An Act to make provision to protect the privacy of individuals, and for related purposes

WHEREAS Australia is a party to the International Covenant on Civil and Political Rights, the English text of which is set out in Schedule 2 to the Human Rights and Equal Opportunity Commission Act 1986:

AND WHEREAS, by that Covenant, Australia has undertaken to adopt such legislative measures as may be necessary to give effect to the right of persons not to be subjected to arbitrary or unlawful interference with their privacy, family, home or correspondence:

AND WHEREAS Australia is a member of the Organisation for Economic Co‑operation and Development:

AND WHEREAS the Council of that Organisation has recommended that member countries take into account in their domestic legislation the principles concerning the protection of privacy and individual liberties set forth in Guidelines annexed to the recommendation:

AND WHEREAS Australia has informed that Organisation that it will participate in the recommendation concerning those Guidelines:

BE IT THEREFORE ENACTED by the Queen, and the Senate and the House of Representatives of the Commonwealth of Australia, as follows:

Part I—Preliminary

1 Short title [see Note 1]

This Act may be cited as the Privacy Act 1988.

2 Commencement [see Note 1]

This Act commences on a day to be fixed by Proclamation.

3 Saving of certain State and Territory laws

It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction, disclosure or transfer of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.

Note: Such a law can have effect for the purposes of the provisions of the National Privacy Principles that regulate the handling of personal information by organisations by reference to the effect of other laws.

3A Application of the Criminal Code

Chapter 2 of the Criminal Code (except Part 2.5) applies to all offences against this Act.

Note: Chapter 2 of the Criminal Code sets out the general principles of criminal responsibility.

4 Act to bind the Crown

(1) This Act binds the Crown in right of the Commonwealth, of each of the States, of the Australian Capital Territory, of the Northern Territory and of Norfolk Island.

(2) Nothing in this Act renders the Crown in right of the Commonwealth, of a State, of the Australian Capital Territory, of the Northern Territory or of Norfolk Island liable to be prosecuted for an offence.

(3) Nothing in this Act shall be taken to have the effect of making the Crown in right of a State, of the Australian Capital Territory, of the Northern Territory or of Norfolk Island an agency for the purposes of this Act.

5 Interpretation of Information Privacy Principles

For the purposes of the interpretation of the Information Privacy Principles, each Information Privacy Principle shall be treated as if it were a section of this Act.

5A Extension to external Territories

This Act extends to all external Territories.

5B Extra‑territorial operation of Act

Application to overseas acts and practices of organisations

(1) This Act (except Divisions 4 and 5 of Part III and Part IIIA) and approved privacy codes extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation if:

(a) subject to subsection (1A), the act or practice relates to personal information about an Australian citizen or a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; and

(b) the requirements of subsection (2) or (3) are met.

Note: The act or practice overseas will not breach a National Privacy Principle or approved privacy code or be an interference with the privacy of an individual if the act or practice is required by an applicable foreign law. See sections 6A, 6B and 13A.

(1A) Paragraph (1)(a) does not apply in relation to National Privacy Principle 9.

Note: Because of subsection (1A), the extra‑territorial application of National Privacy Principle 9 is not limited by the citizenship etc. requirement of paragraph (1)(a).

Organisational link with Australia

(2) The organisation must be:

(a) an Australian citizen; or

(b) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or

(d) a trust created in Australia or an external Territory; or

(e) a body corporate incorporated in Australia or an external Territory; or

(f) an unincorporated association that has its central management and control in Australia or an external Territory.

Other link with Australia

(3) All of the following conditions must be met:

(a) the organisation is not described in subsection (2);

(b) the organisation carries on business in Australia or an external Territory;

(c) the personal information was collected or held by the organisation in Australia or an external Territory, either before or at the time of the act or practice.

Power to deal with complaints about overseas acts and practices

(4) Part V of this Act has extra‑territorial operation so far as that Part relates to complaints and investigation concerning acts and practices to which this Act extends because of subsection (1).

Note: This lets the Commissioner take action overseas to investigate complaints and lets the ancillary provisions of Part V operate in that context.

Part II—Interpretation

6 Interpretation

(1) In this Act, unless the contrary intention appears:

ACC means the Australian Crime Commission.

ACT enactment has the same meaning as enactment has in the Australian Capital Territory (Self‑Government) Act 1988.

agency means:

(a) a Minister; or

(b) a Department; or

(c) a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth enactment, not being:

(i) an incorporated company, society or association; or

(ii) an organisation within the meaning of the Conciliation and Arbitration Act 1904 or a branch of such an organisation; or

(d) a body established or appointed by the Governor‑General, or by a Minister, otherwise than by or under a Commonwealth enactment; or

(e) a person holding or performing the duties of an office established by or under, or an appointment made under, a Commonwealth enactment, other than a person who, by virtue of holding that office, is the Secretary of a Department; or

(f) a person holding or performing the duties of an appointment, being an appointment made by the Governor‑General, or by a Minister, otherwise than under a Commonwealth enactment; or

(g) a federal court; or

(h) the Australian Federal Police; or

(i) an eligible case manager; or

(j) the nominated AGHS company; or

(k) an eligible hearing service provider.

annual turnover of a business has the meaning given by section 6DA.

approved privacy code means:

(a) a privacy code approved by the Commissioner under section 18BB; or

(b) a privacy code approved by the Commissioner under section 18BB with variations approved by the Commissioner under section 18BD.

bank means:

(a) the Reserve Bank of Australia; or

(b) a body corporate that is an ADI (authorised deposit‑taking institution) for the purposes of the Banking Act 1959; or

Board of the ACC means the Board of the Australian Crime Commission established under section 7B of the Australian Crime Commission Act 2002.

breach an approved privacy code has the meaning given by section 6B.

breach an Information Privacy Principle has a meaning affected by subsection 6(2).

breach a National Privacy Principle has the meaning given by section 6A.

class member, in relation to a representative complaint, means any of the persons on whose behalf the complaint was lodged, but does not include a person who has withdrawn under section 38B.

code complaint means a complaint about an act or practice that, if established, would be an interference with the privacy of the complainant because it breached an approved privacy code.

Code of Conduct means the Code of Conduct issued under section 18A.

commercial credit means a loan sought or obtained by a person, other than a loan of a kind referred to in the definition of credit in this subsection.

Commissioner means the Privacy Commissioner.

Commissioner of Police means the Commissioner of Police appointed under the Australian Federal Police Act 1979.

Commonwealth contract means a contract, to which the Commonwealth or an agency is or was a party, under which services are to be, or were to be, provided to an agency.

Note: See also subsection (9) about provision of services to an agency.

Commonwealth enactment means:

(a) an Act other than:

(i) the Northern Territory (Self‑Government) Act 1978; or

(ii) an Act providing for the administration or government of an external Territory; or

(iii) the Australian Capital Territory (Self‑Government) Act 1988;

(b) an Ordinance of the Australian Capital Territory;

(c) an instrument (including rules, regulations or by‑laws) made under an Act to which paragraph (a) applies or under an Ordinance to which paragraph (b) applies; or

(d) any other legislation that applies as a law of the Commonwealth (other than legislation in so far as it is applied by an Act referred to in subparagraph (a)(i) or (ii)) or as a law of the Australian Capital Territory, to the extent that it operates as such a law.

Commonwealth officer means a person who holds office under, or is employed by, the Commonwealth, and includes:

(a) a person appointed or engaged under the Public Service Act 1999;

(b) a person (other than a person referred to in paragraph (a)) permanently or temporarily employed by, or in the service of, an agency;

(d) a member, staff member or special member of the Australian Federal Police;

but does not include a person permanently or temporarily employed in the Australian Capital Territory Government Service or in the Public Service of the Northern Territory or of Norfolk Island.

consent means express consent or implied consent.

contracted service provider, for a government contract, means:

(a) an organisation that is or was a party to the government contract and that is or was responsible for the provision of services to an agency or a State or Territory authority under the government contract; or

(b) a subcontractor for the government contract.

corporation means a body corporate that:

(a) is a foreign corporation;

(b) is a trading corporation formed within the limits of Australia or is a financial corporation so formed; or

credit means a loan sought or obtained by an individual from a credit provider in the course of the credit provider carrying on a business or undertaking as a credit provider, being a loan that is intended to be used wholly or primarily for domestic, family or household purposes.

credit card means any article of a kind commonly known as a credit card, charge card or any similar article intended for use in obtaining cash, goods or services by means of loans, and includes any article of a kind commonly issued by persons carrying on business to customers or prospective customers of those persons for use in obtaining goods or services from those persons by means of loans.

credit enhancement, in relation to a loan, means:

(a) the process of insuring risk associated with purchasing or funding the loan by means of a securitisation arrangement; or

(b) any other similar process related to purchasing or funding the loan by those means.

credit information file, in relation to an individual, means any record that contains information relating to the individual and is kept by a credit reporting agency in the course of carrying on a credit reporting business (whether or not the record is a copy of the whole or part of, or was prepared using, a record kept by another credit reporting agency or any other person).

credit provider has the meaning given by section 11B, and, for the purposes of sections 7 and 8 and Parts III, IV and V, is taken to include a mortgage insurer and a trade insurer.

credit report means any record or information, whether in a written, oral or other form, that:

(a) is being or has been prepared by a credit reporting agency; and

(b) has any bearing on an individual’s:

(i) eligibility to be provided with credit; or

(ii) history in relation to credit; or

(iii) capacity to repay credit; and

(c) is used, has been used or has the capacity to be used for the purpose of serving as a factor in establishing an individual’s eligibility for credit.

credit reporting agency has the meaning given by section 11A.

credit reporting business means a business or undertaking (other than a business or undertaking of a kind in respect of which regulations made for the purposes of subsection (5C) are in force) that involves the preparation or maintenance of records containing personal information relating to individuals (other than records in which the only personal information relating to individuals is publicly available information), for the purpose of, or for purposes that include as the dominant purpose the purpose of, providing to other persons (whether for profit or reward or otherwise) information on an individual’s:

(a) eligibility to be provided with credit; or

(b) history in relation to credit; or

whether or not the information is provided or intended to be provided for the purposes of assessing applications for credit.

credit reporting complaint means a complaint about an act or practice that, if established, would be an interference with the privacy of the complainant because:

(a) it breached the Code of Conduct; or

(b) it breached a provision of Part IIIA.

credit reporting infringement means:

(a) a breach of the Code of Conduct; or

(b) a breach of a provision of Part IIIA.

current credit provider, in relation to an individual, means a credit provider who has given, to the individual, credit that has not yet been fully repaid or otherwise fully discharged.

Defence Force includes the Australian Navy Cadets, the Australian Army Cadets and the Australian Air Force Cadets.

Department means an Agency within the meaning of the Public Service Act 1999.

eligible case manager means an entity (within the meaning of the Employment Services Act 1994):

(a) that is, or has at any time been, a contracted case manager within the meaning of that Act; and

(b) that is not covered by paragraph (a), (b), (c), (d), (e), (f), (g) or (h) of the definition of agency.

eligible communications service means a postal, telegraphic, telephonic or other like service, within the meaning of paragraph 51(v) of the Constitution.

eligible hearing service provider means an entity (within the meaning of the Hearing Services Administration Act 1997):

(a) that is, or has at any time been, engaged under Part 3 of the Hearing Services Administration Act 1997 to provide hearing services; and

(b) that is not covered by paragraph (a), (b), (c), (d), (e), (f), (g), (h) or (j) of the definition of agency.

employee record, in relation to an employee, means a record of personal information relating to the employment of the employee. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about all or any of the following:

(a) the engagement, training, disciplining or resignation of the employee;

(b) the termination of the employment of the employee;

(d) the employee’s personal and emergency contact details;

(e) the employee’s performance or conduct;

(f) the employee’s hours of employment;

(g) the employee’s salary or wages;

(h) the employee’s membership of a professional or trade association;

(i) the employee’s trade union membership;

(j) the employee’s recreation, long service, sick, personal, maternity, paternity or other leave;

(k) the employee’s taxation, banking or superannuation affairs.

enforcement body means:

(a) the Australian Federal Police; or

(b) the ACC; or

(d) the Australian Prudential Regulation Authority; or

(e) the Australian Securities and Investments Commission; or

(f) another agency, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or

(g) another agency, to the extent that it is responsible for administering a law relating to the protection of the public revenue; or

(h) a police force or service of a State or a Territory; or

(i) the New South Wales Crime Commission; or

(j) the Independent Commission Against Corruption of New South Wales; or

(k) the Police Integrity Commission of New South Wales; or

(l) the Crime and Misconduct Commission of Queensland; or

(m) another prescribed authority or body that is established under a law of a State or Territory to conduct criminal investigations or inquiries; or

(n) a State or Territory authority, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or

(o) a State or Territory authority, to the extent that it is responsible for administering a law relating to the protection of the public revenue.

Federal Court means the Federal Court of Australia.

file number complaint means a complaint about an act or practice that, if established, would be an interference with the privacy of the complainant:

(a) because it breached a guideline issued under section 17; or

(b) because it involved an unauthorised requirement or request for disclosure of a tax file number.

financial corporation means a financial corporation within the meaning of paragraph 51(xx) of the Constitution.

foreign corporation means a foreign corporation within the meaning of paragraph 51(xx) of the Constitution.

Freedom of Information Act means the Freedom of Information Act 1982.

generally available publication means a magazine, book, newspaper or other publication (however published) that is or will be generally available to members of the public.

government contract means a Commonwealth contract or a State contract.

guarantee includes an indemnity given against the default of a borrower in making a payment in respect of a loan.

health information means:

(a) information or an opinion about:

(i) the health or a disability (at any time) of an individual; or

(ii) an individual’s expressed wishes about the future provision of health services to him or her; or

(iii) a health service provided, or to be provided, to an individual;

that is also personal information; or

(b) other personal information collected to provide, or in providing, a health service; or

(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.

health service means:

(a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

(i) to assess, record, maintain or improve the individual’s health; or

(ii) to diagnose the individual’s illness or disability; or

(iii) to treat the individual’s illness or disability or suspected illness or disability; or

(b) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

hearing services has the same meaning as in the Hearing Services Administration Act 1997.

individual means a natural person.

individual concerned, in relation to personal information or a record of personal information, means the individual to whom the information relates.

Information Privacy Principle means any of the Information Privacy Principles set out in section 14.

intelligence agency means:

(a) the Australian Security Intelligence Organisation;

(b) the Australian Secret Intelligence Service; or

IPP complaint means a complaint about an act or practice that, if established, would be an interference with the privacy of the complainant because it breached an Information Privacy Principle.

loan means a contract, arrangement or understanding under which a person is permitted to defer payment of a debt, or to incur a debt and defer its payment, and includes:

(a) a hire‑purchase agreement; and

(b) such a contract, arrangement or understanding for the hire, lease or renting of goods or services, other than a contract, arrangement or understanding under which:

(i) full payment is made before, or at the same time as, the goods or services are provided; and

(ii) in the case of a hiring, leasing or renting of goods—an amount greater than or equal to the value of the goods is paid as a deposit for the return of the goods.

media organisation means an organisation whose activities consist of or include the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:

(a) material having the character of news, current affairs, information or a documentary;

(b) material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.

medical research includes epidemiological research.

mortgage credit means credit provided in connection with the acquisition, maintenance or improvement of real property, being credit in respect of which the real property is security.

mortgage insurer means a corporation that carries on a business or undertaking (whether for profit, reward or otherwise) that involves providing insurance to credit providers in respect of mortgage credit given by credit providers to other persons.

National Privacy Principle means a clause of Schedule 3. A reference in this Act to a National Privacy Principle by number is a reference to the clause of Schedule 3 with that number.

nominated AGHS company means a company that:

(a) is the nominated company (within the meaning of Part 2 of the Hearing Services and AGHS Reform Act 1997); and

(b) is either:

(i) Commonwealth‑owned (within the meaning of that Part); or

(ii) a corporation.

NPP complaint means a complaint about an act or practice that, if established, would be an interference with the privacy of the complainant because it breached a National Privacy Principle.

Ombudsman means the Commonwealth Ombudsman.

organisation has the meaning given by section 6C.

personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

principal executive, of an agency, has a meaning affected by section 37.

privacy code means a written code regulating acts and practices that affect privacy.

record means:

(a) a document; or

(b) a database (however kept); or

but does not include:

(d) a generally available publication; or

(e) anything kept in a library, art gallery or museum for the purposes of reference, study or exhibition; or

(f) Commonwealth records as defined by subsection 3(1) of the Archives Act 1983 that are in the open access period for the purposes of that Act; or

(fa) records (as defined in the Archives Act 1983) in the custody of the Archives (as defined in that Act) in relation to which the Archives has entered into arrangements with a person other than a Commonwealth institution (as defined in that Act) providing for the extent to which the Archives or other persons are to have access to the records; or

(g) documents placed by or on behalf of a person (other than an agency) in the memorial collection within the meaning of the Australian War Memorial Act 1980; or

(h) letters or other articles in the course of transmission by post.

registered political party means a political party registered under Part XI of the Commonwealth Electoral Act 1918.

representative complaint means a complaint where the persons on whose behalf the complaint was made include persons other than the complainant, but does not include a complaint that the Commissioner has determined should no longer be continued as a representative complaint.

Secretary means an Agency Head within the meaning of the Public Service Act 1999.

securitisation arrangement means an arrangement:

(a) involving the funding, or proposed funding, of:

(i) loans that have been, or are to be, provided by a credit provider; or

(ii) the purchase of loans by a credit provider;

by issuing instruments or entitlements to investors; and

(b) under which payments to investors in respect of such instruments or entitlements are principally derived, directly or indirectly, from such loans.

sensitive information means:

(a) information or an opinion about an individual’s:

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) membership of a professional or trade association; or

(vii) membership of a trade union; or

(viii) sexual preferences or practices; or

(ix) criminal record;

that is also personal information; or

(b) health information about an individual.

serious credit infringement means an act done by a person:

(a) that involves fraudulently obtaining credit, or attempting fraudulently to obtain credit; or

(b) that involves fraudulently evading the person’s obligations in relation to credit, or attempting fraudulently to evade those obligations; or

(c) that a reasonable person would consider indicates an intention, on the part of the first‑mentioned person, no longer to comply with the first‑mentioned person’s obligations in relation to credit.

small business has the meaning given by section 6D.

small business operator has the meaning given by section 6D.

solicit, in relation to personal information, means request a person to provide that information, or a kind of information in which that information is included.

staff of the Ombudsman means the persons appointed or employed for the purposes of section 31 of the Ombudsman Act 1976.

State includes the Australian Capital Territory and the Northern Territory.

State contract means a contract, to which a State or Territory or State or Territory authority is or was a party, under which services are to be, or were to be, provided to a State or Territory authority.

Note: See also subsection (9) about provision of services to a State or Territory authority.

State or Territory authority has the meaning given by section 6C.

subcontractor, for a government contract, means an organisation:

(a) that is or was a party to a contract (the subcontract):

(i) with a contracted service provider for the government contract (within the meaning of paragraph (a) of the definition of contracted service provider); or

(ii) with a subcontractor for the government contract (under a previous application of this definition); and

(b) that is or was responsible under the subcontract for the provision of services to an agency or a State or Territory authority, or to a contracted service provider for the government contract, for the purposes (whether direct or indirect) of the government contract.

tax file number means a tax file number as defined in Part VA of the Income Tax Assessment Act 1936.

tax file number information means information (including information forming part of a database), whether compiled lawfully or unlawfully, and whether recorded in a material form or not, that records the tax file number of a person in a manner connecting it with the person’s identity.

temporary public interest determination means a determination made under section 80A.

trade insurer means a corporation that carries on a business or undertaking (whether for profit, reward or otherwise) that involves providing insurance to credit providers in respect of commercial credit given by credit providers to other persons.

trading corporation means a trading corporation within the meaning of paragraph 51(xx) of the Constitution.

use, in relation to information, does not include mere disclosure of the information, but does include the inclusion of the information in a publication.

(1A) In order to avoid doubt, it is declared that an ACT enactment is not a Commonwealth enactment for the purposes of this Act.

(2) For the purposes of this Act, an act or practice breaches an Information Privacy Principle if, and only if, it is contrary to, or inconsistent with, that Information Privacy Principle.

(3) For the purposes of this Act, an act or practice breaches a guideline issued under section 17 if, and only if, it is contrary to, or inconsistent with, the guideline.

(3A) For the purposes of this Act, an act or practice breaches the Code of Conduct if, and only if, it is contrary to, or inconsistent with, the Code of Conduct.

(4) The definition of individual in subsection (1) shall not be taken to imply that references to persons do not include persons other than natural persons.

(5) For the purposes of this Act, a person shall not be taken to be an agency merely because the person is the holder of, or performs the duties of:

(a) a prescribed office;

(b) an office prescribed by regulations made for the purposes of subparagraph 4(3)(b)(i) of the Freedom of Information Act 1982;

(d) a judicial office or of an office of magistrate; or

(e) an office of member of a tribunal that is established by or under a law of the Commonwealth and that is prescribed for the purposes of this paragraph.

(5A) For the purposes of the definition of credit reporting business in subsection (1), information concerning commercial transactions engaged in by or on behalf of an individual is not to be taken to be information relating to an individual’s:

(a) eligibility to be provided with credit; or

(b) history in relation to credit; or

(5B) In considering whether a business or undertaking, carried on by a credit provider that is a corporation, is a credit reporting business within the meaning of this Act, the provision of information by the credit provider to corporations related to it is to be disregarded.

(5C) The regulations may provide that businesses or undertakings of a specified kind are not credit reporting businesses within the meaning of this Act.

(5D) A reference in this Act to the purchase of a loan includes a reference to the purchase of rights to receive payments under the loan.

(6) For the purposes of this Act, the Department of Defence shall be taken to include the Defence Force.

(7) Nothing in this Act prevents a complaint from:

(a) being both a file number complaint and an IPP complaint; or

(b) being both a file number complaint and a credit reporting complaint; or

(d) being both a file number complaint and an NPP complaint; or

(e) being both a code complaint and a credit reporting complaint; or

(f) being both an NPP complaint and a credit reporting complaint.

(8) For the purposes of this Act, the question whether bodies corporate are related to each other is determined in the manner in which that question is determined under the Corporations Act 2001.

(9) To avoid doubt, for the purposes of this Act, services provided to an agency or a State or Territory authority include services that consist of the provision of services to other persons in connection with the performance of the functions of the agency or State or Territory authority.

6A Breach of a National Privacy Principle

Breach if contrary to, or inconsistent with, Principle

(1) For the purposes of this Act, an act or practice breaches a National Privacy Principle if, and only if, it is contrary to, or inconsistent with, that National Privacy Principle.

No breach—contracted service provider

(2) An act or practice does not breach a National Privacy Principle if:

(a) the act is done, or the practice is engaged in:

(i) by an organisation that is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and

(ii) for the purposes of meeting (directly or indirectly) an obligation under the contract; and

(b) the act or practice is authorised by a provision of the contract that is inconsistent with the Principle.

No breach—disclosure to the Archives

(3) An act or practice does not breach a National Privacy Principle if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the Archives (as defined in that Act) to decide whether to accept, or to arrange, custody of the record.

No breach—act or practice outside Australia

(4) An act or practice does not breach a National Privacy Principle if:

(a) the act is done, or the practice is engaged in, outside Australia and the external Territories; and

(b) the act or practice is required by an applicable law of a foreign country.

Effect despite subsection (1)

(5) Subsections (2), (3) and (4) have effect despite subsection (1).

6B Breach of an approved privacy code

Breach if contrary to, or inconsistent with, code

(1) For the purposes of this Act, an act or practice breaches an approved privacy code if, and only if, it is contrary to, or inconsistent with, the code.

No breach—contracted service provider

(2) An act or practice does not breach an approved privacy code if:

(a) the act is done, or the practice is engaged in:

(i) by an organisation that is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and

(ii) for the purposes of meeting (directly or indirectly) an obligation under the contract; and

(b) the act or practice is authorised by a provision of the contract that is inconsistent with the code.

No breach—disclosure to the Archives

(3) An act or practice does not breach an approved privacy code if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the Archives (as defined in that Act) to decide whether to accept, or to arrange, custody of the record.

No breach—act or practice outside Australia

(4) An act or practice does not breach an approved privacy code if:

(a) the act is done, or the practice is engaged in, outside Australia and the external Territories; and

(b) the act or practice is required by an applicable law of a foreign country.

Effect despite subsection (1)

(5) Subsections (2), (3) and (4) have effect despite subsection (1).

6C Organisations

What is an organisation?

(1) In this Act:

organisation means:

(a) an individual; or

(b) a body corporate; or

(d) any other unincorporated association; or

(e) a trust;

that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.

Note: Regulations may prescribe an instrumentality by reference to one or more classes of instrumentality. See subsection 46(2) of the Acts Interpretation Act 1901.

Example: Regulations may prescribe an instrumentality of a State or Territory that is an incorporated company, society or association and therefore not a State or Territory authority.

Legal person treated as different organisations in different capacities

(2) A legal person can have a number of different capacities in which the person does things. In each of those capacities, the person is taken to be a different organisation.

Example: In addition to his or her personal capacity, an individual may be the trustee of one or more trusts. In his or her personal capacity, he or she is one organisation. As trustee of each trust, he or she is a different organisation.

What is a State or Territory authority?

(3) In this Act:

State or Territory authority means:

(a) a State or Territory Minister; or

(b) a Department of State of a State or Territory; or

(c) a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a law of a State or Territory, other than:

(i) an incorporated company, society or association; or

(ii) an association of employers or employees that is registered or recognised under a law of a State or Territory dealing with the resolution of industrial disputes; or

(d) a body established or appointed, otherwise than by or under a law of a State or Territory, by:

(i) a Governor of a State; or

(ii) the Australian Capital Territory Executive; or

(iii) the Administrator of the Northern Territory; or

(iv) the Administrator of Norfolk Island; or

(v) a State or Territory Minister; or

(vi) a person holding an executive office mentioned in section 12 of the Norfolk Island Act 1979; or

(e) a person holding or performing the duties of an office established by or under, or an appointment made under, a law of a State or Territory, other than the office of head of a State or Territory Department (however described); or

(f) a person holding or performing the duties of an appointment made, otherwise than under a law of a State or Territory, by:

(i) a Governor of a State; or

(ii) the Australian Capital Territory Executive; or

(iii) the Administrator of the Northern Territory; or

(iv) the Administrator of Norfolk Island; or

(v) a State or Territory Minister; or

(vi) a person holding an executive office mentioned in section 12 of the Norfolk Island Act 1979; or

(g) a State or Territory court.

Making regulations to stop instrumentalities being organisations

(4) Before the Governor‑General makes regulations prescribing an instrumentality of a State or Territory for the purposes of the definition of organisation in subsection (1), the Minister must:

(a) be satisfied that the State or Territory has requested that the instrumentality be prescribed for those purposes; and

(b) consider:

(i) whether treating the instrumentality as an organisation for the purposes of this Act adversely affects the government of the State or Territory; and

(ii) the desirability of regulating under this Act the collection, holding, use, correction, disclosure and transfer of personal information by the instrumentality; and

(iii) whether the law of the State or Territory regulates the collection, holding, use, correction, disclosure and transfer of personal information by the instrumentality to a standard that is at least equivalent to the standard that would otherwise apply to the instrumentality under this Act; and

State does not include Territory

(5) In this section:

State does not include the Australian Capital Territory or the Northern Territory (despite subsection 6(1)).

6D Small business and small business operators

What is a small business?

(1) A business is a small business at a time (the test time) in a financial year (the current year) if its annual turnover for the previous financial year is $3,000,000 or less.

Test for new business

(2) However, if there was no time in the previous financial year when the business was carried on, the business is a small business at the test time only if its annual turnover for the current year is $3,00 0,0 00 or less.

What is a small business operator?

(3) A small business operator is an individual, body corporate, partnership, unincorporated association or trust that:

(a) carries on one or more small businesses; and

(b) does not carry on a business that is not a small business.

Entities that are not small business operators

(4) However, an individual, body corporate, partnership, unincorporated association or trust is not a small business operator if he, she or it:

(a) carries on a business that has had an annual turnover of more than $3,000,000 for a financial year that has ended after the later of the following:

(i) the time he, she or it started to carry on the business;

(ii) the commencement of this section; or

(b) provides a health service to another individual and holds any health information except in an employee record; or

(d) provides a benefit, service or advantage to collect personal information about another individual from anyone else; or

(e) is a contracted service provider for a Commonwealth contract (whether or not a party to the contract).

Private affairs of small business operators who are individuals

(5) Subsection (4) does not prevent an individual from being a small business operator merely because he or she does something described in paragraph (4)(b), (c) or (d):

(a) otherwise than in the course of a business he or she carries on; and

(b) only for the purposes of, or in connection with, his or her personal, family or household affairs.

Non‑business affairs of other small business operators

(6) Subsection (4) does not prevent a body corporate, partnership, unincorporated association or trust from being a small business operator merely because it does something described in paragraph (4)(b), (c) or (d) otherwise than in the course of a business it carries on.

Disclosure compelled or made with consent

(7) Paragraph (4)(c) does not prevent an individual, body corporate, partnership, unincorporated association or trust from being a small business operator only because he, she or it discloses personal information about another individual:

(a) with the consent of the other individual; or

(b) as required or authorised by or under legislation.

Collection with consent or under legislation

(8) Paragraph (4)(d) does not prevent an individual, body corporate, partnership, unincorporated association or trust from being a small business operator only because he, she or it:

(a) collects personal information about another individual from someone else:

(i) with the consent of the other individual; or

(ii) as required or authorised by or under legislation; and

(b) provides a benefit, service or advantage to be allowed to collect the information.

Related bodies corporate

(9) Despite subsection (3), a body corporate is not a small business operator if it is related to a body corporate that carries on a business that is not a small business.

6DA What is the annual turnover of a business?

What is the annual turnover of a business for a financial year?

(1) The annual turnover of a business for a financial year is the total of the following that is earned in the year in the course of the business:

(a) the proceeds of sales of goods and/or services;

(b) commission income;

(d) rent, leasing and hiring income;

(e) government bounties and subsidies;

(f) interest, royalties and dividends;

(g) other operating income.

Note: The annual turnover for a financial year of a business carried on by an entity that does not carry on another business will often be similar to the total of the instalment income the entity notifies to the Commissioner of Taxation for the 4 quarters in the year (or for the year, if the entity pays tax in annual instalments).

(2) However, if a business has been carried on for only part of a financial year, its annual turnover for the financial year is the amount worked out using the formula:

6E Small business operator treated as organisation

Regulations treating a small business operator as an organisation

(1) This Act applies, with the prescribed modifications (if any), in relation to a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.

Note 1: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note 2: Regulations may prescribe a small business operator by reference to one or more classes of small business operator. See subsection 46(2) of the Acts Interpretation Act 1901.

Regulations treating a small business operator as an organisation for particular acts or practices

(2) This Act also applies, with the prescribed modifications (if any), in relation to the prescribed acts or practices of a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.

Note 1: The regulations may prescribe different modifications of the Act for different acts, practices or small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note 2: Regulations may prescribe an act, practice or small business operator by reference to one or more classes of acts, practices or small business operators. See subsection 46(2) of the Acts Interpretation Act 1901.

What are modifications?

(3) In this section:

modifications includes additions, omissions and substitutions.

Making regulations

(4) Before the Governor‑General makes regulations prescribing a small business operator, act or practice for the purposes of subsection (1) or (2), the Minister must:

(a) be satisfied that it is desirable in the public interest to regulate under this Act the small business operator, act or practice; and

(b) consult the Commissioner about the desirability of regulating under this Act the matters described in paragraph (a).

6EA Small business operators choosing to be treated as organisations

(1) This Act (except section 16D) applies in relation to a small business operator as if the operator were an organisation while a choice by the operator to be treated as an organisation is registered under this section.

(2) A small business operator may make a choice in writing given to the Commissioner to be treated as an organisation.

Note: A small business operator may revoke such a choice by writing given to the Commissioner. See subsection 33(3) of the Acts Interpretation Act 1901.

(3) If the Commissioner is satisfied that a small business operator has made the choice to be treated as an organisation, the Commissioner must enter in a register of operators who have made such a choice:

(a) the name or names under which the operator carries on business; and

(b) the operator’s ABN, if the operator has one under the A New Tax System (Australian Business Number) Act 1999.

(4) If a small business operator revokes a choice to be treated as an organisation, the Commissioner must remove from the register the material relating to the operator.

(5) The Commissioner may decide the form of the register and how it is to be kept.

(6) The Commissioner must make the register available to the public in the way that the Commissioner determines. However, the Commissioner must not make available to the public in the register information other than that described in subsection (3).

6F State instrumentalities etc. treated as organisations

Regulations treating a State instrumentality etc. as an organisation

(1) This Act applies, with the prescribed modifications (if any), in relation to a prescribed State or Territory authority or a prescribed instrumentality of a State or Territory (except an instrumentality that is an organisation because of section 6C) as if the authority or instrumentality were an organisation.

Note 1: The regulations may prescribe different modifications of the Act for different authorities or instrumentalities. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note 2: Regulations may prescribe an authority or instrumentality by reference to one or more classes of authority or instrumentality. See subsection 46(2) of the Acts Interpretation Act 1901.

What are modifications?

(2) In this section:

modifications includes additions, omissions and substitutions.

Making regulations to treat instrumentality etc. as organisation

(3) Before the Governor‑General makes regulations prescribing a State or Territory authority or instrumentality of a State or Territory for the purposes of subsection (1), the Minister must:

(a) be satisfied that the relevant State or Territory has requested that the authority or instrumentality be prescribed for those purposes; and

(b) consult the Commissioner about the desirability of regulating under this Act the collection, holding, use, correction, disclosure and transfer of personal information by the authority or instrumentality.

7 Acts and practices of agencies, organisations etc.

(1) Except so far as the contrary intention appears, a reference in this Act (other than section 8) to an act or to a practice is a reference to:

(a) an act done, or a practice engaged in, as the case may be, by an agency (other than an eligible case manager or an eligible hearing service provider), a file number recipient, a credit reporting agency or a credit provider other than:

(i) an agency specified in any of the following provisions of the Freedom of Information Act 1982:

(A) Schedule 1;

(B) Division 1 of Part I of Schedule 2;

(ii) a federal court;

(iii) a Minister;

(iv) the ACC; or

(v) a Royal Commission; or

(b) an act done, or a practice engaged in, as the case may be, by a federal court or by an agency specified in Schedule 1 to the Freedom of Information Act 1982, being an act done, or a practice engaged in, in respect of a matter of an administrative nature; or

(c) an act done, or a practice engaged in, as the case may be, by an agency specified in Division 1 of Part II of Schedule 2 to the Freedom of Information Act 1982, other than an act done, or a practice engaged in, in relation to a record in relation to which the agency is exempt from the operation of that Act; or

(ca) an act done, or a practice engaged in, as the case may be, by a part of the Department of Defence specified in Division 2 of Part I of Schedule 2 to the Freedom of Information Act 1982, other than an act done, or a practice engaged in, in relation to the activities of that part of the Department; or

(cb) an act done, or a practice engaged in, as the case may be, by an eligible case manager in connection with:

(i) the provision of case management services (within the meaning of the Employment Services Act 1994) to persons referred to the eligible case manager under Part 4.3 of that Act; or

(ii) the performance of functions conferred on the eligible case manager under that Act; or

(cc) an act done, or a practice engaged in, as the case may be, by an eligible hearing service provider in connection with the provision of hearing services under an agreement made under Part 3 of the Hearing Services Administration Act 1997; or

(d) an act done, or a practice engaged in, as the case may be, by a Minister in relation to the affairs of an agency (other than an eligible hearing service provider or an eligible case manager), not being an act done, or a practice engaged in, in relation to an existing record; or

(e) an act done, or a practice engaged in, as the case may be, by a Minister in relation to a record that is in the Minister’s possession in his or her capacity as a Minister and relates to the affairs of an agency (other than an eligible hearing service provider or an eligible case manager); or

(ea) an act done, or a practice engaged in, as the case may be, by a Minister in relation to the affairs of an eligible case manager, being affairs in connection with:

(i) the provision of case management services (within the meaning of the Employment Services Act 1994) to persons referred to the eligible case manager under Part 4.3 of that Act; or

(ii) the performance of functions conferred on the eligible case manager under that Act; or

(eb) an act done, or a practice engaged in, as the case may be, by a Minister in relation to a record that is in the Minister’s possession in his or her capacity as a Minister and relates to the affairs of an eligible case manager, being affairs in connection with:

(i) the provision of case management services (within the meaning of the Employment Services Act 1994) to persons referred to the eligible case manager under Part 4.3 of that Act; or

(ii) the performance of functions conferred on the eligible case manager under that Act; or

(ec) an act done, or a practice engaged in, as the case may be, by a Minister in relation to the affairs of an eligible hearing service provider, being affairs in connection with the provision of hearing services under an agreement made under Part 3 of the Hearing Services Administration Act 1997; or

(ed) an act done, or a practice engaged in, as the case may be, by a Minister in relation to a record that is in the Minister’s possession in his or her capacity as a Minister and relates to the affairs of an eligible hearing service provider, being affairs in connection with the provision of hearing services under an agreement made under Part 3 of the Hearing Services Administration Act 1997; or

(ee) an act done, or a practice engaged in, by an organisation, other than an exempt act or exempt practice (see sections 7B and 7C);

but does not include a reference to an act done, or a practice engaged in, in relation to a record that has originated with, or has been received from:

(f) an intelligence agency;

(g) the Defence Intelligence Organisation, the Defence Imagery and Geospatial Organisation or the Defence Signals Directorate of the Department of Defence; or

(h) the ACC or the Board of the ACC.

(1A) Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice so far as it involves the disclosure of personal information to:

(a) the Australian Security Intelligence Organisation; or

(b) the Australian Secret Intelligence Service; or

(2) Except so far as the contrary intention appears, a reference in this Act (other than section 8) to an act or to a practice includes, in the application of this Act otherwise than in respect of the Information Privacy Principles, the National Privacy Principles, an approved privacy code and the performance of the Commissioner’s functions under section 27, a reference to an act done, or a practice engaged in, as the case may be, by an agency specified in Part I of Schedule 2 to the Freedom of Information Act 1982 or in Division 1 of Part II of that Schedule other than:

(a) an intelligence agency;

(b) the Defence Intelligence Organisation, the Defence Imagery and Geospatial Organisation or the Defence Signals Directorate of the Department of Defence; or

(3) Except so far as the contrary intention appears, a reference in this Act to doing an act includes a reference to:

(a) doing an act in accordance with a practice; or

(b) refusing or failing to do an act.

(3A) For the purposes of this Act, an act is only to be taken to have been done, and a practice is only to be taken to have been engaged in, by a credit provider that is not a corporation if the act is done, or the practice is engaged in, in the course of, or for the purposes of, banking (other than State banking not extending beyond the limits of the State concerned) carried on by the credit provider.

(4) For the purposes of paragraphs 27(1)(b), (c), (d), (e), (g), (k) and (m), of subsection 31(2) and of Part VI, this section has effect as if a reference in subsection (1) of this section to an act done, or to a practice engaged in, included a reference to an act that is proposed to be done, or to a practice that is proposed to be engaged in, as the case may be.

7A Acts of certain agencies treated as acts of organisation

(1) This Act applies, with the prescribed modifications (if any), in relation to an act or practice described in subsection (2) or (3) as if:

(a) the act or practice were an act done, or practice engaged in, by an organisation; and

(b) the agency mentioned in that subsection were the organisation.

(2) Subsection (1) applies to acts done, and practices engaged in, by a prescribed agency. Regulations for this purpose may prescribe an agency only if it is specified in Part I of Schedule 2 to the Freedom of Information Act 1982.

(3) Subsection (1) also applies to acts and practices that:

(a) are done or engaged in by an agency specified in Division 1 of Part II of Schedule 2 to the Freedom of Information Act 1982 in relation to documents in respect of its commercial activities or the commercial activities of another entity; and

(b) relate to those commercial activities.

(4) This section has effect despite subparagraph 7(1)(a)(i), paragraph 7(1)(c) and subsection 7(2).

(5) In this section:

modifications includes additions, omissions and substitutions.

7B Exempt acts and exempt practices of organisations

Individuals in non‑business capacity

(1) An act done, or practice engaged in, by an organisation that is an individual is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, other than in the course of a business carried on by the individual.

Note: See also section 16E which provides that the National Privacy Principles do not apply for the purposes of, or in connection with, an individual’s personal, family or household affairs.

Organisation acting under Commonwealth contract

(2) An act done, or practice engaged in, by an organisation is exempt for the purposes of paragraph 7(1)(ee) if:

(a) the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and

(b) the organisation would be a small business operator if it were not a contracted service provider for a Commonwealth contract; and

(c) the act is done, or the practice is engaged in, otherwise than for the purposes of meeting (directly or indirectly) an obligation under a Commonwealth contract for which the organisation is the contracted service provider.

Note: This puts the organisation in the same position as a small business operator as far as its activities that are not for the purposes of a Commonwealth contract are concerned, so the organisation need not comply with the National Privacy Principles or a binding approved privacy code in relation to those activities.

Employee records

(3) An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:

(a) a current or former employment relationship between the employer and the individual; and

(b) an employee record held by the organisation and relating to the individual.

Journalism

(4) An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in:

(a) by the organisation in the course of journalism; and

(b) at a time when the organisation is publicly committed to observe standards that:

(i) deal with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters); and

(ii) have been published in writing by the organisation or a person or body representing a class of media organisations.

Organisation acting under State contract

(5) An act done, or practice engaged in, by an organisation is exempt for the purposes of paragraph 7(1)(ee) if:

(a) the organisation is a contracted service provider for a State contract (whether or not the organisation is a party to the contract); and

(b) the act is done, or the practice is engaged in for the purposes of meeting (directly or indirectly) an obligation under the contract.

7C Political acts and practices are exempt

Members of a Parliament etc.

(1) An act done, or practice engaged in, by an organisation (the political representative) consisting of a member of a Parliament, or a councillor (however described) of a local government authority, is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, for any purpose in connection with:

(a) an election under an electoral law; or

(b) a referendum under a law of the Commonwealth or a law of a State or Territory; or

Contractors for political representatives etc.

(2) An act done, or practice engaged in, by an organisation (the contractor) is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in:

(a) for the purposes of meeting an obligation under a contract between the contractor and a registered political party or a political representative described in subsection (1); and

(b) for any purpose in connection with one or more of the following:

(i) an election under an electoral law;

(ii) a referendum under a law of the Commonwealth or a law of a State or Territory;

(iii) the participation in another aspect of the political process by the registered political party or political representative;

(iv) facilitating acts or practices of the registered political party or political representative for a purpose mentioned in subparagraph (i), (ii) or (iii) of this paragraph.

Subcontractors for organisations covered by subsection (1) etc.

(3) An act done, or practice engaged in, by an organisation (the subcontractor) is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in:

(a) for the purposes of meeting an obligation under a contract between the subcontractor and a contractor described in subsection (2); and

(b) for a purpose described in paragraph (2)(b).

Volunteers for registered political parties

(4) An act done voluntarily, or practice engaged in voluntarily, by an organisation for or on behalf of a registered political party and with the authority of the party is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in for any purpose in connection with one or more of the following:

(a) an election under an electoral law;

(b) a referendum under a law of the Commonwealth or a law of a State or Territory;

(d) facilitating acts or practices of the registered political party for a purpose mentioned in paragraph (a), (b) or (c).

Effect of subsection (4) on other operation of Act

(5) Subsection (4) does not otherwise affect the operation of the Act in relation to agents or principals.

Meaning of electoral law and Parliament

(6) In this section:

electoral law means a law of the Commonwealth, or a law of a State or Territory, relating to elections to a Parliament or to a local government authority.

Parliament means:

(a) the Parliament of the Commonwealth; or

(b) a State Parliament; or

Note: To avoid doubt, this section does not make exempt for the purposes of paragraph 7(1)(ee) an act or practice of the political representative, contractor, subcontractor or volunteer for a registered political party involving the use or disclosure (by way of sale or otherwise) of personal information in a way not covered by subsection (1), (2), (3) or (4) (as appropriate). The rest of this Act operates normally in relation to that act or practice.

8 Acts and practices of, and disclosure of information to, staff of agency, organisation etc.

(1) For the purposes of this Act:

(a) an act done or practice engaged in by, or information disclosed to, a person employed by, or in the service of, an agency, organisation, file number recipient, credit reporting agency or credit provider in the performance of the duties of the person’s employment shall be treated as having been done or engaged in by, or disclosed to, the agency, organisation, recipient, credit reporting agency or credit provider;

(b) an act done or practice engaged in by, or information disclosed to, a person on behalf of, or for the purposes of the activities of, an unincorporated body, being a board, council, committee, sub‑committee or other body established by or under a Commonwealth enactment for the purpose of assisting, or performing functions in connection with, an agency or organisation, shall be treated as having been done or engaged in by, or disclosed to, the agency or organisation; and

(c) an act done or practice engaged in by, or information disclosed to, a member, staff member or special member of the Australian Federal Police in the performance of his or her duties as such a member, staff member or special member shall be treated as having been done or engaged in by, or disclosed to, the Australian Federal Police.

(2) Where:

(a) an act done or a practice engaged in by a person, in relation to a record, is to be treated, under subsection (1), as having been done or engaged in by an agency; and

(b) that agency is not the record‑keeper in relation to that record;

that act or practice shall be treated as the act or the practice of the record‑keeper in relation to that record.

(3) For the purposes of the application of this Act in relation to an organisation that is a partnership:

(a) an act done or practice engaged in by a partner is taken to have been done or engaged in by the organisation; and

(b) a communication (including a complaint, notice, request or disclosure of information) made to a partner is taken to have been made to the organisation.

(4) For the purposes of the application of this Act in relation to an organisation that is an unincorporated association:

(a) an act done or practice engaged in by a member of the committee of management of the association is taken to have been done or engaged in by the organisation; and

(b) a communication (including a complaint, notice, request or disclosure of information) made to a member of the committee of management of the association is taken to have been made to the organisation.

(5) For the purposes of the application of this Act in relation to an organisation that is a trust:

(a) an act done or practice engaged in by a trustee is taken to have been done or engaged in by the organisation; and

(b) a communication (including a complaint, notice or request or disclosure of information) made to a trustee is taken to have been made to the organisation.

9 Collectors

(1) An agency that collects personal information shall be treated, for the purposes of this Act, as a collector in relation to that information.

(2) Subject to subsection (3), where personal information is collected by a person:

(a) in the course of the person’s employment by, or in the service of, an agency other than the Australian Federal Police; or

(b) as a member, staff member or special member of the Australian Federal Police in the performance of his or her duties as such a member, staff member or special member;

then, for the purposes of this Act:

(d) if paragraph (b) applies—the Australian Federal Police;

shall be treated as a collector in relation to that information.

(3) Where personal information is collected by a person for the purposes of the activities of, an unincorporated body, being a board, council, committee, sub‑committee or other body established by or under a Commonwealth enactment for the purpose of assisting, or performing functions connected with, an agency, that agency shall be treated, for the purposes of this Act, as a collector in relation to that information.

10 Record‑keepers

(1) Subject to subsections (4) and (5), an agency that is in possession or control of a record of personal information shall be regarded, for the purposes of this Act, as the record‑keeper in relation to that record.

(2) Subject to subsections (3), (4) and (5), where a record of personal information is in the possession or under the control of a person:

(a) in the course of the person’s employment in the service of or by an agency other than the Australian Federal Police; or

(b) as a member, staff member or special member of the Australian Federal Police in the performance of his or her duties as such a member, staff member or special member;

then, for the purposes of this Act, the record‑keeper in relation to that record shall be taken to be:

(d) if paragraph (b) applies—the Australian Federal Police.

(3) Where a record of personal information is in the possession or under the control of a person for the purposes of the activities of, an unincorporated body, being a board, council, committee, sub‑committee or other body established by or under a Commonwealth enactment for the purpose of assisting, or performing functions connected with, an agency, that agency shall be regarded, for the purposes of this Act, as the record‑keeper in relation to that record.

(4) Where:

(a) a record of personal information (not being a record relating to the administration of the Australian Archives) is in the custody of the Australian Archives; or

(b) a record of personal information (not being a record relating to the administration of the Australian War Memorial) is in the custody of the Australian War Memorial;

the agency by or on behalf of which the record was placed in that custody or, if that agency no longer exists, the agency to whose functions the contents of the record are most closely related, shall be regarded, for the purposes of this Act, as the record‑keeper in relation to that record.

(5) Where a record of personal information was placed by or on behalf of an agency in the memorial collection within the meaning of the Australian War Memorial Act 1980, that agency or, if that agency no longer exists, the agency to whose functions the contents of the record are most closely related, shall be regarded, for the purposes of this Act, as the record‑keeper in relation to that record.

11 File number recipients

(1) A person who is (whether lawfully or unlawfully) in possession or control of a record that contains tax file number information shall be regarded, for the purposes of this Act, as a file number recipient.

(2) Subject to subsection (3), where a record that contains tax file number information is in the possession or under the control of a person:

(a) in the course of the person’s employment in the service of or by a person or body other than an agency;

(b) in the course of the person’s employment in the service of or by an agency other than the Australian Federal Police; or

(c) as a member, staff member or special member of the Australian Federal Police in the performance of his or her duties as such a member, staff member or special member;

then, for the purposes of this Act, the file number recipient in relation to that record shall be taken to be:

(d) if paragraph (a) applies—the person’s employer;

(e) if paragraph (b) applies—the agency first referred to in that paragraph; and

(f) if paragraph (c) applies—the Australian Federal Police.

(3) Where a record that contains tax file number information is in the possession or under the control of a person for the purposes of the activities of, an unincorporated body, being a board, council, committee, sub‑committee or other body established by or under a Commonwealth enactment for the purpose of assisting, or performing functions connected with, an agency, that agency shall be treated, for the purposes of this Act, as the file number recipient in relation to that record.

11A Credit reporting agencies

For the purposes of this Act, a person is a credit reporting agency if the person is a corporation that carries on a credit reporting business.

11B Credit providers

(1) For the purposes of this Act, but subject to subsection (2), a person is a credit provider if the person is:

(a) a bank; or

(b) a corporation (other than an agency):

(iii) a substantial part of whose business or undertaking is the provision of loans (including the provision of loans by issuing credit cards); or

(iv) that carries on a retail business in the course of which it issues credit cards to members of the public in connection with the sale of goods, or the supply of services, by the corporation; or

(v) that:

(A) carries on a business or undertaking involving the provision of loans (including the provision of loans by issuing credit cards); and

(B) is included in a class of corporations determined by the Commissioner to be credit providers for the purposes of this Act; or

(i) who is not a corporation; and

(ii) in relation to whom paragraph (b) would apply if the person were a corporation; or

(d) an agency that:

(i) carries on a business or undertaking that involves the making of loans; and

(ii) is determined by the Commissioner to be a credit provider for the purposes of this Act.

(1A) If an agency is a credit provider because of paragraph (1)(d), Part IIIA has effect in relation to the carrying on by the agency of a business or undertaking involving the making of loans despite anything in Part III or in the Freedom of Information Act 1982.

(2) For the purposes of this Act, a corporation that would, but for this section, be a credit provider is not to be regarded as a credit provider if it is included in a class of corporations declared by the regulations not to be credit providers.

(3) A determination under sub-subparagraph (1)(b)(v)(B) or subparagraph (1)(d)(ii) is to be made by notice in writing published in the Gazette.

(4) A notice so published is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

(4A) Subsection (4B) applies to a person who carries on a business that is involved in one or both of the following:

(a) a securitisation arrangement;

(b) managing loans that are the subject of a securitisation arrangement.

(4B) While a person to whom this subsection applies is performing a task that is reasonably necessary for purchasing, funding or managing, or processing an application for, a loan by means of a securitisation arrangement (being a loan that has been provided by, or in respect of which application has been made to, a credit provider):

(a) the person:

(i) is taken, for the purposes of this Act, to be another credit provider; and

(ii) is subject to the same obligations under this Act as any other credit provider; and

(b) for the purposes of this Act, the loan is taken to have been provided by, or the application for the loan is taken to have been made to, both the person and the first‑mentioned credit provider.

(4C) Nothing in this Act prevents a report (within the meaning of subsection 18N(9)) to which section 18N applies being disclosed if:

(a) the disclosure is reasonably necessary for purchasing, funding or managing, or processing an application for, a loan by means of a securitisation arrangement (being a loan that has been provided by, or in respect of which an application has been made to, a credit provider); and

(b) the disclosure takes place between a person to whom subsection (4B) applies in relation to that loan and:

(i) the credit provider; or

(ii) another person to whom that subsection applies in relation to that loan.

(4D) A reference in subsection (4B) or (4C) to purchasing or funding a loan by means of a securitisation arrangement includes a reference to credit enhancement of the loan.

(4E) A reference in subsection (4B) or (4C) to managing a loan does not include a reference to an act relating to the collection of overdue payments in respect of the loan if the act is undertaken by a person whose primary function in relation to the loan is the collection of overdue payments.

(5) Subject to subsection (6), while a person is acting as an agent of a credit provider in performing, on behalf of the credit provider, a task that is necessary:

(a) in processing an application for a loan; or

(b) in managing:

(i) a loan given by the credit provider; or

(ii) an account maintained by any person with the credit provider;

the first‑mentioned person:

(d) is subject to the same obligations under this Act as any other credit provider.

(6) Nothing in this Act prevents such an agent of a credit provider disclosing to the credit provider, in the agent’s capacity as such an agent, a report (within the meaning of subsection 18N(9)) to which section 18N applies.

(7) The reference in subsection (5) to the management of a loan does not include a reference to any act relating to the collection of payments that are overdue in respect of the loan.

12 Application of Information Privacy Principles to agency in possession

For the purposes of this Act, where an agency has possession but not control of a record of personal information, the Information Privacy Principles apply in relation to that agency to the extent only of the obligations or duties to which that agency is subject, otherwise than by virtue of the operation of this Act, because it is in possession of that particular record.

12A Act not to apply in relation to State banking or insurance within that State

Where, but for this section, a provision of this Act:

(a) would have a particular application; and

(b) by virtue of having that application, would be a law with respect to, or with respect to matters including:

(i) State banking not extending beyond the limits of the State concerned; or

(ii) State insurance not extending beyond the limits of the State concerned;

the provision is not to have that application.

12B Severability: additional effect of Act in relation to organisations

(1) Without limiting its effect apart from each of the following subsections of this section, this Act also has effect in relation to organisations as provided by that subsection.

(2) This Act also has the effect it would have if its operation in relation to organisations were expressly confined to an operation to give effect to the International Covenant on Civil and Political Rights, and in particular Article 17 of the Covenant.

Note: The text of the International Covenant on Civil and Political Rights is set out in Australian Treaty Series 1980 No. 23. In 2000, this was available in the Australian Treaties Library of the Department of Foreign Affairs and Trade, accessible on the Internet through that Department’s world‑wide web site.

(3) This Act also has the effect it would have if its operation in relation to organisations were expressly confined to acts or practices covered by subsection 5B(1) (which deals with acts and practices outside Australia and the external Territories by organisations).

(4) This Act also has the effect it would have if its operation in relation to organisations were expressly confined to organisations that are corporations.

(5) This Act also has the effect it would have if its operation in relation to organisations were expressly confined to acts or practices of organisations taking place in the course of, or in relation to, trade or commerce:

(a) between Australia and places outside Australia; or

(b) among the States; or

(6) This Act also has the effect it would have if its operation in relation to organisations were expressly confined to acts or practices of organisations taking place using a postal, telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution.

(7) This Act also has the effect it would have if its operation in relation to organisations were expressly confined to acts or practices of organisations taking place in a Territory.

(8) This Act also has the effect it would have if its operation in relation to organisations were expressly confined to acts or practices of organisations taking place in a place acquired by the Commonwealth for public purposes.

Part III—Information privacy

Division 1—Interferences with privacy

13 Interferences with privacy

For the purposes of this Act, an act or practice is an interference with the privacy of an individual if the act or practice:

(a) in the case of an act or practice engaged in by an agency (whether or not the agency is also a file number recipient, credit reporting agency or credit provider)—breaches an Information Privacy Principle in relation to personal information that relates to the individual;

(b) in the case of an act or practice engaged in by a file number recipient (whether or not the file number recipient is also an agency, organisation, credit reporting agency or credit provider)—breaches a guideline under section 17 in relation to tax file number information that relates to the individual;

(ba) constitutes a breach of Part 2 of the Data‑matching Program (Assistance and Tax) Act 1990 or the guidelines in force under that Act;

(bb) constitutes a breach of the guidelines in force under section 135AA of the National Health Act 1953;

(d) in the case of an act or practice engaged in by a credit reporting agency or credit provider (whether or not the credit reporting agency or credit provider is also an agency, organisation or file number recipient)—constitutes a credit reporting infringement in relation to personal information that relates to the individual.

13A Interferences with privacy by organisations

General rule

(1) For the purposes of this Act, an act or practice of an organisation is an interference with the privacy of an individual if:

(a) the act or practice breaches an approved privacy code that binds the organisation in relation to personal information that relates to the individual; or

(b) both of the following apply:

(i) the act or practice breaches a National Privacy Principle in relation to personal information that relates to the individual;

(ii) the organisation is not bound by an approved privacy code in relation to the personal information; or

(i) the act or practice relates to personal information that relates to the individual;

(ii) the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract);

(iii) because of a provision of the contract that is inconsistent with an approved privacy code or a National Privacy Principle that applies to the organisation in relation to the personal information, the act or practice does not breach the code or Principle (see subsections 6A(2) and 6B(2));

(iv) the act is done, or the practice is engaged in, in a manner contrary to, or inconsistent with, that provision; or

(d) the act or practice involves the organisation in a contravention of section 16F (which limits direct marketing using information collected under a Commonwealth contract) involving personal information that relates to the individual.

Note: Sections 13B, 13C and 13D contain exceptions to this rule.

Rule applies even if other rules also apply

(2) It does not matter whether the organisation is also a credit reporting agency, a credit provider or a file number recipient.

13B Related bodies corporate

Acts or practices that are not interferences with privacy

(1) Despite paragraphs 13A(1)(a) and (b), each of the following acts or practices of an organisation that is a body corporate is not an interference with the privacy of an individual:

(a) the collection of personal information (other than sensitive information) about the individual by the body corporate from a related body corporate;

(b) the disclosure of personal information (other than sensitive information) about the individual by the body corporate to a related body corporate.

Note: Subsection (1) lets related bodies corporate share personal information. However, in using or holding the information, they must comply with the National Privacy Principles or a binding approved privacy code. For example, there is an interference with privacy if:

(a) a body corporate uses personal information it has collected from a related body corporate; and

(b) the use breaches National Privacy Principle 2 (noting that the collecting body’s primary purpose of collection will be taken to be the same as that of the related body) or a corresponding provision in a binding approved privacy code.

(1A) However, paragraph (1)(a) does not apply to the collection by a body corporate of personal information (other than sensitive information) from:

(a) a related body corporate that is not an organisation; or

(b) a related body corporate whose disclosure of the information to the body corporate is an exempt act or exempt practice for the purposes of paragraph 7(1)(ee); or

(c) a related body corporate whose disclosure of the information to the body corporate is not an interference with privacy because of section 13D.

Note: The effect of subsection (1A) is that a body corporate’s failure to comply with the National Privacy Principles, or a binding approved privacy code, in collecting personal information about an individual from a related body corporate covered by that subsection is an interference with the privacy of the individual.

Relationship with paragraphs 13A(1)(c) and (d)

(2) Subsection (1) does not prevent an act or practice of an organisation from being an interference with the privacy of an individual under paragraph 13A(1)(c) or (d).

13C Change in partnership because of change in partners

Acts or practices that are not interferences with privacy

(1) If:

(a) an organisation (the new partnership) that is a partnership forms at the same time as, or immediately after, the dissolution of another partnership (the old partnership); and

(b) at least one person who was a partner in the old partnership is a partner in the new partnership; and

(c) the new partnership carries on a business that is the same as, or similar to, a business carried on by the old partnership; and

(d) the new partnership holds, immediately after its formation, personal information about an individual that the old partnership held immediately before its dissolution;

neither the disclosure (if any) by the old partnership, nor the collection (if any) by the new partnership, of the information that was necessary for the new partnership to hold the information immediately after its formation constitutes an interference with the privacy of the individual.

Note: Subsection (1) lets personal information be passed on from an old to a new partnership. However, in using or holding the information, they must comply with the National Privacy Principles or a binding approved privacy code. For example, the new partnership’s use of personal information collected from the old partnership may constitute an interference with privacy if it breaches National Privacy Principle 2 or a corresponding provision in a binding approved privacy code.

Effect despite section 13A

(2) Subsection (1) has effect despite section 13A.

13D Overseas act required by foreign law

Acts or practices that are not interferences with privacy

(1) An act or practice of an organisation done or engaged in outside Australia and an external Territory is not an interference with the privacy of an individual if the act or practice is required by an applicable law of a foreign country.

Effect despite section 13A

(2) Subsection (1) has effect despite section 13A.

13E Effect on section 13 of sections 13B, 13C and 13D

Sections 13B, 13C and 13D do not prevent an act or practice of an organisation from being an interference with the privacy of an individual under section 13.

13F Act or practice not covered by section 13 or section 13A is not an interference with privacy

An act or practice that is not covered by section 13 or section 13A is not an interference with the privacy of an individual.

Division 2—Information Privacy Principles

14 Information Privacy Principles

The Information Privacy Principles are as follows:

Information Privacy Principles

Principle 1

Manner and purpose of collection of personal information

1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:

(a) the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and

(b) the collection of the information is necessary for or directly related to that purpose.

2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2

Solicitation of personal information from individual concerned

Where:

(a) a collector collects personal information for inclusion in a record or in a generally available publication; and

(b) the information is solicited by the collector from the individual concerned;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

(d) if the collection of the information is authorised or required by or under law—the fact that the collection of the information is so authorised or required; and

(e) any person to whom, or any body or agency to which, it is the collector’s usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first‑mentioned person, body or agency to pass on that information.

Principle 3

Solicitation of personal information generally

Where:

(a) a collector collects personal information for inclusion in a record or in a generally available publication; and

(b) the information is solicited by the collector;

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

(d) the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 4

Storage and security of personal information

A record‑keeper who has possession or control of a record that contains personal information shall ensure:

(a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and

(b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record‑keeper, everything reasonably within the power of the record‑keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 5

Information relating to records kept by record‑keeper

1. A record‑keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:

(a) whether the record‑keeper has possession or control of any records that contain personal information; and

(b) if the record‑keeper has possession or control of a record that contains such information:

(i) the nature of that information;

(ii) the main purposes for which that information is used; and

(iii) the steps that the person should take if the person wishes to obtain access to the record.

2. A record‑keeper is not required under clause 1 of this Principle to give a person information if the record‑keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

3. A record‑keeper shall maintain a record setting out:

(a) the nature of the records of personal information kept by or on behalf of the record‑keeper;

(b) the purpose for which each type of record is kept;

(d) the period for which each type of record is kept;

(e) the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and

(f) the steps that should be taken by persons wishing to obtain access to that information.

4. A record‑keeper shall:

(a) make the record maintained under clause 3 of this Principle available for inspection by members of the public; and

(b) give the Commissioner, in the month of June in each year, a copy of the record so maintained.

Principle 6

Access to records containing personal information

Where a record‑keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record‑keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Principle 7

Alteration of records containing personal information

1. A record‑keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:

(a) is accurate; and

(b) is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.

2. The obligation imposed on a record‑keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.

3. Where:

(a) the record‑keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and

(b) no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

the record‑keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Principle 8

Record‑keeper to check accuracy etc. of personal information before use

A record‑keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

Principle 9

Personal information to be used only for relevant purposes

A record‑keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Principle 10

Limits on use of personal information

1. A record‑keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:

(a) the individual concerned has consented to use of the information for that other purpose;

(b) the record‑keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person;

(d) use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or

(e) the purpose for which the information is used is directly related to the purpose for which the information was obtained.

2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record‑keeper shall include in the record containing that information a note of that use.

Principle 11

Limits on disclosure of personal information

1. A record‑keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:

(a) the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency;

(b) the individual concerned has consented to the disclosure;

(c) the record‑keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

(d) the disclosure is required or authorised by or under law; or

(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record‑keeper shall include in the record containing that information a note of the disclosure.

3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.

15 Application of Information Privacy Principles

(1) Information Privacy Principles 1, 2, 3, 10 and 11 apply only in relation to information collected after the commencement of this Act.

(2) Information Privacy Principles 4 to 9, inclusive, apply in relation to information contained in a record in the possession or under the control of an agency, whether the information was collected before, or is collected after, the commencement of this Act.

16 Agencies to comply with Information Privacy Principles

An agency shall not do an act, or engage in a practice, that breaches an Information Privacy Principle.

Division 3—Approved privacy codes and the National Privacy Principles

16A Organisations to comply with approved privacy codes or National Privacy Principles

(1) An organisation must not do an act, or engage in a practice, that breaches an approved privacy code that binds the organisation.

(2) To the extent (if any) that an organisation is not bound by an approved privacy code, the organisation must not do an act, or engage in a practice, that breaches a National Privacy Principle.

(3) This section, approved privacy codes and the National Privacy Principles have effect in addition to sections 18 and 18A and Part IIIA, and do not derogate from them.

(4) To avoid doubt, an act done, or practice engaged in, by an organisation without breaching an approved privacy code or the National Privacy Principles is not authorised by law (or by this Act) for the purposes of Part IIIA merely because it does not breach the code or the Principles.

Note: If an act or practice is otherwise authorised by law, exceptions to the prohibitions in the National Privacy Principles and Part IIIA may mean that the act or practice does not breach the Principles or certain provisions of that Part.

16B Personal information in records

(1) This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to the collection of personal information by an organisation only if the information is collected for inclusion in a record or a generally available publication.

(2) This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to personal information that has been collected by an organisation only if the information is held by the organisation in a record.

16C Application of National Privacy Principles

(1) National Privacy Principles 1, 3 (so far as it relates to collection of personal information) and 10 apply only in relation to the collection of personal information after the commencement of this section.

(1A) National Privacy Principle 2 applies only in relation to personal information collected after the commencement of this section.

(2) National Privacy Principles 3 (so far as it relates to personal information used or disclosed), 4, 5, 7 and 9 apply in relation to personal information held by an organisation regardless of whether the organisation holds the personal information as a result of collection occurring before or after the commencement of this section.

(3) National Privacy Principle 6 applies in relation to personal information collected after the commencement of this section. That Principle also applies to personal information collected by an organisation before that commencement and used or disclosed by the organisation after that commencement, except to the extent that compliance by the organisation with the Principle in relation to the information would:

(a) place an unreasonable administrative burden on the organisation; or

(b) cause the organisation unreasonable expense.

(4) National Privacy Principle 8 applies only to transactions entered into after the commencement of this section.

16D Delayed application of National Privacy Principles to small business

(1) This section deals with the application of the National Privacy Principles to an organisation that carries on one or more small businesses throughout the delayed application period for the organisation. This section has effect despite section 16C.

(2) National Privacy Principles 1, 3 (so far as it relates to collection of personal information) and 10 apply only in relation to the collection of personal information by the organisation after the delayed application period.

(3) National Privacy Principles 3 (so far as it relates to personal information used or disclosed), 4, 5, 7 and 9 apply in relation to the organisation only after the delayed application period. Those Principles then apply in relation to personal information held by the organisation as a result of collection occurring before, during or after that period.

(4) National Privacy Principles 2 and 6 apply only in relation to personal information collected by the organisation after the delayed application period.

(5) National Privacy Principle 8 applies only to transactions entered into with the organisation after the delayed application period.

(6) In this section:

delayed application period, for an organisation, means the period:

(a) starting at the later of the following times:

(i) the start of the day when this section commences;

(ii) when the organisation became an organisation; and

(b) ending at the earlier of the following times:

(i) immediately before the first anniversary of the day when this section commences;

(ii) when the organisation carries on either a business that is not a small business or a business that involves the provision of health services.

16E Personal, family or household affairs

Nothing in the National Privacy Principles applies to:

(a) the collection, holding, use, disclosure or transfer of personal information by an individual; or

(b) personal information held by an individual;

only for the purposes of, or in connection with, his or her personal, family or household affairs.

16F Information under Commonwealth contract not to be used for direct marketing

(1) This section limits the use and disclosure of personal information collected:

(a) for the purpose of meeting (directly or indirectly) an obligation under a Commonwealth contract; and

(b) by an organisation that is a contracted service provider for the contract.

Note: An organisation may be a contracted service provider for a Commonwealth contract whether or not the organisation is a party to the contract.

(2) An organisation that is a contracted service provider for the contract must not use or disclose the personal information for direct marketing, unless the use or disclosure is necessary to meet (directly or indirectly) an obligation under the contract.

(3) Subsection (2) has effect despite:

(a) an approved privacy code (if any) binding the organisation in relation to the personal information; and

(b) the National Privacy Principles.

Division 4—Tax file number information

17 Guidelines relating to tax file number information

(1) The Commissioner shall, by notice in writing, issue guidelines concerning the collection, storage, use and security of tax file number information.

(2) A guideline issued under subsection (1) is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

(3) In its application under subsection (2) of this section, section 48 of the Acts Interpretation Act 1901 applies to guidelines issued under subsection (1) as if paragraph (1)(b) of section 48 were omitted and the following paragraph substituted:

“(b) shall, subject to this section, take effect:

(i) on the first day on which the guidelines are no longer liable to be disallowed, or to be deemed to be disallowed, under this section; or

(ii) if the guidelines make provision for their commencement after the day referred to in subparagraph (i), in accordance with that provision; and”.

(4) Until the first guidelines take effect for the purposes of subsection (1), the interim guidelines set out in Schedule 2 have effect, for the purposes of any provision of this Act other than subsection (1), (2) or (3), as if they were guidelines issued under subsection (1).

18 File number recipients to comply with guidelines

A file number recipient shall not do an act, or engage in a practice, that breaches a guideline issued under section 17.

Division 5—Credit information

18A Code of Conduct relating to credit information files and credit reports

(1) The Commissioner must, by notice published in the Gazette, issue a Code of Conduct concerning:

(a) the collection of personal information for inclusion in individuals’ credit information files; and

(b) the storage of, security of, access to, correction of, use of and disclosure of personal information included in individuals’ credit information files or in credit reports; and

(c) the manner in which credit reporting agencies and credit providers are to handle disputes relating to credit reporting; and

(d) any other activities, engaged in by credit reporting agencies or credit providers, that are connected with credit reporting.

(2) Before issuing the Code of Conduct, the Commissioner must, to the extent that it is appropriate and practicable to do so, consult with government, commercial, consumer and other relevant bodies and organisations.

(3) In preparing the Code of Conduct, the Commissioner must have regard to:

(a) the Information Privacy Principles and the provisions of Part IIIA; and

(aa) the National Privacy Principles and the provisions of Part IIIAA; and

(b) the likely costs to credit reporting agencies and credit providers of complying with the Code of Conduct.

(4) The Code of Conduct is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

18B Credit reporting agencies and credit providers to comply with Code of Conduct

A credit reporting agency or credit provider must not do an act, or engage in a practice, that breaches the Code of Conduct.

Part IIIAA—Privacy codes

18BA Application for approval of privacy code

An organisation may apply in writing to the Commissioner for approval of a privacy code.

18BAA Privacy codes may cover exempt acts or practices

(1) Despite paragraph 7(1)(ee), a privacy code may be approved even if it covers exempt acts or practices.

(2) If an approved privacy code covers exempt acts or practices, this Act applies in relation to the code as if those acts or practices were not exempt acts or practices.

Note: Because of subsection (2), if an approved privacy code covers an act or practice that would usually be exempt:

(a) the act or practice, if done or engaged in by an organisation bound by the code, may constitute an interference with the privacy of an individual as defined in section 13A; and

(b) section 16A obliges an organisation bound by the code not to breach the code by doing or engaging in the act or practice; and

(c) the act or practice, if done or engaged in by an organisation bound by the code, may be the subject of a complaint and investigation under Part V.

18BB Commissioner may approve privacy code

(1) Before deciding whether to approve a privacy code, the Commissioner may consult any person the Commissioner considers appropriate.

(2) The Commissioner may approve a privacy code if, and only if, the Commissioner is satisfied:

(a) that the code incorporates all the National Privacy Principles or sets out obligations that, overall, are at least the equivalent of all the obligations set out in those Principles; and

(b) that the code specifies the organisations bound by the code or a way of determining the organisations that are, or will be, bound by the code; and

(d) that the code sets out a procedure by which an organisation may cease to be bound by the code and when the cessation takes effect; and

(e) of the matters mentioned in subsection (3), if the code sets out procedures for making and dealing with complaints in relation to acts or practices of an organisation bound by the code that may be an interference with the privacy of an individual; and

(f) that members of the public have been given an adequate opportunity to comment on a draft of the code.

(3) If the code sets out procedures for making and dealing with complaints, the Commissioner must be satisfied that:

(a) the procedures meet:

(i) the prescribed standards; and

(ii) the Commissioner’s guidelines (if any) in relation to making and dealing with complaints; and

(b) the code provides for the appointment of an independent adjudicator to whom complaints may be made; and

(c) the code provides that, in performing his or her functions, and exercising his or her powers, under the code, an adjudicator for the code must have due regard to the matters that paragraph 29(a) requires the Commissioner to have due regard to; and

(d) the determinations, findings, declarations, orders and directions that the adjudicator may make under the code after investigating a complaint are the same as those that the Commissioner may make under section 52 after investigating a complaint under this Act; and

(e) the code obliges an organisation bound by the code not to repeat or continue conduct of the organisation declared by the adjudicator (after investigating a complaint) to constitute an interference with the privacy of the complainant; and

(f) the code obliges an organisation bound by the code to perform an act or course of conduct that the adjudicator has declared (after investigating a complaint) that the organisation should perform to redress loss or damage suffered by the complainant; and

(g) the code requires organisations bound by the code to co‑operate with the adjudicator when the adjudicator is performing functions or exercising powers under the code; and

(h) the code requires a report (in a form satisfactory to the Commissioner) to be prepared as soon as practicable after 30 June each year on the operation of the code during the financial year that ended on that 30 June; and

(i) the code requires that a copy of each report is to be given to the Commissioner within a timetable that is satisfactory to the Commissioner; and

(j) the code requires that a copy of each report is to be made available to anyone who asks for it; and

(k) the code requires the report prepared for each year to include the number and nature of complaints made to an adjudicator under the code during the relevant financial year; and

(ka) the code requires the report prepared for each year to include, for each complaint finally dealt with by an adjudicator under the code during the relevant financial year, a summary identifying:

(i) the nature of the complaint; and

(ii) the provisions of the code applied in dealing with the complaint; and

(iii) the outcome of the dealing;

whether or not the adjudicator made a determination, finding, declaration, order or direction in dealing with the complaint; and

(l) the code identifies an adjudicator for the code or another person as the person responsible for the requirements in this subsection relating to the annual report for the code.

(4) In deciding whether to approve a privacy code, the Commissioner may consider the matters specified in guidelines issued by the Commissioner (if any).

(5) An approval must be in writing.

(6) This section does not prevent the Commissioner approving a privacy code if:

(a) the code also sets out:

(i) the period during which it will operate; or

(ii) the circumstances in which it will expire; and

(b) the Commissioner considers that the period or circumstances are appropriate.

(7) This section does not prevent the Commissioner approving a privacy code if the code is expressed to apply to:

(a) all personal information or a specified type of personal information; or

(b) a specified activity or class of activities of an organisation; or

(d) a specified class of industry sectors and/or professions.

18BC When approval takes effect

(1) The approval of a privacy code takes effect on the day specified in the approval.

(2) The day specified must not be before the day on which the approval is given.

18BD Varying an approved privacy code

(1) An organisation may apply in writing to the Commissioner for approval of a variation of an approved privacy code by giving the Commissioner a copy of the code that incorporates the variations.

(2) The Commissioner may approve in writing the variation.

(3) In deciding whether to approve the variation, the Commissioner must consider all of the matters that the Commissioner would consider in deciding whether to approve under section 18BB a privacy code identical to the approved privacy code with the variation.

(4) However, if the Commissioner thinks that a variation is minor, he or she need not be satisfied that members of the public have been given an adequate opportunity to comment on a draft variation of the code (as would otherwise be required by paragraph 18BB(2)(f)). Instead, the Commissioner may consult any person he or she thinks appropriate about the draft variation.

(5) The approval of the variation takes effect on the day specified in the approval.

(6) The day specified must not be before the day on which the approval is given.

18BE Revoking the approval of an approved privacy code

(1) The Commissioner may revoke his or her approval of an approved privacy code or a variation of an approved privacy code:

(a) on his or her own initiative; or

(b) on application by an organisation that is bound by the code.

(2) Before deciding whether to revoke the approval of a code or variation, the Commissioner must:

(a) if practicable, consult the organisation that originally sought approval of the code or variation; and

(b) consult any other person the Commissioner considers appropriate; and

(c) consider the extent to which members of the public have been given an opportunity to comment on the proposed revocation.

(3) A revocation must be in writing.

(4) A revocation comes into effect on the day specified in the revocation.

(5) The day specified must not be before the day on which the revocation is made.

18BF Guidelines about privacy codes

(1) The Commissioner may make:

(a) written guidelines to assist organisations to develop privacy codes or to apply approved privacy codes; and

(b) written guidelines relating to making and dealing with complaints under approved privacy codes; and

(c) written guidelines about matters the Commissioner may consider in deciding whether to approve a privacy code or a variation of an approved privacy code.

(1A) Before making guidelines for the purposes of paragraph (1)(b), the Commissioner must give everyone the Commissioner considers has a real and substantial interest in the matters covered by the proposed guidelines an opportunity to comment on them.

(2) The Commissioner may publish guidelines made under subsection (1) in any way the Commissioner considers appropriate.

18BG Register of approved privacy codes

(1) The Commissioner must keep a register of approved privacy codes.

(2) The Commissioner may decide the form of the register and how it is to be kept.

(3) The Commissioner must make the register available to the public in the way that the Commissioner determines.

(4) The Commissioner may charge fees for:

(a) making the register available to the public; or

(b) providing copies of, or extracts from, the register.

18BH Review of operation of approved privacy code

(1) The Commissioner may review the operation of an approved privacy code.

Note: The review may inform a decision by the Commissioner under section 18BE to revoke the approved privacy code.

(2) The Commissioner may do one or more of the following for the purposes of the review:

(a) consider the process under the code for making and dealing with complaints;

(b) inspect the records of an adjudicator for the code;

(d) interview an adjudicator for the code.

18BI Review of adjudicator’s decision under approved privacy code

(1) A person who is aggrieved by a determination made by an adjudicator (other than the Commissioner) under an approved privacy code after investigating a complaint may apply to the Commissioner for review of the determination.

Note: The review of the adjudicator’s determination will include review of any finding, declaration, order or direction that is included in the determination.

(2) Divisions 1 and 2 of Part V apply in relation to the complaint covered by the application as if the complaint had been made to the Commissioner and subsection 36(1A) did not prevent the Commissioner from investigating it.

Note: Divisions 1 and 2 of Part V provide for the investigation and determination of complaints made to the Commissioner.

(3) The adjudicator’s determination continues to have effect unless and until the Commissioner makes a determination under Division 2 of Part V relating to the complaint.

Part IIIA—Credit reporting

18C Certain credit reporting only to be undertaken by corporations

(1) A person must not use an eligible communications service in the course of carrying on a credit reporting business unless the person is a corporation.

(2) A person must not:

(a) in the course of trade or commerce:

(i) between Australia and places outside Australia; or

(ii) among the States; or

(iii) between a State and a Territory; or

(iv) among the Territories; or

(b) in the course of banking (other than State banking not extending beyond the limits of the State concerned); or

(c) in the course of insurance business (other than insurance business relating to State insurance not extending beyond the limits of the State concerned); or

(d) in a Territory;

carry on a credit reporting business unless the person is a corporation.

(3) A person must not act on a corporation’s behalf in the course of carrying on a credit reporting business unless the person is a corporation.

(4) A person who intentionally contravenes this section is guilty of an offence punishable, on conviction, by a fine not exceeding $30,000.

18D Personal information not to be given to certain persons carrying on credit reporting

(1) A person must not use an eligible communications service to give to a person carrying on a credit reporting business personal information in circumstances to which this section applies unless the last‑mentioned person is a corporation.

(2) A person must not:

(a) in the course of trade or commerce:

(i) between Australia and places outside Australia; or

(ii) among the States; or

(iii) between a State and a Territory; or

(iv) among the Territories; or

(b) in the course of banking (other than State banking not extending beyond the limits of the State concerned); or

(c) in the course of insurance business (other than insurance business relating to State insurance not extending beyond the limits of the State concerned); or

(d) in a Territory;

give to a person carrying on a credit reporting business personal information in circumstances to which this section applies unless the last‑mentioned person is a corporation.

(3) A corporation must not give to a person carrying on a credit reporting business personal information in circumstances to which this section applies unless the last‑mentioned person is a corporation.

(4) A person who intentionally contravenes this section is guilty of an offence punishable, on conviction, by a fine not exceeding $12,000.

(5) For the purposes of this section, personal information is to be taken to be given to a person in circumstances to which this section applies if the person to whom the information is given is likely to use the information in the course of carrying on a credit reporting business.

18E Permitted contents of credit information files

(1) A credit reporting agency must not include personal information in an individual’s credit information file unless:

(a) the inclusion of the information in the file is reasonably necessary in order to identify the individual; or

(b) the information is a record of:

(i) both:

(A) a credit provider having sought a credit report in relation to an individual in connection with an application for credit or commercial credit made by the individual to the credit provider; and

(B) the amount of credit or commercial credit sought in the application; or

(ia) a person who is a credit provider because of the application of subsection 11B(4B) having sought a credit report in relation to the individual for the purpose of assessing:

(A) the risk in purchasing a loan by means of a securitisation arrangement; or

(B) the risk in undertaking credit enhancement of a loan that is, or is proposed to be, purchased or funded by means of a securitisation arrangement;

being a loan given to, or applied for by, the individual or a person in relation to whom the individual is, or is proposing to be, a guarantor; or

(ii) a mortgage insurer having sought a credit report in connection with the provision of insurance to a credit provider in respect of mortgage credit given by the credit provider to the individual, or to a person in relation to whom the individual is, or is proposing to be, a guarantor; or

(iii) a trade insurer having sought a credit report in connection with the provision of insurance to a credit provider in respect of commercial credit given by the credit provider to the individual or another person; or

(iv) a credit provider having sought a credit report in connection with the individual having offered to act as guarantor in respect of a loan or an application for a loan; or

(v) a credit provider being a current credit provider in relation to the individual; or

(vi) credit provided by a credit provider to an individual, being credit in respect of which:

(A) the individual is at least 60 days overdue in making a payment, including a payment that is wholly or partly a payment of interest; and

(B) the credit provider has taken steps to recover the whole or any part of the amount of credit (including any amounts of interest) outstanding; or

(vii) a cheque, for an amount not less than $100, that:

(A) has been drawn by the individual; and

(B) has twice been presented and dishonoured; or

(viii) court judgments made against the individual; or

(ix) bankruptcy orders made against the individual; or

(x) the opinion of a credit provider that the individual has, in the circumstances specified, committed a serious credit infringement; or

(ba) the information is a record of an overdue payment by the individual as guarantor under a guarantee given against default by a person (the borrower) in repaying all or any of an amount of credit obtained by the borrower from a credit provider, and the following subparagraphs apply:

(i) the credit provider is not prevented under any law of the Commonwealth, a State or a Territory from bringing proceedings against the individual to recover the amount of the overdue payment;

(ii) the credit provider has given the individual notice of the borrower’s default that gave rise to the individual’s obligation to make the payment;

(iii) 60 days have elapsed since the day on which the notice was given;

(iv) the credit provider has, separately from and in addition to the giving of the notice referred to in subparagraph (ii), taken steps to recover the amount of the overdue payment from the individual.

(c) the information is included in a statement provided by the individual under subsection 18J(2) for inclusion in the file; or

(d) the information is included in a note included in the file under subsection 18F(4) or 18K(5).

(2) A credit reporting agency must not include in an individual’s credit information file personal information recording the individual’s:

(a) political, social or religious beliefs or affiliations; or

(b) criminal record; or

(d) race, ethnic origins or national origins; or

(e) sexual preferences or practices; or

(f) lifestyle, character or reputation.

(3) The Commissioner may determine, in writing, the kinds of information that are, for the purposes of paragraph (1)(a), reasonably necessary to be included in an individual’s credit information file in order to identify the individual.

(4) Where the Commissioner so determines, information that is not of a kind so determined is to be taken not to be information that is permitted to be included in an individual’s credit information file under paragraph (1)(a).

(5) A determination is to be made by notice published in the Gazette.

(6) A notice so published is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

(7) A credit reporting agency must not open a credit information file in relation to an individual unless it has information, concerning the individual, to include in the file that is information of a kind referred to in paragraph (1)(b) or (ba).

(8) A credit provider must not give to a credit reporting agency personal information relating to an individual if:

(a) a credit reporting agency is prohibited, under subsection (1), from including the information in the individual’s credit information file; or

(b) the credit provider does not have reasonable grounds for believing that the information is correct; or

(c) the credit provider did not, at the time of, or before, acquiring the information, inform the individual that the information might be disclosed to a credit reporting agency.

18F Deletion of information from credit information files

(1) A credit reporting agency must delete from an individual’s credit information file maintained by the credit reporting agency any personal information of a kind referred to in paragraph 18E(1)(b) or (ba) within 1 month after the end of the maximum permissible period for the keeping of personal information of that kind.

(2) For the purposes of subsection (1), the maximum permissible periods for the keeping of personal information of the kind referred to in paragraph 18E(1)(b) are as follows:

(a) in the case of information of a kind referred to in subparagraph (i), (ia), (ii), (iii) or (iv) of that paragraph—the period of 5 years commencing on the day on which the credit report concerned was sought;

(b) in the case of information of a kind referred to in subparagraph (v) of that paragraph—the period of 14 days commencing on the day on which the credit reporting agency is notified under subsection (5) that the credit provider concerned is no longer a current credit provider in relation to the individual concerned;

(c) in the case of information of a kind referred to in subparagraph (vi) of that paragraph—the period of 5 years commencing on the day on which the credit reporting agency was informed of the overdue payment concerned;

(d) in the case of information of a kind referred to in subparagraph (vii) of that paragraph—the period of 5 years commencing on the day on which the second dishonouring of the cheque occurred;

(e) in the case of information of a kind referred to in subparagraph (viii) of that paragraph—the period of 5 years commencing on the day on which the court judgment concerned was made;

(f) in the case of information of a kind referred to in subparagraph (ix) of that paragraph—the period of 7 years commencing on the day on which the bankruptcy order concerned was made;

(g) in the case of information of a kind referred to in subparagraph (x) of that paragraph—the period of 7 years commencing on the day on which the information was included in the credit information file concerned.

(2A) For the purposes of subsection (1), the maximum permissible period for the keeping of personal information of the kind referred to in paragraph 18E(1)(ba) is the period of 5 years beginning on the day when the credit reporting agency is informed of the overdue payment concerned.

(3) Where:

(a) a credit reporting agency has been given information that an individual is overdue in making a payment in respect of credit provided by a credit provider; and

(b) the individual ceases to be overdue in making the payment or contends that he or she is not overdue in making the payment;

the credit provider must, as soon as practicable, inform the credit reporting agency that the individual has ceased to be overdue in making the payment, or contends that he or she is not overdue in making the payment, as the case may be.

(4) On being informed that the individual is no longer overdue in making the payment, or that the individual contends that he or she is not overdue in making the payment, the credit reporting agency must include in the individual’s credit information file a note to that effect.

(5) Where a credit provider ceases to be a current credit provider in relation to an individual, the credit provider must, as soon as practicable, notify that fact to any credit reporting agency that was previously informed that the credit provider was a current credit provider in relation to the individual.

18G Accuracy and security of credit information files and credit reports

A credit reporting agency in possession or control of a credit information file, or a credit provider or credit reporting agency in possession or control of a credit report, must:

(a) take reasonable steps to ensure that personal information contained in the file or report is accurate, up‑to‑date, complete and not misleading; and

(b) ensure that the file or report is protected, by such security safeguards as are reasonable in the circumstances, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and

(c) if it is necessary for the file or report to be given to a person in connection with the provision of a service to the credit reporting agency or credit provider, ensure that everything reasonably within the power of the credit reporting agency or credit provider is done to prevent unauthorised use or disclosure of personal information contained in the file or report.

18H Access to credit information files and credit reports

(1) A credit reporting agency in possession or control of an individual’s credit information file must take reasonable steps to ensure that the individual can obtain access to that file.

(2) A credit provider, or a credit reporting agency, in possession or control of a credit report containing personal information concerning an individual must take all reasonable steps to ensure that the individual can obtain access to that report.

(3) An individual’s rights of access under this section may also be exercised by a person (other than a credit provider, mortgage insurer or trade insurer) authorised, in writing, by the individual to exercise those rights on the individual’s behalf in connection with:

(a) an application, or a proposed application, by the individual for a loan; or

(b) the individual having sought advice in relation to a loan.

18J Alteration of credit information files and credit reports

(1) A credit reporting agency in possession or control of a credit information file, or a credit provider or credit reporting agency in possession or control of a credit report, must take reasonable steps, by way of making appropriate corrections, deletions and additions, to ensure that the personal information contained in the file or report is accurate, up‑to‑date, complete and not misleading.

(2) Where:

(a) a credit reporting agency in possession or control of a credit information file, or a credit provider or credit reporting agency in possession or control of a credit report, does not amend personal information contained in that file or report, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and

(b) the individual requests the credit reporting agency or credit provider to include in that file or report a statement provided by the individual of the correction, deletion or addition sought;

the credit reporting agency or credit provider must take reasonable steps to include the statement in the file or report within 30 days after being requested to do so.

(3) Where the credit reporting agency or credit provider considers a statement included pursuant to subsection 18J(2) to be of undue length in the circumstances, the credit reporting agency or credit provider may refer the statement to the Commissioner for such reduction as is considered appropriate and, if the statement is altered, the statement as altered is to be included in the file or report.

18K Limits on disclosure of personal information by credit reporting agencies

(1) A credit reporting agency in possession or control of an individual’s credit information file must not disclose personal information contained in the file to a person, body or agency (other than the individual) unless:

(a) the information is contained in a credit report given to a credit provider who requested the report for the purpose of assessing an application for credit made by the individual to the credit provider; or

(ab) the information:

(i) is contained in a credit report given to a person who is a credit provider because of the application of subsection 11B(4B); and

(ii) the person requested the report for the purpose of assessing the risk in purchasing a loan by means of a securitisation arrangement, being a loan given to or applied for by:

(A) the individual; or

(B) a person in relation to whom the individual is, or is proposing to be, a guarantor; or

(ac) the information:

(i) is contained in a credit report given to a person who is a credit provider because of the application of subsection 11B(4B); and

(ii) the person requested the report for the purpose of assessing the risk in undertaking credit enhancement of a loan that is, or is proposed to be, purchased or funded by means of a securitisation arrangement, being a loan given to or applied for by:

(A) the individual; or

(B) a person in relation to whom the individual is, or is proposing to be, a guarantor; or

(b) the information is contained in a credit report given to a credit provider who requested the report for the purpose of assessing an application for commercial credit made by a person to the credit provider, and the individual to whom the report relates has specifically agreed to the report being given to the credit provider for that purpose; or

(c) the information is contained in a credit report given to a credit provider who requested the report for the purpose of assessing whether to accept the individual as a guarantor in respect of:

(i) a loan provided by the credit provider to a person other than the individual; or

(ii) a loan for which an application has been made by a person other than the individual to the credit provider;

and the first‑mentioned individual has specifically agreed, in writing, to the report being given to the credit provider for that purpose; or

(d) the information is contained in a credit report given to a mortgage insurer for the purpose of assessing:

(i) whether to provide insurance to, or the risk of providing insurance to, a credit provider in respect of mortgage credit given by the credit provider to the individual; or

(ii) the risk of the individual defaulting on mortgage credit in respect of which the mortgage insurer has provided insurance to a credit provider; or

(iii) the risk of the individual being unable to meet a liability that might arise under a guarantee entered into, or proposed to be entered into, in respect of mortgage credit given by a credit provider to another person; or

(e) the information is contained in a credit report given to a trade insurer for the purpose of assessing:

(i) whether to provide insurance to, or the risk of providing insurance to, a credit provider in respect of commercial credit given by the credit provider to the individual or another person; or

(ii) the risk of a person defaulting on commercial credit in respect of which the trade insurer has provided insurance to a credit provider;

and the individual to whom the report relates has specifically agreed, in writing, to the report being given to the trade insurer for that purpose; or

(f) the credit reporting agency has, at least 30 days before the disclosure, received information of a kind referred to in subparagraph 18E(1)(b)(vi), and the information is contained in a credit report given to a credit provider referred to in the credit information file as a credit provider who is a current credit provider in relation to the individual; or

(g) the information is contained in a credit report given to a credit provider who requested the report for the purpose of the collection of payments that are overdue in respect of credit provided to the individual by the credit provider; or

(h) the information is contained in a credit report given to a credit provider who requested the report for the purpose of the collection of payments that are overdue in respect of commercial credit provided to a person by the credit provider, and:

(i) the individual to whom the report relates has specifically agreed, in writing, to the report being given to the credit provider for that purpose; or

(ii) that individual had specifically agreed, in writing, to a credit report relating to the individual being given to the credit provider for the purpose of the credit provider assessing the application that the first‑mentioned person made to the credit provider for the provision of the commercial credit concerned; or

(iii) the credit provider provided the commercial credit concerned before the commencement of this section; or

(j) the information is contained in a credit report given to another credit reporting agency; or

(k) the information is contained in a record in which the only personal information relating to individuals is publicly available information; or

(m) the disclosure is required or authorised by or under law; or

(n) the credit reporting agency is satisfied that a credit provider or law enforcement authority believes on reasonable grounds that the individual has committed a serious credit infringement and the information is given to that credit provider or law enforcement authority or to any other credit provider or law enforcement authority.

(1A) For the purposes of paragraph (1)(b), the individual’s agreement to the report being given to the credit provider must be in writing unless:

(a) the report is requested for the purpose of assessing an application for commercial credit that was at first instance made orally; and

(b) the application has not yet been made in writing.

(2) A credit reporting agency must not disclose personal information contained in an individual’s credit information file, or in any other record containing information derived from the file, that is in the possession or control of the credit reporting agency if the file or other record contains personal information that the credit reporting agency would be:

(a) prohibited from including in an individual’s credit information file under section 18E; or

(b) required to delete from such a file under section 18F.

(3) Subsection (2) does not prohibit the credit reporting agency from disclosing personal information that it would be prohibited from including in an individual’s credit information file under section 18E if:

(a) the credit reporting agency included the information in a credit information file or other record before the commencement of this section; and

(b) the information is information of a kind that the Commissioner has determined, in writing, to be information that the credit reporting agency may disclose without contravening that subsection.

(4) A credit reporting agency that intentionally contravenes subsection (1) or (2) is guilty of an offence punishable, on conviction, by a fine not exceeding $150,000.

(5) Where a credit reporting agency discloses personal information contained in an individual’s credit information file, it must include in the file a note of that disclosure.

Note: A credit reporting agency must not include a note about the disclosure of information in a file if a notation has been made on a summons, or a notice, relating to the disclosure of the information and the notation has not been cancelled (see section 29A of the Australian Crime Commission Act 2002).

(6) A credit reporting agency must not include in a credit report given to a credit provider under paragraph (1)(a) any information relating to an individual’s commercial activities (other than information that the credit reporting agency is permitted under section 18E to include in the individual’s credit information file).

(7) A determination under paragraph (3)(b) is to be made by notice published in the Gazette.

(8) A notice so published is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

18L Limits on use by credit providers of personal information contained in credit reports etc.

(1) A credit provider that is or has been in possession or control of a credit report must not use the report or any personal information derived from the report for any purpose other than assessing an application for credit made to the credit provider by the individual concerned unless:

(aa) the report was obtained under paragraph 18K(1)(a) or (ab) and the credit provider uses the report or information for the purpose of assessing the risk in purchasing a loan by means of a securitisation arrangement, being a loan given to or applied for by:

(i) the individual; or

(ii) a person in relation to whom the individual is, or is proposing to be, a guarantor; or

(ab) the report was obtained under paragraph 18K(1)(a) or (ac) and the credit provider uses the report or information for the purpose of assessing the risk in undertaking credit enhancement of a loan that is, or is proposed to be, purchased or funded by means of a securitisation arrangement, being a loan given to or applied for by:

(i) the individual; or

(ii) a person in relation to whom the individual is, or is proposing to be, a guarantor; or

(a) the report was obtained under paragraph 18K(1)(b) and the credit provider uses the report or information for the purpose of assessing an application for commercial credit made by a person to the credit provider; or

(b) the report was obtained under paragraph 18K(1)(c) and the credit provider uses the report or information for the purpose of assessing whether to accept the individual as a guarantor in respect of:

(i) a loan provided by the credit provider to a person other than the individual; or

(ii) a loan for which an application has been made by a person other than the individual to the credit provider; or

(ba) the report was obtained under paragraph 18K(1)(a), (b) or (c) and the credit provider uses the report or information for the internal management purposes of the credit provider, being purposes directly related to the provision or management of loans by the credit provider; or

(c) the report was obtained under paragraph 18K(1)(f) and the credit provider uses the information for the purpose of assisting the individual to avoid defaulting on his or her credit obligations; or

(d) the credit provider uses the report or information for the purpose of the collection of payments that are overdue in respect of credit provided to the individual by the credit provider; or

(da) the report was obtained under paragraph 18K(1)(h) and the credit provider uses the report or information for the purpose of the collection of payments that are overdue in respect of commercial credit provided to a person by the credit provider; or

(e) use of the report or information for that other purpose is required or authorised by or under law; or

(f) the credit provider believes on reasonable grounds that the individual has committed a serious credit infringement, and the report or information is used in connection with that infringement.

(2) A credit provider that intentionally contravenes subsection (1) is guilty of an offence punishable, on conviction, by a fine not exceeding $150,000.

(3) A credit provider that is or has been in possession or control of a credit report must not:

(a) use the report unless all personal information concerning individuals that is not information of a kind referred to in subsection 18E(1) has been deleted from the report; or

(b) use any personal information derived from the report if the information is not information of a kind referred to in subsection 18E(1).

(4) Where a credit provider has received a credit report for the purpose of assessing an application for credit made to the credit provider by an individual, the credit provider must not, in assessing the application, use information that:

(a) concerns the individual’s commercial activities or commercial credit worthiness; and

(b) was obtained from a person or body carrying on a business or undertaking involving the provision of information about the commercial credit worthiness of persons;

unless the individual has specifically agreed to the information being obtained by the credit provider for that purpose.

(4A) For the purposes of subsection (4), the individual’s agreement to the information being obtained by the credit provider must be in writing unless:

(a) the information is obtained for the purpose of assessing an application for credit that was at first instance made orally; and

(b) the application has not yet been made in writing.

(5) References in subsection (3) to information that is not information of a kind referred to in subsection 18E(1) do not include references to information the disclosure of which is taken, because of the application of subsection 18K(3), not to be in contravention of subsection 18K(2).

(6) The Commissioner may determine, in writing, the manner in which information of a kind referred to in subsection (4) may, under that subsection, be used (including the manner in which an individual’s agreement may be obtained for the purposes of that subsection).

(7) A determination is to be made by notice published in the Gazette.

(8) A notice so published is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

18M Information to be given if an individual’s application for credit is refused

(1) If:

(a) a credit provider refuses an application by an individual for credit (including an application made jointly by that individual and one or more other persons); and

(b) the refusal is based wholly or partly on information derived from a credit report relating to that individual that a credit reporting agency has given to the credit provider for the purpose of assessing the application;

the credit provider must give the individual a written notice:

(i) that the application has been refused; and

(ii) that the refusal was based wholly or partly, as the case requires, on information derived from a credit report relating to that individual that a credit reporting agency has given to the credit provider; and

(iii) the name and address of the credit reporting agency; and

(d) notifying that individual of his or her right under this Act to obtain access to his or her credit information file maintained by the credit reporting agency.

(2) If:

(a) a credit provider refuses an application by an individual for credit, being an application made jointly by that individual and one or more other persons; and

(b) the refusal is based wholly or partly on information derived from a credit report relating to one of those other persons that a credit reporting agency has given to the credit provider for the purpose of assessing the application;

the credit provider must give to that individual a written notice stating:

(d) that the refusal was based wholly or partly, as the case requires, on information derived from a credit report relating to that person that a credit reporting agency has given to the credit provider.

(3) If:

(a) a credit provider refuses an application by an individual for credit (including an application made jointly by that individual and one or more other persons); and

(b) the refusal is based wholly or partly on information derived from a credit report relating to another person who was proposing to be a guarantor in respect of the credit;

the credit provider must give that individual a written notice stating:

18N Limits on disclosure by credit providers of personal information contained in reports relating to credit worthiness etc.

(1) A credit provider that is or has been in possession or control of a report must not disclose the report or any personal information derived from the report to another person for any purpose unless:

(a) the report or information is disclosed to a credit reporting agency for the purpose of being used:

(i) to create a credit information file in relation to the individual concerned; or

(ii) to include information in a credit information file, maintained by the credit reporting agency, in relation to the individual concerned; or

(b) the individual concerned has specifically agreed to the disclosure of the report or information to another credit provider for the particular purpose; or

(ba) the report or information is disclosed:

(i) to the guarantor of a loan provided by the credit provider to the individual concerned; and

(ii) for any purpose related to the enforcement or proposed enforcement of the guarantee; or

(bb) the report or information is disclosed to a mortgage insurer:

(i) for the purpose of assessing whether to provide insurance to, or the risk of providing insurance to, a credit provider in respect of mortgage credit given by the credit provider to the individual concerned or applied for by the individual concerned to the credit provider; or

(ii) for the purpose of assessing the risk of the individual defaulting on mortgage credit in respect of which the mortgage insurer has provided insurance to the credit provider; or

(iii) for any purpose arising under a contract for mortgage insurance that has been entered into between the credit provider and the mortgage insurer; or

(bc) the report or information is disclosed:

(i) to a person or body generally recognised and accepted in the community as being a person appointed, or a body established, for the purpose of settling disputes between credit providers, acting in their capacity as credit providers, and their customers; and

(ii) for the purpose of settling a dispute between the credit provider and the individual concerned; or

(bd) the report or information is disclosed:

(i) to a Minister, Department or authority, of a State or Territory whose functions or responsibilities include giving assistance (directly or indirectly) that facilitates the giving of mortgage credit to individuals; and

(ii) for the purpose of enabling the Minister, Department or authority to determine the extent of assistance (if any) it will give in relation to the giving of mortgage credit to the individual concerned; or

(bda) the report or information is disclosed:

(i) to a Minister, Department or authority, of a State or Territory whose functions or responsibilities include the management or supervision of schemes or arrangements under which assistance is given (directly or indirectly) that facilitates the giving of mortgage credit to individuals; and

(ii) for the purpose of enabling the Minister, Department or authority to manage or supervise any such scheme or arrangement; or

(be) the report or information:

(i) is disclosed to a person or body carrying on a business of supplying goods or services; and

(ii) is disclosed for the purpose of enabling that person or body to decide whether to accept, as payment for goods or services supplied to the individual concerned, payment by means of credit card or electronic transfer of funds; and

(iii) does not contain or include any personal information derived from a credit report, other than:

(A) information of a kind referred to in paragraph 18E(1)(a); and

(B) information as to whether the individual has a line of credit with the credit provider, or funds deposited with the credit provider, sufficient to meet the payment concerned; or

(bf) the report or information:

(i) is disclosed to a person or body that is considering taking an assignment of, or discharging on the individual’s behalf, a debt owed by the individual to the credit provider; and

(ii) does not contain or include any personal information derived from a credit report, other than:

(A) information of a kind referred to in paragraph 18E(1)(a); and

(B) information as to the amount of the debt, or the amount required to be paid in order to discharge the debt; or

(bg) the report or information is disclosed to a person who is a guarantor in respect of, or who has provided property as security for, a loan given by the credit provider to the individual concerned, and:

(i) the individual has specifically agreed to the disclosure of the report or information to any such person; or

(ii) the following circumstances apply:

(A) the guarantee or security was given before the commencement of this paragraph;

(B) the report or information is disclosed for the purpose of giving to the person information that is relevant to the amount or possible amount of the person’s liability under the contract of guarantee or security;

(bh) the report or information is disclosed to a person for the purpose of that person considering whether to offer to act as guarantor in respect of, or to offer property as security for:

(i) a loan given by the credit provider to the individual concerned; or

(ii) a loan for which the individual concerned has applied to the credit provider;

and the individual has specifically agreed to the disclosure of the report or information to any such person for that purpose; or

(i) is disclosed to a person or body carrying on a business or undertaking that involves the collection of debts on behalf of others; and

(ii) is disclosed for the purpose of the collection of payments that are overdue in respect of credit provided to the individual concerned by the credit provider; and

(iii) does not contain or include any personal information derived from a credit report, other than:

(A) information of a kind referred to in paragraph 18E(1)(a); and

(B) information of a kind referred to in subparagraph 18E(1)(b)(vi), not being information that relates to an overdue payment in respect of which a note to the effect that the individual is no longer overdue in making the payment has been included, under subsection 18F(4), in the credit information file from which the credit report was prepared; and

(ca) the report (not being a credit report) or information:

(i) is disclosed to a person or body carrying on a business or undertaking that involves the collection of debts on behalf of others; and

(ii) is disclosed for the purpose of the collection of payments that are overdue in respect of commercial credit provided to a person by the credit provider; and

(iii) does not contain or include any personal information derived from a credit report, other than information of a kind referred to in paragraph 18E(1)(a) or subparagraph 18E(1)(b)(viii) or (ix); or

(d) where the credit provider is a corporation—the report or information is disclosed to a corporation that is related to the credit provider; or

(e) the report or information is disclosed to a corporation (including the professional legal advisers or professional financial advisers of that corporation) that proposes to use the report or information:

(i) in the process of considering whether to:

(A) accept an assignment of a debt owed to the credit provider; or

(B) accept a debt owed to the credit provider as security for a loan to the credit provider; or

(C) purchase an interest in the credit provider (including, in a case where the credit provider is a corporation, a corporation that is related to the credit provider); or

(ii) in connection with exercising rights arising from any acceptance or purchase of a kind referred to in subparagraph (i); or

(f) the report or information is disclosed to a person who manages loans made by the credit provider, for use in managing those loans; or

(fa) the report or information is disclosed to another credit provider in the following circumstances:

(i) the credit provider and the other credit provider have each provided to the individual concerned mortgage credit in respect of which the same real property forms all or part of the security;

(ii) the individual is at least 60 days overdue in making a payment in respect of the mortgage credit provided by either credit provider;

(iii) the disclosure is for the purpose of either credit provider deciding what action to take in relation to the overdue payment; or

(g) disclosure of the report or information to that other person for the particular purpose is required or authorised by or under law; or

(ga) the report or information is disclosed to:

(i) the individual; or

(ii) a person (other than a credit provider, mortgage insurer or trade insurer) authorised, in writing, by the individual to seek access to the report or information; or

(gb) the report or information is disclosed in the following circumstances:

(i) the individual concerned maintains an account with the credit provider;

(ii) the report or information relates to the operation of the account;

(iii) the report or information is disclosed to another person who is authorised by the individual to operate the account;

(iv) either:

(A) the report or information contains no information about the credit worthiness, credit standing, credit history or credit capacity of the individual concerned, other than basic transaction information; or

(B) the disclosure takes place in the ordinary course of the other person operating the account in the way authorised by the individual concerned; or

(h) the credit provider believes on reasonable grounds that the individual concerned has committed a serious credit infringement and the report or information is given to another credit provider or a law enforcement authority.

(1A) For the purposes of paragraph (1)(b), the individual’s agreement to the disclosure of the report or information to another credit provider:

(a) must be in writing unless:

(i) the disclosure is sought for the purpose of assessing an application for credit or commercial credit that was initially made orally; and

(ii) the application has not yet been made in writing; and

(b) must be given to:

(i) the credit provider with possession or control of the report or information; or

(ii) the other credit provider.

(1B) For the purposes of paragraphs (1)(bg) and (bh), the individual’s agreement to the disclosure of the report or information must be in writing unless:

(a) the disclosure relates to an application for a loan that was initially made orally; and

(b) the application has not yet been made in writing.

(1C) Paragraph (1)(ga) does not affect the operation of paragraph (1)(g) in relation to an individual obtaining access to credit report under section 18H.

(1D) For the purposes of paragraph (1)(gb), basic transaction information is any one or more of the following:

(a) the account balance;

(b) the amount of available credit in relation to the account;

(d) information relating to transactions on the account by the other person.

(2) A credit provider that intentionally contravenes subsection (1) is guilty of an offence punishable, on conviction, by a fine not exceeding $150,000.

(3) A credit provider that is or has been in possession or control of a credit report, or a report containing personal information derived from a credit report, must not:

(a) disclose the report to another person unless all personal information concerning individuals that is not information of a kind referred to in subsection 18E(1) has been deleted from the report; or

(b) disclose to another person any personal information derived from the report if the information is not information of a kind referred to in subsection 18E(1).

(4) References in subsection (3) to information that is not information of a kind referred to in subsection 18E(1) do not include references to information the disclosure of which is taken, because of the application of subsection 18K(3), not to be in contravention of subsection 18K(2).

(5) The Commissioner may determine, in writing, the manner in which a report or personal information derived from a report may, under subsection (1), be disclosed (including the manner in which an individual’s agreement may be obtained for the purposes of paragraph (1)(b)).

(6) Where the Commissioner so determines, a report or information that is disclosed in a manner contrary to the determination is to be taken, except for the purposes of subsection (2), to have been disclosed contrary to subsection (1).

(7) A determination is to be made by notice published in the Gazette.

(8) A notice so published is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

(9) In this section, unless the contrary intention appears:

report means:

(a) a credit report; or

(b) subject to subsection (10), any other record or information, whether in a written, oral or other form, that has any bearing on an individual’s credit worthiness, credit standing, credit history or credit capacity;

but does not include a credit report or any other record or information in which the only personal information relating to individuals is publicly available information.

(10) For the purposes of the application of this section to a credit provider that is not a corporation, a record or information (other than a credit report) is not taken to be a report for the purposes of this section unless it is being or has been prepared by or for a corporation.

18NA Disclosure by credit providers to certain persons who gave indemnities

In respect of a disclosure by a credit provider of a report or information to a person who, on or after 7 December 1992 and before the commencement of this section, gave an indemnity against the default of a borrower in making a payment in respect of a loan given by the credit provider, subparagraph 18N(1)(bg)(ii) has effect as if the reference in sub‑subparagraph 18N(1)(bg)(ii)(A) to the commencement of paragraph 18N(1)(bg) were a reference to the commencement of this section.

18P Limits on use or disclosure by mortgage insurers or trade insurers of personal information contained in credit reports

(1) A mortgage insurer that is or has been in possession or control of a credit report must not use the report or any personal information derived from the report for any purpose other than:

(a) assessing whether to provide insurance to, or the risk of providing insurance to, a credit provider in respect of mortgage credit given by the credit provider to the individual concerned or applied for by the individual concerned to the credit provider; or

(b) assessing the risk of the individual concerned defaulting on mortgage credit in respect of which the mortgage insurer has provided insurance to a credit provider; or

(ba) assessing the risk of the individual concerned being unable to meet a liability that might arise under a guarantee entered into, or proposed to be entered into, in respect of mortgage credit given by the credit provider to another person; or

(c) any purpose arising under the contract for mortgage insurance that has been entered into between a credit provider and the mortgage insurer;

unless use of the report or information for that other purpose is required or authorised by or under law.

(2) A trade insurer that is or has been in possession or control of a credit report must not use the report or any personal information derived from the report for any purpose other than assessing:

(a) whether to provide insurance to, or the risk of providing insurance to, a credit provider in respect of commercial credit given by the credit provider to another person; or

(b) the risk of a person defaulting on commercial credit in respect of which the trade insurer has provided insurance to a credit provider;

unless use of the report or information for that other purpose is required or authorised by or under law.

(3) A mortgage insurer or trade insurer that is or has been in possession or control of a credit report must not:

(a) use the report unless all personal information concerning individuals that is not information of a kind referred to in subsection 18E(1) has been deleted from the report; or

(b) use any personal information derived from the report if the information is not information of a kind referred to in subsection 18E(1).

(5) A mortgage insurer or trade insurer that is or has been in possession or control of a credit report must not disclose the report or any personal information derived from the report to another person for any purpose unless disclosure of the report or information to that other person for that purpose is required or authorised by or under law.

(6) A mortgage insurer or trade insurer that knowingly or recklessly contravenes subsection (1), (2) or (5) is guilty of an offence punishable, on conviction, by a fine not exceeding $150,000.

(7) A reference in this section (other than subsection (3)) to a credit report is taken to include a reference to a report or information disclosed to a mortgage insurer under paragraph 18N(1)(bb).

18Q Limits on use by certain persons of personal information obtained from credit providers

(1) A corporation that has obtained a report or information under paragraph 18N(1)(d) must not:

(a) use the report or information, or any personal information derived from the report or information, otherwise than for a purpose for which, or in circumstances under which, a credit provider would be permitted under section 18L to use the report or information; or

(b) disclose the report or information, or any personal information derived from the report or information, to another person otherwise than for a purpose for which, or in circumstances under which, a credit provider would be permitted under section 18N to disclose the report or information to another person.

(2) A corporation that has obtained a report or information under paragraph 18N(1)(e) must not use the report or information, or any personal information derived from the report or information, for any purpose other than:

(a) for use in the process of considering whether to:

(i) accept an assignment of a debt owed to the credit provider from whom the report or information was obtained; or

(ii) accept a debt owed to the credit provider as security for a loan to the credit provider; or

(iii) purchase an interest in the credit provider (including, where the credit provider is a corporation, a corporation that is related to the credit provider); or

(b) for use in connection with exercising rights arising from any acceptance or purchase of a kind referred to in paragraph (a).

(3) A professional legal adviser or professional financial adviser of a corporation who has obtained a report or information under paragraph 18N(1)(e) must not use the report or information, or any personal information derived from the report or information, for any purpose other than use by the person, in his or her capacity as such a professional legal or financial adviser, in connection with advising the corporation:

(a) whether to accept an assignment of a debt owed to the credit provider from whom the report or information was obtained; or

(b) whether to accept a debt owed to the credit provider as a security for a loan to the credit provider; or

(c) whether to purchase an interest in the credit provider (including, in a case where the credit provider is a corporation, a corporation that is related to the credit provider);

(d) in connection with exercising rights arising from any acceptance or purchase of a kind referred to in paragraph (a), (b) or (c);

unless use of the report or information, or the information so derived, is required or authorised by or under law.

(4) A person who has obtained a report or information under paragraph 18N(1)(f) must not use the report or information, or any personal information derived from the report or information, for any purpose other than use by the person in managing loans made by the credit provider from whom the person obtained the report or information, unless use of the report or information, or the information so derived, for that other purpose is required or authorised by or under law.

(5) A person who has obtained a report or information under paragraph 18N(1)(e) or (f) must not disclose the report or information, or any personal information derived from the report or information, to another person unless disclosure of the report or information, or the information so derived, is required or authorised by or under law.

(6) If:

(a) a person was, because of the application of subsection 11B(4B), a credit provider in relation to a loan; and

(b) the person has ceased to be such a credit provider in relation to the loan; and

(c) the person had, while such a credit provider in relation to the loan, obtained possession or control of a credit report;

the person must not use the report, or any personal information derived from the report, otherwise than for a purpose for which, or in circumstances under which, a credit provider would be permitted under section 18L to use the report or information.

(7) Subject to subsection (7A), if:

(a) a person was, because of the application of subsection 11B(4B), a credit provider in relation to a loan; and

(b) the person has ceased to be such a credit provider in relation to the loan; and

(c) the person had, while such a credit provider in relation to the loan, obtained possession or control of a report (within the meaning of subsection 18N(9));

the person must not disclose the report, or any personal information derived from the report, to another person otherwise than for the purposes for which, or in circumstances under which, a credit provider would be permitted under section 18N to disclose the report or information to another person.

(7A) For the purposes of the application of subsection (7) to a person other than a corporation, a record or information (other than a credit report) is not taken to be a report for the purposes of that subsection unless it is being or has been prepared by or for a corporation.

(8) In spite of anything in this section to the contrary, this section does not impose any obligations on a person in relation to a report or information obtained under paragraph 18N(1)(e) or (f), or in relation to any personal information derived from such a report or information, unless:

(a) the person is a corporation; or

(b) the credit provider from whom the person obtained the report or information is a corporation.

(9) A person who intentionally contravenes this section is guilty of an offence punishable, on conviction, by a fine not exceeding $30,000.

18R False or misleading credit reports

(1) A credit reporting agency or credit provider must not give to any other person or body (whether or not the other person or body is a credit reporting agency or credit provider) a credit report that contains false or misleading information.

(2) A credit reporting agency or credit provider that intentionally contravenes subsection (1) is guilty of an offence punishable, on conviction, by a fine not exceeding $75,000.

18S Unauthorised access to credit information files or credit reports

(1) A person must not obtain access to an individual’s credit information file in the possession or control of a credit reporting agency unless the access is authorised by this Act.

(2) A person must not obtain access to a credit report in the possession or control of a credit provider or credit reporting agency unless:

(a) the person is given the report in accordance with this Act; or

(b) the access is otherwise authorised by this Act.

(3) A person who intentionally contravenes this section is guilty of an offence punishable, on conviction, by a fine not exceeding $30,000.

18T Obtaining access to credit information files or credit reports by false pretences

(1) A person must not, by a false pretence, obtain access to an individual’s credit information file in the possession or control of a credit reporting agency.

Penalty: $30,000.

(2) A person must not, by a false pretence, obtain access to a credit report in the possession or control of a credit provider or credit reporting agency.

Penalty: $30,000.

18U Application of section 4B of Crimes Act

Subsection 4B(3) of the Crimes Act 1914 does not apply in relation to an offence against subsection 18K(4), 18L(2), 18N(2) or 18R(2) or section 18P.

18V Application of this Part

(1) Subject to this section, this Part applies in relation to any credit information file, any credit report or any report of a kind referred to in section 18N, in existence on or after the commencement of this section, whether or not it was in existence before that commencement.

(2) Paragraph 18E(8)(c) does not apply in relation to information acquired by a credit provider before 25 February 1992.

(3) Section 18F applies in relation to personal information that was, immediately before 25 February 1992, contained in an individual’s credit information file as if the references to the days mentioned in the paragraphs of subsection 18F(2) were all references to 25 February 1992.

Part IV—Office of the Privacy Commissioner

Division 1—Office of the Privacy Commissioner

19 Establishment of the Office of the Privacy Commissioner

(1) The Office of the Privacy Commissioner is established by this section.

(2) The Office of the Privacy Commissioner consists of the Privacy Commissioner and the staff as mentioned in section 26A.

19A Privacy Commissioner

(1) There shall be a Privacy Commissioner, who shall be appointed by the Governor‑General.

(2) A person is not qualified to be appointed as the Privacy Commissioner unless the Governor‑General is satisfied that the person has appropriate qualifications, knowledge or experience.

20 Terms and conditions of appointment

(1) The Commissioner holds office for such period, not exceeding 7 years, as is specified in the instrument of the person’s appointment, but is eligible for re‑appointment.

(3) The Commissioner holds office on such terms and conditions (if any) in respect of matters not provided for by this Act as are determined by the Governor‑General.

21 Remuneration of Commissioner

(1) The Commissioner shall be paid such remuneration as is determined by the Remuneration Tribunal, but, if no determination of that remuneration by the Tribunal is in operation, the Commissioner shall be paid such remuneration as is prescribed.

(2) The Commissioner shall be paid such allowances as are prescribed.

(3) This section has effect subject to the Remuneration Tribunal Act 1973.

22 Leave of absence

(1) The Commissioner has such recreation leave entitlements as are determined by the Remuneration Tribunal.

(2) The Minister may grant the Commissioner leave of absence, other than recreation leave, on such terms and conditions as to remuneration or otherwise as the Minister determines.

23 Outside employment

Except with the approval of the Minister, the Commissioner shall not engage in paid employment outside the duties of the office of Commissioner.

24 Resignation

The Commissioner may resign from the office of Commissioner by delivering to the Governor‑General a signed notice of resignation.

25 Termination of appointment

(1) The Governor‑General may terminate the appointment of the Commissioner by reason of misbehaviour or physical or mental incapacity.

(2) The Governor‑General shall terminate the appointment of the Commissioner if the Commissioner:

(a) becomes bankrupt, applies to take the benefit of any law for the relief of bankrupt or insolvent debtors, compounds with creditors or makes an assignment of remuneration for their benefit;

(b) is absent from duty, except on leave of absence, for 14 consecutive days or for 28 days in any period of 12 months; or

26 Acting Commissioner

The Minister may appoint a person to act as Commissioner:

(a) during a vacancy in the office of Commissioner, whether or not an appointment has previously been made to the office; or

(b) during any period, or during all periods, when the Commissioner is absent from duty or from Australia, or is, for any other reason, unable to perform the functions of the office of Commissioner;

but a person appointed to act during a vacancy shall not continue so to act for more than 12 months.

26A Staff and consultants

(1) The staff necessary to assist the Commissioner must be persons appointed or employed under the Public Service Act 1999.

(2) For the purposes of the Public Service Act 1999:

(a) the Commissioner and the APS employees assisting the Commissioner together constitute a Statutory Agency; and

(b) the Commissioner is the Head of that Statutory Agency.

(3) The Commissioner may engage as consultants persons with suitable qualifications and experience. The terms and conditions on which a consultant is engaged are as determined by the Commissioner.

Division 2—Functions of Commissioner

27 Functions of Commissioner in relation to interferences with privacy

(1) Subject to this Part, the Commissioner has the following functions:

(a) to investigate an act or practice of an agency that may breach an Information Privacy Principle and, where the Commissioner considers it appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the investigation;

(aa) to approve privacy codes and variations of approved privacy codes and to revoke those approvals;

(ab) subject to Part V—to investigate an act or practice of an organisation that may be an interference with the privacy of an individual because of section 13A and, if the Commissioner considers it appropriate to do so, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation;

(ac) to perform functions, and exercise powers, conferred on an adjudicator by an approved privacy code under which the Commissioner has been appointed as an independent adjudicator to whom complaints may be made;

(ad) to review the operation of approved privacy codes under section 18BH;

(ae) on application under section 18BI for review of the determination of an adjudicator (other than the Commissioner) in relation to a complaint—to deal with the complaint in accordance with that section;

(b) to examine (with or without a request from a Minister) a proposed enactment that would require or authorise acts or practices of an agency or organisation that might, in the absence of the enactment, be interferences with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals and to ensure that any adverse effects of such proposed enactment on the privacy of individuals are minimised;

(c) to undertake research into, and to monitor developments in, data processing and computer technology (including data‑matching and data‑linkage) to ensure that any adverse effects of such developments on the privacy of individuals are minimised, and to report to the Minister the results of such research and monitoring;

(d) to promote an understanding and acceptance of the Information Privacy Principles and of the objects of those Principles and of the National Privacy Principles;

(e) to prepare, and to publish in such manner as the Commissioner considers appropriate, guidelines for the avoidance of acts or practices of an agency or an organisation that may or might be interferences with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals;

(ea) to prepare, and to publish in the way that the Commissioner considers appropriate, guidelines:

(i) to assist organisations to develop privacy codes or to apply approved privacy codes; or

(ii) relating to making and dealing with complaints under approved privacy codes; or

(iii) about matters the Commissioner may consider in deciding whether to approve a privacy code or a variation of an approved privacy code;

(f) to provide (on request or on the Commissioner’s own initiative) advice to a Minister, agency or organisation on any matter relevant to the operation of this Act;

(fa) to provide advice to an adjudicator for an approved privacy code on any matter relevant to the operation of this Act or the code, on request by the adjudicator;

(g) to maintain, and to publish annually, a record (to be known as the Personal Information Digest) of the matters set out in records maintained by record‑keepers in accordance with clause 3 of Information Privacy Principle 5;

(h) to conduct audits of records of personal information maintained by agencies for the purpose of ascertaining whether the records are maintained according to the Information Privacy Principles;

(ha) to conduct audits of particular acts done, and particular practices engaged in, by agencies in relation to personal information, if those acts and practices, and those agencies, are prescribed by regulations made for the purposes of this paragraph;

(j) whenever the Commissioner thinks it necessary, to inform the Minister of action that needs to be taken by an agency in order to achieve compliance by the agency with the Information Privacy Principles;

(k) to examine (with or without a request from a Minister) a proposal for data matching or data linkage that may involve an interference with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals and to ensure that any adverse effects of such proposal on the privacy of individuals are minimised;

(m) for the purpose of promoting the protection of individual privacy, to undertake educational programs on the Commissioner’s own behalf or in co‑operation with other persons or authorities acting on behalf of the Commissioner;

(p) to issue guidelines under the Data‑matching Program (Assistance and Tax) Act 1990;

(pa) to issue guidelines under section 135AA of the National Health Act 1953;

(q) to monitor and report on the adequacy of equipment and user safeguards;

(r) may, and if requested to do so, shall make reports and recommendations to the Minister in relation to any matter that concerns the need for or the desirability of legislative or administrative action in the interests of the privacy of individuals;

(s) to do anything incidental or conducive to the performance of any of the Commissioner’s other functions.

(1A) To avoid doubt, the Commissioner is not subject to Part V in performing functions, and exercising powers, conferred on an adjudicator by an approved privacy code under which the Commissioner has been appointed as an independent adjudicator to whom complaints may be made.

(2) The Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions under subsection (1).

(3) Without limiting subsection (2), the Commissioner may, at the request of an organisation, examine the records of personal information maintained by the organisation, for the purpose of ascertaining whether the records are maintained according to:

(a) an approved privacy code that binds the organisation; or

(b) to the extent (if any) that the organisation is not bound by an approved privacy code—the National Privacy Principles.

28 Functions of Commissioner in relation to tax file numbers

(1) In addition to the functions under sections 27 and 28A, the Commissioner has the following functions in relation to tax file numbers:

(a) to issue guidelines under section 17;

(b) to investigate acts or practices of file number recipients that may breach guidelines issued under section 17;

(c) to investigate acts or practices that may involve unauthorised requests or requirements for the disclosure of tax file numbers;

(d) to examine the records of the Commissioner of Taxation to ensure that:

(i) he or she is not using tax file number information for purposes beyond his or her powers; and

(ii) he or she is taking adequate measures to prevent the unlawful disclosure of the tax file number information that he or she holds;

(e) to conduct audits of records of tax file number information maintained by file number recipients for the purpose of ascertaining whether the records are maintained according to any relevant guidelines issued under section 17;

(f) to evaluate compliance with guidelines issued under section 17;

(g) to provide advice (with or without a request) to file number recipients on their obligations under the Taxation Administration Act 1953 with regard to the confidentiality of tax file number information and on any matter relevant to the operation of this Act;

(h) to monitor the security and accuracy of tax file number information kept by file number recipients;

(j) to do anything incidental or conducive to the performance of any of the preceding functions.

(2) The Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions under subsection (1).

28A Functions of Commissioner in relation to credit reporting

(1) In addition to the functions under sections 27 and 28, the Commissioner has the following functions in relation to credit reporting:

(a) to develop the Code of Conduct in consultation with government, commercial, consumer and other relevant bodies and organisations;

(b) to investigate an act or practice of a credit reporting agency or credit provider that may constitute a credit reporting infringement and, where the Commissioner considers it appropriate to do so, to endeavour, by conciliation, to effect a settlement of the matters that gave rise to the investigation;

(i) the Code of Conduct and the provisions of Part IIIA; and

(ii) the objects of those provisions;

(d) to make such determinations as the Commissioner is empowered to make under section 11B or Part IIIA; and

(e) to prepare, and to publish in such manner as the Commissioner considers appropriate, guidelines for the avoidance of acts or practices of a credit reporting agency or credit provider that may or might be interferences with the privacy of individuals;

(f) to provide advice (with or without a request) to a Minister, a credit reporting agency or a credit provider on any matter relevant to the operation of this Act;

(g) to conduct audits of credit information files maintained by credit reporting agencies, and credit reports in the possession, or under the control, of credit providers or credit reporting agencies, for the purpose of ascertaining whether the files or reports are maintained in accordance with the Code of Conduct and the provisions of Part IIIA;

(h) to monitor the security and accuracy of personal information contained in credit information files maintained by credit reporting agencies and in credit reports in the possession, or under the control, of credit providers or credit reporting agencies;

(j) to examine the records of credit reporting agencies and credit providers to ensure that:

(i) credit reporting agencies and credit providers are not using personal information contained in credit information files and credit reports for unauthorised purposes; and

(ii) credit reporting agencies and credit providers are taking adequate measures to prevent the unlawful disclosure of personal information contained in credit information files and credit reports;

(k) for the purpose of promoting the protection of individual privacy, to undertake educational programs on the Commissioner’s own behalf or in co‑operation with other persons or authorities on the Commissioner’s behalf;

(m) to do anything incidental or conducive to the performance of any of the preceding functions.

(2) The Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions under subsection (1).

29 Commissioner to have regard to certain matters

In the performance of his or her functions, and the exercise of his or her powers, under this Act, the Commissioner shall:

(a) have due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the recognition of the right of government and business to achieve their objectives in an efficient way;

(b) take account of:

(i) international obligations accepted by Australia, including those concerning the international technology of communications; and

(ii) developing general international guidelines relevant to the better protection of individual privacy;

(c) ensure that his or her recommendations and guidelines are, within the limitations of the powers of the Commonwealth, capable of acceptance, adaptation and extension throughout Australia; and

(d) ensure that his or her directions and guidelines are consistent with whichever of the following (if any) are relevant:

(i) the Information Privacy Principles;

(ii) the National Privacy Principles;

(iii) the Code of Conduct and Part IIIA.

Division 3—Reports by Commissioner

30 Reports following investigation of act or practice

(1) Where the Commissioner has investigated an act or practice without a complaint having been made under section 36, the Commissioner may report to the Minister about the act or practice, and shall do so:

(a) if so directed by the Minister; or

(b) if the Commissioner:

(i) thinks that the act or practice is an interference with the privacy of an individual; and

(ii) has not considered it appropriate to endeavour to effect a settlement of the matters that gave rise to the investigation or has endeavoured without success to effect such a settlement.

(2) Where the Commissioner reports under subsection (1) about an act done in accordance with a practice, the Commissioner shall also report to the Minister about the practice.

(3) Where, after an investigation under paragraph 27(1)(a), 28(1)(b) or (c) or 28A(1)(b) of an act or practice of an agency, file number recipient, credit reporting agency or credit provider, the Commissioner is required by virtue of paragraph (1)(b) of this section to report to the Minister about the act or practice, the Commissioner:

(a) shall set out in the report his or her findings and the reasons for those findings;

(b) may include in the report any recommendations by the Commissioner for preventing a repetition of the act or a continuation of the practice;

(i) the payment of compensation in respect of a person who has suffered loss or damage as a result of the act or practice;

(ii) the taking of other action to remedy or reduce loss or damage suffered by a person as a result of the act or practice;

(d) shall serve a copy of the report on the agency, file number recipient, credit reporting agency or credit provider concerned and the Minister (if any) responsible for the agency, recipient, credit reporting agency or credit provider; and

(e) may serve a copy of the report on any person affected by the act or practice.

(4) Where, at the end of 60 days after a copy of a report about an act or practice of an agency, file number recipient, credit reporting agency or credit provider was served under subsection (3), the Commissioner:

(a) still thinks that the act or practice is an interference with the privacy of an individual; and

(b) is not satisfied that reasonable steps have been taken to prevent a repetition of the act or a continuation of the practice;

the Commissioner shall give to the Minister a further report that:

(c) incorporates the first‑mentioned report and any document that the Commissioner has received, in response to the first‑mentioned report, from the agency, file number recipient, credit reporting agency or credit provider;

(d) states whether, to the knowledge of the Commissioner, any action has been taken as a result of the findings, and recommendations (if any), set out in the first‑mentioned report and, if so, the nature of that action; and

(e) states why the Commissioner is not satisfied that reasonable steps have been taken to prevent a repetition of the act or a continuation of the practice;

and shall serve a copy of the report on the Minister (if any) responsible for the agency, recipient, credit reporting agency or credit provider.

(5) The Minister shall cause a copy of a report given to the Minister under subsection (4) to be laid before each House of the Parliament within 15 sitting days of that House after the report is received by the Minister.

(6) This section does not apply to:

(a) a complaint made under section 36 in relation to an act or practice of an organisation; or

(b) a complaint the Commissioner accepts under subsection 40(1B).

31 Report following examination of proposed enactment

(1) Where the Commissioner has examined a proposed enactment under paragraph 27(1)(b), subsections (2) and (3) of this section have effect.

(2) If the Commissioner thinks that the proposed enactment would require or authorise acts or practices of an agency or organisation that would be interferences with the privacy of individuals, the Commissioner shall:

(a) report to the Minister about the proposed enactment; and

(b) include in the report any recommendations he or she wishes to make for amendment of the proposed enactment to ensure that it would not require or authorise such acts or practices.

(3) Otherwise, the Commissioner may report to the Minister about the proposed enactment, and shall do so if so directed by the Minister.

(4) Where the Privacy Commissioner is of the belief that it is in the public interest that the proposed enactment should be the subject of a further report, the Commissioner may give to the Minister a further report setting out the Commissioner’s reasons for so doing.

(5) The Minister shall cause a copy of a report given under subsection (4) to be laid before each House of the Parliament as soon as practicable, and no later than 15 sitting days of that House, after the report is received by the Minister.

32 Report following monitoring of certain activities

(1) Where the Commissioner, in the performance of the function referred to in paragraph 27(1)(c), (h), (ha), (j), (k), (m) or (r), 28(1)(e), (f) or (h) or 28A(1)(g), (h), (j) or (k), has monitored an activity or conducted an audit, the Commissioner may report to the Minister about that activity or audit, and shall do so if so directed by the Minister.

(2) Where the Privacy Commissioner is of the belief that it is in the public interest that the activity should be the subject of a further report, the Commissioner may give to the Minister a further report setting out the Commissioner’s reasons for so doing.

(3) The Minister shall cause a copy of a report given under subsection (2) to be laid before each House of the Parliament as soon as practicable, and no later than 15 sitting days of that House, after the report is received by the Minister.

33 Exclusion of certain matters from reports

(1) In setting out findings, opinions and reasons in a report to be given under section 30, 31 or 32, the Commissioner may exclude a matter if the Commissioner considers it desirable to do so having regard to the obligations of the Commissioner under subsections (2) and (3).

(2) In deciding under subsection (1) whether or not to exclude matter from a report, the Commissioner shall have regard to the need to prevent:

(a) prejudice to the security, defence or international relations of Australia;

(b) prejudice to relations between the Commonwealth Government and the Government of a State or between the Government of a State and the Government of another State;

(c) the disclosure of deliberations or decisions of the Cabinet, or of a Committee of the Cabinet, of the Commonwealth or of a State;

(d) the disclosure of deliberations or advice of the Federal Executive Council or the Executive Council of a State;

(da) the disclosure of the deliberations or decisions of the Australian Capital Territory Executive or of a committee of that Executive;

(e) the disclosure, or the ascertaining by a person, of the existence or identity of a confidential source of information in relation to the enforcement of the criminal law;

(f) the endangering of the life or safety of any person;

(g) prejudice to the proper enforcement of the law or the protection of public safety;

(h) the disclosure of information the disclosure of which is prohibited, absolutely or subject to qualifications, by or under another enactment;

(j) the unreasonable disclosure of the personal affairs of any person; and

(k) the unreasonable disclosure of confidential commercial information.

(3) The Commissioner shall try to achieve an appropriate balance between meeting the need referred to in subsection (2) and the desirability of ensuring that interested persons are sufficiently informed of the results of the Commissioner’s investigation, examination or monitoring.

(4) Where the Commissioner excludes a matter from a report, he or she shall give to the Minister a report setting out the excluded matter and his or her reasons for excluding the matter.

Division 4—Miscellaneous

34 Provisions relating to documents exempt under the Freedom of Information Act 1982

(1) The Commissioner shall not, in connection with the performance of the functions referred to in section 27, give to a person information as to the existence or non‑existence of a document where information as to the existence or non‑existence of that document would, if included in a document of an agency, cause the last‑mentioned document to be an exempt document by virtue of section 33 or 33A, or subsection 37(1), of the Freedom of Information Act 1982.

(2) The Commissioner shall not, in connection with the performance of the functions referred to in section 27, give to a person information:

(a) about the contents of a document of an agency, or the contents of an official document of a Minister, being a document that is an exempt document; or

(b) about exempt matter contained in a document of an agency or in an official document of a Minister.

(3) An expression used in this section and in the Freedom of Information Act 1982 has the same meaning in this section as in that Act.

35 Direction where refusal or failure to amend exempt document

(1) Where:

(a) an application made under subsection 55(1) of the Freedom of Information Act 1982 for review of a decision under that Act refusing access to a document has been finally determined or otherwise disposed of;

(b) the period within which an appeal may be made to the Federal Court has expired or, if such an appeal has been instituted, the appeal has been determined;

(d) the applicant has requested the agency concerned to amend the document;

(e) the applicant has complained to the Commissioner under this Act about the refusal or failure of the agency to amend the document;

(f) the Commissioner has, as a result of the complaint, recommended under subsection 30(3) of this Act that the agency amend the document, or amend a part of the document, to which the applicant has been refused access; and

(g) as at the end of 60 days after a copy of the report containing the recommendation was served on the agency, the Commissioner:

(i) still thinks that the agency should amend the document in a particular manner; and

(ii) is not satisfied that the agency has amended the document in that manner;

the Commissioner may direct the agency to add to the document an appropriate notation setting out particulars of the amendments of the document that the Commissioner thinks should be made.

(2) An agency shall comply with a direction given in accordance with subsection (1).

(3) In subsection (1), amend, in relation to a document, means amend by making a correction, deletion or addition.

(4) An expression used in this section and in the Freedom of Information Act 1982 has the same meaning in this section as in that Act.

Part V—Investigations

Division 1—Investigation of complaints and investigations on the Commissioner’s initiative

36 Complaints

(1) Subject to subsection (1A), an individual may complain to the Privacy Commissioner about an act or practice that may be an interference with the privacy of the individual.

(1A) Subsection (1) does not apply to a complaint by an individual about an act or practice of an organisation that is bound by an approved privacy code that:

(a) contains a procedure for making and dealing with complaints to an adjudicator in relation to acts or practices that may be an interference with the privacy of an individual; and

(b) is relevant to the act or practice complained of.

(1B) Subsection (1A) does not prevent an individual from making a complaint under an approved privacy code to the adjudicator for the code if the adjudicator is the Commissioner.

(1C) Subsection (1A) does not prevent an individual from complaining under this Part to the Commissioner about an act done, or practice engaged in, by an organisation purportedly for the purpose of meeting (directly or indirectly) an obligation under a Commonwealth contract (whether or not the organisation is a party to the contract).

Note: Section 40A requires an adjudicator for an approved privacy code to refer a code complaint to the Commissioner if the complaint is about an act or practice of a contracted service provider for a Commonwealth contract.

(2) In the case of an act or practice that may be an interference with the privacy of 2 or more individuals, any one of those individuals may make a complaint under subsection (1) on behalf of all of the individuals.

(2A) In the case of a representative complaint, this section has effect subject to section 38.

(3) A complaint shall be in writing.

(4) It is the duty of:

(a) members of the staff of the Commissioner; and

(b) members of the staff of the Ombudsman who have had powers of the Commissioner delegated to them under section 99;

to provide appropriate assistance to a person who wishes to make a complaint and requires assistance to formulate the complaint.

(5) The complaint shall specify the respondent to the complaint.

(6) In the case of a complaint about an act or practice of an agency:

(a) if the agency is an individual or a body corporate, the agency shall be the respondent; and

(b) if the agency is an unincorporated body, the principal executive of the agency shall be the respondent.

(7) In the case of a complaint about an act or practice of an organisation, the organisation is the respondent.

Note: Section 70A contains further rules about how this Part operates in relation to respondent organisations that are not legal persons.

(8) The respondent to a complaint about an act or practice described in one of paragraphs 13(b) to (d) (inclusive), other than an act or practice of an agency or organisation, is the person who engaged in the act or practice.

37 Principal executive of agency

The principal executive of an agency of a kind specified in column 1 of an item in the following table is the person specified in column 2 of the item:

Item	Column 1 Agency	Column 2 Principal executive
1	Department	The Secretary of the Department
2	An unincorporated body, or a tribunal, referred to in paragraph (c) of the definition of agency in subsection 6(1)	The chief executive officer of the body or tribunal
3	A body referred to in paragraph (d) of the definition of agency in subsection 6(1)	The chief executive officer of the body
4	A federal court	The registrar or principal registrar of the court or the person occupying an equivalent office
5	The Australian Federal Police	The Commissioner of Police
6	An eligible case manager that is an individual	The individual
7	An eligible case manager that is not an individual	The individual primarily responsible for the management of the eligible case manager
8	The nominated AGHS company	The chief executive officer of the company
9	An eligible hearing service provider that is an individual	The individual
10	An eligible hearing service provider that is not an individual	The individual primarily responsible for the management of the eligible hearing service provider

38 Conditions for making a representative complaint

(1) A representative complaint may be lodged under section 36 or accepted under subsection 40(1B) only if:

(a) the class members have complaints against the same person; and

(b) all the complaints are in respect of, or arise out of, the same, similar or related circumstances; and

(2) A representative complaint made under section 36 or accepted under subsection 40(1B) must:

(a) describe or otherwise identify the class members; and

(b) specify the nature of the complaints made on behalf of the class members; and

(d) specify the questions of law or fact that are common to the complaints of the class members.

In describing or otherwise identifying the class members, it is not necessary to name them or specify how many there are.

(3) A representative complaint may be lodged without the consent of class members.

38A Commissioner may determine that a complaint is not to continue as a representative complaint

(1) The Commissioner may, on application by the respondent or on his or her own initiative, determine that a complaint should no longer continue as a representative complaint.

(2) The Commissioner may only make such a determination if the Commissioner is satisfied that it is in the interests of justice to do so for any of the following reasons:

(a) the costs that would be incurred if the complaint were to continue as a representative complaint are likely to exceed the costs that would be incurred if each class member lodged a separate complaint;

(b) the representative complaint will not provide an efficient and effective means of dealing with the complaints of the class members;

(d) it is otherwise inappropriate that the complaints be pursued by means of a representative complaint.

(3) If the Commissioner makes such a determination:

(a) the complaint may be continued as a complaint by the complainant on his or her own behalf against the respondent; and

(b) on the application of a person who was a class member for the purposes of the former representative complaint, the Commissioner may join that person as a complainant to the complaint as continued under paragraph (a).

38B Additional rules applying to the determination of representative complaints

(1) The Commissioner may, on application by a class member, replace the complainant with another class member, where it appears to the Commissioner that the complainant is not able adequately to represent the interests of the class members.

(2) A class member may, by notice in writing to the Commissioner, withdraw from a representative complaint at any time before the Commissioner begins to hold an inquiry into the complaint.

(3) The Commissioner may at any stage direct that notice of any matter be given to a class member or class members.

38C Amendment of representative complaints

If the Commissioner is satisfied that a complaint could be dealt with as a representative complaint if the class of persons on whose behalf the complaint is lodged is increased, reduced or otherwise altered, the Commissioner may amend the complaint so that the complaint can be dealt with as a representative complaint.

39 Class member for representative complaint not entitled to lodge individual complaint

A person who is a class member for a representative complaint is not entitled to lodge a complaint in respect of the same subject matter.

40 Investigations

(1) Subject to subsection (1A), the Commissioner shall investigate an act or practice if:

(a) the act or practice may be an interference with the privacy of an individual; and

(b) a complaint about the act or practice has been made under section 36.

(1A) The Commissioner must not investigate a complaint if the complainant did not complain to the respondent before making the complaint to the Commissioner under section 36. However, the Commissioner may decide to investigate the complaint if he or she considers that it was not appropriate for the complainant to complain to the respondent.

(1B) The Commissioner must investigate under this Part a complaint about an act or practice of an organisation that is bound by a relevant approved privacy code that contains a procedure for making and dealing with complaints in relation to acts or practices that may be an interference with the privacy of an individual if:

(a) the act or practice occurred after the approval of the code came into effect; and

(b) the adjudicator for the code refers the complaint to the Commissioner; and

(d) the Commissioner consults the complainant before accepting the complaint.

(1C) If the Commissioner accepts a complaint mentioned in subsection (1B), the Commissioner must deal with it as if it were a complaint made under section 36 in relation to an act or practice of the organisation.

(2) The Commissioner may investigate an act or practice if:

(a) the act or practice may be an interference with the privacy of an individual; and

(b) the Commissioner thinks it is desirable that the act or practice be investigated.

(3) This section has effect subject to section 41.

40A Referring complaint about act under Commonwealth contract

(1) This section applies if:

(a) a complaint is made to an adjudicator for an approved privacy code; and

(b) the adjudicator forms the view that the complaint is about an act done or practice engaged in:

(i) by an organisation that is a contracted service provider for a Commonwealth contract; and

(ii) for the purposes of meeting (directly or indirectly) an obligation under the contract.

(2) Despite the code, the adjudicator must:

(a) stop investigating the complaint under the code (without making a determination under the code about the complaint); and

(b) refer the complaint to the Commissioner under subsection 40(1B) for investigation under this Part.

(3) The Commissioner must accept the complaint under subsection 40(1B).

Note: This means that the Commissioner must investigate the complaint (subject to section 41) as if the complaint had been made to the Commissioner under section 36. See subsections 40(1B) and (1C).

41 Circumstances in which Commissioner may decide not to investigate or may defer investigation

(1) The Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under section 36, or which the Commissioner has accepted under subsection 40(1B), if the Commissioner is satisfied that:

(a) the act or practice is not an interference with the privacy of an individual;

(d) the complaint is frivolous, vexatious, misconceived or lacking in substance;

(e) the act or practice is the subject of an application under another Commonwealth law, or a State or Territory law, and the subject‑matter of the complaint has been, or is being, dealt with adequately under that law; or

(f) another Commonwealth law, or a State or Territory law, provides a more appropriate remedy for the act or practice that is the subject of the complaint.

(2) The Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under section 36, or accepted by the Commissioner under subsection 40(1B), if the Commissioner is satisfied that the complainant has complained to the respondent about the act or practice and either:

(a) the respondent has dealt, or is dealing, adequately with the complaint; or

(b) the respondent has not yet had an adequate opportunity to deal with the complaint.

(3) The Commissioner may defer the investigation or further investigation of an act or practice about which a complaint has been made under section 36, or accepted by the Commissioner under subsection 40(1B), if:

(a) an application has been made by the respondent for a determination under section 72 in relation to the act or practice; and

(b) the Commissioner is satisfied that the interests of persons affected by the act or practice would not be unreasonably prejudiced if the investigation or further investigation were deferred until the application had been disposed of.

42 Preliminary inquiries

Where a complaint has been made to the Commissioner, or the Commissioner accepts a complaint under subsection 40(1B), the Commissioner may, for the purpose of determining:

(a) whether the Commissioner has power to investigate the matter to which the complaint relates; or

(b) whether the Commissioner may, in his or her discretion, decide not to investigate the matter;

make inquiries of the respondent.

43 Conduct of investigations

(1) Before commencing an investigation of a matter to which a complaint relates, the Commissioner shall inform the respondent that the matter is to be investigated.

(1A) Before starting to investigate an act done, or practice engaged in, by a contracted service provider for the purpose of providing (directly or indirectly) a service to an agency under a Commonwealth contract, the Commissioner must also inform the agency that the act or practice is to be investigated.

Note: See subsection 6(9) about provision of services to an agency.

(2) An investigation under this Division shall be conducted in private but otherwise in such manner as the Commissioner thinks fit.

(3) The Commissioner may, for the purposes of an investigation, obtain information from such persons, and make such inquiries, as he or she thinks fit.

(4) Subject to subsection (5), it is not necessary for a complainant or respondent to be afforded an opportunity to appear before the Commissioner in connection with an investigation under this Division.

(5) The Commissioner shall not make a finding under section 52 that is adverse to a complainant or respondent unless the Commissioner has afforded the complainant or respondent an opportunity to appear before the Commissioner and to make submissions, orally, in writing or both, in relation to the matter to which the investigation relates.

(6) Where the Commissioner affords an agency, organisation or person an opportunity to appear before the Commissioner under subsection (5), the agency, organisation or person may, with the approval of the Commissioner, be represented by another person.

(7) Where, in connection with an investigation of a matter under this Division, the Commissioner proposes to afford the complainant or respondent an opportunity to appear before the Commissioner and to make submissions under subsection (5), or proposes to make a requirement of a person under section 44, the Commissioner shall, if he or she has not previously informed the responsible Minister (if any) that the matter is being investigated, inform that Minister accordingly.

(8) The Commissioner may, either before or after the completion of an investigation under this Division, discuss any matter that is relevant to the investigation with a Minister concerned with the matter.

(8A) Subsection (8) does not allow the Commissioner to discuss a matter relevant to an investigation of a breach of an approved privacy code or the National Privacy Principles with a Minister, unless the investigation is of an act done, or practice engaged in:

(a) by a contracted service provider for a Commonwealth contract; and

(b) for the purpose of providing a service to an agency to meet (directly or indirectly) an obligation under the contract.

(9) Where the Commissioner forms the opinion, either before or after completing an investigation under this Division, that there is evidence that an officer of an agency has been guilty of a breach of duty or of misconduct and that the evidence is, in all the circumstances, of sufficient force to justify the Commissioner doing so, the Commissioner shall bring the evidence to the notice of:

(a) an appropriate officer of an agency; or

(b) if the Commissioner thinks that there is no officer of an agency to whose notice the evidence may appropriately be drawn—an appropriate Minister.

44 Power to obtain information and documents

(1) If the Commissioner has reason to believe that a person has information or a document relevant to an investigation under this Division, the Commissioner may give to the person a written notice requiring the person:

(a) to give the information to the Commissioner in writing signed by the person or, in the case of a body corporate, by an officer of the body corporate; or

(b) to produce the document to the Commissioner.

(2) A notice given by the Commissioner under subsection (1) shall state:

(a) the place at which the information or document is to be given or produced to the Commissioner; and

(b) the time at which, or the period within which, the information or document is to be given or produced.

(2A) If documents are produced to the Commissioner in accordance with a requirement under subsection (1), the Commissioner:

(a) may take possession of, and may make copies of, or take extracts from, the documents; and

(b) may retain possession of the documents for any period that is necessary for the purposes of the investigation to which the documents relate; and

(c) during that period must permit a person who would be entitled to inspect any one or more of the documents if they were not in the Commissioner’s possession to inspect at all reasonable times any of the documents that the person would be so entitled to inspect.

(3) If the Commissioner has reason to believe that a person has information relevant to an investigation under this Division, the Commissioner may give to the person a written notice requiring the person to attend before the Commissioner at a time and place specified in the notice to answer questions relevant to the investigation.

(4) This section is subject to sections 69 and 70 but it has effect regardless of any other enactment.

(5) A person is not liable to a penalty under the provisions of any other enactment because he or she gives information, produces a document or answers a question when required to do so under this Division.

45 Power to examine witnesses

(1) The Commissioner may administer an oath or affirmation to a person required under section 44 to attend before the Commissioner and may examine such a person on oath or affirmation.

(2) The oath or affirmation to be taken or made by a person for the purposes of this section is an oath or affirmation that the answers the person will give will be true.

46 Directions to persons to attend compulsory conference

(1) For the purposes of performing the Commissioner’s functions in relation to a complaint (except an NPP complaint or a code complaint accepted under subsection 40(1B)), the Commissioner may, by written notice, direct:

(a) the complainant;

(b) the respondent; and

(c) any other person who, in the opinion of the Commissioner, is likely to be able to provide information relevant to the matter to which the complaint relates or whose presence at the conference is, in the opinion of the Commissioner, likely to assist in connection with the performance of the Commissioner’s functions in relation to the complaint;

to attend, at a time and place specified in the notice, a conference presided over by the Commissioner.

(2) A person who has been directed to attend a conference and who:

(a) fails to attend as required by the direction; or

(b) fails to attend from day to day unless excused, or released from further attendance, by the Commissioner;

is guilty of an offence punishable on conviction:

(c) in the case of an individual—by a fine not exceeding $1,000 or imprisonment for a period not exceeding 6 months, or both; or

(d) in the case of a body corporate—by a fine not exceeding $5,000.

(2A) Subsection (2) does not apply if the person has a reasonable excuse.

Note: A defendant bears an evidential burden in relation to the matter in subsection (2A) (see subsection 13.3(3) of the Criminal Code).

(3) A person who has been directed under subsection (1) to attend a conference is entitled to be paid by the Commonwealth a reasonable sum for the person’s attendance at the conference.

(4) The Commissioner may, in a notice given to a person under subsection (1), require the person to produce such documents at the conference as are specified in the notice.

47 Conduct of compulsory conference

(1) The Commissioner may require a person attending a conference under this Division to produce a document.

(2) A conference under this Division shall be held in private and shall be conducted in such manner as the Commissioner thinks fit.

(3) A body of persons, whether corporate or unincorporate, that is directed under section 46 to attend a conference shall be deemed to attend if a member, officer or employee of that body attends on behalf of that body.

(4) Except with the consent of the Commissioner:

(a) an individual is not entitled to be represented at the conference by another person; and

(b) a body of persons, whether corporate or unincorporate, is not entitled to be represented at the conference by a person other than a member, officer or employee of that body.

48 Complainant and certain other persons to be informed of various matters

(1) Where the Commissioner decides not to investigate, or not to investigate further, a matter to which a complaint relates, the Commissioner shall, as soon as practicable and in such manner as the Commissioner thinks fit, inform the complainant and the respondent of the decision and of the reasons for the decision.

(2) If the Commissioner decides not to investigate (at all or further) an act done, or practice engaged in, by a contracted service provider for the purpose of providing (directly or indirectly) a service to an agency under a Commonwealth contract, the Commissioner must also inform the agency of the decision.

Note: See subsection 6(9) about provision of services to an agency.

49 Investigation under section 40 to cease if certain offences may have been committed

(1) Where, in the course of an investigation under section 40, the Commissioner forms the opinion that a tax file number offence or a credit reporting offence may have been committed, the Commissioner shall:

(a) inform the Commissioner of Police or the Director of Public Prosecutions of that opinion;

(b) in the case of an investigation under subsection 40(1), give a copy of the complaint to the Commissioner of Police or the Director of Public Prosecutions, as the case may be; and

(c) subject to subsection (3), discontinue the investigation except to the extent that it concerns matters unconnected with the offence that the Commissioner believes may have been committed.

(2) If, after having been informed of the Commissioner’s opinion under paragraph (1)(a), the Commissioner of Police or the Director of Public Prosecutions, as the case may be, decides that the matter will not be, or will no longer be, the subject of proceedings for an offence, he or she shall give a written notice to that effect to the Commissioner.

(3) Upon receiving such a notice the Commissioner may continue the investigation discontinued under paragraph (1)(c).

(4) In subsection (1):

credit reporting offence means:

(a) an offence against subsection 18C(4), 18D(4), 18K(4), 18L(2), 18N(2), 18R(2) or 18S(3) or section 18T; or

(b) an offence against section 6 of the Crimes Act 1914, or section 11.1, 11.4 or 11.5 of the Criminal Code, being an offence that relates to an offence referred to in paragraph (a) of this definition.

tax file number offence means:

(a) an offence against section 8WA or 8WB of the Taxation Administration Act 1953; or

50 Reference of matters to other authorities

(1) In this section:

Human Rights and Equal Opportunity Commission includes a person performing functions of that Commission.

Ombudsman means the Commonwealth Ombudsman.

(2) Where, before the Commissioner commences, or after the Commissioner has commenced, to investigate a matter to which a complaint relates, the Commissioner forms the opinion that:

(a) a complaint relating to that matter has been, or could have been, made by the complainant:

(i) to the Human Rights and Equal Opportunity Commission under Division 3 of Part II of the Human Rights and Equal Opportunity Commission Act 1986; or

(ii) to the Ombudsman under the Ombudsman Act 1976; or

(b) an application with respect to that matter has been, or could have been, made by the complainant to the Public Service Commissioner under the Public Service Act 1999;

and that that matter could be more conveniently or effectively dealt with by the Human Rights and Equal Opportunity Commission, the Ombudsman, or the Public Service Commissioner, as the case may be, the Commissioner may decide not to investigate the matter, or not to investigate the matter further, as the case may be, and, if the Commissioner so decides, he or she shall:

(c) transfer the complaint to the Human Rights and Equal Opportunity Commission, the Ombudsman or the Public Service Commissioner;

(d) give notice in writing to the complainant stating that the complaint has been so transferred; and

(e) give to the Human Rights and Equal Opportunity Commission, the Ombudsman or the Public Service Commissioner any information or documents that relate to the complaint and are in the possession, or under the control, of the Commissioner.

(3) A complaint transferred under subsection (2) shall be taken to be:

(a) a complaint made:

(i) to the Human Rights and Equal Opportunity Commission under Division 3 of Part II of the Human Rights and Equal Opportunity Commission Act 1986; or

(ii) to the Ombudsman under the Ombudsman Act 1976; or

(b) an application made to the Public Service Commissioner under the Public Service Act 1999;

as the case requires.

50A Substitution of respondent to complaint

(1) This section lets the Commissioner substitute an agency for an organisation as respondent to a complaint if:

(a) the organisation is a contracted service provider for a Commonwealth contract to provide services to the agency; and

(b) before the Commissioner makes a determination under section 52 in relation to the complaint, the organisation:

(i) dies or ceases to exist; or

(ii) becomes bankrupt or insolvent, commences to be wound up, applies to take the benefit of a law for the relief of bankrupt or insolvent debtors, compounds with creditors or makes an assignment of any property for the benefit of creditors.

(2) The Commissioner may amend the complaint to specify as a respondent to the complaint the agency or its principal executive, instead of the organisation.

Note 1: The complaint still relates to the act or practice of the organisation.

Note 2: Section 53B lets the Commissioner treat an agency as a respondent to a determination if the organisation cannot comply with a determination to pay an amount to a complainant.

(3) Before amending the complaint, the Commissioner must:

(a) give the agency a notice stating that the Commissioner proposes to amend the complaint and stating the reasons for the proposal; and

(b) give the agency an opportunity to appear before the Commissioner and to make oral and/or written submissions relating to the proposed amendment.

(4) If the Commissioner amends the complaint after starting to investigate it, the Commissioner is taken to have satisfied subsection 43(1A) in relation to the agency.

51 Effect of investigation by Auditor‑General

Where the Commissioner becomes aware that a matter being investigated by the Commissioner is, or is related to, a matter that is under investigation by the Auditor‑General, the Commissioner shall not, unless the Commissioner and Auditor‑General agree to the contrary, continue to investigate the matter until the investigation by the Auditor‑General has been completed.

Division 2—Determinations following investigation of complaints

52 Determination of the Commissioner

(1) After investigating a complaint, the Commissioner may:

(a) make a determination dismissing the complaint; or

(b) find the complaint substantiated and make a determination that includes one or more of the following:

(i) a declaration:

(A) where the principal executive of an agency is the respondent—that the agency has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct; or

(B) in any other case—that the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct;

(ii) a declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant;

(iii) a declaration that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint;

(iv) a declaration that it would be inappropriate for any further action to be taken in the matter.

(1A) The loss or damage referred to in paragraph (1)(b) includes injury to the complainant’s feelings or humiliation suffered by the complainant.

(1B) A determination of the Commissioner under subsection (1) is not binding or conclusive between any of the parties to the determination.

(2) The Commissioner shall, in a determination, state any findings of fact upon which the determination is based.

(3) In a determination under paragraph (1)(a) or (b) (other than a determination made on a representative complaint), the Commissioner may include a declaration that the complainant is entitled to a specified amount to reimburse the complainant for expenses reasonably incurred by the complainant in connection with the making of the complaint and the investigation of the complaint.

(3A) The Commissioner may include an order mentioned in subsection (3B) in a determination under subparagraph (1)(b)(i) or (ii) that concerns a breach of:

(a) Information Privacy Principle 7; or

(b) National Privacy Principle 6, to the extent that it deals with the correction of personal information; or

(c) a provision of an approved privacy code that corresponds to National Privacy Principle 6, to the extent that it deals with the correction of personal information; or

(d) section 18J.

(3B) A determination may include an order that:

(a) an agency or respondent make an appropriate correction, deletion or addition to a record, or to a credit information file or credit report, as the case may be; or

(b) an agency or respondent attach to a record, or include in a credit information file or credit report, as the case may be, a statement provided by the complainant of a correction, deletion or addition sought by the complainant.

(4) A determination by the Commissioner under subparagraph (1)(b)(iii) on a representative complaint:

(a) may provide for payment of specified amounts or of amounts worked out in a manner specified by the Commissioner; and

(b) if the Commissioner provides for payment in accordance with paragraph (a), must make provision for the payment of the money to the complainants concerned.

(5) If the Commissioner makes a determination under subparagraph (1)(b)(iii) on a representative complaint, the Commissioner may give such directions (if any) as he or she thinks just in relation to:

(a) the manner in which a class member is to establish his or her entitlement to the payment of an amount under the determination; and

(b) the manner for determining any dispute regarding the entitlement of a class member to the payment.

(6) In this section:

complainant, in relation to a representative complaint, means the class members.

53 Determination must identify the class members who are to be affected by the determination

A determination under section 52 on a representative complaint must describe or otherwise identify those of the class members who are to be affected by the determination.

53A Notice to be given to outsourcing agency

(1) If the Commissioner makes a determination to which a contracted service provider for a Commonwealth contract is the respondent, the Commissioner:

(a) must give a copy of the determination to each agency:

(i) to which services are or were to be provided under the contract; and

(ii) to which the Commissioner considers it appropriate to give a copy; and

(b) may give such an agency a written recommendation of any measures that the Commissioner considers appropriate.

(2) The Commissioner may give an agency a recommendation only after consulting the agency.

(3) An agency that receives a recommendation from the Commissioner must tell the Commissioner in writing of any action the agency proposes to take in relation to the recommendation. The agency must do so within 60 days of receiving the recommendation.

53B Substituting respondent to determination

(1) This section applies if:

(a) the respondent to a determination under subsection 52(1) is a contracted service provider for a Commonwealth contract; and

(b) the determination includes:

(i) a declaration under subparagraph 52(1)(b)(iii) that the complainant is entitled to a specified amount by way of compensation; or

(ii) a declaration under subsection 52(3) that the complainant is entitled to a specified amount by way of reimbursement; and

(i) dies or ceases to exist; or

(d) at that time, the complainant had not been paid the whole or part of an amount referred to in subparagraph (b)(i) or (b)(ii).

(2) The Commissioner may determine in writing that a specified agency to which services were or were to be provided under the contract is the respondent to the determination under section 52. The determination has effect according to its terms for the purposes of section 60.

Note: This means that the amount owed by the contracted service provider will be a debt due by the agency to the complainant.

(3) Before making a determination, the Commissioner must give the agency:

(a) a notice stating that the Commissioner proposes to make the determination and stating the reasons for the proposal; and

(b) an opportunity to appear before the Commissioner and to make oral and/or written submissions relating to the proposed determination.

Division 3—Enforcement

54 Application of Division

(1) This Division applies to a determination made under section 52 after the commencement of this Division, except where the respondent to the determination is an agency or the principal executive of an agency.

(1A) This Division also applies to a determination made by an adjudicator for an approved privacy code under the code in relation to a complaint made under the code.

Note: The making of a determination by the Commissioner under this Act is subject to judicial review under the Administrative Decisions (Judicial Review) Act 1977.

(2) In this section:

agency does not include the nominated AGHS company, an eligible hearing service provider or an eligible case manager.

55 Obligations of respondent organisation

Determination under section 52

(1) An organisation that is the respondent to a determination made under section 52:

(a) must not repeat or continue conduct that is covered by a declaration that is included in the determination under sub‑subparagraph 52(1)(b)(i)(B); and

(b) must perform the act or course of conduct that is covered by a declaration that is included in the determination under subparagraph 52(1)(b)(ii).

Determination under approved privacy code

(2) An organisation that is the respondent to a determination made under an approved privacy code:

(a) must not repeat or continue conduct that is covered by a declaration that is included in the determination and that corresponds to a declaration mentioned in paragraph (1)(a); and

(b) must perform the act or course of conduct that is covered by a declaration that is included in the determination and that corresponds to a declaration mentioned in paragraph (1)(b).

55A Proceedings in the Federal Court or Federal Magistrates Court to enforce a determination

(1) Any of the following persons may commence proceedings in the Federal Court or the Federal Magistrates Court for an order to enforce a determination:

(a) the complainant;

(b) the Commissioner, if the determination was made under section 52;

(c) the adjudicator for the approved privacy code under which the determination was made, if it was made under an approved privacy code.

(2) If the court is satisfied that the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant, the court may make such orders (including a declaration of right) as it thinks fit.

(3) The court may, if it thinks fit, grant an interim injunction pending the determination of the proceedings.

(4) The court is not to require a person, as a condition of granting an interim injunction, to give an undertaking as to damages.

(5) The court is to deal by way of a hearing de novo with the question whether the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant.

(6) Despite subsection (5), the court may receive any of the following as evidence in proceedings about a determination made by the Commissioner under section 52:

(a) a copy of the Commissioner’s written reasons for the determination;

(b) a copy of any document that was before the Commissioner;

(c) a copy of a record (including any tape recording) of any appearance before the Commissioner (including any oral submissions made) under subsection 43(5).

(7) Despite subsection (5), the court may receive any of the following as evidence in proceedings about a determination made by an adjudicator under an approved privacy code:

(a) a copy of the adjudicator’s written reasons for the determination;

(b) a copy of any document that was before the adjudicator;

(c) a copy of a record (including any tape recording) of any appearance before the adjudicator (including any oral submissions made).

(7A) In conducting a hearing and making an order under this section, the court is to have due regard to the matters that paragraph 29(a) requires the Commissioner to have due regard to.

(8) In this section:

complainant, in relation to a representative complaint, means any of the class members.

55B Evidentiary certificate

(1) The Commissioner may issue a written certificate setting out the findings of fact upon which the Commissioner based his or her determination that:

(a) a specified agency had breached an Information Privacy Principle; or

(b) a specified organisation had breached an approved privacy code or a National Privacy Principle.

(2) An adjudicator for an approved privacy code may issue a written certificate setting out the findings of fact upon which the adjudicator based his or her determination that a specified organisation had breached an approved privacy code.

(3) In any proceedings under section 55A, a certificate under subsection (1) or (2) of this section is prima facie evidence of the facts found by the Commissioner or adjudicator and set out in the certificate. However, the certificate is not prima facie evidence of a finding that:

(a) a specified agency had breached an Information Privacy Principle; or

(b) a specified organisation had breached an approved privacy code or a National Privacy Principle.

(4) A document purporting to be a certificate under subsection (1) or (2) must, unless the contrary is established, be taken to be a certificate and to have been properly given.

Division 4—Review and enforcement of determinations involving Commonwealth agencies

57 Application of Division

(1) This Division applies to a determination that is made under section 52 and has an agency, or the principal executive of an agency, as the respondent.

(2) In this section:

agency does not include the nominated AGHS company, an eligible hearing service provider or an eligible case manager.

58 Obligations of respondent agency

If an agency is the respondent to a determination to which this Division applies:

(a) the agency must not repeat or continue conduct that is covered by a declaration included in the determination under subparagraph 52(1)(b)(i); and

(b) the agency must perform the act or course of conduct that is covered by a declaration included in the determination under subparagraph 52(1)(b)(ii).

59 Obligations of principal executive of agency

If the principal executive of an agency is the respondent to a determination to which this Division applies, the principal executive must take all such steps as are reasonably within his or her power to ensure:

(a) that the terms of the determination are brought to the notice of all members, officers and employees of the agency whose duties are such that they may engage in conduct of the kind to which the determination relates; and

(b) that no member, officer or employee of the agency repeats or continues conduct that is covered by a declaration included in the determination under subparagraph 52(1)(b)(i); and

(c) the performance of any act or course of conduct that is covered by a declaration included in the determination under subparagraph 52(1)(b)(ii).

60 Compensation and expenses

(1) If a determination to which this Division applies includes a declaration of the kind referred to in subparagraph 52(1)(b)(iii) or subsection 52(3), the complainant is entitled to be paid the amount specified in the declaration.

(2) If the respondent is an agency that has the capacity to sue and be sued, the amount is recoverable as a debt due by the agency to the complainant. In any other case, the amount is recoverable as a debt due by the Commonwealth to the complainant.

(3) In this section:

complainant, in relation to a representative complaint, means a class member.

61 Review of determinations regarding compensation and expenses

(1) Application may be made to the Administrative Appeals Tribunal for review of:

(a) a declaration of the kind referred to in subparagraph 52(1)(b)(iii) or subsection 52(3) that is included in a determination to which this Division applies; or

(b) a decision of the Commissioner refusing to include such a declaration in a determination to which this Division applies.

(2) An agency, or the principal executive of an agency, may not apply for review without the permission of the Minister.

62 Enforcement of determination against an agency

(1) If an agency fails to comply with section 58, an application may be made to the Federal Court or the Federal Magistrates Court for an order directing the agency to comply.

(2) If the principal executive of an agency fails to comply with section 59, an application may be made to the Federal Court or the Federal Magistrates Court for an order directing the principal executive to comply.

(3) The application may be made by the Commissioner or by the complainant. In the case of a representative complaint, complainant means a class member.

(4) On an application under this section, the court may make such other orders as it thinks fit with a view to securing compliance by the respondent.

(5) An application may not be made under this section in relation to a determination under section 52 until:

(a) the time has expired for making an application under section 61 for review of the determination; or

(b) if such an application is made, the decision of the Administrative Appeals Tribunal on the application has come into operation.

Division 5—Miscellaneous

63 Legal assistance

(1) If:

(a) the Commissioner has dismissed a file number complaint; and

(b) the respondent to the complaint is not an agency or the principal executive of an agency;

the respondent may apply to the Attorney‑General for assistance under this section.

(2) A person who:

(a) has commenced or proposes to commence proceedings in the Federal Court or the Federal Magistrates Court under section 55; or

(b) has engaged in conduct or is alleged to have engaged in conduct in respect of which proceedings have been commenced in the Federal Court or the Federal Magistrates Court under section 55;

may apply to the Attorney‑General for the provision of assistance under this section in respect of the proceedings.

(2A) Subsection (2) does not permit an application relating to proceedings under section 55A to enforce a determination relating to a code complaint or an NPP complaint.

(3) If the Attorney‑General is satisfied that in all the circumstances it is reasonable to grant an application made under this section, he or she may authorise the provision by the Commonwealth to the applicant of:

(a) in the case of an application under subsection (1)—such financial assistance in connection with the investigation of the complaint as the Attorney‑General determines; or

(b) in the case of an application under subsection (2)—such legal or financial assistance in respect of the proceeding as the Attorney‑General determines.

(4) An authorisation under subsection (3) may be made subject to such conditions (if any) as the Attorney‑General determines.

(5) In considering an application made under this section, the Attorney‑General must have regard to any hardship to the applicant that refusal of the application would involve.

64 Commissioner etc. not to be sued

(1) Neither the Commissioner nor a person acting under his or her direction or authority is liable to an action, suit or proceeding in relation to an act done or omitted to be done in good faith in the exercise or purported exercise of any power or authority conferred by this Act.

(2) Neither an adjudicator for an approved privacy code, nor a person acting under his or her direction or authority, is liable to an action, suit or proceeding in relation to an act done or omitted to be done in good faith in the exercise or purported exercise of any power or authority conferred by this Act or the code.

65 Failure to attend etc. before Commissioner

(1) A person shall not:

(a) refuse or fail to attend before the Commissioner; or

(b) refuse or fail to be sworn or make an affirmation;

when so required under this Act.

Penalty: $2,000 or imprisonment for 12 months, or both.

(2) Subsection (1) does not apply if the person has a reasonable excuse.

Note: A defendant bears an evidential burden in relation to the matter in subsection (2) (see subsection 13.3(3) of the Criminal Code).

Penalty: $2,000 or imprisonment for 12 months, or both.

(3) A person shall not furnish information or make a statement to the Commissioner knowing that it is false or misleading in a material particular.

Penalty: $2,000 or imprisonment for 12 months, or both.

66 Failure to give information etc.

(1) A person shall not refuse or fail:

(a) to give information; or

(b) to answer a question or produce a document or record;

when so required under this Act.

Penalty:

(a) in the case of an individual—$2,000 or imprisonment for 12 months, or both; or

(b) in the case of a body corporate—$10,000.

(1A) For the purposes of subsection (1B), a journalist has a reasonable excuse if giving the information, answering the question or producing the document or record would tend to reveal the identity of a person who gave information or a document or record to the journalist in confidence.

(1B) Subsection (1) does not apply if the person has a reasonable excuse.

Note: A defendant bears an evidential burden in relation to the matter in subsection (1B) (see subsection 13.3(3) of the Criminal Code).

(2) For the purposes of subsections (3) to (11) (inclusive):

document includes a record.

information includes an answer to a question.

(3) Subject to subsections (4), (7) and (10), it is a reasonable excuse for the purposes of subsection (1B) for an individual:

(a) to refuse or fail to give information when so required under this Act; or

(b) to refuse or fail to produce a document when so required under this Act;

that giving the information, or producing the document, as the case may be, might tend to incriminate the individual or make the individual liable to forfeiture or a penalty.

(4) Subsection (3) does not apply in relation to a failure or refusal by an individual to give information, or to produce a document, on the ground that giving the information or producing the document might tend to prove his or her guilt of an offence against, or make him or her liable to forfeiture or a penalty under, a law of the Commonwealth or of a Territory, if the Director of Public Prosecutions has given the individual a written undertaking under subsection (5).

(5) An undertaking by the Director of Public Prosecutions shall:

(a) be an undertaking that:

(i) information given, or a document produced, by the individual; or

(ii) any information or document obtained as a direct or indirect consequence of the giving of the information, or the production of the document;

will not be used in evidence in any proceedings for an offence against a law of the Commonwealth or of a Territory, or in any disciplinary proceedings, against the individual, other than proceedings in respect of the falsity of evidence given by the individual;

(b) state that, in the opinion of the Director of Public Prosecutions, there are special reasons why, in the public interest, the information or document should be available to the Commissioner; and

(6) The Commissioner may recommend to the Director of Public Prosecutions that an individual who has been, or is to be, required under this Act to give information or produce a document be given an undertaking under subsection (5).

(7) Subsection (3) does not apply in relation to a failure or refusal by an individual to give information, or to produce a document, on the ground that giving the information or producing the document might tend to prove his or her guilt of an offence against, or make him or her liable to forfeiture or a penalty under, a law of a State, if the Attorney‑General of the State, or a person authorised by that Attorney‑General (being the person holding the office of Director of Public Prosecutions, or a similar office, of the State) has given the individual a written undertaking under subsection (8).

(8) An undertaking by the Attorney‑General of the State, or authorised person, shall:

(a) be an undertaking that:

(i) information given, or a document produced, by the individual; or

(ii) any information or document obtained as a direct or indirect consequence of the giving of the information, or the production of the document;

will not be used in evidence in any proceedings for an offence against a law of the State, or in any disciplinary proceedings, against the individual, other than proceedings in respect of the falsity of evidence given by the individual;

(b) state that, in the opinion of the person giving the undertaking, there are special reasons why, in the public interest, the information or document should be available to the Commissioner; and

(9) The Commissioner may recommend to the Attorney‑General of a State that an individual who has been, or is to be, required under this Act to give information or produce a document be given an undertaking under subsection (8).

(10) For the purposes of subsection (1B):

(a) it is not a reasonable excuse for a body corporate to refuse or fail to produce a document that production of the document might tend to incriminate the body corporate or make it liable to forfeiture or a penalty; and

(b) it is not a reasonable excuse for an individual to refuse or fail to produce a document that is, or forms part of, a record of an existing or past business (not being, if the individual is or has been an employee, a document that sets out details of earnings received by the individual in respect of his or her employment and does not set out any other information) that production of the document might tend to incriminate the individual or make the individual liable to forfeiture or a penalty.

(11) Subsections (4), (7) and (10) do not apply where proceedings, in respect of which giving information or producing a document might tend to incriminate an individual or make an individual liable to forfeiture or a penalty, have been commenced against the individual and have not been finally dealt with by a court or otherwise disposed of.

67 Protection from civil actions

Civil proceedings do not lie against a person in respect of loss, damage or injury of any kind suffered by another person because of any of the following acts done in good faith:

(a) the making of a complaint under this Act;

(aa) the making of a complaint under an approved privacy code;

(ab) the acceptance of a complaint under subsection 40(1B);

(b) the making of a statement to, or the giving of a document or information to, the Commissioner, whether or not pursuant to a requirement under section 44.

68 Power to enter premises

(1) Subject to subsection (3), for the purposes of the performance by the Commissioner of his or her functions under this Act, a person authorised by the Commissioner in writing for the purposes of this section may, at any reasonable time of the day, enter premises occupied by an agency, an organisation, a file number recipient, a credit reporting agency or a credit provider and inspect any documents that are kept at those premises and that are relevant to the performance of those functions, other than documents in respect of which the Attorney‑General has furnished a certificate under subsection 70(1) or (2).

(1A) The Commissioner may authorise a person only while the person is a member of the staff assisting the Commissioner.

(2) The occupier or person in charge of the premises shall provide the authorised person with all reasonable facilities and assistance for the effective exercise of the authorised person’s powers under subsection (1).

(3) A person shall not enter under subsection (1) premises other than premises that are occupied by an agency unless:

(a) the occupier of the premises has consented to the person entering the premises; or

(b) the person is authorised, pursuant to a warrant issued under subsection (4), to enter the premises.

(3A) Before obtaining the consent, the authorised person must inform the occupier or person in charge that he or she may refuse to consent.

(3B) An entry by an authorised person with the consent of the occupier or person in charge is not lawful if the consent was not voluntary.

(3C) The authorised person may not enter premises (other than premises occupied by an agency) if:

(a) the occupant or person in charge asks the authorised person to produce his or her identity card; and

(b) the authorised person does not produce it.

(3D) If an authorised person is on premises with the consent of the occupier or person in charge, the authorised person must leave the premises if the occupier or person in charge asks the authorised person to do so.

(4) If, on an application made by a person authorised by the Commissioner under subsection (1), a Magistrate is satisfied, by information on oath, that it is reasonably necessary, for the purposes of the performance by the Commissioner of his or her functions under this Act, that the person be empowered to enter the premises, the Magistrate may issue a warrant authorising the person, with such assistance as the person thinks necessary, to enter the premises, if necessary by force, for the purpose of exercising those powers.

(5) A warrant issued under subsection (4) shall state:

(a) whether entry is authorised to be made at any time of the day or during specified hours of the day; and

(b) a day, not being later than one month after the day on which the warrant was issued, at the end of which the warrant ceases to have effect.

(6) Nothing in subsection (1) restricts the operation of any other provision of this Part.

68A Identity cards

(1) The Commissioner must issue to a person authorised for the purposes of section 68 an identity card in the form approved by the Commissioner. The identity card must contain a recent photograph of the authorised person.

(2) As soon as practicable after the person ceases to be authorised, he or she must return the identity card to the Commissioner.

(3) A person must not contravene subsection (2).

Penalty: 1 penalty unit.

69 Restrictions on Commissioner obtaining personal information and documents

(1) Information relating to an individual shall not be furnished, in connection with a complaint, in such a manner as to reveal the individual’s identity, unless the individual has made the complaint or has consented to the information being so furnished.

(2) A document that contains information relating to an individual and that reveals the individual’s identity shall not be produced, in connection with a complaint, unless:

(a) the person has made the complaint or has consented to the document being so produced; or

(b) the document is a copy of another document and has had deleted from it such information as reveals the identity of the person.

(3) A person shall not furnish, in connection with a complaint, prescribed information that relates to an individual other than the complainant and does not also relate to the complainant.

(4) A person shall not furnish, in connection with a complaint, prescribed information that relates both to the complainant and to another individual, unless the information is so furnished in such a manner as not to reveal the identity of the other person.

(5) A person shall not produce, in connection with a complaint, a prescribed document containing information that relates to an individual other than the complainant and does not also relate to the complainant, unless the document is a copy of another prescribed document and has had that information deleted from it.

(6) A person shall not produce, in connection with a complaint, a prescribed document containing information that relates both to the complainant and to another individual, unless the document is a copy of another prescribed document and has had deleted from it such information as reveals the identity of the other individual.

(7) This section has effect notwithstanding any other provision of this Part.

(8) A reference in this section to furnishing information, or to producing a document, in connection with a complaint is a reference to furnishing the information, or to producing the document, as the case may be, to the Commissioner in connection with the performance or exercise by the Commissioner, in relation to that complaint, of the Commissioner’s functions or powers.

(9) In this section:

complaint means:

(a) a complaint under section 36; or

(b) a complaint the Commissioner accepts under subsection 40(1B).

document includes any other record.

prescribed document means a document that was furnished or obtained under or for the purposes of a relevant law or a copy of such a document.

prescribed information means information that the person furnishing the information acquired by reason of holding or having held an office, or being or having been employed, under or for the purposes of a relevant law.

relevant law means a taxation law or a law of the Commonwealth relating to census and statistics.

taxation law means:

(a) an Act of which the Commissioner of Taxation has the general administration (other than an Act prescribed for the purposes of paragraph (b) of the definition of taxation law in section 2 of the Taxation Administration Act 1953); or

(b) regulations under an Act referred to in paragraph (a) of this definition.

70 Certain documents and information not required to be disclosed

(1) Where the Attorney‑General furnishes to the Commissioner a certificate certifying that the giving to the Commissioner of information concerning a specified matter (including the giving of information in answer to a question), or the production to the Commissioner of a specified document or other record, would be contrary to the public interest because it would:

(a) prejudice the security, defence or international relations of Australia;

(b) involve the disclosure of communications between a Minister of the Commonwealth and a Minister of a State, being a disclosure that would prejudice relations between the Commonwealth Government and the Government of a State;

(d) involve the disclosure of deliberations or advice of the Executive Council;

(e) prejudice the conduct of an investigation or inquiry into crime or criminal activity that is currently being pursued, or prejudice the fair trial of any person;

(f) disclose, or enable a person to ascertain, the existence or identity of a confidential source of information in relation to the enforcement of the criminal law;

(g) prejudice the effectiveness of the operational methods or investigative practices or techniques of agencies responsible for the enforcement of the criminal law; or

(h) endanger the life or physical safety of any person;

the Commissioner is not entitled to require a person to give any information concerning the matter or to produce the document or other record.

(2) Without limiting the operation of subsection (1), where the Attorney‑General furnishes to the Commissioner a certificate certifying that the giving to the Commissioner of information as to the existence or non‑existence of information concerning a specified matter (including the giving of information in answer to a question) or as to the existence or non‑existence of any document or other record required to be produced to the Commissioner would be contrary to the public interest:

(a) by reason that it would prejudice the security, defence or international relations of Australia; or

(b) by reason that it would prejudice the proper performance of the functions of the ACC;

the Commissioner is not entitled, pursuant to this Act, to require a person to give any information as to the existence or non‑existence of information concerning that matter or as to the existence of that document or other record.

70A Application of Part to organisations that are not legal persons

Partnerships

(1) If, apart from this subsection, this Part would impose an obligation to do something (or not to refuse or fail to do something) on an organisation that is a partnership, the obligation is imposed instead on each partner but may be discharged by any of the partners.

Unincorporated associations

(2) If, apart from this subsection, this Part would impose an obligation to do something (or not to refuse or fail to do something) on an organisation that is an unincorporated association, the obligation is imposed instead on each member of the committee of management of the association but may be discharged by any of the members of that committee.

Trusts

(3) If, apart from this subsection, this Part would impose an obligation to do something (or not to refuse or fail to do something) on an organisation that is a trust, the obligation is imposed instead on each trustee but may be discharged by any of the trustees.

70B Application of this Part to former organisations

If an individual, body corporate, partnership, unincorporated association or trust ceases to be an organisation but continues to exist, this Part operates in relation to:

(a) an act or practice of the organisation (while it was an organisation); and

(b) the individual, body corporate, partnership, unincorporated association or trust;

as if he, she or it were still (and had been at all relevant times) an organisation.

Example 1: If an individual carrying on a business was not a small business operator, but later became one and remained alive:

(a) a complaint may be made under this Part about an act or practice of the individual in carrying on the business before he or she became a small business operator; and

(b) the complaint may be investigated (and further proceedings taken) under this Part as though the individual were still an organisation.

Example 2: A small business operator chooses under section 6EA to be treated as an organisation, but later revokes the choice. A complaint about an act or practice the operator engaged in while the choice was registered under that section may be made and investigated under this Part as if the operator were an organisation.

Part VI—Public interest determinations and temporary public interest determinations

Division 1—Public interest determinations

71 Interpretation

For the purposes of this Part, a person is interested in an application made under section 73 if, and only if, the Commissioner is of the opinion that the person has a real and substantial interest in the application.

72 Power to make, and effect of, determinations

Determinations about an agency’s acts and practices

(1) Subject to this Division, where the Commissioner is satisfied that:

(a) an act or practice of an agency breaches, or may breach, an Information Privacy Principle; and

(b) the public interest in the agency doing the act, or engaging in the practice, outweighs to a substantial degree the public interest in adhering to that Information Privacy Principle;

the Commissioner may make a written determination to that effect and, if the Commissioner does so, the fact that the act or practice breaches that Information Privacy Principle shall:

(d) in so far as the agency engages in the practice while the determination is in force;

as the case may be, be disregarded for the purpose of section 16.

Determinations about an organisation’s acts and practices

(2) Subject to this Division, if the Commissioner is satisfied that:

(a) an act or practice of an organisation breaches, or may breach, an approved privacy code, or a National Privacy Principle, that binds the organisation; but

(b) the public interest in the organisation doing the act, or engaging in the practice, substantially outweighs the public interest in adhering to that code or Principle;

the Commissioner may make a written determination to that effect.

Effect of determination under subsection (2)

(3) The organisation is taken not to contravene section 16A if the organisation does the act, or engages in the practice, while the determination is in force under subsection (2).

Giving a determination under subsection (2) general effect

(4) The Commissioner may make a written determination that no organisation is taken to contravene section 16A if, while that determination is in force, an organisation does an act, or engages in a practice, that is the subject of a determination under subsection (2) in relation to that organisation or any other organisation.

Effect of determination under subsection (4)

(5) A determination under subsection (4) has effect according to its terms.

73 Application by agency or organisation

(1) An agency or organisation may apply in accordance with the regulations for a determination under section 72 about an act or practice of the agency or organisation.

(2) The CEO of the National Health and Medical Research Council may make an application under subsection (1) on behalf of other agencies concerned with medical research or the provision of health services.

(3) Where an application is made by virtue of subsection (2), a reference in the succeeding provisions of this Part to the agency is a reference to the CEO of the National Health and Medical Research Council.

(4) Where the Commissioner makes a determination under section 72 on an application made by virtue of subsection (2), that section has effect, in relation to each of the agencies on whose behalf the application was made as if the determination had been made on an application by that agency.

74 Publication of application

(1) Subject to subsection (2), the Commissioner shall publish, in such manner as he or she thinks fit, notice of the receipt by the Commissioner of an application.

(2) The Commissioner shall not, except with the consent of the agency, permit the disclosure to another body or person of information contained in a document provided by an agency as part of, or in support of, an application if the agency has informed the Commissioner in writing that the agency claims that the document is an exempt document within the meaning of Part IV of the Freedom of Information Act 1982.

75 Draft determination

(1) The Commissioner shall prepare a draft of his or her proposed determination in relation to the application.

(2) If the applicant is an agency, the Commissioner must send to the agency, and to each other person (if any) who is interested in the application, a written invitation to notify the Commissioner, within the period specified in the invitation, whether or not the agency or other person wishes the Commissioner to hold a conference about the draft determination.

(2A) If the applicant is an organisation, the Commissioner must:

(a) send a written invitation to the organisation to notify the Commissioner, within the period specified in the invitation, whether or not the organisation wishes the Commissioner to hold a conference about the draft determination; and

(b) issue, in any way the Commissioner thinks appropriate, an invitation in corresponding terms to the other persons (if any) that the Commissioner thinks appropriate.

(3) An invitation under subsection (2) or subsection (2A) shall specify a period that begins on the day on which the invitation is sent and is not shorter than the prescribed period.

76 Conference

(1) If an agency, organisation or person notifies the Commissioner, within the period specified in an invitation sent to the agency, organisation or person, that the agency, organisation or person wishes a conference to be held about the draft determination, the Commissioner shall hold such a conference.

(2) The Commissioner shall fix a day, time and place for the holding of the conference.

(3) The day fixed shall not be more than 30 days after the latest day on which a period specified in any of the invitations sent in relation to the draft determination expires.

(4) The Commissioner shall give notice of the day, time and place of the conference to the agency or organisation and to each person to whom an invitation was sent.

77 Conduct of conference

(1) At the conference, the agency or organisation is entitled to be represented by a person who is, or persons each of whom is, an officer or employee of the agency or organisation.

(2) At the conference, a person to whom an invitation was sent, or any other person who is interested in the application and whose presence at the conference is considered by the Commissioner to be appropriate, is entitled to attend and participate personally or, in the case of a body corporate, to be represented by a person who is, or persons each of whom is, a director, officer or employee of the body corporate.

(3) The Commissioner may exclude from the conference a person who:

(a) is entitled neither to participate in the conference nor to represent a person who is entitled to be represented at the conference;

(b) uses insulting language at the conference;

(d) repeatedly disturbs the conference.

78 Determination of application

The Commissioner shall, after complying with this Part in relation to the application, make:

(a) such determination under section 72 as he or she considers appropriate; or

(b) a written determination dismissing the application.

79 Making of determination

(1) The Commissioner shall, in making a determination, take account of all matters raised at the conference.

(2) The Commissioner shall, in making a determination, take account of all submissions about the application that have been made, whether at a conference or not, by the agency, organisation or any other person.

(3) The Commissioner shall include in a determination a statement of the reasons for the determination.

80 Determinations disallowable

(1) A determination referred to in paragraph 78(a) is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

(2) Section 48 of the Acts Interpretation Act 1901 applies to a determination referred to in paragraph 78(a) as if paragraph (1)(b) of section 48 were omitted and the following paragraph substituted:

“(b) subject to this section, shall take effect on the first day on which the determination is no longer liable to be disallowed, or to be deemed to be disallowed, under this section; and”.

Division 2—Temporary public interest determinations

80A Temporary public interest determinations

(1) This section applies if the Commissioner is satisfied that:

(a) the act or practice of an agency or organisation that is the subject of an application under section 73 for a determination under section 72 breaches, or may breach:

(i) in the case of an agency—an Information Privacy Principle; and

(ii) in the case of an organisation—an approved privacy code, or a National Privacy Principle, that binds the organisation; and

(b) the public interest in the agency or organisation doing the act, or engaging in the practice, outweighs to a substantial degree the public interest in adhering to that Principle or code; and

(2) The Commissioner may make a written temporary public interest determination that he or she is satisfied of the matters set out in subsection (1). The Commissioner may do so:

(a) on request by the agency or organisation; or

(b) on the Commissioner’s own initiative.

(3) The Commissioner must:

(a) specify in the determination a period of up to 12 months during which the determination is in force (subject to subsection 80D(2)); and

(b) include in the determination a statement of the reasons for the determination.

80B Effect of temporary public interest determination

Agency covered by a determination

(1) If an act or practice of an agency is the subject of a temporary public interest determination, the agency is taken not to breach section 16 if the agency does the act, or engages in the practice, while the determination is in force.

Organisation covered by a determination

(2) If an act or practice of an organisation is the subject of a temporary public interest determination, the organisation is taken not to contravene section 16A if the organisation does the act, or engages in the practice, while the determination is in force.

Giving a temporary public interest determination general effect

(3) The Commissioner may make a written determination that no organisation is taken to contravene section 16A if, while that determination is in force, an organisation does an act, or engages in a practice, that is the subject of a temporary public interest determination in relation to that organisation or another organisation.

Effect of determination under subsection (3)

(4) A determination under subsection (3) has effect according to its terms.

80C Determinations disallowable

A determination under this Division is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

80D Commissioner may continue to consider application

(1) The fact that the Commissioner has made a determination under this Division about an act or practice does not prevent the Commissioner from dealing under Division 1 with an application made under section 73 in relation to that act or practice.

(2) A determination under this Division about an act or practice ceases to be in effect when:

(a) a determination made under subsection 72(1) or (2) (as appropriate) about the act or practice comes into effect; or

(b) a determination is made under paragraph 78(b) to dismiss the application.

Division 3—Register of determinations

80E Register of determinations

(1) The Commissioner must keep a register of determinations made under Division 1 or 2.

(2) The Commissioner may decide the form of the register and how it is to be kept.

(3) The Commissioner must make the register available to the public in the way that the Commissioner determines.

(4) The Commissioner may charge fees for:

(a) making the register available to the public; or

(b) providing copies of, or extracts from, the register.

Part VII—Privacy Advisory Committee

81 Interpretation

In this Part, unless the contrary intention appears:

Advisory Committee means the Privacy Advisory Committee established by subsection 82(1).

member means a member of the Advisory Committee.

82 Establishment and membership

(1) A Privacy Advisory Committee is established.

(2) The Advisory Committee shall consist of:

(a) the Commissioner; and

(b) not more than 6 other members.

(3) A member other than the Commissioner:

(a) shall be appointed by the Governor‑General; and

(b) shall be appointed as a part‑time member.

(4) An appointed member holds office, subject to this Act, for such period, not exceeding 5 years, as is specified in the instrument of the member’s appointment, but is eligible for re‑appointment.

(5) The Commissioner shall be convenor of the Committee.

(6) The Governor‑General shall so exercise the power of appointment conferred by subsection (3) that a majority of the appointed members are persons who are neither officers nor employees, nor members of the staff of an authority or instrumentality, of the Commonwealth.

(7) Of the appointed members:

(a) at least one shall be a person who has had at least 5 years’ experience at a high level in industry, commerce, public administration or the service of a government or an authority of a government;

(b) at least one shall be a person who has had at least 5 years’ experience in the trade union movement;

(d) at least one shall be appointed to represent general community interests, including interests relating to social welfare; and

(e) at least one shall be a person who has had extensive experience in the promotion of civil liberties.

(10) An appointed member holds office on such terms and conditions (if any) in respect of matters not provided for by this Act as are determined, in writing, by the Governor‑General.

(11) The performance of a function of the Advisory Committee is not affected because of a vacancy or vacancies in the membership of the Advisory Committee.

83 Functions

The functions of the Advisory Committee are:

(a) on its own initiative, or when requested by the Commissioner, to advise the Commissioner on matters relevant to his or her functions;

(b) to recommend material to the Commissioner for inclusion in guidelines to be issued by the Commissioner pursuant to his or her functions; and

(c) subject to any direction given by the Commissioner, to engage in and promote community education, and community consultation, in relation to the protection of individual privacy.

84 Leave of absence

The convenor may, on such terms and conditions as the convenor thinks fit, grant to another member leave to be absent from a meeting of the Advisory Committee.

85 Removal and resignation of members

(1) The Governor‑General may terminate the appointment of an appointed member for misbehaviour or physical or mental incapacity.

(2) The Governor‑General shall terminate the appointment of an appointed member if the member:

(a) becomes bankrupt, applies to take the benefit of any law for the relief of bankrupt or insolvent debtors, compounds with the member’s creditors or makes an assignment of the member’s remuneration for their benefit;

(b) fails, without reasonable excuse, to comply with the member’s obligations under section 86; or

(3) An appointed member may resign from office by delivering a signed notice of resignation to the Governor‑General.

86 Disclosure of interests of members

(1) A member who has a direct or indirect pecuniary interest in a matter being considered or about to be considered by the Advisory Committee, being an interest that could conflict with the proper performance of that member’s functions in relation to the consideration of the matter, shall, as soon as practicable after the relevant facts have come to the knowledge of that member, disclose the nature of that interest at a meeting of the Advisory Committee.

(2) A disclosure under subsection (1) at a meeting of the Advisory Committee shall be recorded in the minutes of the meeting.

87 Meetings of Advisory Committee

(1) The convenor may convene such meetings of the Advisory Committee as the convenor considers necessary for the performance of the Committee’s functions.

(2) Meetings of the Advisory Committee shall be held at such places and at such times as the convenor determines.

(3) The convenor shall preside at all meetings of the Advisory Committee at which the convenor is present.

(4) If, at a meeting of the Advisory Committee, the convenor is not present, the members who are present shall elect one of their number to preside at the meeting.

(5) At a meeting of the Advisory Committee:

(a) 3 members constitute a quorum;

(b) all questions shall be decided by a majority of votes of the members present and voting; and

(6) The Advisory Committee shall keep a record of its proceedings.

88 Travel allowance

An appointed member is entitled to be paid travelling allowance in accordance with the regulations.

Part VIII—Obligations of confidence

89 Obligations of confidence to which Part applies

Unless the contrary intention appears, a reference in this Part to an obligation of confidence is a reference to an obligation of confidence:

(a) to which an agency or a Commonwealth officer is subject, however the obligation arose; or

(b) that arises under or by virtue of the law in force in the Australian Capital Territory.

90 Application of Part

(1) This Part applies where a person (in this Part called a confidant) is subject to an obligation of confidence to another person (in this Part called a confider) in respect of personal information, whether the information relates to the confider or to a third person, being an obligation in respect of a breach of which relief may be obtained (whether in the exercise of a discretion or not) in legal proceedings.

(2) This Part does not apply where a criminal penalty only may be imposed in respect of the breach.

91 Effect of Part on other laws

This Part does not, except to the extent that it does so expressly or by necessary implication, limit or restrict the operation of any other law or of any principle or rule of the common law or of equity, being a law, principle or rule:

(a) under or by virtue of which an obligation of confidence exists; or

(b) that has the effect of restricting or prohibiting, or imposing a liability (including a criminal liability) on a person in respect of, a disclosure or use of information.

92 Extension of certain obligations of confidence

Where a person has acquired personal information about another person and the first‑mentioned person knows or ought reasonably to know that the person from whom he or she acquired the information was subject to an obligation of confidence with respect to the information, the first‑mentioned person, whether he or she is in the Australian Capital Territory or not, is subject to a like obligation.

93 Relief for breach etc. of certain obligations of confidence

(1) A confider may recover damages from a confidant in respect of a breach of an obligation of confidence with respect to personal information.

(2) Subsection (1) does not limit or restrict any other right that the confider has to relief in respect of the breach.

(3) Where an obligation of confidence exists with respect to personal information about a person other than the confider, whether the obligation arose under a contract or otherwise, the person to whom the information relates has the same rights against the confidant in respect of a breach or threatened breach of the obligation as the confider has.

94 Jurisdiction of courts

(1) The jurisdiction of the courts of the Australian Capital Territory extends to matters arising under this Part.

(2) Subsection (1) does not deprive a court of a State or of another Territory of any jurisdiction that it has.

Part IX—Miscellaneous

95 Medical research guidelines

(1) The CEO of the National Health and Medical Research Council may, with the approval of the Commissioner, issue guidelines for the protection of privacy in the conduct of medical research.

(2) The Commissioner shall not approve the issue of guidelines unless he or she is satisfied that the public interest in the promotion of research of the kind to which the guidelines relate outweighs to a substantial degree the public interest in maintaining adherence to the Information Privacy Principles.

(3) Guidelines shall be issued by being published in the Gazette.

(4) Where:

(a) but for this subsection, an act done by an agency would breach an Information Privacy Principle; and

(b) the act is done in the course of medical research and in accordance with guidelines under subsection (1);

the act shall be regarded as not breaching that Information Privacy Principle.

(5) Where the Commissioner refuses to approve the issue of guidelines under subsection (1), an application may be made to the Administrative Appeals Tribunal for review of the Commissioner’s decision.

95A Guidelines for National Privacy Principles about health information

Overview

(1) This section allows the Commissioner to approve for the purposes of the CEO of the National Privacy Principles (the NPPs) guidelines that are issued by the National Health and Medical Research Council or a prescribed authority.

Approving guidelines for use and disclosure

(2) For the purposes of subparagraph 2.1(d)(ii) of the NPPs, the Commissioner may, by notice in the Gazette, approve guidelines that relate to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety.

Public interest test

(3) The Commissioner may give an approval under subsection (2) only if satisfied that the public interest in the use and disclosure of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than paragraph 2.1(d)).

Approving guidelines for collection

(4) For the purposes of subparagraph 10.3(d)(iii) of the NPPs, the Commissioner may, by notice in the Gazette, approve guidelines that relate to the collection of health information for the purposes of:

(a) research, or the compilation or analysis of statistics, relevant to public health or public safety; or

(b) the management, funding or monitoring of a health service.

Public interest test

(5) The Commissioner may give an approval under subsection (4) only if satisfied that the public interest in the collection of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than paragraph 10.3(d)).

Revocation of approval

(6) The Commissioner may, by notice in the Gazette, revoke an approval of guidelines under this section if he or she is no longer satisfied of the matter that he or she had to be satisfied of to approve the guidelines.

Review by AAT

(7) Application may be made to the Administrative Appeals Tribunal for review of a decision of the Commissioner to refuse to approve guidelines or to revoke an approval of guidelines.

95B Requirements for Commonwealth contracts

(1) This section requires an agency entering into a Commonwealth contract to take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an Information Privacy Principle if done or engaged in by the agency.

(2) The agency must ensure that the Commonwealth contract does not authorise a contracted service provider for the contract to do or engage in such an act or practice.

(3) The agency must also ensure that the Commonwealth contract contains provisions to ensure that such an act or practice is not authorised by a subcontract.

(4) For the purposes of subsection (3), a subcontract is a contract under which a contracted service provider for the Commonwealth contract is engaged to provide services to:

(a) another contracted service provider for the Commonwealth contract; or

(b) any agency;

for the purposes (whether direct or indirect) of the Commonwealth contract.

(5) This section applies whether the agency is entering into the Commonwealth contract on behalf of the Commonwealth or in the agency’s own right.

95C Disclosure of certain provisions of Commonwealth contracts

If a person asks a party to a Commonwealth contract to be informed of the content of provisions (if any) of the contract that are inconsistent with an approved privacy code binding a party to the contract or with a National Privacy Principle, the party requested must inform the person in writing of that content (if any).

96 Non‑disclosure of private information

(1) A person who is, or has at any time been, the Commissioner or a member of his or her staff or is acting, or has at any time acted, for or on behalf of the Commissioner shall not, either directly or indirectly, except in the performance of a duty under or in connection with this Act or in the course of acting for or on behalf of the Commissioner:

(a) make a record of, or divulge or communicate to any person, any information relating to the affairs of another person acquired by the first‑mentioned person because of that person’s office or employment under or for the purposes of this Act or because of that person acting, or having acted, for or on behalf of the Commissioner;

(b) make use of any such information; or

Penalty: $5,000 or imprisonment for 1 year, or both.

Note: This subsection and subsection (2) also apply to persons who were members of the staff of the Commission at any time before the separate Office of the Privacy Commissioner was established: see Part 3 of Schedule 1 to the Privacy Amendment (Office of the Privacy Commissioner) Act 2000.

(2) A person who is, or has at any time been, the Commissioner, or a member of his or her staff or is acting, or has at any time acted, for or on behalf of the Commissioner shall not be required:

(a) to divulge or communicate to a court any information relating to the affairs of another person acquired by the first‑mentioned person because of that person’s office or employment under or for the purposes of this Act or because of that person acting, or having acted, for or on behalf of the Commissioner; or

(b) to produce in a court a document relating to the affairs of another person of which the first‑mentioned person has custody, or to which that person has access, because of that person’s office or employment under or for the purposes of this Act or because of that person acting, or having acted, for or on behalf of the Commissioner;

except where it is necessary to do so for the purposes of this Act.

(3) Nothing in this section prohibits a person from:

(a) making a record of information that is, or is included in a class of information that is, required or permitted by an Act to be recorded, if the record is made for the purposes of or pursuant to that Act; or

(b) divulging or communicating information, or producing a document, that is, or is included in a class of information that is or class of documents that are, required or permitted by an Act to be divulged, communicated or produced, as the case may be, if the information is divulged or communicated, or the document is produced, for the purposes of or under that Act.

(4) Nothing in subsection (2) prevents a person being required, for the purposes of or under an Act, to divulge or communicate information, or to produce a document, that is, or is included in a class of information that is, or class of documents that are, required or permitted by that Act to be divulged, communicated or produced.

(5) In this section:

court includes any tribunal, authority or person having power to require the production of documents or the answering of questions.

produce includes permit access to.

97 Annual report

(1) The Commissioner shall, as soon as practicable after 30 June in each year, give to the Minister a report of the operation of this Act during that year.

(2) Without limiting the generality of subsection (1), the report shall include a statement of the performance of the Commissioner’s functions under paragraphs 28(1)(a) and (f).

(2A) The report must also include a statement about the operation of approved privacy codes that contain procedures for making and dealing with complaints in relation to acts or practices that may be an interference with the privacy of an individual, including:

(a) action taken by adjudicators to monitor compliance with the codes; and

(b) details about the number of complaints made under codes, their nature and outcome.

(3) The Minister shall cause a copy of the report to be laid before each House of the Parliament within 15 sitting days of that House after the day on which he or she receives the report.

98 Injunctions

(1) Where a person has engaged, is engaging or is proposing to engage in any conduct that constituted or would constitute a contravention of this Act, the Federal Court or the Federal Magistrates Court may, on the application of the Commissioner or any other person, grant an injunction restraining the person from engaging in the conduct and, if in the court’s opinion it is desirable to do so, requiring the person to do any act or thing.

(2) Where:

(a) a person has refused or failed, or is refusing or failing, or is proposing to refuse or fail, to do an act or thing; and

(b) the refusal or failure was, is, or would be a contravention of this Act;

the Federal Court or the Federal Magistrates Court may, on the application of the Commissioner or any other person, grant an injunction requiring the first‑mentioned person to do that act or thing.

(3) Where an application is made to the court for an injunction under this section, the court may, if in the court’s opinion it is desirable to do so, before considering the application, grant an interim injunction restraining a person from engaging in conduct of the kind referred to in that subsection pending the determination of the application.

(4) The court may discharge or vary an injunction granted under this section.

(5) The power of the court to grant an injunction restraining a person from engaging in conduct of a particular kind may be exercised:

(a) if the court is satisfied that the person has engaged in conduct of that kind—whether or not it appears to the court that the person intends to engage again, or to continue to engage, in conduct of that kind; or

(b) if it appears to the court that, in the event that an injunction is not granted, it is likely that the person will engage in conduct of that kind—whether or not the person has previously engaged in conduct of that kind and whether or not there is an imminent danger of substantial damage to any person if the first‑mentioned person engages in conduct of that kind.

(6) The power of the court to grant an injunction requiring a person to do a particular act or thing may be exercised:

(a) if the court is satisfied that the person has refused or failed to do that act or thing—whether or not it appears to the court that the person intends to refuse or fail again, or to continue to refuse or fail, to do that act or thing; or

(b) if it appears to the court that, in the event that an injunction is not granted, it is likely that the person will refuse or fail to do that act or thing—whether or not the person has previously refused or failed to do that act or thing and whether or not there is an imminent danger of substantial damage to any person if the first‑mentioned person refuses or fails to do that act or thing.

(7) Where the Commissioner makes an application to the court for the grant of an injunction under this section, the court shall not require the Commissioner or any other person, as a condition of the granting of an interim injunction, to give any undertakings as to damages.

(8) The powers conferred on the court under this section are in addition to, and not in derogation of, any powers of the court, whether conferred by this Act or otherwise.

99 Delegation

The Commissioner may delegate to either a member of his or her staff or a member of the staff of the Ombudsman all or any of the powers conferred on the Commissioner by this Act, other than a power conferred by section 52 or a power in connection with the performance of the function of the Commissioner set out in paragraph 28(1)(a).

99A Conduct of directors, employees and agents

(1) Where, in proceedings for an offence against this Act, it is necessary to establish the state of mind of a body corporate in relation to particular conduct, it is sufficient to show:

(a) that the conduct was engaged in by a director, employee or agent of the body corporate within the scope of his or her actual or apparent authority; and

(b) that the director, employee or agent had the state of mind.

(2) Any conduct engaged in on behalf of a body corporate by a director, employee or agent of the body corporate within the scope of his or her actual or apparent authority is to be taken, for the purposes of a prosecution for an offence against this Act, to have been engaged in also by the body corporate unless the body corporate establishes that the body corporate took reasonable precautions and exercised due diligence to avoid the conduct.

(3) Where, in proceedings for an offence against this Act, it is necessary to establish the state of mind of a person other than a body corporate in relation to particular conduct, it is sufficient to show:

(a) that the conduct was engaged in by an employee or agent of the person within the scope of his or her actual or apparent authority; and

(b) that the employee or agent had the state of mind.

(4) Any conduct engaged in on behalf of a person other than a body corporate by an employee or agent of a person within the scope of his or her actual or apparent authority is to be taken, for the purposes of a prosecution for an offence against this Act, to have been engaged in also by the first‑mentioned person unless the first‑mentioned person establishes that the first‑mentioned person took reasonable precautions and exercised due diligence to avoid the conduct.

(5) Where:

(a) a person other than a body corporate is convicted of an offence; and

(b) the person would not have been convicted of the offence if subsections (3) and (4) had not been enacted;

the person is not liable to be punished by imprisonment for that offence.

(6) A reference in subsection (1) or (3) to the state of mind of a person includes a reference to:

(a) the knowledge, intention, opinion, belief or purpose of the person; and

(b) the person’s reasons for the intention, opinion, belief or purpose.

(7) A reference in this section to a director of a body corporate includes a reference to a constituent member of a body corporate incorporated for a public purpose by a law of the Commonwealth, of a State or of a Territory.

(8) A reference in this section to engaging in conduct includes a reference to failing or refusing to engage in conduct.

(9) A reference in this section to an offence against this Act includes a reference to an offence created by section 6 of the Crimes Act 1914, or section 11.1, 11.2, 11.4 or 11.5 of the Criminal Code, being an offence that relates to this Act.

100 Regulations

(1) The Governor‑General may make regulations, not inconsistent with this Act, prescribing matters:

(a) required or permitted by this Act to be prescribed; or

(b) necessary or convenient to be prescribed for carrying out or giving effect to this Act.

(2) Subject to subsection (3), before the Governor‑General makes regulations for the purposes of subclause 7.1A or paragraph 7.2(c) of the National Privacy Principles prescribing an organisation, identifier and circumstances, the Minister must be satisfied that:

(a) the agency or the principal executive of the agency (if the agency has a principal executive) has agreed that adoption, use or disclosure by the organisation of the identifier in the circumstances is appropriate; and

(b) the agency or the principal executive of the agency (if the agency has a principal executive) has consulted the Commissioner about adoption, use or disclosure by the organisation of the identifier in the circumstances; and

(c) adoption, use or disclosure by the organisation of the identifier in the circumstances can only be for the benefit of the individual concerned.

(3) Subsection (2) does not apply to the making of regulations for the purposes of paragraph 7.2(c) of the National Privacy Principles if:

(a) the regulations prescribe an organisation, or class of organisations; and

(b) the regulations prescribe an identifier, or class of identifiers, of a kind commonly used in the processing of pay, or deductions from pay, of Commonwealth officers, or a class of Commonwealth officers; and

(c) the circumstances prescribed by the regulations for the use or disclosure by the organisation, or an organisation in the class, of the identifier, or an identifier in the class, relate to the provision by the organisation of superannuation services for the benefit of Commonwealth officers; and

(d) before the regulations are made, the Minister consults the Commissioner about the proposed regulations.

(4) In subsection (3):

superannuation services includes the management, processing, allocation and transfer of superannuation contributions.

Part X—Amendments of other Acts

101 Amendments of other Acts

(1) The Acts specified in Schedule 1 are amended as set out in Schedule 1.

(2) Section 27A of the Freedom of Information Act 1982 as amended by this Act applies in relation to:

(a) a request that is received after the commencement of this Act; and

(b) a request that was received before that commencement if a decision to grant access under the Freedom of Information Act 1982 to the document to which the request related had not been made before that commencement by the officer or Minister dealing with the request or a person reviewing, under section 54 of that Act, a decision refusing to grant that access.

Act	Number and year	Date of Assent	Date of commencement	Application, saving or transitional provisions
Privacy Act 1988	119, 1988	14 Dec 1988	1 Jan 1989 (see Gazette 1988, No. S399)
Law and Justice Legislation Amendment Act 1989	11, 1990	17 Jan 1990	Part 1 (ss. 1, 2) and Part 3 (ss. 6, 7): Royal Assent Ss. 8–10: 17 July 1990 Ss. 12, 13 and 51(1)(b), (2): 17 Jan 1990 (see s. 2(5)) Remainder: 14 Feb 1990		—
Defence Legislation Amendment Act 1990	75, 1990	22 Oct 1990	S. 5: Royal Assent (a)		—
Privacy Amendment Act 1990	116, 1990	24 Dec 1990	24 Sept 1991		S. 25 (ad. by 136, 1991, s. 21)
as amended by
Law and Justice Legislation Amendment Act 1991	136, 1991	12 Sept 1991	Part 4 (s. 21): 24 Sept 1991 (b)		—
Law and Justice Legislation Amendment Act (No. 3) 1992	165, 1992	11 Dec 1992	S. 4: (c)		—
Data‑matching Program (Assistance and Tax) Act 1990	20, 1991	23 Jan 1991	23 Jan 1991		—
Crimes Legislation Amendment Act 1991	28, 1991	4 Mar 1991	S. 74(1): Royal Assent (d)		—
Industrial Relations Legislation Amendment Act 1991	122, 1991	27 June 1991	Ss. 4(1), 10(b) and 15–20: 1 Dec 1988 Ss. 28(b)–(e), 30 and 31: 10 Dec 1991 (see Gazette 1991, No. S332) Remainder: Royal Assent		S. 31(2)
Law and Justice Legislation Amendment Act 1991	136, 1991	12 Sept 1991	Part 3 (ss. 10–20): (e)		—
Social Security Legislation Amendment Act (No. 4) 1991	194, 1991	13 Dec 1991	Schedule 5 (Part 2): (f)		—
Law and Justice Legislation Amendment Act (No. 4) 1992	143, 1992	7 Dec 1992	7 Dec 1992
National Health Amendment Act 1993	28, 1993	9 June 1993	9 June 1993		—
Law and Justice Legislation Amendment Act 1993	13, 1994	18 Jan 1994	S. 22: 13 Jan 1993 Part 6 (ss. 27–41): 11 Apr 1994 (see Gazette 1994, No. S126) Remainder: Royal Assent		S. 16
Law and Justice Legislation Amendment Act 1994	84, 1994	23 June 1994	S. 71: Royal Assent (g)		—
Australian Capital Territory Government Service (Consequential Provisions) Act 1994	92, 1994	29 June 1994	1 July 1994 (see Gazette 1994, No. S256)		—
Employment Services (Consequential Amendments) Act 1994	177, 1994	19 Dec 1994	Ss. 1, 2(1), (3) and Part 2 (ss. 3–8): 19 Dec 1994 (see s. 2(1)) S. 2(2) and Div. 4 of Part 6 (ss. 32–39): Royal Assent Remainder: 1 Jan 1995 (see s. 2(3) and Gazette 1994, No. S472)		S. 19
Human Rights Legislation Amendment Act 1995	59, 1995	28 June 1995	Schedule (item 25): 30 Oct 1992 Remainder: Royal Assent		Ss. 4 and 5
Statute Law Revision Act 1996	43, 1996	25 Oct 1996	Schedule 4 (item 122): Royal Assent (h)		—
Law and Justice Legislation Amendment Act 1997	34, 1997	17 Apr 1997	Schedule 13: Royal Assent (i)		—
Hearing Services and AGHS Reform Act 1997	82, 1997	18 June 1997	Schedule 4 (items 1, 2, 4–12): Royal Assent (j) Schedule 4 (item 3): (j)		Sch. 4 (item 12) [see Table A]
as amended by
Statute Law Revision Act 2005	100, 2005	6 July 2005	Schedule 2 (item 20): (ja)		—

Statute Law Revision Act 2006	9, 2006	23 Mar 2006	Schedule 2 (item 19): (r)	—
Financial Sector Reform (Consequential Amendments) Act 1998	48, 1998	29 June 1998	Schedule 1 (item 133): 1 July 1998 (see Gazette 1998, No. S316) (k)	—
Financial Sector Reform (Amendments and Transitional Provisions) Act (No. 1) 1999	44, 1999	17 June 1999	Schedule 7 (items 126–128): (l)	—
Public Employment (Consequential and Transitional) Amendment Act 1999	146, 1999	11 Nov 1999	Schedule 1 (items 738–747): 5 Dec 1999 (see Gazette 1999, No. S584) (m)	—
Australian Security Intelligence Organisation Legislation Amendment Act 1999	161, 1999	10 Dec 1999	Schedule 3 (items 1, 49): (n)	—
Privacy Amendment (Office of the Privacy Commissioner) Act 2000	2, 2000	29 Feb 2000	1 July 2000 (see Gazette 2000, No. S229)	Sch. 1 (item 15) [see Table A]
Australian Federal Police Legislation Amendment Act 2000	9, 2000	7 Mar 2000	2 July 2000 (see Gazette 2000, No. S328)	Sch. 3 (items 20, 29, 34, 35) [see Table A]
Privacy Amendment (Private Sector) Act 2000	155, 2000	21 Dec 2000	Schedule 3: Royal Assent Remainder: 21 Dec 2001	Sch. 1 (items 37, 53, 57, 76, 100, 124, 130) and Sch. 3 (item 4) [see Table A]
Law and Justice Legislation Amendment (Application of Criminal Code) Act 2001	24, 2001	6 Apr 2001	S. 4(1), (2) and Schedule 40 (items 1–9, 11–13): (o) Schedule 40 (item 10): (o)	S. 4(1) and (2) [see Table A]
Corporations (Repeals, Consequentials and Transitionals) Act 2001	55, 2001	28 June 2001	Ss. 4–14 and Schedule 3 (item 437): 15 July 2001 (see Gazette 2001, No. S285) (p) Schedule 3 (item 438): (p)	S. 2(8) (am. by 116, 2003, Sch. 4 [item 1]) Ss. 4–14
as amended by
Financial Sector Legislation Amendment Act (No. 1) 2003	116, 2003	27 Nov 2003	Schedule 4 (item 1): (q)	—
National Crime Authority Legislation Amendment Act 2001	135, 2001	1 Oct 2001	Schedules 1–7 and 9–12: 12 Oct 2001 (see Gazette 2001, No. S428) Schedule 8: 13 Oct 2001 (see Gazette 2001, No. S428) Remainder: Royal Assent	—

Abolition of Compulsory Age Retirement (Statutory Officeholders) Act 2001	159, 2001	1 Oct 2001	29 Oct 2001	Sch. 1 (item 97) [see Table A]
Australian Crime Commission Establishment Act 2002	125, 2002	10 Dec 2002	Schedule 2 (items 99–106): 1 Jan 2003	—
Defence Legislation Amendment Act 2003	135, 2003	17 Dec 2003	Schedule 2 (item 39): 17 June 2004	—
Privacy Amendment Act 2004	49, 2004	21 Apr 2004	21 Apr 2004	Sch. 1 (items 3, 5) [see Table A]
as amended by
Statute Law Revision Act 2006	9, 2006	23 Mar 2006	Schedule 2 (item 21): (r)	—
Administrative Appeals Tribunal Amendment Act 2005	38, 2005	1 Apr 2005	Schedule 1 (item 229): 16 May 2005	—
Statute Law Revision Act 2005	100, 2005	6 July 2005	Schedule 1 (item 38): Royal Assent	—
Intelligence Services Legislation Amendment Act 2005	128, 2005	4 Nov 2005	Schedules 1–8: 2 Dec 2005 Remainder: Royal Assent	—
Statute Law Revision Act 2006	9, 2006	23 Mar 2006	Schedule 1 (item 21): (r)	—
Postal Industry Ombudsman Act 2006	25, 2006	6 Apr 2006	Schedule 1 (items 17–19, 20(2)): [see Note 2 and Table A]	Sch. 1 (item 20(2)) [see Table A]
National Health and Medical Research Council Amendment Act 2006	50, 2006	9 June 2006	Schedule 1: 1 July 2006 Remainder: Royal Assent	—

Commencement information
Column 1	Column 2	Column 3
Provision(s)	Commencement	Date/Details
38. Schedule 2, item 20	Immediately after the time specified in the Hearing Services and AGHS Reform Act 1997 for the commencement of item 6 of Schedule 4 to that Act.	18 June 1997

Provision(s)	Commencement	Date/Details
5. Schedule 4, item 1	Immediately after the time specified in the Corporations (Repeals, Consequentials and Transitionals) Act 2001 for the commencement of subsection 2(8) of that Act	15 July 2001

ad. = added or inserted am. = amended rep. = repealed rs. = repealed and substituted
Provision affected	How affected
Part I
S. 3....................	am. No. 116, 1990; No. 155, 2000
Note to s. 3...............	ad. No. 155, 2000
S. 3A...................	ad. No. 24, 2001
S. 4....................	am. No. 92, 1994
S. 5A...................	ad. No. 116, 1990
S. 5B...................	ad. No. 155, 2000
	am. No. 49, 2004
Part II
S. 6....................	am. Nos. 11 and 116, 1990; Nos. 28 and 136, 1991; No. 143, 1992; Nos. 13, 92 and 177, 1994; Nos. 34 and 82, 1997; No. 48, 1998; Nos. 44, 146 and 161, 1999; No. 155, 2000; No. 55, 2001; No. 125, 2002; No. 135, 2003; No. 100, 2005
Ss. 6A–6D, 6DA, 6E, 6EA, 6F	ad. No. 155, 2000
Heading to s. 7............	am. No. 155, 2000
S. 7....................	am. Nos. 75 and 116, 1990; Nos. 13, 84, 92 and 177, 1994; No. 82, 1997 (as am. by No. 100, 2005 and No. 9, 2006); No. 155, 2000; No. 125, 2002; No. 128, 2005
Ss. 7A–7C...............	ad. No. 155, 2000
Heading to s. 8............	am. No. 155, 2000
S. 8....................	am. No. 116, 1990; No. 28, 1991; No. 155, 2000
Ss. 9–11................	am. No. 28, 1991
S. 11A..................	ad. No. 116, 1990
S. 11B..................	ad. No. 116, 1990
	am. No. 136, 1991; No. 143, 1992; No. 34, 1997; No. 44, 1999
S. 12A..................	ad. No. 116, 1990
S. 12B..................	ad. No. 155, 2000
Part III
Division 1
Heading to Div. 1 of Part III...	ad. No. 155, 2000
S. 13...................	am. No. 116, 1990; Nos. 20 and 194, 1991; No. 28, 1993; No. 155, 2000
Ss. 13A–13F.............	ad. No. 155, 2000
Division 2
Heading to Div. 2 of Part III...	ad. No. 155, 2000
Division 3
Div. 3 of Part III............	ad. No. 155, 2000
Ss. 16A–16F.............	ad. No. 155, 2000
Division 4
Heading to Div. 4 of Part III...	ad. No. 155, 2000
S. 17...................	am. No. 116, 1990
Division 5
Heading to Div. 5 of Part III...	ad. No. 155, 2000
S. 18A..................	ad. No. 116, 1990
	am. No. 155, 2000
S. 18B..................	ad. No. 116, 1990
Part IIIAA
Part IIIAA ...............	ad. No. 155, 2000
S. 18BA.................	ad. No. 155, 2000
S. 18BAA................	ad. No. 49, 2004
Ss. 18BB–18BI............	ad. No. 155, 2000
Part IIIA
Part IIIA .................	ad. No. 116, 1990
Ss. 18C, 18D.............	ad. No. 116, 1990
	am. No. 24, 2001
Ss. 18E, 18F.............	ad. No. 116, 1990
	am. No. 143, 1992; No. 34, 1997
S. 18G..................	ad. No. 116, 1990
S. 18H..................	ad. No. 116, 1990
	am. No. 136, 1991
S. 18J..................	ad. No. 116, 1990
S. 18K..................	ad. No. 116, 1990
	am. No. 136, 1991; No. 143, 1992; No. 24, 2001
Note to s. 18K(5)..........	ad. No. 135, 2001
	am. No. 125, 2002
S. 18L..................	ad. No. 116, 1990
	am. No. 136, 1991; No. 143, 1992; No. 24, 2001
S. 18M..................	ad. No. 116, 1990
	rs. No. 136, 1991
	am. No. 143, 1992
S. 18N..................	ad. No. 116, 1990
	am. No. 136, 1991; No. 143, 1992; No. 13, 1994; No. 24, 2001
S. 18NA.................	ad. No. 34, 1997
S. 18P..................	ad. No. 116, 1990
	am. No. 136, 1991; No. 143, 1992
S. 18Q..................	ad. No. 116, 1990
	am. No. 136, 1991; No. 143, 1992; No. 24, 2001
Ss. 18R, 18S.............	ad. No. 116, 1990
	am. No. 24, 2001
Ss. 18T, 18U.............	ad. No. 116, 1990
S. 18V..................	ad. No. 116, 1990
	am. No. 136, 1991
Part IV
Heading to Part IV.........	rs. No. 2, 2000
Division 1
Heading to Div. 1 of Part IV...	rs. No. 2, 2000
S. 19...................	ad. No. 2, 2000
S. 19...................	am. No. 59, 1995
Renumbered s. 19A ......	No. 2, 2000
S. 20...................	am. No. 159, 2001
S. 21...................	am. No. 59, 1995
S. 22...................	rs. No. 122, 1991
	am. No. 146, 1999
S. 25...................	am. No. 122, 1991
S. 26A..................	ad. No. 2, 2000
	am. No. 146, 1999
Division 2
S. 27...................	am. No. 20, 1991; No. 28, 1993; No. 155, 2000; No. 49, 2004
S. 28...................	am. No. 116, 1990
S. 28A..................	ad. No. 116, 1990
S. 29...................	am. No. 116, 1990; No. 155, 2000
Division 3
S. 30...................	am. No. 116, 1990; No. 155, 2000
S. 31...................	am. No. 20, 1991; No. 155, 2000
S. 32...................	am. No. 116, 1990 (as am. by No. 165, 1992); No. 20, 1991; No. 49, 2004 (as am. by No. 9, 2006)
S. 33...................	am. No. 92, 1994
Part V
Division 1
S. 36...................	am. No. 11, 1990; No. 13, 1994; Nos. 2 and 155, 2000
S. 37...................	am. Nos. 92 and 177, 1994; No. 82, 1997; No. 155, 2000
S. 38...................	rs. No. 13, 1994
	am. No. 155, 2000
Ss. 38A–38C.............	ad. No. 13, 1994
S. 39...................	rs. No. 13, 1994
S. 40...................	am. No. 155, 2000
S. 40A..................	ad. No. 155, 2000
S. 41...................	am. No. 155, 2000; No. 49, 2004
Ss. 42, 43................	am. No. 155, 2000
S. 44...................	am. No. 34, 1997
S. 46...................	am. No. 155, 2000; No. 24, 2001
S. 48...................	am. No. 155, 2000
S. 49...................	am. No. 116, 1990; No. 24, 2001
S. 50...................	am. No. 146, 1999
S. 50A..................	ad. No. 155, 2000
Division 2
S. 52...................	am. No. 116, 1990; No. 13, 1994; No. 155, 2000
S. 53...................	rs. No. 13, 1994
Ss. 53A, 53B.............	ad. No. 155, 2000
Division 3
Heading to Div. 3 of Part V ...	rs. No. 155, 2000
Div. 3 of Part V ...........	rs. No. 13, 1994; No. 59, 1995
S. 54...................	rs. No. 13, 1994
	am. No. 177, 1994
	rs. No. 59, 1995
	am. No. 82, 1997; No. 155, 2000
Note to s. 54(1A)..........	am. No. 9, 2006
S. 55...................	rs. No. 13, 1994; No. 59, 1995; No. 155, 2000
Ss. 55A, 55B.............	ad. No. 155, 2000
S. 56...................	rs. No. 13, 1994
	rep. No. 59, 1995
Division 4
Heading to Div. 4 of Part V...	am. No. 116, 1990
	rs. No. 13, 1994
Div. 4 of Part V ...........	rs. No. 13, 1994
S. 57...................	rs. No. 13, 1994
	am. No. 177, 1994; No. 82, 1997
Ss. 58, 59................	rs. No. 13, 1994
S. 60...................	am. No. 116, 1990
	rs. No. 13, 1994
S. 61...................	rs. No. 13, 1994
	am. No. 38, 2005
S. 62...................	rs. No. 13, 1994
	am. No. 155, 2000
Division 5
S. 63...................	rs. No. 13, 1994
	am. No. 59, 1995; No. 155, 2000
Heading to s. 64...........	am. No. 155, 2000
S. 64...................	am. No. 155, 2000
S. 65...................	am. No. 24, 2001
S. 66...................	am. No. 155, 2000; No. 24, 2001
S. 67...................	am. No. 155, 2000
S. 68...................	am. No. 116, 1990; No. 155, 2000
S. 68A..................	ad. No. 155, 2000
S. 69...................	am. No. 155, 2000
S. 70...................	am. No. 125, 2002
Ss. 70A, 70B.............	ad. No. 155, 2000
Part VI
Heading to Part VI .........	rs. No. 155, 2000
Division 1
Heading to Div. 1 of Part VI ..	ad. No. 155, 2000
Subhead. to s. 72(1) ........	ad. No. 155, 2000
S. 72...................	am. No. 155, 2000
Heading to s. 73 ..........	am. No. 155, 2000
S. 73...................	am. No. 155, 2000; No. 50, 2006
Ss. 75–77................	am. No. 155, 2000
S. 79...................	am. No. 155, 2000
Division 2
Heading to Div. 2 of Part VI ..	ad. No. 155, 2000
Ss. 80A–80D.............	ad. No. 155, 2000
Division 3
Heading to Div. 3 of Part VI ..	ad. No. 155, 2000
S. 80E..................	ad. No. 155, 2000
Part VII
S. 82...................	am. No. 159, 2001
S. 83...................	am. No. 2, 2000
Part IX
S. 95...................	am. No. 50, 2006
S. 95A..................	ad. No. 155, 2000
	am. No. 50, 2006
Ss. 95B, 95C.............	ad. No. 155, 2000
S. 96...................	am. No. 2, 2000
Note to s. 96(1)............	ad. No. 2, 2000
Ss. 97, 98................	am. No. 155, 2000
S. 99...................	am. No. 11, 1990; No. 2, 2000
Heading to s. 99A .........	am. No. 155, 2000
S. 99A..................	ad. No. 116, 1990
	am. No. 155, 2000; No. 24, 2001
S. 100..................	am. No. 155, 2000; No. 49, 2004
Schedule 3
Schedule 3 ..............	ad. No. 155, 2000
Cc. 1–7.................	ad. No. 155, 2000
Note to c. 7.2.............	am. No. 49, 2004
Cc. 8–10................	ad. No. 155, 2000