civil penalty order".
4
204 Subsection 99A(3)
5
After "this Act", insert "or for a civil penalty order".
6
205 Subsection 99A(4)
7
After "this Act", insert "or proceedings for a civil penalty order".
8
206 Subsection 99A(9)
9
Repeal the subsection.
10
11
Schedule 5 Amendment of other Acts
Part 1 Amendments relating to the Australian Privacy Principles
200 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Schedule 5--Amendment of other Acts
1
Part 1--Amendments relating to the Australian
2
Privacy Principles
3
Acts Interpretation Act 1901
4
1 Section 2B
5
Insert:
6
Australian Privacy Principle has the same meaning as in the
7
Privacy Act 1988.
8
Aged Care Act 1997
9
2 Subsection 91-2(3)
10
Omit "Information Privacy Principles 1, 2 and 3 of the Privacy Act
11
1988", substitute "Australian Privacy Principles 3 and 5".
12
3 Subsection 92-7(4)
13
Omit "Information Privacy Principles 1, 2 and 3 of the Privacy Act
14
1988", substitute "Australian Privacy Principles 3 and 5".
15
4 Subsection 93-1(5)
16
Omit "Information Privacy Principles 1, 2 and 3 of the Privacy Act
17
1988", substitute "Australian Privacy Principles 3 and 5".
18
5 Clause 1 of Schedule 1 (definition of personal information)
19
Repeal the definition, substitute:
20
personal information has the same meaning as in the Privacy Act
21
1988.
22
A New Tax System (Family Assistance) (Administration) Act
23
1999
24
6 Paragraphs 219GA(7)(a) and (b)
25
Repeal the paragraphs, substitute:
26
Amendment of other Acts Schedule 5
Amendments relating to the Australian Privacy Principles Part 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 201
(a) paragraph 6.2(b) of Australian Privacy Principle 6; and
1
7 Subsection 219GA(7)
2
Omit "that is authorised by law", substitute "that is authorised by this
3
Act".
4
8 Section 219PA
5
Omit "law", substitute "this Act".
6
Anti-Money Laundering and Counter-Terrorism Financing
7
Act 2006
8
9 Subsection 35A(3)
9
Omit "law for the purposes of paragraph 2.1(g) of National Privacy
10
Principle 2 in Schedule 3 to the Privacy Act 1988", substitute "this Act
11
for the purposes of paragraph 6.2(b) of Australian Privacy Principle 6".
12
10 Subsection 126(3)
13
Omit "Information Privacy Principles set out in section 14 of the
14
Privacy Act 1988", substitute "Australian Privacy Principles".
15
AusCheck Act 2007
16
11 Subsections 13(1) and (2)
17
Omit "law", substitute "this Act".
18
12 Subsection 16(2)
19
Omit "law", substitute "this Act".
20
Australian Citizenship Act 2007
21
13 Subsection 43(1A) (note 2)
22
Omit "Paragraph 3 of Information Privacy Principle 11 in section 14 of
23
the Privacy Act 1988", substitute "Australian Privacy Principle 6".
24
Schedule 5 Amendment of other Acts
Part 1 Amendments relating to the Australian Privacy Principles
202 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Australian Curriculum, Assessment and Reporting Authority
1
Act 2008
2
14 Subsection 40(2)
3
Omit "law for the purposes of Information Privacy Principle 10 in
4
section 14 of the Privacy Act 1988", substitute "this Act for the
5
purposes of Australian Privacy Principle 6".
6
15 Subsection 40(3)
7
Omit "law for the purposes of Information Privacy Principle 11 in
8
section 14 of the Privacy Act 1988", substitute "this Act for the
9
purposes of Australian Privacy Principle 6".
10
16 Subsection 40(3) (note)
11
Omit "Paragraph 3 of Information Privacy Principle 11 in section 14 of
12
the Privacy Act 1988", substitute "Australian Privacy Principle 6".
13
Australian Passports Act 2005
14
17 Paragraphs 42(3)(a) and (b)
15
Repeal the paragraphs, substitute:
16
(a) paragraph 6.2(b) of Australian Privacy Principle 6; and
17
18 Subsection 42(3)
18
Omit "or authorised by law", substitute "or authorised by this Act".
19
19 Section 46 (note)
20
Omit "section 14 of the Privacy Act 1988 (including Information
21
Privacy Principles 4(b) and 11.3)", substitute "the Australian Privacy
22
Principles".
23
20 Subsection 47(1) (note)
24
Omit "section 14 of the Privacy Act 1988 (including Information
25
Privacy Principles 1 and 4)", substitute "the Australian Privacy
26
Principles".
27
Amendment of other Acts Schedule 5
Amendments relating to the Australian Privacy Principles Part 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 203
Australian Prudential Regulation Authority Act 1998
1
21 Subsection 56(12)
2
Omit "law for the purposes of paragraph (1)(d) of Information Privacy
3
Principle 11 in section 14 of the Privacy Act 1988", substitute "this Act
4
for the purposes of paragraph 6.2(b) of Australian Privacy Principle 6".
5
Commonwealth Electoral Act 1918
6
22 Subsection 7A(1C)
7
Omit "law", substitute "this Act".
8
23 Subsection 7A(1C) (note)
9
Omit "paragraph (1)(c) of Information Privacy Principle 10 in
10
section 14 of the Privacy Act 1988", substitute "paragraph 6.2(b) of
11
Australian Privacy Principle 6".
12
24 Paragraph 7A(1D)(a)
13
Omit "law", substitute "this Act".
14
25 Subsection 7A(1D) (note)
15
Omit "paragraph (1)(d) of Information Privacy Principle 11 in
16
section 14 of the Privacy Act 1988", substitute "paragraph 6.2(b) of
17
Australian Privacy Principle 6".
18
Crimes Act 1914
19
26 Paragraph 85ZZ(2)(e)
20
Omit "Information Privacy Principles set out in section 14 of the
21
Privacy Act", substitute "Australian Privacy Principles".
22
Dairy Produce Act 1986
23
27 Subsection 37ZB(1)
24
Omit "A record keeper who has possession or control of", substitute
25
"An APP entity that holds".
26
Schedule 5 Amendment of other Acts
Part 1 Amendments relating to the Australian Privacy Principles
204 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Defence Act 1903
1
28 Subsection 72Q(3)
2
Omit "law for the purposes of Information Privacy Principle 11 in
3
section 14 of the Privacy Act 1988", substitute "this Act for the
4
purposes of Australian Privacy Principle 6".
5
29 Subsection 72Q(3) (note)
6
Omit "Paragraph 3 of Information Privacy Principle 11 in section 14 of
7
the Privacy Act 1988", substitute "Australian Privacy Principle 6".
8
Defence Force (Home Loans Assistance) Act 1990
9
30 Subsection 36A(4)
10
Omit "to be authorised by law", substitute "to be authorised by this
11
Act".
12
Defence Home Ownership Assistance Scheme Act 2008
13
31 Subsection 79(4)
14
Omit "to be authorised by law", substitute "to be authorised by this
15
Act".
16
Defence Service Homes Act 1918
17
32 Subsection 45C(4)
18
Omit "to be authorised by law", substitute "to be authorised by this
19
Act".
20
Education Services for Overseas Students Act 2000
21
33 Subsection 50D(1) (note 1)
22
Omit "paragraph (1)(d) of Information Privacy Principle 11 in
23
section 14 of the Privacy Act 1988", substitute "paragraph 6.2(b) of
24
Australian Privacy Principle 6".
25
Amendment of other Acts Schedule 5
Amendments relating to the Australian Privacy Principles Part 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 205
Extradition Act 1988
1
34 Subsection 54A(1)
2
Omit "law", substitute "this Act".
3
Fair Work (Building Industry) Act 2012
4
35 Subsection 65(7)
5
Omit "law for the purposes of paragraph (1)(d) of Information Privacy
6
Principle 11 in section 14 of the Privacy Act 1988", substitute "this Act
7
for the purposes of paragraph 6.2(b) of Australian Privacy Principle 6".
8
Freedom of Information Act 1982
9
36 Subsection 4(1) (definition of personal information)
10
Repeal the definition, substitute:
11
personal information has the same meaning as in the Privacy Act
12
1988.
13
Healthcare Identifiers Act 2010
14
37 Section 5 (definition of National Privacy Principle)
15
Repeal the definition.
16
38 Subsection 9(6)
17
Repeal the subsection, substitute:
18
(6) A healthcare identifier is a government related identifier for the
19
purposes of the Privacy Act 1988.
20
39 Section 18
21
Omit "a person who is responsible (within the meaning of subclause 2.5
22
of National Privacy Principle 2)", substitute "a responsible person
23
(within the meaning of the Privacy Act 1988)".
24
40 Paragraph 23(b)
25
Schedule 5 Amendment of other Acts
Part 1 Amendments relating to the Australian Privacy Principles
206 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Omit "a person who is responsible (within the meaning of subclause 2.5
1
of National Privacy Principle 2)", substitute "a responsible person
2
(within the meaning of the Privacy Act 1988)".
3
41 Paragraph 26(2)(c)
4
Omit "section 16E", substitute "section 16".
5
Higher Education Support Act 2003
6
42 Subsection 19-60(1)
7
Omit "information privacy principles set out in section 14 of the
8
Privacy Act 1988", substitute "Australian Privacy Principles".
9
43 Section 179-5 (paragraph (a) of the definition of personal
10
information)
11
Repeal the paragraph, substitute:
12
(a) information or an opinion about an identified individual, or
13
an individual who is reasonably identifiable:
14
(i) whether the information or opinion is true or not; and
15
(ii) whether the information or opinion is recorded in a
16
material form or not; and
17
44 Subclause 23(1) of Schedule 1A
18
Omit "information privacy principles set out in section 14 of the
19
Privacy Act 1988", substitute "Australian Privacy Principles".
20
45 Clause 72 of Schedule 1A (paragraph (a) of the definition
21
of VET personal information)
22
Repeal the paragraph, substitute:
23
(a) information or an opinion about an identified individual, or
24
an individual who is reasonably identifiable:
25
(i) whether the information or opinion is true or not; and
26
(ii) whether the information or opinion is recorded in a
27
material form or not; and
28
Horse Disease Response Levy Collection Act 2011
29
46 Subsection 36(2) (note 2)
30
Amendment of other Acts Schedule 5
Amendments relating to the Australian Privacy Principles Part 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 207
Omit "paragraph 3 of Information Privacy Principle 11 in section 14 of
1
that Act", substitute "Australian Privacy Principle 6".
2
Inspector of Transport Security Act 2006
3
47 Subsection 35(4) (note)
4
Omit "paragraph 2.1(g) of National Privacy Principle 2 in Schedule 3 to
5
the Privacy Act 1988", substitute "paragraph 6.2(b) of Australian
6
Privacy Principle 6".
7
48 Subsection 36(3) (note)
8
Omit "paragraph (1)(d) of Information Privacy Principle 11 in
9
section 14 of the Privacy Act 1988", substitute "paragraph 6.2(b) of
10
Australian Privacy Principle 6".
11
49 Subsection 37(5) (note)
12
Omit "paragraph (1)(d) of Information Privacy Principle 11 in
13
section 14 of the Privacy Act 1988", substitute "paragraph 6.2(b) of
14
Australian Privacy Principle 6".
15
50 Subsection 71(2) (note)
16
Omit "paragraph (1)(d) of Information Privacy Principle 11 in
17
section 14 of the Privacy Act 1988", substitute "paragraph 6.2(b) of
18
Australian Privacy Principle 6".
19
51 Subsection 76(2) (note)
20
Omit "paragraph (1)(d) of Information Privacy Principle 11 in
21
section 14 of the Privacy Act 1988", substitute "paragraph 6.2(b) of
22
Australian Privacy Principle 6".
23
Migration Act 1958
24
52 Paragraphs 140ZI(2)(a) and (b)
25
Repeal the paragraphs, substitute:
26
(a) paragraph 6.2(b) of Australian Privacy Principle 6; and
27
53 Subsection 140ZI(2)
28
Omit "that is authorised by law", substitute "that is authorised by this
29
Act".
30
Schedule 5 Amendment of other Acts
Part 1 Amendments relating to the Australian Privacy Principles
208 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
54 Subsection 336FD(1)
1
Repeal the subsection, substitute:
2
(1) For the purposes of paragraph 6.2(b) of Australian Privacy
3
Principle 6, the disclosure by a person of personal information
4
about another person (the subject) is taken to be a disclosure that is
5
authorised by this Act if:
6
(a) the person is disclosing a personal identifier of the subject
7
and the disclosure is authorised by section 336FC; and
8
(b) the personal information is disclosed together with the
9
personal identifier; and
10
(c) the disclosure of the personal information is for the purpose
11
mentioned in paragraph 336FC(1)(b).
12
55 Subsection 503A(7)
13
Omit "Information Privacy Principles set out in section 14 of the
14
Privacy Act 1988, to be authorised by law", substitute "Australian
15
Privacy Principles, to be authorised by this Act".
16
Military Rehabilitation and Compensation Act 2004
17
56 Subsection 409(4)
18
Omit "Information Privacy Principles set out in section 14 of the
19
Privacy Act 1988, to be authorised by law", substitute "Australian
20
Privacy Principles, to be authorised by this Act".
21
Mutual Assistance in Criminal Matters Act 1987
22
57 Subsection 43D(1)
23
Omit "law", substitute "this Act".
24
National Health Act 1953
25
58 Subsection 9BA(5)
26
Omit "law for the purposes of paragraph (1)(c) of Information Privacy
27
Principle 10 in section 14 of the Privacy Act 1988", substitute "this Act
28
for the purposes of paragraph 6.2(b) of Australian Privacy Principle 6".
29
59 Subsection 9BA(6)
30
Amendment of other Acts Schedule 5
Amendments relating to the Australian Privacy Principles Part 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 209
Omit "law for the purposes of paragraph (1)(d) of Information Privacy
1
Principle 11 in section 14 of the Privacy Act 1988", substitute "this Act
2
for the purposes of paragraph 6.2(b) of Australian Privacy Principle 6".
3
60 Subsection 9BA(7) (definition of personal information)
4
Repeal the definition, substitute:
5
personal information has the same meaning as in the Privacy Act
6
1988.
7
61 Subsection 135AB(3)
8
Omit "IPP", substitute "APP".
9
62 Subsection 135AC(1)
10
Omit "law for the purposes of subparagraph 10.2(b)(i) of National
11
Privacy Principle 10 in Schedule 3 to", substitute "this Act for the
12
purposes of subparagraph 16B(1)(b)(i) of".
13
National Health Reform Act 2011
14
63 Subsection 127(3)
15
Omit "law", substitute "this Act".
16
National Health Security Act 2007
17
64 Sections 19, 20, 47, 52, 85, 86, 87, 88 and 89 (notes)
18
Omit "paragraph (1)(d) of Information Privacy Principle 11 in
19
section 14 of the Privacy Act 1988" (wherever occurring), substitute
20
"paragraph 6.2(b) of Australian Privacy Principle 6".
21
National Vocational Education and Training Regulator Act
22
2011
23
65 Paragraphs 210(2)(a) and (b)
24
Repeal the paragraphs, substitute:
25
(a) paragraph 6.2(b) of Australian Privacy Principle 6; and
26
66 Subsection 210(2)
27
Schedule 5 Amendment of other Acts
Part 1 Amendments relating to the Australian Privacy Principles
210 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Omit "that is authorised by law", substitute "that is authorised by this
1
Act".
2
Olympic Insignia Protection Act 1987
3
67 Subsection 57(3) (note)
4
Omit "Principles 1, 2 and 3 in section 14 of the Privacy Act 1988",
5
substitute "Australian Privacy Principles 3 and 5".
6
Ombudsman Act 1976
7
68 Subsections 7A(1D) and 8(2D)
8
Omit "law", substitute "this Act".
9
Paid Parental Leave Act 2010
10
69 Subsection 128(1) (note)
11
Omit "section 14 of the Privacy Act 1988", substitute "the Australian
12
Privacy Principles".
13
70 Subsection 207(7)
14
Omit "to be authorised by law", substitute "to be authorised by this
15
Act".
16
Personally Controlled Electronic Health Records Act 2012
17
71 Paragraph 73(b)
18
Omit "or 13A".
19
Private Health Insurance Act 2007
20
72 Subsection 250-10(2)
21
Omit "to be authorised by law", substitute "to be authorised by this
22
Act".
23
73 Clause 1 of Schedule 1 (definition of personal information)
24
Repeal the definition, substitute:
25
Amendment of other Acts Schedule 5
Amendments relating to the Australian Privacy Principles Part 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 211
personal information has the same meaning as in the Privacy Act
1
1988.
2
Product Stewardship Act 2011
3
74 Subsection 60(1) (note 1)
4
Omit "paragraph (1)(d) of Information Privacy Principle 11 in
5
section 14 of the Privacy Act 1988", substitute "paragraph 6.2(b) of
6
Australian Privacy Principle 6".
7
Quarantine Act 1908
8
75 Section 66AZD
9
Omit "law", substitute "this Act".
10
76 Section 66AZD (note)
11
Omit "paragraph (1)(d) of Information Privacy Principle 11 in
12
section 14 of the Privacy Act 1988", substitute "paragraph 6.2(b) of
13
Australian Privacy Principle 6".
14
Retirement Savings Accounts Act 1997
15
77 Subsection 137A(3)
16
Omit "subclauses 7.1 and 7.1A of National Privacy Principle 7 in
17
Schedule 3 to the Privacy Act 1988", substitute "Australian Privacy
18
Principle 9".
19
78 Subsection 137A(3) (note 1)
20
Omit "Subclause 7.1", substitute "Australian Privacy Principle 9".
21
Social Security (Administration) Act 1999
22
79 Subsection 202(8) (note)
23
Omit "section 14 of the Privacy Act 1988", substitute "the Australian
24
Privacy Principles".
25
Schedule 5 Amendment of other Acts
Part 1 Amendments relating to the Australian Privacy Principles
212 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Stronger Futures in the Northern Territory Act 2012
1
80 Subsection 105(2)
2
Omit "law", substitute "this Act".
3
Superannuation Industry (Supervision) Act 1993
4
81 Subsection 299LA(3)
5
Omit "subclauses 7.1 and 7.1A of National Privacy Principle 7 in
6
Schedule 3 to the Privacy Act 1988", substitute "Australian Privacy
7
Principle 9".
8
82 Subsection 299LA(3) (note 1)
9
Omit "Subclause 7.1", substitute "Australian Privacy Principle 9".
10
Supported Accommodation Assistance Act 1994
11
83 Paragraph 12(3)(b)
12
Omit "principles set out in that Act", substitute "Australian Privacy
13
Principles".
14
Telecommunications Act 1997
15
84 Subparagraph 117(1)(k)(i)
16
Omit "National Privacy Principles (as defined in the Privacy Act
17
1988)", substitute "Australian Privacy Principles".
18
85 Subparagraph 117(1)(k)(ii)
19
Omit "that Act that relate to those Principles", substitute "the Privacy
20
Act 1988 that relate to those principles".
21
86 Subsection 118(1) (note)
22
Omit "National", substitute "Australian".
23
87 Paragraph 118(4A)(a)
24
Omit "National Privacy Principles (as defined in the Privacy Act
25
1988)", substitute "Australian Privacy Principles".
26
Amendment of other Acts Schedule 5
Amendments relating to the Australian Privacy Principles Part 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 213
88 Paragraph 118(4A)(b)
1
Omit "that Act relating to those Principles", substitute "the Privacy Act
2
1988 relating to those principles".
3
89 Subsection 121(1A)
4
Omit "National Privacy Principles (as defined in the Privacy Act
5
1988)", substitute "Australian Privacy Principles".
6
90 Subsection 122(3)
7
Omit "National Privacy Principles (as defined in the Privacy Act
8
1988)", substitute "Australian Privacy Principles".
9
91 Subsection 130(1) (note)
10
Omit "National", substitute "Australian".
11
92 Paragraph 134(1)(a)
12
Omit "National Privacy Principles (as defined in the Privacy Act
13
1988)", substitute "Australian Privacy Principles".
14
93 Paragraph 134(1)(b)
15
Omit "that Act relating to those Principles", substitute "the Privacy Act
16
1988 relating to those principles".
17
94 Section 303B (heading)
18
Repeal the heading, substitute:
19
303B Acts taken to be authorised by this Act for purposes of Privacy
20
Act
21
95 Subsections 303B(1) and (2)
22
Omit "law", substitute "this Act".
23
96 Subclause 15(2) of Schedule 2
24
Omit "Information Privacy Principles set out in section 14 of the
25
Privacy Act 1988 and the National Privacy Principles (as defined in that
26
Act)", substitute "Australian Privacy Principles".
27
Schedule 5 Amendment of other Acts
Part 1 Amendments relating to the Australian Privacy Principles
214 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Telecommunications (Consumer Protection and Service
1
Standards) Act 1999
2
97 Subparagraphs 147(2)(l)(i) and (ia)
3
Repeal the subparagraphs, substitute:
4
(i) Australian Privacy Principle 6;
5
Therapeutic Goods Act 1989
6
98 Subsections 61(4B) and (5B)
7
Omit "paragraph 1(d) of Information Privacy Principle 11 in section 14
8
of the Privacy Act 1988, to be authorised by law", substitute "paragraph
9
6.2(b) of Australian Privacy Principle 6, to be authorised by this Act".
10
Trade Marks Act 1995
11
99 Subsection 143(1) (note 2)
12
Omit "Principles 1, 2 and 3 in section 14 of the Privacy Act 1988",
13
substitute "Australian Privacy Principles 3 and 5".
14
Veterans' Entitlements Act 1986
15
100 Subsection 38AA(1)
16
Omit "A record keeper who has possession or control of", substitute
17
"An APP entity that holds".
18
101 Subsection 38AA(2)
19
Omit "Information Privacy Principles set out in section 14 of the
20
Privacy Act 1988, to be authorised by law", substitute "Australian
21
Privacy Principles, to be authorised by this Act".
22
23
Amendment of other Acts Schedule 5
Amendments relating to credit reporting Part 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 215
Part 2--Amendments relating to credit reporting
1
Anti-Money Laundering and Counter-Terrorism Financing
2
Act 2006
3
102 Section 5 (definition of assessment)
4
Omit "agency", substitute "body".
5
103 Section 5 (definition of credit information file)
6
Repeal the definition.
7
104 Section 5 (definition of credit reporting agency)
8
Repeal the definition.
9
105 Section 5
10
Insert:
11
credit reporting body has the same meaning as in the Privacy Act
12
1988.
13
106 Section 35A (heading)
14
Repeal the heading, substitute:
15
35A Reporting entities may disclose certain personal information to
16
credit reporting bodies for identity verification purposes
17
107 Paragraph 35A(1)(a)
18
Omit "agency", substitute "body".
19
108 Paragraph 35A(1)(b)
20
Omit "agency" (first occurring), substitute "body".
21
109 Paragraph 35A(1)(b)
22
Omit "contained in a credit information file in the possession or control
23
of the credit reporting agency", substitute "held by the credit reporting
24
body".
25
110 Subparagraph 35A(2)(a)(ii)
26
Schedule 5 Amendment of other Acts
Part 2 Amendments relating to credit reporting
216 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Omit "agency", substitute "body".
1
111 Subparagraph 35A(2)(a)(iii)
2
Omit "agency" (first occurring), substitute "body".
3
112 Subparagraph 35A(2)(a)(iii)
4
Omit "contained in a credit information file in the possession or control
5
of the credit reporting agency", substitute "held by the credit reporting
6
body".
7
113 Subparagraph 35A(2)(a)(iv)
8
Omit "agency", substitute "body".
9
114 Subparagraph 35A(2)(a)(v)
10
Omit "agency", substitute "body".
11
115 Subparagraph 35A(2)(a)(v)
12
Omit "the names, residential addresses and dates of birth contained in
13
credit information files of other individuals", substitute "personal
14
information held by the body that is the names, residential addresses
15
and dates of birth of other individuals".
16
116 Section 35B (heading)
17
Repeal the heading, substitute:
18
35B Credit reporting bodies may use and disclose certain personal
19
information for identity verification purposes
20
117 Subsection 35B(1)
21
Omit "agency" (first occurring), substitute "body".
22
118 Paragraph 35B(1)(a)
23
Omit "contained in a credit information file in the possession or control
24
of the credit reporting agency", substitute "held by the credit reporting
25
body".
26
119 Paragraph 35B(1)(b)
27
Amendment of other Acts Schedule 5
Amendments relating to credit reporting Part 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 217
Omit "the names, residential addresses and dates of birth contained in
1
credit information files of other individuals", substitute "personal
2
information held by the credit reporting body that is the names,
3
residential addresses and dates of birth of other individuals".
4
120 Paragraph 35B(2)(a)
5
Omit "contained in a credit information file in the possession or control
6
of the credit reporting agency", substitute "held by the credit reporting
7
body".
8
121 Subsection 35B(3)
9
Omit "contained in an individual's credit information file", substitute
10
"held by the credit reporting body".
11
122 Subsection 35B(3)
12
Omit "law for the purposes of paragraph 18K(1)(m)", substitute "this
13
Act for the purposes of paragraph 20E(3)(e)".
14
123 Paragraph 35C(2)(b)
15
Omit "agency", substitute "body".
16
124 Section 35D
17
Repeal the section, substitute:
18
35D Verification information not to be collected or held by a credit
19
reporting body
20
Subject to section 35E, a credit reporting body must not collect or
21
hold personal information about an individual that relates to a
22
verification request or an assessment in relation to the individual.
23
125 Section 35E (heading)
24
Repeal the heading, substitute:
25
35E Retention of verification information--credit reporting bodies
26
126 Sections 35E, 35F and 35G
27
Omit "agency" (wherever occurring), substitute "body".
28
127 Section 35L
29
Schedule 5 Amendment of other Acts
Part 2 Amendments relating to credit reporting
218 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Repeal the section, substitute:
1
35L Breach of requirement is an interference with privacy
2
A breach of a requirement of this Division in relation to an
3
individual constitutes an act or practice involving an interference
4
with the privacy of the individual for the purposes of section 13 of
5
the Privacy Act 1988.
6
Note:
The act or practice may be the subject of a complaint under section 36
7
of that Act.
8
Australian Crime Commission Act 2002
9
128 Paragraph 29A(7)(b)
10
Omit "agency (within the meaning of section 11A of the Privacy Act
11
1988) would be required, under subsection 18K(5)", substitute "body
12
(within the meaning of the Privacy Act 1988) would be required, under
13
subsection 20E(5)".
14
Law Enforcement Integrity Commissioner Act 2006
15
129 Paragraph 77A(9)(c)
16
Omit "agency (within the meaning of section 11A of the Privacy Act
17
1988) would be required, under subsection 18K(5)", substitute "body
18
(within the meaning of the Privacy Act 1988) would be required, under
19
subsection 20E(5)".
20
130 Paragraph 91(9)(c)
21
Omit "agency (within the meaning of section 11A of the Privacy Act
22
1988) would be required, under subsection 18K(5)", substitute "body
23
(within the meaning of the Privacy Act 1988) would be required, under
24
subsection 20E(5)".
25
National Consumer Credit Protection Act 2009
26
131 Paragraph 88(3)(i) of the National Credit Code
27
Repeal the paragraph, substitute:
28
(i) that, under the Privacy Act 1988, a credit reporting body
29
(within the meaning of that Act) may collect and hold default
30
Amendment of other Acts Schedule 5
Amendments relating to credit reporting Part 2
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 219
information (within the meaning of that Act) in relation to the
1
default; and
2
132 Paragraph 179D(2)(h) of the National Credit Code
3
Repeal the paragraph, substitute:
4
(h) that, under the Privacy Act 1988, a credit reporting body
5
(within the meaning of that Act) may collect and hold default
6
information (within the meaning of that Act) in relation to the
7
default; and
8
Taxation Administration Act 1953
9
133 Section 355-200 in Schedule 1 (example)
10
Omit "agency" (wherever occurring), substitute "body".
11
134 Section 355-200 in Schedule 1 (example)
12
Omit "record of the disclosure in the entity's credit information file, as
13
required by subsection 18K(5)", substitute "written note of the
14
disclosure as required by subsection 20E(5)".
15
16
Schedule 5 Amendment of other Acts
Part 3 Amendments relating to codes
220 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Part 3--Amendments relating to codes
1
Australian Information Commissioner Act 2010
2
135 Paragraph 32(1)(b)
3
Repeal the paragraph, substitute:
4
(b) a statement about the operation of registered APP codes
5
under the Privacy Act 1988 that contain procedures covered
6
by subsection (2), including details about the number of
7
complaints made under codes, their nature and outcome.
8
Telecommunications Act 1997
9
136 Section 116A
10
Omit "an approved privacy code", substitute "a registered APP code".
11
137 Subparagraph 117(1)(k)(iii)
12
Omit "an approved privacy code", substitute "a registered APP code".
13
138 Subparagraph 117(1)(k)(iv)
14
Omit "the approved privacy code", substitute "the registered APP
15
code".
16
139 Subsection 118(1) (note)
17
Omit "approved privacy code", substitute "registered APP code".
18
140 Paragraph 118(4A)(c)
19
Omit "an approved privacy code", substitute "a registered APP code".
20
141 Paragraph 118(4A)(d)
21
Omit "the approved privacy code", substitute "the registered APP
22
code".
23
142 Subsections 121(1A) and 122(3)
24
Omit "an approved privacy code (as defined in that Act)", substitute "a
25
registered APP code (within the meaning of the Privacy Act 1988)".
26
143 Subsection 130(1) (note)
27
Amendment of other Acts Schedule 5
Amendments relating to codes Part 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 221
Omit "an approved privacy code", substitute "a registered APP code".
1
144 Paragraphs 134(1)(c) and (d)
2
Omit "an approved privacy code", substitute "a registered APP code".
3
145 Subsections 303B(1), 303B(2) and 303C(1)
4
Omit "an approved privacy code", substitute "a registered APP code".
5
Telecommunications (Consumer Protection and Service
6
Standards) Act 1999
7
146 Subparagraph 147(2)(l)(ib)
8
Omit "approved privacy code", substitute "registered APP code".
9
10
Schedule 5 Amendment of other Acts
Part 4 Other amendments
222 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Part 4--Other amendments
1
Australian Human Rights Commission Act 1986
2
147 Paragraph 20(4A)(b)
3
Omit "in the performance of the functions referred to in paragraph
4
27(1)(a) or 28(1)(b) or (c) of the Privacy Act 1988", substitute "under
5
the Privacy Act 1988 as an interference with the privacy of an
6
individual under subsection 13(1) or (4) of that Act".
7
Australian Information Commissioner Act 2010
8
148 Subsection 9(2) (table item 3, column headed
9
"Provision")
10
Omit ", and the Schedule".
11
149 Paragraphs 12(4)(a) and (b)
12
Repeal the paragraphs, substitute:
13
(a) performing the functions, and exercising the powers,
14
conferred on the Commissioner by Part IIIB of the Privacy
15
Act 1988;
16
150 Paragraph 12(4)(c)
17
Repeal the paragraph, substitute:
18
(c) the making of guidelines under paragraph 28(1)(a) or (b) of
19
the Privacy Act 1988, or the variation or revocation of those
20
guidelines;
21
151 Paragraph 12(4)(d)
22
Repeal the paragraph, substitute:
23
(d) the issue, variation or revocation of rules under:
24
(i) section 17 of the Privacy Act 1988; or
25
(ii) section 12 of the Data-matching Program (Assistance
26
and Tax) Act 1990; or
27
(iii) section 135AA of the National Health Act 1953;
28
152 Paragraph 12(4)(e)
29
Omit "paragraph 27(1)(r)", substitute "paragraph 28B(1)(c)".
30
Amendment of other Acts Schedule 5
Other amendments Part 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 223
153 Paragraph 12(4)(f)
1
Repeal the paragraph.
2
154 Paragraph 25(k)
3
Omit "guidelines", substitute "rules".
4
155 Paragraph 32(1)(a)
5
Omit "paragraphs 28(1)(a) and (f)", substitute "section 17 and
6
paragraph 28A(1)(d)".
7
Crimes Act 1914
8
156 Subsection 85ZZG(1)
9
Omit ", 96".
10
Data-matching Program (Assistance and Tax) Act 1990
11
157 Subsection 5(2)
12
Omit "Guidelines", substitute "Rules".
13
158 Section 12 (heading)
14
Repeal the heading, substitute:
15
12 Rules relating to privacy
16
159 Section 12
17
Omit "guidelines" (wherever occurring), substitute "rules".
18
160 Subsection 13(2)
19
Omit "guidelines in the Schedule", substitute "rules issued under
20
section 12".
21
161 Subsections 13(3) and (4)
22
Omit "guidelines", substitute "rules".
23
162 Subsection 13(7)
24
Omit "Part 5 and section 99", substitute "Part V".
25
Schedule 5 Amendment of other Acts
Part 4 Other amendments
224 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
163 Subsection 14(1)
1
Omit "guidelines", substitute "rules".
2
Healthcare Identifiers Act 2010
3
164 Subsection 29(3)
4
Repeal the subsection, substitute:
5
Assessment by Information Commissioner
6
(3) For the purpose of paragraph 33C(1)(a) of the Privacy Act 1988, a
7
healthcare identifier is taken to be personal information.
8
National Health Act 1953
9
165 Section 135AA (heading)
10
Repeal the heading, substitute:
11
135AA Privacy rules
12
166 Subsection 135AA(3) (heading)
13
Repeal the heading, substitute:
14
Issuing rules
15
167 Subsections 135AA(3) and (3A)
16
Omit "guidelines", substitute "rules".
17
168 Subsection 135AA(4) (heading)
18
Repeal the heading, substitute:
19
Replacing or varying rules
20
169 Subsection 135AA(4)
21
Omit "guidelines" (wherever occurring), substitute "rules".
22
170 Subsection 135AA(5) (heading)
23
Repeal the heading, substitute:
24
Amendment of other Acts Schedule 5
Other amendments Part 4
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 225
Content of rules
1
171 Subsections 135AA(5) and (5A)
2
Omit "guidelines" (wherever occurring), substitute "rules".
3
172 Subsection 135AA(5AA)
4
Omit "guidelines", substitute "rules".
5
173 Subsections 135AA(5B) and (6)
6
Omit "guidelines" (wherever occurring), substitute "rules".
7
174 Subsection 135AA(8) (heading)
8
Repeal the heading, substitute:
9
When rules take effect
10
175 Subsection 135AA(8)
11
Omit "guidelines" (wherever occurring), substitute "rules".
12
176 Section 135AB (heading)
13
Repeal the heading, substitute:
14
135AB Breaches of the privacy rules
15
177 Subsections 135AB(1) and (2)
16
Omit "guidelines", substitute "rules".
17
Retirement Savings Accounts Act 1997
18
178 Subsection 137A(3) (note 2)
19
Omit "guidelines", substitute "rules".
20
179 Section 147
21
Omit "guidelines", substitute "rules".
22
Superannuation Industry (Supervision) Act 1993
23
180 Subsection 299LA(3) (note 2)
24
Schedule 5 Amendment of other Acts
Part 4 Other amendments
226 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Omit "guidelines", substitute "rules".
1
2
Application, transitional and savings provisions Schedule 6
Definitions Part 1
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 227
Schedule 6--Application, transitional and
1
savings provisions
2
Part 1--Definitions
3
1 Definitions
4
In this Schedule:
5
commencement time means the time Schedule 1 to this Act
6
commences.
7
Privacy Act means the Privacy Act 1988.
8
transition period means the period:
9
(a) starting on the day this Act receives the Royal Assent; and
10
(b) ending immediately before the commencement time.
11
12
Schedule 6 Application, transitional and savings provisions
Part 2 Provisions relating to Schedule 1 to this Act
228 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Part 2--Provisions relating to Schedule 1 to this Act
1
2 Application--court/tribunal orders
2
The definition of court/tribunal order in subsection 6(1) of the Privacy
3
Act, as inserted by Schedule 1 to this Act, applies in relation to an
4
order, direction or other instrument made before or after the
5
commencement time.
6
3 Saving--guidelines relating to medical research etc.
7
(1)
This item applies to guidelines if:
8
(a) the guidelines were issued or approved under subsection
9
95(1), 95A(2), 95A(4) or 95AA(2) of the Privacy Act; and
10
(b) the guidelines were in force immediately before the
11
commencement time.
12
(2)
The guidelines have effect, after that time, as if they had been issued or
13
approved under that subsection, as amended by Schedule 1 to this Act.
14
15
Application, transitional and savings provisions Schedule 6
Provisions relating to Schedule 2 to this Act Part 3
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 229
Part 3--Provisions relating to Schedule 2 to this Act
1
4 Application--credit reporting
2
(1)
To the extent that the amendments of the Privacy Act made by
3
Schedule 2 to this Act apply in relation to credit, they apply in relation
4
to credit applied for, or provided, before or after the commencement
5
time.
6
(2)
The definition of court proceedings information in subsection 6(1) of
7
the Privacy Act, as inserted by Schedule 2 to this Act, applies in relation
8
to a judgement of an Australian court made or given before or after the
9
commencement time.
10
(3)
The definition of serious credit infringement in subsection 6(1) of the
11
Privacy Act, as inserted by Schedule 2 to this Act, applies in relation to
12
an act done before or after the commencement time.
13
(4)
Paragraph 6N(k) of the Privacy Act, as inserted by Schedule 2 to this
14
Act, applies in relation to activities done before or after the
15
commencement time.
16
(5)
Section 6R of the Privacy Act, as inserted by Schedule 2 to this Act,
17
applies in relation to an information request made before or after the
18
commencement time.
19
(6)
Section 6V of the Privacy Act, as inserted by Schedule 2 to this Act,
20
applies in relation to a monthly payment that is due and payable on or
21
after the day this Act receives the Royal Assent.
22
23
Schedule 6 Application, transitional and savings provisions
Part 4 Provisions relating to Schedule 3 to this Act
230 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Part 4--Provisions relating to Schedule 3 to this Act
1
5 Privacy codes may be developed etc. during the transition
2
period
3
(1)
A function or power conferred on the Commissioner or an entity by
4
Part IIIB of the Privacy Act, as inserted by Schedule 3 to this Act, may
5
be performed or exercised during the transition period as if the Privacy
6
Act, as amended by this Act, was in force during that period.
7
(2)
The performance of such a function, or the exercise of such a power,
8
during the transition period has effect, after the commencement time, as
9
if it had been performed or exercised under Part IIIB of the Privacy Act
10
as inserted by Schedule 3 to this Act.
11
12
Application, transitional and savings provisions Schedule 6
Provisions relating to Schedule 4 to this Act Part 5
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 231
Part 5--Provisions relating to Schedule 4 to this Act
1
6 Application--section 13G of the Privacy Act
2
Section 13G of the Privacy Act, as inserted by Schedule 4 to this Act,
3
applies in relation to an act done, or a practice engaged in, after the
4
commencement time.
5
7 Saving--guidelines relating to tax file number information
6
(1)
This item applies to guidelines if:
7
(a) the guidelines were issued under subsection 17(1) of the
8
Privacy Act; and
9
(b) the guidelines were in force immediately before the
10
commencement time.
11
(2)
The guidelines have effect, after that time, as if they had been rules
12
issued under section 17 of that Act, as inserted by Schedule 4 to this
13
Act.
14
8 Saving--guidelines prepared and published under the
15
Privacy Act
16
(1)
This item applies to guidelines if:
17
(a) the guidelines were prepared and published under paragraph
18
27(1)(e) or 28A(1)(e) of the Privacy Act; and
19
(b) the guidelines were in force immediately before the
20
commencement time.
21
(2)
The guidelines have effect, after that time, as if they had been made
22
under paragraph 28(1)(a) of that Act, as inserted by Schedule 4 to this
23
Act.
24
9 Audits by the Commissioner
25
(1)
This item applies if:
26
(a) before the commencement time, the Commissioner was
27
conducting an audit under paragraph 27(1)(h) or (ha),
28
28(1)(e) or 28A(1)(g) of the Privacy Act; and
29
(b) immediately before that time, the audit has not been
30
completed.
31
Schedule 6 Application, transitional and savings provisions
Part 5 Provisions relating to Schedule 4 to this Act
232 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(2)
Despite the amendments of the Privacy Act made by this Act, the
1
Commissioner may continue, after the commencement time, to conduct
2
the audit as if those amendments had not been made.
3
10 Application--amendment made by item 75 of Schedule 4
4
The amendment made by item 75 of Schedule 4 to this Act applies in
5
relation to a representative complaint lodged after the commencement
6
time.
7
11 Application--paragraph 41(1)(db) of the Privacy Act
8
Paragraph 41(1)(db) of the Privacy Act, as inserted by Schedule 4 to
9
this Act, applies in relation to a request made after the commencement
10
time.
11
12 Saving--public interest determinations
12
(1)
This item applies to a determination if:
13
(a) the determination was made under section 72 of the Privacy
14
Act; and
15
(b) the determination was in force immediately before the
16
commencement time.
17
(2)
The determination has effect, after the commencement time, as if it had
18
been made under that section, as amended by Schedule 4 to this Act.
19
(3)
The Commissioner may, by legislative instrument, vary the
20
determination after the commencement time to take account of the
21
amendments of the Privacy Act made by this Act.
22
(4)
In deciding whether to vary the determination, the Commissioner may:
23
(a) consult any person or entity; and
24
(b) take into account any matter that the Commissioner considers
25
relevant.
26
13 Application--subsection 73(1A) of the Privacy Act
27
Subsection 73(1A) of the Privacy Act, as inserted by Schedule 4 to this
28
Act, applies in relation to an application made under subsection 73(1) of
29
the Privacy Act after the commencement time.
30
14 Application--review by the Administrative Appeals
31
Tribunal
32
Application, transitional and savings provisions Schedule 6
Provisions relating to Schedule 4 to this Act Part 5
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 233
Paragraphs 96(1)(c), (e), (f) and (g) of the Privacy Act, as inserted by
1
Schedule 4 to this Act, apply in relation to a decision made after the
2
commencement time.
3
4
Schedule 6 Application, transitional and savings provisions
Part 6 Provisions relating to Schedule 5 to this Act
234 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
Part 6--Provisions relating to Schedule 5 to this Act
1
15 Saving--guidelines issued under other Acts
2
(1)
This item applies to guidelines if:
3
(a) the guidelines were issued under section 135AA of the
4
National Health Act 1953 or section 12 of the Data-matching
5
Program (Assistance and Tax) Act 1990; and
6
(b) the guidelines were in force immediately before the
7
commencement time.
8
(2)
The guidelines have effect, after that time, as if they had been rules
9
issued under that section, as amended by Schedule 5 to this Act.
10
11
Application, transitional and savings provisions Schedule 6
Provisions relating to other matters Part 7
Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012 235
Part 7--Provisions relating to other matters
1
16 Pre-commencement complaints
2
(1)
This item applies if:
3
(a) before the commencement time, a complaint about an act or
4
practice was made to the Commissioner under section 36 of
5
the Privacy Act; and
6
(b) immediately before that time, the Commissioner has not:
7
(i) decided under Part V of that Act not to investigate, or
8
not to investigate further, the act or practice; or
9
(ii) made a determination under section 52 of that Act in
10
relation to the complaint.
11
(2)
Despite the amendments of the Privacy Act made by this Act, the
12
complaint may be dealt with under the Privacy Act after the
13
commencement time as if those amendments had not been made.
14
17 Pre-commencement own initiative investigations
15
(1)
This item applies if:
16
(a) before the commencement time, the Commissioner
17
commenced an investigation under subsection 40(2) of the
18
Privacy Act; and
19
(b) immediately before that time, the Commissioner has not
20
finished conducting the investigation.
21
(2)
Despite the amendments of the Privacy Act made by this Act, the
22
Commissioner may continue to conduct the investigation under the
23
Privacy Act after the commencement time as if those amendments had
24
not been made.
25
18 Pre-commencement acts and practices
26
(1)
This item applies if:
27
(a) before the commencement time, an act was done, or a
28
practice was engaged in, by an agency or organisation; and
29
(b) the act or practice may be an interference with the privacy of
30
an individual under section 13 or 13A of the Privacy Act (as
31
in force immediately before that time); and
32
(c) immediately before that time:
33
Schedule 6 Application, transitional and savings provisions
Part 7 Provisions relating to other matters
236 Privacy Amendment (Enhancing Privacy Protection) Bill 2012 No. , 2012
(i) the individual has not made a complaint about the act or
1
practice to the Commissioner under section 36 of that
2
Act; and
3
(ii) the Commissioner has not decided to investigate the act
4
or practice under subsection 40(2) of that Act.
5
(2)
Despite the amendments of the Privacy Act made by this Act, the
6
individual may, after the commencement time, complain to the
7
Commissioner about the act or practice, and the complaint may be dealt
8
with, under the Privacy Act as if those amendments had not been made.
9
(3)
Despite the amendments of the Privacy Act made by this Act, the
10
Commissioner may, after the commencement time, investigate the act
11
or practice under subsection 40(2) of the Privacy Act as if those
12
amendments had not been made.
13
19 Regulations may deal with transitional etc. matters
14
The Governor-General may make regulations dealing with matters of a
15
transitional, application or saving nature relating to the amendments
16
made by this Act.
17

 


[Index] [Search] [Download] [Related Items] [Help]