Commonwealth Consolidated Acts

[Index] [Table] [Search] [Search this Act] [Notes] [Noteup] [Download] [Help]

PRIVACY ACT 1988


TABLE OF PROVISIONS

           Long Title

   PART I--PRELIMINARY

   1.      Short title  
   2.      Commencement  
   2A.     Objects of this Act  
   3.      Saving of certain State and Territory laws  
   3A.     Application of the Criminal Code  
   4.      Act to bind the Crown  
   5A.     Extension to external Territories  
   5B.     Extra - territorial operation of Act  

   PART II--INTERPRETATION

           Division 1--General definitions

   6.      Interpretation  
   6AA.    Meaning of responsible person  
   6A.     Breach of an Australian Privacy Principle  
   6B.     Breach of a registered APP code  
   6BA.    Breach of the registered CR code  
   6C.     Organisations  
   6D.     Small business and small business operators  
   6DA.    What is the annual turnover of a business?  
   6E.     Small business operator treated as organisation  
   6EA.    Small business operators choosing to be treated as organisations  
   6F.     State instrumentalities etc. treated as organisations  
   6FA.    Meaning of health information  
   6FB.    Meaning of health service  

           Division 2--Key definitions relating to credit reporting

              Subdivision A--Credit provider

   6G.     Meaning of credit provider  
   6H.     Agents of credit providers  
   6J.     Securitisation arrangements etc.  
   6K.     Acquisition of the rights of a credit provider  

              Subdivision B--Other definitions

   6L.     Meaning of access seeker  
   6M.     Meaning of credit and amount of credit  
   6N.     Meaning of credit information  
   6P.     Meaning of credit reporting business  
   6Q.     Meaning of default information  
   6QA.    Meanings of financial hardship arrangement and financial hardship information  
   6R.     Meaning of information request  
   6S.     Meaning of new arrangement information  
   6T.     Meaning of payment information  
   6U.     Meaning of personal insolvency information  
   6V.     Meaning of repayment history information  

           Division 3--Other matters

   7.      Acts and practices of agencies, organisations etc.  
   7A.     Acts of certain agencies treated as acts of organisation  
   7B.     Exempt acts and exempt practices of organisations  
   7C.     Political acts and practices are exempt  
   8.      Acts and practices of, and disclosure of information to, staff of agency, organisation etc.  
   10.     Agencies that are taken to hold a record  
   11.     File number recipients  
   12A.    Act not to apply in relation to State banking or insurance within that State  
   12B.    Severability--additional effect of this Act  

   PART III--INFORMATION--PRIVACY

           Division 1--Interferences with privacy

   13.     Interferences with privacy  
   13B.    Related bodies corporate  
   13C.    Change in partnership because of change in partners  
   13D.    Overseas act required by foreign law  
   13E.    Effect of sections 13B, 13C and 13D  
   13F.    Act or practice not covered by section 13 is not an interference with privacy  
   13G.    Serious and repeated interferences with privacy  

           Division 2--Australian Privacy Principles

   14.     Australian Privacy Principles  
   15.     APP entities must comply with Australian Privacy Principles  
   16.     Personal, family or household affairs  
   16A.    Permitted general situations in relation to the collection, use or disclosure of personal information  
   16B.    Permitted health situations in relation to the collection, use or disclosure of health information  
   16C.    Acts and practices of overseas recipients of personal information  

           Division 4--Tax file number information

   17.     Rules relating to tax file number information  
   18.     File number recipients to comply with rules  

   PART IIIA--CREDIT--REPORTING

           Division 1--Introduction

   19.     Guide to this Part  

           Division 2--Credit reporting bodies

              Subdivision A--Introduction and application of this Division etc.

   20.     Guide to this Division  
   20A.    Application of this Division and the Australian Privacy Principles to credit reporting bodies  

              Subdivision B--Consideration of information privacy

   20B.    Open and transparent management of credit reporting information  

              Subdivision C--Collection of credit information

   20C.    Collection of solicited credit information  
   20D.    Dealing with unsolicited credit information  

              Subdivision D--Dealing with credit reporting information etc.

   20E.    Use or disclosure of credit reporting information  
   20F.    Permitted CRB disclosures in relation to individuals  
   20G.    Use or disclosure of credit reporting information for the purposes of direct marketing  
   20H.    Use or disclosure of pre - screening assessments  
   20J.    Destruction of pre - screening assessment  
   20K.    No use or disclosure of credit reporting information during a ban period  
   20L.    Adoption of government related identifiers  
   20M.    Use or disclosure of credit reporting information that is de - identified  

              Subdivision E--Integrity of credit reporting information

   20N.    Quality of credit reporting information  
   20P.    False or misleading credit reporting information  
   20Q.    Security of credit reporting information  

              Subdivision F--Access to, and correction of, information

   20R.    Access to credit reporting information  
   20S.    Correction of credit reporting information  
   20T.    Individual may request the correction of credit information etc.  
   20U.    Notice of correction etc. must be given  

              Subdivision G--Dealing with credit reporting information after the retention period ends etc.

   20V.    Destruction etc. of credit reporting information after the retention period ends  
   20W.    Retention period for credit information--general  
   20X.    Retention period for credit information--personal insolvency information  
   20Y.    Destruction of credit reporting information in cases of fraud  
   20Z.    Dealing with information if there is a pending correction request etc.  
   20ZA.   Dealing with information if an Australian law etc. requires it to be retained  

           Division 3--Credit providers

              Subdivision A--Introduction and application of this Division

   21.     Guide to this Division  
   21A.    Application of this Division to credit providers  

              Subdivision B--Consideration of information privacy

   21B.    Open and transparent management of credit information etc.  

              Subdivision C--Dealing with credit information

   21C.    Additional notification requirements for the collection of personal information etc.  
   21D.    Disclosure of credit information to a credit reporting body  
   21E.    Payment information must be disclosed to a credit reporting body  
   21EA.   Financial hardship information must be disclosed  
   21F.    Limitation on the disclosure of credit information during a ban period  

              Subdivision D--Dealing with credit eligibility information etc.

   21G.    Use or disclosure of credit eligibility information  
   21H.    Permitted CP uses in relation to individuals  
   21J.    Permitted CP disclosures between credit providers  
   21K.    Permitted CP disclosures relating to guarantees etc.  
   21L.    Permitted CP disclosures to mortgage insurers  
   21M.    Permitted CP disclosures to debt collectors  
   21N.    Permitted CP disclosures to other recipients  
   21NA.   Disclosures to certain persons and bodies that do not have an Australian link  
   21P.    Notification of a refusal of an application for consumer credit  

              Subdivision E--Integrity of credit information and credit eligibility information

   21Q.    Quality of credit eligibility information  
   21R.    False or misleading credit information or credit eligibility information  
   21S.    Security of credit eligibility information  

              Subdivision F--Access to, and correction of, information

   21T.    Access to credit eligibility information  
   21U.    Correction of credit information or credit eligibility information  
   21V.    Individual may request the correction of credit information etc.  
   21W.    Notice of correction etc. must be given  

           Division 4--Affected information recipients

   22.     Guide to this Division  

              Subdivision A--Consideration of information privacy

   22A.    Open and transparent management of regulated information  

              Subdivision B--Dealing with regulated information

   22B.    Additional notification requirements for affected information recipients  
   22C.    Use or disclosure of information by mortgage insurers or trade insurers  
   22D.    Use or disclosure of information by a related body corporate  
   22E.    Use or disclosure of information by credit managers etc.  
   22F.    Use or disclosure of information by advisers etc.  

           Division 5--Complaints

   23.     Guide to this Division  
   23A.    Individual may complain about a breach of a provision of this Part etc.  
   23B.    Dealing with complaints  
   23C.    Notification requirements relating to correction complaints  

           Division 6--Unauthorised obtaining of credit reporting information etc.

   24.     Obtaining credit reporting information from a credit reporting body  
   24A.    Obtaining credit eligibility information from a credit provider  

           Division 7--Court orders

   25.     Compensation orders  
   25A.    Other orders to compensate loss or damage  

           Division 8--Review

   25B.    Review of operation of this Part  

   PART IIIB--PRIVACY--CODES

           Division 1--Introduction

   26.     Guide to this Part  

           Division 2--Registered APP codes

              Subdivision A--Compliance with registered APP codes etc.

   26A.    APP entities to comply with binding registered APP codes  
   26B.    What is a registered APP code  
   26C.    What is an APP code  
   26D.    Extension of Act to exempt acts or practices covered by registered APP codes  

              Subdivision B--Development and registration of APP codes

   26E.    Development of APP codes by APP code developers  
   26F.    Application for registration of APP codes  
   26G.    Development of APP codes by the Commissioner  
   26H.    Commissioner may register APP codes  

              Subdivision C--Variation and removal of registered APP codes

   26J.    Variation of registered APP codes  
   26K.    Removal of registered APP codes  

           Division 3--Registered CR code

              Subdivision A--Compliance with the registered CR code

   26L.    Entities to comply with the registered CR code if bound by the code  
   26M.    What is the registered CR code  
   26N.    What is a CR code  

              Subdivision B--Development and registration of CR code

   26P.    Development of CR code by CR code developers  
   26Q.    Application for registration of CR code  
   26R.    Development of CR code by the Commissioner  
   26S.    Commissioner may register CR code  

              Subdivision C--Variation of the registered CR code

   26T.    Variation of the registered CR code  

           Division 4--General matters

   26U.    Codes Register  
   26V.    Guidelines relating to codes  
   26W.    Review of operation of registered codes  

   PART IIIC--NOTIFICATION--OF ELIGIBLE DATA BREACHES

           Division 1--Introduction

   26WA.   Simplified outline of this Part  
   26WB.   Entity  
   26WC.   Deemed holding of information  
   26WD.   Exception--notification under the My Health Records Act 2012  

           Division 2--Eligible data breach

   26WE.   Eligible data breach  
   26WF.   Exception--remedial action  
   26WG.   Whether access or disclosure would be likely, or would not be likely, to result in serious harm--relevant matters  

           Division 3--Notification of eligible data breaches

              Subdivision A--Suspected eligible data breaches

   26WH.   Assessment of suspected eligible data breach  
   26WJ.   Exception--eligible data breaches of other entities  

              Subdivision B--General notification obligations

   26WK.   Statement about eligible data breach  
   26WL.   Entity must notify eligible data breach  
   26WM.   Exception--eligible data breaches of other entities  
   26WN.   Exception--enforcement related activities  
   26WP.   Exception--inconsistency with secrecy provisions  
   26WQ.   Exception--declaration by Commissioner  

              Subdivision C--Commissioner may direct entity to notify eligible data breach

   26WR.   Commissioner may direct entity to notify eligible data breach  
   26WS.   Exception--enforcement related activities  
   26WT.   Exception--inconsistency with secrecy provisions  

           Division 4--Commissioner's powers to obtain information or documents relating to eligible data breaches

   26WU.   Power to obtain information and documents relating to eligible data breaches  

   PART IV--FUNCTIONS--OF THE INFORMATION COMMISSIONER

           Division 2--Functions of Commissioner

   27.     Functions of the Commissioner  
   28.     Guidance related functions of the Commissioner  
   28A.    Monitoring related functions of the Commissioner  
   28B.    Advice related functions of the Commissioner  
   29.     Commissioner must have due regard to the objects of the Act  

           Division 3--Reports and information sharing by Commissioner

   30.     Reports following investigation of act or practice  
   31.     Report following examination of proposed law  
   32.     Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.  
   33.     Exclusion of certain matters from reports  
   33A.    Commissioner may share information with other authorities  
   33B.    Commissioner may disclose certain information if in the public interest etc.  

           Division 3A--Assessments by, or at the direction of, the Commissioner

   33C.    Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.  
   33D.    Commissioner may direct an agency to give a privacy impact assessment  

           Division 4--Miscellaneous

   34.     Provisions relating to documents exempt under the Freedom of Information Act 1982  
   35.     Direction where refusal or failure to amend exempt document  
   35A.    Commissioner may recognise external dispute resolution schemes  

   PART V--INVESTIGATIONS--ETC.

           Division 1A--Introduction

   36A.    Guide to this Part  

           Division 1--Investigation of complaints and investigations on the Commissioner's initiative

   36.     Complaints  
   36B.    Complaints relating to the data sharing scheme  
   37.     Principal executive of agency  
   38.     Conditions for making a representative complaint  
   38A.    Commissioner may determine that a complaint is not to continue as a representative complaint  
   38B.    Additional rules applying to the determination of representative complaints  
   38C.    Amendment of representative complaints  
   39.     Class member for representative complaint not entitled to lodge individual complaint  
   40.     Investigations  
   40A.    Conciliation of complaints  
   41.     Commissioner may or must decide not to investigate etc. in certain circumstances  
   42.     Preliminary inquiries  
   43.     Conduct of investigations  
   43A.    Interested party may request a hearing  
   44.     Power to obtain information and documents  
   45.     Power to examine witnesses  
   46.     Directions to persons to attend compulsory conference  
   47.     Conduct of compulsory conference  
   48.     Complainant and certain other persons to be informed of various matters  
   49.     Investigation under section 40 to cease if certain offences may have been committed  
   49A.    Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened  
   49B.    Transfer of complaints from the Inspector - General of Intelligence and Security  
   50.     Reference of matters to other authorities  
   50A.    Substitution of respondent to complaint  
   51.     Effect of investigation by Auditor - General  

           Division 2--Determinations following investigation of complaints

   52.     Determination of the Commissioner  
   52A.    Determination--requirement to notify conduct constituting interference with privacy of individual  
   53.     Determination must identify the class members who are to be affected by the determination  
   53A.    Notice to be given to outsourcing agency  
   53B.    Substituting an agency for a contracted service provider  

           Division 3--Enforcement of determinations

   54.     Application of Division  
   55.     Obligations of organisations and small business operators  
   55A.    Proceedings in the Federal Court or Federal Circuit and Family Court of Australia (Division 2) to enforce a determination  
   55B.    Evidentiary certificate  

           Division 4--Review and enforcement of determinations involving Commonwealth agencies

   57.     Application of Division  
   58.     Obligations of agencies  
   59.     Obligations of principal executive of agency  
   60.     Compensation and expenses  
   62.     Enforcement of determination against an agency  

           Division 5--Miscellaneous

   63.     Legal assistance  
   64.     Commissioner etc. not to be sued  
   65.     Failure to attend etc. before Commissioner  
   66.     Failure to give information etc.  
   67.     Protection from civil actions  
   68.     Power to enter premises  
   68A.    Identity cards  
   70.     Certain documents and information not required to be disclosed  
   70B.    Application of this Part to former organisations  

   PART VI--PUBLIC--INTEREST DETERMINATIONS AND TEMPORARY PUBLIC INTEREST DETERMINATIONS

           Division 1--Public interest determinations

   71.     Interpretation  
   72.     Power to make, and effect of, determinations  
   73.     Application by APP entity  
   74.     Publication of application etc.  
   75.     Draft determination  
   76.     Conference  
   77.     Conduct of conference  
   78.     Determination of application  
   79.     Making of determination  

           Division 2--Temporary public interest determinations

   80A.    Temporary public interest determinations  
   80B.    Effect of temporary public interest determination  
   80D.    Commissioner may continue to consider application  

           Division 3--Register of determinations

   80E.    Register of determinations  

   PART VIA--DEALING--WITH PERSONAL INFORMATION IN EMERGENCIES AND DISASTERS

           Division 1--Object and interpretation

   80F.    Object  
   80G.    Interpretation  
   80H.    Meaning of permitted purpose  

           Division 2--Declaration of emergency

   80J.    Declaration of emergency--events of national significance  
   80K.    Declaration of emergency--events outside Australia  
   80L.    Form of declarations  
   80M.    When declarations take effect  
   80N.    When declarations cease to have effect  

           Division 3--Provisions dealing with the use and disclosure of personal information

   80P.    Authorisation of collection, use and disclosure of personal information  

           Division 4--Other matters

   80Q.    Disclosure of information--offence  
   80R.    Operation of Part  
   80S.    Severability--additional effect of Part  
   80T.    Compensation for acquisition of property--constitutional safety net  

   PART VIB--ENFORCEMENT

           Division 1--Civil penalties

   80U.    Civil penalty provisions  

           Division 1A--Infringement notices

   80UB.   Infringement notices  

           Division 2--Enforceable undertakings

   80V.    Enforceable undertakings  

           Division 3--Injunctions

   80W.    Injunctions  

   PART VII--PRIVACY--ADVISORY COMMITTEE

   81.     Interpretation  
   82.     Establishment and membership  
   83.     Functions  
   84.     Leave of absence  
   85.     Removal and resignation of members  
   86.     Disclosure of interests of members  
   87.     Meetings of Advisory Committee  
   88.     Travel allowance  

   PART VIII--OBLIGATIONS--OF CONFIDENCE

   89.     Obligations of confidence to which Part applies  
   90.     Application of Part  
   91.     Effect of Part on other laws  
   92.     Extension of certain obligations of confidence  
   93.     Relief for breach etc. of certain obligations of confidence  
   94.     Jurisdiction of courts  

   PART IX--MISCELLANEOUS

   95.     Medical research guidelines  
   95A.    Guidelines for Australian Privacy Principles about health information  
   95AA.   Guidelines for Australian Privacy Principles about genetic information  
   95B.    Requirements for Commonwealth contracts  
   95C.    Disclosure of certain provisions of Commonwealth contracts  
   96.     Review by the Administrative Appeals Tribunal  
   98A.    Treatment of partnerships  
   98B.    Treatment of unincorporated associations  
   98C.    Treatment of trusts  
   99A.    Conduct of directors, employees and agents  
   100.    Regulations  
           SCHEDULE 1 Australian Privacy Principles


AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback