Australian Government
Federal Register of Legislation
Privacy Act 1988
In force
Administered by Attorney-General's Department
Superseded version
C2019C00241 (C81)
13 August 2019 - 12 December 2019
Table of contents
Part I—Preliminary
1 Short title
2 Commencement
2A Objects of this Act
3 Saving of certain State and Territory laws
3A Application of the Criminal Code
4 Act to bind the Crown
5A Extension to external Territories
5B Extra-territorial operation of Act
Part II—Interpretation
Division 1—General definitions
6 Interpretation
6AA Meaning of responsible person
6A Breach of an Australian Privacy Principle
6B Breach of a registered APP code
6BA Breach of the registered CR code
6C Organisations
6D Small business and small business operators
6DA What is the annual turnover of a business?
6E Small business operator treated as organisation
6EA Small business operators choosing to be treated as organisations
6F State instrumentalities etc. treated as organisations
6FA Meaning of health information
6FB Meaning of health service
Division 2—Key definitions relating to credit reporting
Subdivision A—Credit provider
6G Meaning of credit provider
6H Agents of credit providers
6J Securitisation arrangements etc.
6K Acquisition of the rights of a credit provider
Subdivision B—Other definitions
6L Meaning of access seeker
6M Meaning of credit and amount of credit
6N Meaning of credit information
6P Meaning of credit reporting business
6Q Meaning of default information
6R Meaning of information request
6S Meaning of new arrangement information
6T Meaning of payment information
6U Meaning of personal insolvency information
6V Meaning of repayment history information
Division 3—Other matters
7 Acts and practices of agencies, organisations etc.
7A Acts of certain agencies treated as acts of organisation
7B Exempt acts and exempt practices of organisations
7C Political acts and practices are exempt
8 Acts and practices of, and disclosure of information to, staff of agency, organisation etc.
10 Agencies that are taken to hold a record
11 File number recipients
12A Act not to apply in relation to State banking or insurance within that State
12B Severability—additional effect of this Act
Part III—Information privacy
Division 1—Interferences with privacy
13 Interferences with privacy
13B Related bodies corporate
13C Change in partnership because of change in partners
13D Overseas act required by foreign law
13E Effect of sections 13B, 13C and 13D
13F Act or practice not covered by section 13 is not an interference with privacy
13G Serious and repeated interferences with privacy
Division 2—Australian Privacy Principles
14 Australian Privacy Principles
15 APP entities must comply with Australian Privacy Principles
16 Personal, family or household affairs
16A Permitted general situations in relation to the collection, use or disclosure of personal information
16B Permitted health situations in relation to the collection, use or disclosure of health information
16C Acts and practices of overseas recipients of personal information
Division 4—Tax file number information
17 Rules relating to tax file number information
18 File number recipients to comply with rules
Part IIIA—Credit reporting
Division 1—Introduction
19 Guide to this Part
Division 2—Credit reporting bodies
Subdivision A—Introduction and application of this Division etc.
20 Guide to this Division
20A Application of this Division and the Australian Privacy Principles to credit reporting bodies
Subdivision B—Consideration of information privacy
20B Open and transparent management of credit reporting information
Subdivision C—Collection of credit information
20C Collection of solicited credit information
20D Dealing with unsolicited credit information
Subdivision D—Dealing with credit reporting information etc.
20E Use or disclosure of credit reporting information
20F Permitted CRB disclosures in relation to individuals
20G Use or disclosure of credit reporting information for the purposes of direct marketing
20H Use or disclosure of pre-screening assessments
20J Destruction of pre-screening assessment
20K No use or disclosure of credit reporting information during a ban period
20L Adoption of government related identifiers
20M Use or disclosure of credit reporting information that is de-identified
Subdivision E—Integrity of credit reporting information
20N Quality of credit reporting information
20P False or misleading credit reporting information
20Q Security of credit reporting information
Subdivision F—Access to, and correction of, information
20R Access to credit reporting information
20S Correction of credit reporting information
20T Individual may request the correction of credit information etc.
20U Notice of correction etc. must be given
Subdivision G—Dealing with credit reporting information after the retention period ends etc.
20V Destruction etc. of credit reporting information after the retention period ends
20W Retention period for credit information—general
20X Retention period for credit information—personal insolvency information
20Y Destruction of credit reporting information in cases of fraud
20Z Dealing with information if there is a pending correction request etc.
20ZA Dealing with information if an Australian law etc. requires it to be retained
Division 3—Credit providers
Subdivision A—Introduction and application of this Division
21 Guide to this Division
21A Application of this Division to credit providers
Subdivision B—Consideration of information privacy
21B Open and transparent management of credit information etc.
Subdivision C—Dealing with credit information
21C Additional notification requirements for the collection of personal information etc.
21D Disclosure of credit information to a credit reporting body
21E Payment information must be disclosed to a credit reporting body
21F Limitation on the disclosure of credit information during a ban period
Subdivision D—Dealing with credit eligibility information etc.
21G Use or disclosure of credit eligibility information
21H Permitted CP uses in relation to individuals
21J Permitted CP disclosures between credit providers
21K Permitted CP disclosures relating to guarantees etc.
21L Permitted CP disclosures to mortgage insurers
21M Permitted CP disclosures to debt collectors
21N Permitted CP disclosures to other recipients
21NA Disclosures to certain persons and bodies that do not have an Australian link
21P Notification of a refusal of an application for consumer credit
Subdivision E—Integrity of credit information and credit eligibility information
21Q Quality of credit eligibility information
21R False or misleading credit information or credit eligibility information
21S Security of credit eligibility information
Subdivision F—Access to, and correction of, information
21T Access to credit eligibility information
21U Correction of credit information or credit eligibility information
21V Individual may request the correction of credit information etc.
21W Notice of correction etc. must be given
Division 4—Affected information recipients
22 Guide to this Division
Subdivision A—Consideration of information privacy
22A Open and transparent management of regulated information
Subdivision B—Dealing with regulated information
22B Additional notification requirements for affected information recipients
22C Use or disclosure of information by mortgage insurers or trade insurers
22D Use or disclosure of information by a related body corporate
22E Use or disclosure of information by credit managers etc.
22F Use or disclosure of information by advisers etc.
Division 5—Complaints
23 Guide to this Division
23A Individual may complain about a breach of a provision of this Part etc.
23B Dealing with complaints
23C Notification requirements relating to correction complaints
Division 6—Unauthorised obtaining of credit reporting information etc.
24 Obtaining credit reporting information from a credit reporting body
24A Obtaining credit eligibility information from a credit provider
Division 7—Court orders
25 Compensation orders
25A Other orders to compensate loss or damage
Part IIIB—Privacy codes
Division 1—Introduction
26 Guide to this Part
Division 2—Registered APP codes
Subdivision A—Compliance with registered APP codes etc.
26A APP entities to comply with binding registered APP codes
26B What is a registered APP code
26C What is an APP code
26D Extension of Act to exempt acts or practices covered by registered APP codes
Subdivision B—Development and registration of APP codes
26E Development of APP codes by APP code developers
26F Application for registration of APP codes
26G Development of APP codes by the Commissioner
26H Commissioner may register APP codes
Subdivision C—Variation and removal of registered APP codes
26J Variation of registered APP codes
26K Removal of registered APP codes
Division 3—Registered CR code
Subdivision A—Compliance with the registered CR code
26L Entities to comply with the registered CR code if bound by the code
26M What is the registered CR code
26N What is a CR code
Subdivision B—Development and registration of CR code
26P Development of CR code by CR code developers
26Q Application for registration of CR code
26R Development of CR code by the Commissioner
26S Commissioner may register CR code
Subdivision C—Variation of the registered CR code
26T Variation of the registered CR code
Division 4—General matters
26U Codes Register
26V Guidelines relating to codes
26W Review of operation of registered codes
Part IIIC—Notification of eligible data breaches
Division 1—Introduction
26WA Simplified outline of this Part
26WB Entity
26WC Deemed holding of information
26WD Exception—notification under the My Health Records Act 2012
Division 2—Eligible data breach
26WE Eligible data breach
26WF Exception—remedial action
26WG Whether access or disclosure would be likely, or would not be likely, to result in serious harm—relevant matters
Division 3—Notification of eligible data breaches
Subdivision A—Suspected eligible data breaches
26WH Assessment of suspected eligible data breach
26WJ Exception—eligible data breaches of other entities
Subdivision B—General notification obligations
26WK Statement about eligible data breach
26WL Entity must notify eligible data breach
26WM Exception—eligible data breaches of other entities
26WN Exception—enforcement related activities
26WP Exception—inconsistency with secrecy provisions
26WQ Exception—declaration by Commissioner
Subdivision C—Commissioner may direct entity to notify eligible data breach
26WR Commissioner may direct entity to notify eligible data breach
26WS Exception—enforcement related activities
26WT Exception—inconsistency with secrecy provisions
Part IV—Functions of the Information Commissioner
Division 2—Functions of Commissioner
27 Functions of the Commissioner
28 Guidance related functions of the Commissioner
28A Monitoring related functions of the Commissioner
28B Advice related functions of the Commissioner
29 Commissioner must have due regard to the objects of the Act
Division 3—Reports by Commissioner
30 Reports following investigation of act or practice
31 Report following examination of proposed enactment
32 Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.
33 Exclusion of certain matters from reports
Division 3A—Assessments by, or at the direction of, the Commissioner
33C Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.
33D Commissioner may direct an agency to give a privacy impact assessment
Division 4—Miscellaneous
34 Provisions relating to documents exempt under the Freedom of Information Act 1982
35 Direction where refusal or failure to amend exempt document
35A Commissioner may recognise external dispute resolution schemes
Part V—Investigations etc.
Division 1A—Introduction
36A Guide to this Part
Division 1—Investigation of complaints and investigations on the Commissioner’s initiative
36 Complaints
37 Principal executive of agency
38 Conditions for making a representative complaint
38A Commissioner may determine that a complaint is not to continue as a representative complaint
38B Additional rules applying to the determination of representative complaints
38C Amendment of representative complaints
39 Class member for representative complaint not entitled to lodge individual complaint
40 Investigations
40A Conciliation of complaints
41 Commissioner may or must decide not to investigate etc. in certain circumstances
42 Preliminary inquiries
43 Conduct of investigations
43A Interested party may request a hearing
44 Power to obtain information and documents
45 Power to examine witnesses
46 Directions to persons to attend compulsory conference
47 Conduct of compulsory conference
48 Complainant and certain other persons to be informed of various matters
49 Investigation under section 40 to cease if certain offences may have been committed
49A Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened
50 Reference of matters to other authorities
50A Substitution of respondent to complaint
51 Effect of investigation by Auditor-General
Division 2—Determinations following investigation of complaints
52 Determination of the Commissioner
53 Determination must identify the class members who are to be affected by the determination
53A Notice to be given to outsourcing agency
53B Substituting an agency for a contracted service provider
Division 3—Enforcement
54 Application of Division
55 Obligations of organisations and small business operators
55A Proceedings in the Federal Court or Federal Circuit Court to enforce a determination
55B Evidentiary certificate
Division 4—Review and enforcement of determinations involving Commonwealth agencies
57 Application of Division
58 Obligations of agencies
59 Obligations of principal executive of agency
60 Compensation and expenses
62 Enforcement of determination against an agency
Division 5—Miscellaneous
63 Legal assistance
64 Commissioner etc. not to be sued
65 Failure to attend etc. before Commissioner
66 Failure to give information etc.
67 Protection from civil actions
68 Power to enter premises
68A Identity cards
70 Certain documents and information not required to be disclosed
70B Application of this Part to former organisations
Part VI—Public interest determinations and temporary public interest determinations
Division 1—Public interest determinations
71 Interpretation
72 Power to make, and effect of, determinations
73 Application by APP entity
74 Publication of application etc.
75 Draft determination
76 Conference
77 Conduct of conference
78 Determination of application
79 Making of determination
Division 2—Temporary public interest determinations
80A Temporary public interest determinations
80B Effect of temporary public interest determination
80D Commissioner may continue to consider application
Division 3—Register of determinations
80E Register of determinations
Part VIA—Dealing with personal information in emergencies and disasters
Division 1—Object and interpretation
80F Object
80G Interpretation
80H Meaning of permitted purpose
Division 2—Declaration of emergency
80J Declaration of emergency—events of national significance
80K Declaration of emergency—events outside Australia
80L Form of declarations
80M When declarations take effect
80N When declarations cease to have effect
Division 3—Provisions dealing with the use and disclosure of personal information
80P Authorisation of collection, use and disclosure of personal information
Division 4—Other matters
80Q Disclosure of information—offence
80R Operation of Part
80S Severability—additional effect of Part
80T Compensation for acquisition of property—constitutional safety net
Part VIB—Enforcement
Division 1—Civil penalties
80U Civil penalty provisions
Division 2—Enforceable undertakings
80V Enforceable undertakings
Division 3—Injunctions
80W Injunctions
Part VII—Privacy Advisory Committee
81 Interpretation
82 Establishment and membership
83 Functions
84 Leave of absence
85 Removal and resignation of members
86 Disclosure of interests of members
87 Meetings of Advisory Committee
88 Travel allowance
Part VIII—Obligations of confidence
89 Obligations of confidence to which Part applies
90 Application of Part
91 Effect of Part on other laws
92 Extension of certain obligations of confidence
93 Relief for breach etc. of certain obligations of confidence
94 Jurisdiction of courts
Part IX—Miscellaneous
95 Medical research guidelines
95A Guidelines for Australian Privacy Principles about health information
95AA Guidelines for Australian Privacy Principles about genetic information
95B Requirements for Commonwealth contracts
95C Disclosure of certain provisions of Commonwealth contracts
96 Review by the Administrative Appeals Tribunal
98A Treatment of partnerships
98B Treatment of unincorporated associations
98C Treatment of trusts
99A Conduct of directors, employees and agents
100 Regulations
Schedule 1—Australian Privacy Principles
Overview of the Australian Privacy Principles
Part 1—Consideration of personal information privacy
1 Australian Privacy Principle 1—open and transparent management of personal information
2 Australian Privacy Principle 2—anonymity and pseudonymity
Part 2—Collection of personal information
3 Australian Privacy Principle 3—collection of solicited personal information
4 Australian Privacy Principle 4—dealing with unsolicited personal information
5 Australian Privacy Principle 5—notification of the collection of personal information
Part 3—Dealing with personal information
6 Australian Privacy Principle 6—use or disclosure of personal information
7 Australian Privacy Principle 7—direct marketing
8 Australian Privacy Principle 8—cross-border disclosure of personal information
9 Australian Privacy Principle 9—adoption, use or disclosure of government related identifiers
Part 4—Integrity of personal information
10 Australian Privacy Principle 10—quality of personal information
11 Australian Privacy Principle 11—security of personal information
Part 5—Access to, and correction of, personal information
12 Australian Privacy Principle 12—access to personal information
13 Australian Privacy Principle 13—correction of personal information
Endnotes
Endnote 1—About the endnotes
Endnote 2—Abbreviation key
Endnote 3—Legislation history
Endnote 4—Amendment history