(1) An organisation must not do an act, or engage in a practice, that contravenes an Information Privacy Principle in respect of personal information collected, held, managed, used, disclosed or transferred by it.
(2) A public sector agency or a Council must, in administering a public register, so far as is reasonably practicable, not do an act or engage in a practice that would contravene an Information Privacy Principle in respect of information collected, held, managed, used, disclosed or transferred by it in connection with the administration of the public register if that information were personal information.
(3) Subsections (1) and (2) do not apply if the act or practice is permitted under—
(a) a public interest determination; or
(b) a temporary public interest determination; or
(c) an approved information usage arrangement.
Division 3—Codes of practice