Federal Register of Legislation - Australian Government

Primary content

A Bill for an Act to amend the law relating to privacy, and for related purposes
For authoritative information on the progress of bills and on amendments proposed to them, please see the House of Representatives Votes and Proceedings, and the Journals of the Senate as available on the Parliament House website.
Introduced HR 12 Apr 2000

1998‑1999‑2000

 

 

The Parliament of the

Commonwealth of Australia

 

HOUSE OF REPRESENTATIVES

 

 

 

 

Presented and read a first time

 

 

 

 

 

 

 

 

 

Privacy Amendment (Private Sector) Bill 2000

 

No.      , 2000

 

(Attorney‑General)

 

 

 

A Bill for an Act to amend the law relating to privacy, and for related purposes

  

 

 

 

ISBN:  0642 434859


Contents

1............ Short title............................................................................................ 1

2............ Commencement.................................................................................. 1

3............ Objects................................................................................................ 2

4............ Schedule(s).......................................................................................... 2

Schedule 1—Amendment of the Privacy Act 1988                                               3

Schedule 2—Amendment of other Acts                                                                    77

Administrative Decisions (Judicial Review) Act 1977                                       77

Customs Act 1901                                                                                                      77

Telecommunications Act 1997                                                                                78

Telecommunications (Consumer Protection and Service Standards) Act 1999 82

Schedule 3—Disclosures to intelligence bodies                                                  83

Australian Security Intelligence Organisation Act 1979                                  83

Privacy Act 1988                                                                                                       83

 


A Bill for an Act to amend the law relating to privacy, and for related purposes

The Parliament of Australia enacts:

1  Short title

                   This Act may be cited as the Privacy Amendment (Private Sector) Act 2000.

2  Commencement

             (1)  Subject to this section, this Act commences on the later of the following days (or either of them if they are the same):

                     (a)  the first day after the end of the period of 12 months beginning on the day on which this Act receives the Royal Assent;

                     (b)  1 July 2001.

             (2)  Schedule 3 commences on the day on which this Act receives the Royal Assent.

3  Objects

                   The main objects of this Act are:

                     (a)  to establish a single comprehensive national scheme providing, through codes adopted by private sector organisations and National Privacy Principles, for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by those organisations; and

                     (b)  to do so in a way that:

                              (i)  meets international concerns and Australia’s international obligations relating to privacy; and

                             (ii)  recognises individuals’ interests in protecting their privacy; and

                            (iii)  recognises important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise) and the right of business to achieve its objectives efficiently.

4  Schedule(s)

                   Subject to section 2, each Act that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.


 

Schedule 1Amendment of the Privacy Act 1988

  

1  Section 3

Omit “interferences with the privacy of persons”, substitute “the collection, holding, use, correction, disclosure or transfer of personal information”.

2  At the end of section 3

Add:

Note:          Such a law can have effect for the purposes of the provisions of the National Privacy Principles that regulate the handling of personal information by organisations by reference to the effect of other laws.

3  At the end of Part I

Add:

5B  Extra‑territorial operation of Act

Application to overseas acts and practices of organisations

             (1)  This Act (except Divisions 4 and 5 of Part III and Part IIIA) and approved privacy codes extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation if:

                     (a)  the act or practice relates to personal information about an Australian citizen or a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; and

                     (b)  the requirements of subsection (2) or (3) are met.

Note:          The act or practice overseas will not breach a National Privacy Principle or approved privacy code or be an interference with the privacy of an individual if the act or practice is required by an applicable foreign law. See sections 6A, 6B and 13A.

Organisational link with Australia

             (2)  The organisation must be:

                     (a)  an Australian citizen; or

                     (b)  a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or

                     (c)  a partnership formed in Australia or an external Territory; or

                     (d)  a trust created in Australia or an external Territory; or

                     (e)  a body corporate incorporated in Australia or an external Territory; or

                      (f)  an unincorporated association that has its central management and control in Australia or an external Territory.

Other link with Australia

             (3)  All of the following conditions must be met:

                     (a)  the organisation is not described in subsection (2);

                     (b)  the organisation carries on business in Australia or an external Territory;

                     (c)  the personal information was collected or held by the organisation in Australia or an external Territory, either before or at the time of the act or practice.

Power to deal with complaints about overseas acts and practices

             (4)  Part V of this Act has extra‑territorial operation so far as that Part relates to complaints and investigation concerning acts and practices to which this Act extends because of subsection (1).

Note:          This lets the Commissioner take action overseas to investigate complaints and lets the ancillary provisions of Part V operate in that context.

4  Subsection 6(1)

Insert:

annual turnover of a business carried on by an organisation or small business operator has the meaning given by section 6D.

5  Subsection 6(1)

Insert:

approved privacy code means:

                     (a)  a privacy code approved by the Commissioner under section 18BB; or

                     (b)  a privacy code approved by the Commissioner under section 18BB with variations approved by the Commissioner under section 18BD.

6  Subsection 6(1)

Insert:

breach an approved privacy code has the meaning given by section 6B.

7  Subsection 6(1)

Insert:

breach an Information Privacy Principle has a meaning affected by subsection 6(2).

8  Subsection 6(1)

Insert:

breach a National Privacy Principle has the meaning given by section 6A.

9  Subsection 6(1)

Insert:

code complaint means a complaint about an act or practice that, if established, would be an interference with the privacy of the complainant because it breached an approved privacy code.

10  Subsection 6(1)

Insert:

Commonwealth contract means a contract, to which the Commonwealth or an agency is or was a party, under which services are to be, or were to be, provided to an agency.

Note:          See also subsection (9) about provision of services to an agency.

11  Subsection 6(1)

Insert:

contracted service provider, for a government contract, means:

                     (a)  an organisation that is or was a party to the government contract and that is or was responsible for the provision of services to an agency or a State or Territory authority under the government contract; or

                     (b)  a subcontractor for the government contract.

12  Subsection 6(1)

Insert:

employee record, in relation to an employee, means a record of personal information relating to the employment of the employee. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about all or any of the following:

                     (a)  the engagement, training, disciplining or resignation of the employee;

                     (b)  the termination of the employment of the employee;

                     (c)  the terms and conditions of employment of the employee;

                     (d)  the employee’s personal and emergency contact details;

                     (e)  the employee’s performance or conduct;

                      (f)  the employee’s hours of employment;

                     (g)  the employee’s salary or wages;

                     (h)  the employee’s membership of a professional or trade association;

                      (i)  the employee’s trade union membership;

                      (j)  the employee’s recreation, long service, sick, personal, maternity, paternity or other leave;

                     (k)  the employee’s taxation, banking or superannuation affairs.

13  Subsection 6(1)

Insert:

enforcement body means:

                     (a)  the Australian Federal Police; or

                     (b)  the National Crime Authority; or

                     (c)  the Australian Customs Service; or

                     (d)  the Australian Prudential Regulation Authority; or

                     (e)  the Australian Securities and Investments Commission; or

                      (f)  another agency, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or

                     (g)  another agency, to the extent that it is responsible for administering a law relating to the protection of the public revenue; or

                     (h)  a police force or service of a State or a Territory; or

                      (i)  the New South Wales Crime Commission; or

                      (j)  the Independent Commission Against Corruption of New South Wales; or

                     (k)  the Police Integrity Commission of New South Wales; or

                      (l)  the Criminal Justice Commission of Queensland; or

                    (m)  another prescribed authority or body that is established under a law of a State or Territory to conduct criminal investigations or inquiries; or

                     (n)  a State or Territory authority, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or

                     (o)  a State or Territory authority, to the extent that it is responsible for administering a law relating to the protection of the public revenue.

14  Subsection 6(1) (definition of generally available publication)

After “other publication”, insert “(however published)”.

15  Subsection 6(1)

Insert:

government contract means a Commonwealth contract or a State contract.

16  Subsection 6(1)

Insert:

health information means:

                     (a)  information or an opinion about:

                              (i)  the health or a disability (at any time) of an individual; or

                             (ii)  an individual’s expressed wishes about the future provision of health services to him or her; or

                            (iii)  a health service provided, or to be provided, to an individual;

                            that is also personal information; or

                     (b)  other personal information collected to provide, or in providing, a health service; or

                     (c)  other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.

17  Subsection 6(1)

Insert:

health service means:

                     (a)  an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

                              (i)  to assess, record, maintain or improve the individual’s health; or

                             (ii)  to diagnose the individual’s illness or disability; or

                            (iii)  to treat the individual’s illness or disability or suspected illness or disability; or

                     (b)  the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

18  Subsection 6(1)

Insert:

journalism means the practice of collecting, preparing for dissemination or disseminating the following material for the purpose of making it available to the public:

                     (a)  material having the character of news, current affairs, information or a documentary;

                     (b)  material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.

19  Subsection 6(1)

Insert:

media organisation means an organisation whose activities consist of or include the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:

                     (a)  material having the character of news, current affairs, information or a documentary;

                     (b)  material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.

20  Subsection 6(1)

Insert:

National Privacy Principle means a clause of Schedule 3. A reference in this Act to a National Privacy Principle by number is a reference to the clause of Schedule 3 with that number.

21  Subsection 6(1)

Insert:

NPP complaint means a complaint about an act or practice that, if established, would be an interference with the privacy of the complainant because it breached a National Privacy Principle.

22  Subsection 6(1)

Insert:

organisation has the meaning given by section 6C.

23  Subsection 6(1)

Insert:

privacy code means a written code regulating acts and practices that affect privacy.

24  Subsection 6(1) (at the end of paragraphs (a), (d), (e) and (f) of the definition of record)

Add “or”.

25  Subsection 6(1) (after paragraph (f) of the definition of record)

Insert:

                    (fa)  records (as defined in the Archives Act 1983) in the custody of the Archives (as defined in that Act) in relation to which the Archives has entered into arrangements with a person other than a Commonwealth institution (as defined in that Act) providing for the extent to which the Archives or other persons are to have access to the records; or

26  Subsection 6(1)

Insert:

registered political party means a political party registered under Part XI of the Commonwealth Electoral Act 1918.

27  Subsection 6(1)

Insert:

sensitive information means:

                     (a)  information or an opinion about an individual’s:

                              (i)  racial or ethnic origin; or

                             (ii)  political opinions; or

                            (iii)  membership of a political association; or

                            (iv)  religious beliefs or affiliations; or

                             (v)  philosophical beliefs; or

                            (vi)  membership of a professional or trade association; or

                           (vii)  membership of a trade union; or

                           (viii)  sexual preferences or practices; or

                            (ix)  criminal record;

                            that is also personal information; or

                     (b)  health information about an individual.

28  Subsection 6(1)

Insert:

small business has the meaning given by section 6D.

29  Subsection 6(1)

Insert:

small business operator has the meaning given by section 6D.

30  Subsection 6(1)

Insert:

State contract means a contract, to which a State or Territory or State or Territory authority is or was a party, under which services are to be, or were to be, provided to a State or Territory authority.

Note:          See also subsection (9) about provision of services to a State or Territory authority.

31  Subsection 6(1)

Insert:

State or Territory authority has the meaning given by section 6C.

32  Subsection 6(1)

Insert:

subcontractor, for a government contract, means an organisation:

                     (a)  that is or was a party to a contract (the subcontract):

                              (i)  with a contracted service provider for the government contract (within the meaning of paragraph (a) of the definition of contracted service provider); or

                             (ii)  with a subcontractor for the government contract (under a previous application of this definition); and

                     (b)  that is or was responsible under the subcontract for the provision of services to an agency or a State or Territory authority, or to a contracted service provider for the government contract, for the purposes (whether direct or indirect) of the government contract.

33  Subsection 6(1)

Insert:

temporary public interest determination means a determination made under section 80A.

34  At the end of subsection 6(7)

Add:

               ; or (c)  being both a file number complaint and a code complaint; or

                     (d)  being both a file number complaint and an NPP complaint; or

                     (e)  being both a code complaint and a credit reporting complaint; or

                      (f)  being both an NPP complaint and a credit reporting complaint.

35  Subsection 6(8)

Repeal the subsection, substitute:

             (8)  For the purposes of this Act, the question whether bodies corporate are related to each other is determined in the manner in which that question is determined under the Corporations Law.

             (9)  To avoid doubt, for the purposes of this Act, services provided to an agency or a State or Territory authority include services that consist of the provision of services to other persons in connection with the performance of the functions of the agency or State or Territory authority.

36  After section 6

Insert:

6A  Breach of a National Privacy Principle

Breach if contrary to, or inconsistent with, Principle

             (1)  For the purposes of this Act, an act or practice breaches a National Privacy Principle if, and only if, it is contrary to, or inconsistent with, that National Privacy Principle.

No breach—contracted service provider

             (2)  An act or practice does not breach a National Privacy Principle if:

                     (a)  the act is done, or the practice is engaged in:

                              (i)  by an organisation that is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and

                             (ii)  for the purposes of meeting (directly or indirectly) an obligation under the contract; and

                     (b)  the act or practice is authorised by a provision of the contract that is inconsistent with the Principle.

No breach—disclosure to the Archives

             (3)  An act or practice does not breach a National Privacy Principle if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the Archives (as defined in that Act) to decide whether to accept, or to arrange, custody of the record.

No breach—act or practice outside Australia

             (4)  An act or practice does not breach a National Privacy Principle if:

                     (a)  the act is done, or the practice is engaged in, outside Australia and the external Territories; and

                     (b)  the act or practice is required by an applicable law of a foreign country.

Effect despite subsection (1)

             (5)  Subsections (2), (3) and (4) have effect despite subsection (1).

6B  Breach of an approved privacy code

Breach if contrary to, or inconsistent with, code

             (1)  For the purposes of this Act, an act or practice breaches an approved privacy code if, and only if, it is contrary to, or inconsistent with, the code.

No breach—contracted service provider

             (2)  An act or practice does not breach an approved privacy code if:

                     (a)  the act is done, or the practice is engaged in:

                              (i)  by an organisation that is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and

                             (ii)  for the purposes of meeting (directly or indirectly) an obligation under the contract; and

                     (b)  the act or practice is authorised by a provision of the contract that is inconsistent with the code.

No breach—disclosure to the Archives

             (3)  An act or practice does not breach an approved privacy code if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the Archives (as defined in that Act) to decide whether to accept, or to arrange, custody of the record.

No breach—act or practice outside Australia

             (4)  An act or practice does not breach an approved privacy code if:

                     (a)  the act is done, or the practice is engaged in, outside Australia and the external Territories; and

                     (b)  the act or practice is required by an applicable law of a foreign country.

Effect despite subsection (1)

             (5)  Subsections (2), (3) and (4) have effect despite subsection (1).

6C  Organisations

What is an organisation?

             (1)  In this Act:

organisation means:

                     (a)  an individual; or

                     (b)  a body corporate; or

                     (c)  a partnership; or

                     (d)  any other unincorporated association; or

                     (e)  a trust;

that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.

Note:          Regulations may prescribe an instrumentality by reference to one or more classes of instrumentality. See subsection 46(2) of the Acts Interpretation Act 1901.

Example:    Regulations may prescribe an instrumentality of a State or Territory that is an incorporated company, society or association and therefore not a State or Territory authority.

Legal person treated as different organisations in different capacities

             (2)  A legal person can have a number of different capacities in which the person does things. In each of those capacities, the person is taken to be a different organisation.

Example:    In addition to his or her personal capacity, an individual may be the trustee of one or more trusts. In his or her personal capacity, he or she is one organisation. As trustee of each trust, he or she is a different organisation.

What is a State or Territory authority?

             (3)  In this Act:

State or Territory authority means:

                     (a)  a State or Territory Minister; or

                     (b)  a Department of State of a State or Territory; or

                     (c)  a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a law of a State or Territory, other than:

                              (i)  an incorporated company, society or association; or

                             (ii)  an association of employers or employees that is registered or recognised under a law of a State or Territory dealing with the resolution of industrial disputes; or

                     (d)  a body established or appointed, otherwise than by or under a law of a State or Territory, by:

                              (i)  a Governor of a State; or

                             (ii)  the Australian Capital Territory Executive; or

                            (iii)  the Administrator of the Northern Territory; or

                            (iv)  the Administrator of Norfolk Island; or

                             (v)  a State or Territory Minister; or

                            (vi)  a person holding an executive office mentioned in section 12 of the Norfolk Island Act 1979; or

                     (e)  a person holding or performing the duties of an office established by or under, or an appointment made under, a law of a State or Territory, other than the office of head of a State or Territory Department (however described); or

                      (f)  a person holding or performing the duties of an appointment made, otherwise than under a law of a State or Territory, by:

                              (i)  a Governor of a State; or

                             (ii)  the Australian Capital Territory Executive; or

                            (iii)  the Administrator of the Northern Territory; or

                            (iv)  the Administrator of Norfolk Island; or

                             (v)  a State or Territory Minister; or

                            (vi)  a person holding an executive office mentioned in section 12 of the Norfolk Island Act 1979; or

                     (g)  a State or Territory court.

Making regulations to stop instrumentalities being organisations

             (4)  Before the Governor‑General makes regulations prescribing an instrumentality of a State or Territory for the purposes of the definition of organisation in subsection (1), the Minister must:

                     (a)  be satisfied that the State or Territory has requested that the instrumentality be prescribed for those purposes; and

                     (b)  consider:

                              (i)  whether treating the instrumentality as an organisation for the purposes of this Act adversely affects the government of the State or Territory; and

                             (ii)  the desirability of regulating under this Act the collection, holding, use, correction, disclosure and transfer of personal information by the instrumentality; and

                            (iii)  whether the law of the State or Territory regulates the collection, holding, use, correction, disclosure and transfer of personal information by the instrumentality to a standard that is at least equivalent to the standard that would otherwise apply to the instrumentality under this Act; and

                     (c)  consult the Commissioner about the matters mentioned in subparagraphs (b)(ii) and (iii).

State does not include Territory

             (5)  In this section:

State does not include the Australian Capital Territory or the Northern Territory (despite subsection 6(1)).

6D  Small business and small business operators

What is a small business?

             (1)  A business is a small business if its annual turnover is $3,000,000 or less.

What is the annual turnover of a business?

             (2)  The annual turnover of a business carried on by an organisation or small business operator at a time (the test time) in a month (the test month) is:

                     (a)  the current annual turnover at the test time of the organisation or operator worked out under subsection 188‑15(1) of the A New Tax System (Goods and Services Tax) Act 1999, if the organisation or operator:

                              (i)  has carried on the business for the 11 months before the test month; and

                             (ii)  has not carried on another business in the 12 months before the test time; or

                     (b)  the amount that would be the current annual turnover at the test time of the organisation or operator worked out under that subsection disregarding supplies (as defined in that Act) made or likely to be made by the organisation or operator otherwise than in the course of the business, if the organisation or operator:

                              (i)  has carried on the business for the 11 months before the test month; and

                             (ii)  has carried on another business in the 12 months before the test time; or

                     (c)  the amount that would be the projected annual turnover at the test time of the organisation or operator worked out under subsection 188‑20(1) of that Act disregarding supplies (as defined in that Act) made or likely to be made by the organisation or operator otherwise than in the course of the business, if the organisation or operator has not carried on the business for the 11 months before the test month.

What is a small business operator?

             (3)  A small business operator is an individual, body corporate, partnership, unincorporated association or trust that:

                     (a)  carries on one or more small businesses; and

                     (b)  does not carry on a business that is not a small business.

Entities that are not small business operators

             (4)  However, an individual, body corporate, partnership, unincorporated association or trust is not a small business operator if he, she or it:

                     (a)  carries on a business that has had an annual turnover of more than $3,000,000 at any time after the later of the following:

                              (i)  the time he, she or it started to carry on the business;

                             (ii)  the commencement of this section;

                     (b)  provides a health service to another individual and holds any health information except in an employee record; or

                     (c)  discloses personal information about another individual to anyone else for a benefit, service or advantage; or

                     (d)  provides a benefit, service or advantage to collect personal information about another individual from anyone else; or

                     (e)  is a contracted service provider for a Commonwealth contract (whether or not a party to the contract).

Private affairs of small business operators who are individuals

             (5)  Subsection (4) does not prevent an individual from being a small business operator merely because he or she does something described in paragraph (4)(b), (c) or (d):

                     (a)  otherwise than in the course of a business he or she carries on; and

                     (b)  only for the purposes of, or in connection with, his or her personal, family or household affairs.

Non‑business affairs of other small business operators

             (6)  Subsection (4) does not prevent a body corporate, partnership, unincorporated association or trust from being a small business operator merely because it does something described in paragraph (4)(b), (c) or (d) otherwise than in the course of a business it carries on.

6E  Small business operator treated as organisation

Regulations treating a small business operator as an organisation

             (1)  This Act applies, with the prescribed modifications (if any), in relation to a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.

Note 1:       The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note 2:       Regulations may prescribe a small business operator by reference to one or more classes of small business operator. See subsection 46(2) of the Acts Interpretation Act 1901.

Regulations treating a small business operator as an organisation for particular acts or practices

             (2)  This Act also applies, with the prescribed modifications (if any), in relation to the prescribed acts or practices of a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.

Note 1:       The regulations may prescribe different modifications of the Act for different acts, practices or small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note 2:       Regulations may prescribe an act, practice or small business operator by reference to one or more classes of acts, practices or small business operators. See subsection 46(2) of the Acts Interpretation Act 1901.

What are modifications?

             (3)  In this section:

modifications includes additions, omissions and substitutions.

Making regulations

             (4)  Before the Governor‑General makes regulations prescribing a small business operator, act or practice for the purposes of subsection (1) or (2), the Minister must:

                     (a)  be satisfied that it is desirable in the public interest to regulate under this Act the small business operator, act or practice; and

                     (b)  consult the Commissioner about the desirability of regulating under this Act the matters described in paragraph (a).

6F  State instrumentalities etc. treated as organisations

Regulations treating a State instrumentality etc. as an organisation

             (1)  This Act applies, with the prescribed modifications (if any), in relation to a prescribed State or Territory authority or a prescribed instrumentality of a State or Territory (except an instrumentality that is an organisation because of section 6C) as if the authority or instrumentality were an organisation.

Note 1:       The regulations may prescribe different modifications of the Act for different authorities or instrumentalities. See subsection 33(3A) of the Acts Interpretation Act 1901.

Note 2:       Regulations may prescribe an authority or instrumentality by reference to one or more classes of authority or instrumentality. See subsection 46(2) of the Acts Interpretation Act 1901.

What are modifications?

             (2)  In this section:

modifications includes additions, omissions and substitutions.

Making regulations to treat instrumentality etc. as organisation

             (3)  Before the Governor‑General makes regulations prescribing a State or Territory authority or instrumentality of a State or Territory for the purposes of subsection (1), the Minister must:

                     (a)  be satisfied that the relevant State or Territory has requested that the authority or instrumentality be prescribed for those purposes; and

                     (b)  consult the Commissioner about the desirability of regulating under this Act the collection, holding, use, correction, disclosure and transfer of personal information by the authority or instrumentality.

37  Application

Under subsection 6A(2) or 6B(2) of the Privacy Act 1988 (as amended by this Schedule), a Commonwealth contract may prevent an act or practice from being a breach of a National Privacy Principle or an approved privacy code (as appropriate) regardless of whether the contract was made before or after the commencement of that subsection.

38  At the end of paragraph 7(1)(ed)

Add “or”.

Note:       The heading to section 7 is altered by inserting “, organisations” after “agencies”.

39  After paragraph 7(1)(ed)

Insert:

                    (ee)  an act done, or a practice engaged in, by an organisation, other than an exempt act or exempt practice (see sections 7B and 7C);

40  Subsection 7(2)

After “Information Privacy Principles”, insert “, the National Privacy Principles, an approved privacy code”.

41  Subsection 7(4)

Omit “, (m) and (n)”, substitute “and (m)”.

42  After section 7

Insert:

7A  Acts of certain agencies treated as acts of organisation

             (1)  This Act applies, with the prescribed modifications (if any), in relation to an act or practice described in subsection (2) or (3) as if:

                     (a)  the act or practice were an act done, or practice engaged in, by an organisation; and

                     (b)  the agency mentioned in that subsection were the organisation.

             (2)  Subsection (1) applies to acts done, and practices engaged in, by a prescribed agency. Regulations for this purpose may prescribe an agency only if it is specified in Part I of Schedule 2 to the Freedom of Information Act 1982.

             (3)  Subsection (1) also applies to acts and practices that:

                     (a)  are done or engaged in by an agency specified in Division 1 of Part II of Schedule 2 to the Freedom of Information Act 1982 in relation to documents in respect of its commercial activities or the commercial activities of another entity; and

                     (b)  relate to those commercial activities.

             (4)  This section has effect despite subparagraph 7(1)(a)(i), paragraph 7(1)(c) and subsection 7(2).

             (5)  In this section:

modifications includes additions, omissions and substitutions.

7B  Exempt acts and exempt practices of organisations

Individuals in non‑business capacity

             (1)  An act done, or practice engaged in, by an organisation that is an individual is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, other than in the course of a business carried on by the individual.

Note:          See also section 16E which provides that the National Privacy Principles do not apply for the purposes of, or in connection with, an individual’s personal, family or household affairs.

Organisation acting under Commonwealth contract

             (2)  An act done, or practice engaged in, by an organisation is exempt for the purposes of paragraph 7(1)(ee) if:

                     (a)  the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and

                     (b)  the organisation would be a small business operator if it were not a contracted service provider for a Commonwealth contract; and

                     (c)  the act is done, or the practice is engaged in, otherwise than for the purposes of meeting (directly or indirectly) an obligation under a Commonwealth contract for which the organisation is the contracted service provider.

Note:          This puts the organisation in the same position as a small business operator as far as its activities that are not for the purposes of a Commonwealth contract are concerned, so the organisation need not comply with the National Privacy Principles or a binding approved privacy code in relation to those activities.

Employee records

             (3)  An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:

                     (a)  a current or former employment relationship between the employer and the individual; and

                     (b)  an employee record held by the organisation and relating to the individual.

Journalism

             (4)  An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, by the organisation in the course of journalism.

Organisation acting under State contract

             (5)  An act done, or practice engaged in, by an organisation is exempt for the purposes of paragraph 7(1)(ee) if:

                     (a)  the organisation is a contracted service provider for a State contract (whether or not the organisation is a party to the contract); and

                     (b)  the act is done, or the practice is engaged in for the purposes of meeting (directly or indirectly) an obligation under the contract.

7C  Political acts and practices are exempt

Members of a Parliament etc.

             (1)  An act done, or practice engaged in, by an organisation (the political representative) consisting of a member of a Parliament, or a councillor (however described) of a local government authority, is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, for any purpose in connection with:

                     (a)  an election under an electoral law; or

                     (b)  a referendum under a law of the Commonwealth or a law of a State or Territory; or

                     (c)  the participation by the political representative in another aspect of the political process.

Contractors for political representatives etc.

             (2)  An act done, or practice engaged in, by an organisation (the contractor) is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in:

                     (a)  for the purposes of meeting an obligation under a contract between the contractor and a registered political party or a political representative described in subsection (1); and

                     (b)  for any purpose in connection with one or more of the following:

                              (i)  an election under an electoral law;

                             (ii)  a referendum under a law of the Commonwealth or a law of a State or Territory;

                            (iii)  the participation in another aspect of the political process by the registered political party or political representative;

                            (iv)  facilitating acts or practices of the registered political party or political representative for a purpose mentioned in subparagraph (i), (ii) or (iii) of this paragraph.

Subcontractors for organisations covered by subsection (1) etc.

             (3)  An act done, or practice engaged in, by an organisation (the subcontractor) is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in:

                     (a)  for the purposes of meeting an obligation under a contract between the subcontractor and a contractor described in subsection (2); and

                     (b)  for a purpose described in paragraph (2)(b).

Volunteers for registered political parties

             (4)  An act done voluntarily, or practice engaged in voluntarily, by an organisation for or on behalf of a registered political party and with the authority of the party is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in for any purpose in connection with one or more of the following:

                     (a)  an election under an electoral law;

                     (b)  a referendum under a law of the Commonwealth or a law of a State or Territory;

                     (c)  the participation in another aspect of the political process by the registered political party;

                     (d)  facilitating acts or practices of the registered political party for a purpose mentioned in paragraph (a), (b) or (c).

Effect of subsection (4) on other operation of Act

             (5)  Subsection (4) does not otherwise affect the operation of the Act in relation to agents or principals.

Meaning of electoral law and Parliament

             (6)  In this section:

electoral law means a law of the Commonwealth, or a law of a State or Territory, relating to elections to a Parliament or to a local government authority.

Parliament means:

                     (a)  the Parliament of the Commonwealth; or

                     (b)  a State Parliament; or

                     (c)  the legislature of a Territory.

43  Paragraph 8(1)(a)

After “an agency,”, insert “organisation,”.

Note:       The heading to section 8 is altered by inserting “, organisation” after “agency”.

44  Paragraph 8(1)(a)

After “the agency,”, insert “organisation,”.

45  Paragraph 8(1)(b)

After “an agency”, insert “or organisation”.

46  Paragraph 8(1)(b)

After “the agency”, insert “or organisation”.

47  At the end of section 8

Add:

             (3)  For the purposes of the application of this Act in relation to an organisation that is a partnership:

                     (a)  an act done or practice engaged in by a partner is taken to have been done or engaged in by the organisation; and

                     (b)  a communication (including a complaint, notice, request or disclosure of information) made to a partner is taken to have been made to the organisation.

             (4)  For the purposes of the application of this Act in relation to an organisation that is an unincorporated association:

                     (a)  an act done or practice engaged in by a member of the committee of management of the association is taken to have been done or engaged in by the organisation; and

                     (b)  a communication (including a complaint, notice, request or disclosure of information) made to a member of the committee of management of the association is taken to have been made to the organisation.

             (5)  For the purposes of the application of this Act in relation to an organisation that is a trust:

                     (a)  an act done or practice engaged in by a trustee is taken to have been done or engaged in by the organisation; and

                     (b)  a communication (including a complaint, notice or request or disclosure of information) made to a trustee is taken to have been made to the organisation.

48  At the end of Part II

Add:

12B  Severability: additional effect of Act in relation to organisations

             (1)  Without limiting its effect apart from each of the following subsections of this section, this Act also has effect in relation to organisations as provided by that subsection.

             (2)  This Act also has the effect it would have if its operation in relation to organisations were expressly confined to an operation to give effect to the International Covenant on Civil and Political Rights, and in particular Article 17 of the Covenant.

Note:          The text of the International Covenant on Civil and Political Rights is set out in Australian Treaty Series 1980 No. 23. In 2000, this was available in the Australian Treaties Library of the Department of Foreign Affairs and Trade, accessible on the Internet through that Department’s world‑wide web site.

             (3)  This Act also has the effect it would have if its operation in relation to organisations were expressly confined to acts or practices covered by subsection 5B(1) (which deals with acts and practices outside Australia and the external Territories by organisations).

             (4)  This Act also has the effect it would have if its operation in relation to organisations were expressly confined to organisations that are corporations.

             (5)  This Act also has the effect it would have if its operation in relation to organisations were expressly confined to acts or practices of organisations taking place in the course of, or in relation to, trade or commerce:

                     (a)  between Australia and places outside Australia; or

                     (b)  among the States; or

                     (c)  within a Territory, between a State and a Territory or between 2 Territories.

             (6)  This Act also has the effect it would have if its operation in relation to organisations were expressly confined to acts or practices of organisations taking place using a postal, telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution.

             (7)  This Act also has the effect it would have if its operation in relation to organisations were expressly confined to acts or practices of organisations taking place in a Territory.

             (8)  This Act also has the effect it would have if its operation in relation to organisations were expressly confined to acts or practices of organisations taking place in a place acquired by the Commonwealth for public purposes.

49  Before section 13

Insert:

Division 1Interferences with privacy

50  Section 13

Omit “, and only if,”.

51  Paragraphs 13(b) and (d)

After “an agency”, insert “, organisation”.

52  After section 13

Insert:

13A  Interferences with privacy by organisations

General rule

             (1)  For the purposes of this Act, an act or practice of an organisation is an interference with the privacy of an individual if:

                     (a)  the act or practice breaches an approved privacy code that binds the organisation in relation to personal information that relates to the individual; or

                     (b)  both of the following apply:

                              (i)  the act or practice breaches a National Privacy Principle in relation to personal information that relates to the individual;

                             (ii)  the organisation is not bound by an approved privacy code in relation to the personal information; or

                     (c)  all of the following apply:

                              (i)  the act or practice relates to personal information that relates to the individual;

                             (ii)  the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract);

                            (iii)  because of a provision of the contract that is inconsistent with an approved privacy code or a National Privacy Principle that applies to the organisation in relation to the personal information, the act or practice does not breach the code or Principle (see subsections 6A(2) and 6B(2));

                            (iv)  the act is done, or the practice is engaged in, in a manner contrary to, or inconsistent with, that provision; or

                     (d)  the act or practice involves the organisation in a contravention of section 16F (which limits direct marketing using information collected under a Commonwealth contract) involving personal information that relates to the individual.

Note:          Sections 13B, 13C and 13D contain exceptions to this rule.

Rule applies even if other rules also apply

             (2)  It does not matter whether the organisation is also a credit reporting agency, a credit provider or a file number recipient.

13B  Related bodies corporate

Acts or practices that are not interferences with privacy

             (1)  Despite paragraphs 13A(1)(a) and (b), each of the following acts or practices of an organisation that is a body corporate is not an interference with the privacy of an individual:

                     (a)  the collection of personal information (other than sensitive information) about the individual by the body corporate from a related body corporate;

                     (b)  the disclosure of personal information (other than sensitive information) about the individual by the body corporate to a related body corporate.

Note:          Subsection (1) lets related bodies corporate share personal information. However, in using or holding the information, they must comply with the National Privacy Principles or a binding approved privacy code. For example, there is an interference with privacy if:

(a)           a body corporate uses personal information it has collected from a related body corporate; and

(b)           the use breaches National Privacy Principle 2 (noting that the collecting body’s primary purpose of collection will be taken to be the same as that of the related body) or a corresponding provision in a binding approved privacy code.

Relationship with paragraphs 13A(1)(c) and (d)

             (2)  Subsection (1) does not prevent an act or practice of an organisation from being an interference with the privacy of an individual under paragraph 13A(1)(c) or (d).

13C  Change in partnership because of change in partners

Acts or practices that are not interferences with privacy

             (1)  If:

                     (a)  an organisation (the new partnership) that is a partnership forms at the same time as, or immediately after, the dissolution of another partnership (the old partnership); and

                     (b)  at least one person who was a partner in the old partnership is a partner in the new partnership; and

                     (c)  the new partnership carries on a business that is the same as, or similar to, a business carried on by the old partnership; and

                     (d)  the new partnership holds, immediately after its formation, personal information about an individual that the old partnership held immediately before its dissolution;

neither the disclosure (if any) by the old partnership, nor the collection (if any) by the new partnership, of the information that was necessary for the new partnership to hold the information immediately after its formation constitutes an interference with the privacy of the individual.

Note:          Subsection (1) lets personal information be passed on from an old to a new partnership. However, in using or holding the information, they must comply with the National Privacy Principles or a binding approved privacy code. For example, the new partnership’s use of personal information collected from the old partnership may constitute an interference with privacy if it breaches National Privacy Principle 2 or a corresponding provision in a binding approved privacy code.

Effect despite section 13A

             (2)  Subsection (1) has effect despite section 13A.

13D  Overseas act required by foreign law

Acts or practices that are not interferences with privacy

             (1)  An act or practice of an organisation done or engaged in outside Australia and an external Territory is not an interference with the privacy of an individual if the act or practice is required by an applicable law of a foreign country.

Effect despite section 13A

             (2)  Subsection (1) has effect despite section 13A.

13E  Effect on section 13 of sections 13B, 13C and 13D

                   Sections 13B, 13C and 13D do not prevent an act or practice of an organisation from being an interference with the privacy of an individual under section 13.

13F  Act or practice not covered by section 13 or section 13A is not an interference with privacy

                   An act or practice that is not covered by section 13 or section 13A is not an interference with the privacy of an individual.

Division 2Information Privacy Principles

53  Application

An act or practice of an organisation may be an interference with the privacy of an individual under paragraph 13A(1)(c) of the Privacy Act 1988 whether the contract mentioned in that paragraph was made before or after the commencement of section 13A of that Act.

54  After section 16

Insert:

Division 3Approved privacy codes and the National Privacy Principles

16A  Organisations to comply with approved privacy codes or National Privacy Principles

             (1)  An organisation must not do an act, or engage in a practice, that breaches an approved privacy code that binds the organisation.

             (2)  To the extent (if any) that an organisation is not bound by an approved privacy code, the organisation must not do an act, or engage in a practice, that breaches a National Privacy Principle.

             (3)  This section, approved privacy codes and the National Privacy Principles have effect in addition to sections 18 and 18A and Part IIIA, and do not derogate from them.

             (4)  To avoid doubt, an act done, or practice engaged in, by an organisation without breaching an approved privacy code or the National Privacy Principles is not authorised by law (or by this Act) for the purposes of Part IIIA merely because it does not breach the code or the Principles.

Note:          If an act or practice is otherwise authorised by law, exceptions to the prohibitions in the National Privacy Principles and Part IIIA may mean that the act or practice does not breach the Principles or certain provisions of that Part.

16B  Personal information in records

             (1)  This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to the collection of personal information by an organisation only if the information is collected for inclusion in a record or a generally available publication.

             (2)  This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to personal information that has been collected by an organisation only if the information is held by the organisation in a record.

16C  Application of National Privacy Principles

             (1)  National Privacy Principles 1, 3 (so far as it relates to collection of personal information) and 10 apply only in relation to the collection of personal information after the commencement of this section.

             (2)  National Privacy Principles 3 (so far as it relates to personal information used or disclosed), 4, 5, 7 and 9 apply in relation to personal information held by an organisation regardless of whether the organisation holds the personal information as a result of collection occurring before or after the commencement of this section.

             (3)  National Privacy Principles 2 and 6 apply only in relation to personal information collected after the commencement of this section.

             (4)  National Privacy Principle 8 applies only to transactions entered into after the commencement of this section.

16D  Delayed application of National Privacy Principles to small business

             (1)  This section deals with the application of the National Privacy Principles to an organisation that carries on one or more small businesses and does not carry on any other business. This section has effect despite section 16C.

             (2)  National Privacy Principles 1, 3 (so far as it relates to collection of personal information) and 10 apply only in relation to the collection of personal information by the organisation after the delayed application period.

             (3)  National Privacy Principles 3 (so far as it relates to personal information used or disclosed), 4, 5, 7 and 9 apply in relation to the organisation only after the delayed application period. Those Principles then apply in relation to personal information held by the organisation as a result of collection occurring before, during or after that period.

             (4)  National Privacy Principles 2 and 6 apply only in relation to personal information collected by the organisation after the delayed application period.

             (5)  National Privacy Principle 8 applies only to transactions entered into with the organisation after the delayed application period.

             (6)  In this section:

delayed application period means the period of 12 months starting when this section commences.

16E  Personal, family or household affairs

                   Nothing in the National Privacy Principles applies to:

                     (a)  the collection, holding, use, disclosure or transfer of personal information by an individual; or

                     (b)  personal information held by an individual;

only for the purposes of, or in connection with, his or her personal, family or household affairs.

16F  Information under Commonwealth contract not to be used for direct marketing

             (1)  This section limits the use and disclosure of personal information collected:

                     (a)  for the purpose of meeting (directly or indirectly) an obligation under a Commonwealth contract; and

                     (b)  by an organisation that is a contracted service provider for the contract.

Note:          An organisation may be a contracted service provider for a Commonwealth contract whether or not the organisation is a party to the contract.

             (2)  An organisation that is a contracted service provider for the contract must not use or disclose the personal information for direct marketing, unless the use or disclosure is necessary to meet (directly or indirectly) an obligation under the contract.

             (3)  Subsection (2) has effect despite:

                     (a)  an approved privacy code (if any) binding the organisation in relation to the personal information; and

                     (b)  the National Privacy Principles.

Division 4Tax file number information

55  After section 18

Insert:

Division 5Credit information

56  After paragraph 18A(3)(a)

Insert:

                    (aa)  the National Privacy Principles and the provisions of Part IIIAA; and

57  Application

The amendment of section 18A of the Privacy Act 1988 by this Schedule applies to the preparation of the Code of Conduct for issue after the commencement of the amendment.

58  After Part III

Insert:

Part IIIAAPrivacy codes

18BA  Application for approval of privacy code

                   An organisation may apply in writing to the Commissioner for approval of a privacy code.

18BB  Commissioner may approve privacy code

             (1)  Before deciding whether to approve a privacy code, the Commissioner may consult any person the Commissioner considers appropriate.

             (2)  The Commissioner may approve a privacy code if, and only if, the Commissioner is satisfied:

                     (a)  that the code incorporates all the National Privacy Principles or sets out obligations that, overall, are at least the equivalent of all the obligations set out in those Principles; and

                     (b)  that the code specifies the organisations bound by the code or a way of determining the organisations that are, or will be, bound by the code; and

                     (c)  that only organisations that consent to be bound by the code are, or will be, bound by the code; and

                     (d)  that the code sets out a procedure by which an organisation may cease to be bound by the code and when the cessation takes effect; and

                     (e)  of the matters mentioned in subsection (3), if the code sets out procedures for making and dealing with complaints in relation to acts or practices of an organisation bound by the code that may be an interference with the privacy of an individual; and

                      (f)  that members of the public have been given an adequate opportunity to comment on a draft of the code.

             (3)  If the code sets out procedures for making and dealing with complaints, the Commissioner must be satisfied that:

                     (a)  the procedures meet:

                              (i)  the prescribed standards; and

                             (ii)  the Commissioner’s guidelines (if any) in relation to making and dealing with complaints; and

                     (b)  the code provides for the appointment of an independent adjudicator to whom complaints may be made; and

                     (c)  the code provides that, in performing his or her functions, and exercising his or her powers, under the code, an adjudicator for the code must have due regard for the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information (through the media and otherwise); and

                     (d)  the determinations, findings, declarations, orders and directions that the adjudicator may make under the code after investigating a complaint are the same as those that the Commissioner may make under section 52 after investigating a complaint under this Act; and

                     (e)  the code obliges an organisation bound by the code not to repeat or continue conduct of the organisation declared by the adjudicator (after investigating a complaint) to constitute an interference with the privacy of the complainant; and

                      (f)  the code obliges an organisation bound by the code to perform an act or course of conduct that the adjudicator has declared (after investigating a complaint) that the organisation should perform to redress loss or damage suffered by the complainant; and

                     (g)  the code requires organisations bound by the code to co‑operate with the adjudicator when the adjudicator is performing functions or exercising powers under the code; and

                     (h)  the code requires a report (in a form satisfactory to the Commissioner) to be prepared as soon as practicable after 30 June each year on the operation of the code during the financial year that ended on that 30 June; and

                      (i)  the code requires that a copy of each report is to be given to the Commissioner within a timetable that is satisfactory to the Commissioner; and

                      (j)  the code requires that a copy of each report is to be made available to anyone who asks for it; and

                     (k)  the code requires the report prepared for each year to include the number, nature and outcome of complaints made to an adjudicator under the code during the relevant financial year; and

                      (l)  the code identifies a person who is responsible for the requirements in this subsection relating to the annual report for the code.

             (4)  In deciding whether to approve a privacy code, the Commissioner may consider the matters specified in guidelines issued by the Commissioner (if any).

             (5)  An approval must be in writing.

             (6)  This section does not prevent the Commissioner approving a privacy code if:

                     (a)  the code also sets out:

                              (i)  the period during which it will operate; or

                             (ii)  the circumstances in which it will expire; and

                     (b)  the Commissioner considers that the period or circumstances are appropriate.

             (7)  This section does not prevent the Commissioner approving a privacy code if the code is expressed to apply to:

                     (a)  all personal information or a specified type of personal information; or

                     (b)  a specified activity or class of activities of an organisation; or

                     (c)  a specified industry sector and/or profession; or

                     (d)  a specified class of industry sectors and/or professions.

18BC  When approval takes effect

             (1)  The approval of a privacy code takes effect on the day specified in the approval.

             (2)  The day specified must not be before the day on which the approval is given.

18BD  Varying an approved privacy code

             (1)  An organisation may apply in writing to the Commissioner for approval of a variation of an approved privacy code by giving the Commissioner a copy of the code that incorporates the variations.

             (2)  The Commissioner may approve in writing the variation.

             (3)  In deciding whether to approve the variation, the Commissioner must consider all of the matters that the Commissioner would consider in deciding whether to approve under section 18BB a privacy code identical to the approved privacy code with the variation.

             (4)  However, if the Commissioner thinks that a variation is minor, he or she need not be satisfied that members of the public have been given an adequate opportunity to comment on a draft variation of the code (as would otherwise be required by paragraph 18BB(2)(f)). Instead, the Commissioner may consult any person he or she thinks appropriate about the draft variation.

             (5)  The approval of the variation takes effect on the day specified in the approval.

             (6)  The day specified must not be before the day on which the approval is given.

18BE  Revoking the approval of an approved privacy code

             (1)  The Commissioner may revoke his or her approval of an approved privacy code or a variation of an approved privacy code:

                     (a)  on his or her own initiative; or

                     (b)  on application by an organisation that is bound by the code.

             (2)  Before deciding whether to revoke the approval of a code or variation, the Commissioner must:

                     (a)  if practicable, consult the organisation that originally sought approval of the code or variation; and

                     (b)  consult any other person the Commissioner considers appropriate; and

                     (c)  consider the extent to which members of the public have been given an opportunity to comment on the proposed revocation.

             (3)  A revocation must be in writing.

             (4)  A revocation comes into effect on the day specified in the revocation.

             (5)  The day specified must not be before the day on which the revocation is made.

18BF  Guidelines about privacy codes

             (1)  The Commissioner may make:

                     (a)  written guidelines to assist organisations to develop privacy codes or to apply approved privacy codes; and

                     (b)  written guidelines relating to making and dealing with complaints under approved privacy codes; and

                     (c)  written guidelines about matters the Commissioner may consider in deciding whether to approve a privacy code or a variation of an approved privacy code.

             (2)  The Commissioner may publish the guidelines in any way the Commissioner considers appropriate.

18BG  Register of approved privacy codes

             (1)  The Commissioner must keep a register of approved privacy codes.

             (2)  The Commissioner may decide the form of the register and how it is to be kept.

             (3)  The Commissioner must make the register available to the public in the way that the Commissioner determines.

             (4)  The Commissioner may charge fees for:

                     (a)  making the register available to the public; or

                     (b)  providing copies of, or extracts from, the register.

59  After paragraph 27(1)(a)

Insert:

                    (aa)  to approve privacy codes and variations of approved privacy codes and to revoke those approvals;

                    (ab)  subject to Part V—to investigate an act or practice of an organisation that may be an interference with the privacy of an individual because of section 13A and, if the Commissioner considers it appropriate to do so, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation;

                    (ac)  to perform functions, and exercise powers, conferred on an adjudicator by an approved privacy code under which the Commissioner has been appointed as an independent adjudicator to whom complaints may be made;

60  Paragraph 27(1)(b)

After “agency”, insert “or organisation”.

61  At the end of paragraph 27(1)(d)

Add “and of the National Privacy Principles”.

62  Paragraph 27(1)(e)

After “agency”, insert “or an organisation”.

63  After paragraph 27(1)(e)

Insert:

                    (ea)  to prepare, and to publish in the way that the Commissioner considers appropriate, guidelines:

                              (i)  to assist organisations to develop privacy codes or to apply approved privacy codes; or

                             (ii)  relating to making and dealing with complaints under approved privacy codes; or

                            (iii)  about matters the Commissioner may consider in deciding whether to approve a privacy code or a variation of an approved privacy code;

64  Paragraph 27(1)(f)

Repeal the paragraph, substitute:

                      (f)  to provide (on request or on the Commissioner’s own initiative) advice to a Minister, agency or organisation on any matter relevant to the operation of this Act;

                    (fa)  to provide advice to an adjudicator for an approved privacy code on any matter relevant to the operation of this Act or the code, on request by the adjudicator;

65  Paragraphs 27(1)(n) and (o)

Repeal the paragraphs.

66  At the end of subsection 27(1)

Add:

                    ; (s)  to do anything incidental or conducive to the performance of any of the Commissioner’s other functions.

67  After subsection 27(1)

Insert:

          (1A)  To avoid doubt, the Commissioner is not subject to Part V in performing functions, and exercising powers, conferred on an adjudicator by an approved privacy code under which the Commissioner has been appointed as an independent adjudicator to whom complaints may be made.

68  At the end of section 27

Add:

             (3)  Without limiting subsection (2), the Commissioner may, at the request of an organisation, examine the records of personal information maintained by the organisation, for the purpose of ascertaining whether the records are maintained according to:

                     (a)  an approved privacy code that binds the organisation; or

                     (b)  to the extent (if any) that the organisation is not bound by an approved privacy code—the National Privacy Principles.

69  Paragraph 29(a)

After “free flow of information”, insert “(through the media and otherwise)”.

70  Paragraph 29(d)

Repeal the paragraph, substitute:

                     (d)  ensure that his or her directions and guidelines are consistent with whichever of the following (if any) are relevant:

                              (i)  the Information Privacy Principles;

                             (ii)  the National Privacy Principles;

                            (iii)  the Code of Conduct and Part IIIA.

71  At the end of section 30

Add:

             (6)  This section does not apply to:

                     (a)  a complaint made under section 36 in relation to an act or practice of an organisation; or

                     (b)  a complaint the Commissioner accepts under subsection 40(1B).

72  Subsection 31(2)

After “agency”, insert “or organisation”.

73  Subsection 36(1)

Omit “An”, substitute “Subject to subsection (1A), an”.

74  After subsection 36(1)

Insert:

          (1A)  Subsection (1) does not apply to a complaint by an individual about an act or practice of an organisation that is bound by an approved privacy code that:

                     (a)  contains a procedure for making and dealing with complaints to an adjudicator in relation to acts or practices that may be an interference with the privacy of an individual; and

                     (b)  is relevant to the act or practice complained of.

          (1B)  Subsection (1A) does not prevent an individual from making a complaint under an approved privacy code to the adjudicator for the code if the adjudicator is the Commissioner.

          (1C)  Subsection (1A) does not prevent an individual from complaining under this Part to the Commissioner about an act done, or practice engaged in, by an organisation purportedly for the purpose of meeting (directly or indirectly) an obligation under a Commonwealth contract (whether or not the organisation is a party to the contract).

Note:          Section 40A requires an adjudicator for an approved privacy code to refer a code complaint to the Commissioner if the complaint is about an act or practice of a contracted service provider for a Commonwealth contract.

75  Subsection 36(7)

Repeal the subsection, substitute:

             (7)  In the case of a complaint about an act or practice of an organisation, the organisation is the respondent.

Note:          Section 70A contains further rules about how this Part operates in relation to respondent organisations that are not legal persons.

             (8)  The respondent to a complaint about an act or practice described in one of paragraphs 13(b) to (d) (inclusive), other than an act or practice of an agency or organisation, is the person who engaged in the act or practice.

76  Application

Subsection 36(8) of the Privacy Act 1988 as amended by this Schedule applies in relation to complaints made after the commencement of this Schedule.

77  Subsection 38(1)

After “36”, insert “or accepted under subsection 40(1B)”.

78  Subsection 38(2)

Omit “under section 36”, substitute “made under section 36 or accepted under subsection 40(1B)”.

79  Subsection 40(1)

Omit “The”, substitute “Subject to subsection (1A), the”.

80  After subsection 40(1)

Insert:

          (1A)  The Commissioner must not investigate a complaint if the complainant did not complain to the respondent before making the complaint to the Commissioner under section 36. However, the Commissioner may decide to investigate the complaint if he or she considers that it was not appropriate for the complainant to complain to the respondent.

          (1B)  The Commissioner must investigate under this Part a complaint about an act or practice of an organisation that is bound by a relevant approved privacy code that contains a procedure for making and dealing with complaints in relation to acts or practices that may be an interference with the privacy of an individual if:

                     (a)  the act or practice occurred after the approval of the code came into effect; and

                     (b)  the adjudicator for the code refers the complaint to the Commissioner; and

                     (c)  the Commissioner accepts the complaint; and

                     (d)  the Commissioner consults the complainant before accepting the complaint.

          (1C)  If the Commissioner accepts a complaint mentioned in subsection (1B), the Commissioner must deal with it as if it were a complaint made under section 36 in relation to an act or practice of the organisation.

81  At the end of section 40

Add:

             (3)  This section has effect subject to section 41.

82  After section 40

Insert:

40A  Referring complaint about act under Commonwealth contract

             (1)  This section applies if:

                     (a)  a complaint is made to an adjudicator for an approved privacy code; and

                     (b)  the adjudicator forms the view that the complaint is about an act done or practice engaged in:

                              (i)  by an organisation that is a contracted service provider for a Commonwealth contract; and

                             (ii)  for the purposes of meeting (directly or indirectly) an obligation under the contract.

             (2)  Despite the code, the adjudicator must:

                     (a)  stop investigating the complaint under the code (without making a determination under the code about the complaint); and

                     (b)  refer the complaint to the Commissioner under subsection 40(1B) for investigation under this Part.

             (3)  The Commissioner must accept the complaint under subsection 40(1B).

Note:          This means that the Commissioner must investigate the complaint (subject to section 41) as if the complaint had been made to the Commissioner under section 36. See subsections 40(1B) and (1C).

83  Subsection 41(1)

After “under section 36”, insert “, or which the Commissioner has accepted under subsection 40(1B),”.

84  Paragraph 41(1)(b)

Repeal the paragraph.

85  Paragraphs 41(1)(e) and (f)

Repeal the paragraphs, substitute:

                     (e)  the act or practice is the subject of an application under another Commonwealth law, or a State or Territory law, and the subject‑matter of the complaint has been, or is being, dealt with adequately under that law; or

                      (f)  another Commonwealth law, or a State or Territory law, provides a more appropriate remedy for the act or practice that is the subject of the complaint.

86  Subsections 41(2) and 41(3)

After “under section 36”, insert “, or accepted by the Commissioner under subsection 40(1B),”.

87  Subsection 41(4)

Repeal the subsection, substitute:

             (4)  If an act or practice may be an interference with the privacy of an individual solely because it may breach:

                     (a)  Information Privacy Principle 7; or

                     (b)  National Privacy Principle 6, to the extent that it deals with the correction of personal information; or

                     (c)  a provision of an approved privacy code that corresponds to National Privacy Principle 6, to the extent that it deals with the correction of personal information;

the Commissioner must not investigate the act or practice except to the extent that it is an interference with the privacy of one or more individuals each of whom is:

                     (d)  an Australian citizen; or

                     (e)  a person whose continued presence in Australia is not subject to a limitation as to time imposed by law.

88  Section 42

After “Commissioner” (first occurring), insert “, or the Commissioner accepts a complaint under subsection 40(1B),”.

89  After subsection 43(1)

Insert:

          (1A)  Before starting to investigate an act done, or practice engaged in, by a contracted service provider for the purpose of providing (directly or indirectly) a service to an agency under a Commonwealth contract, the Commissioner must also inform the agency that the act or practice is to be investigated.

Note:          See subsection 6(9) about provision of services to an agency.

90  Subsection 43(6)

After “agency” (twice occurring), insert “, organisation”.

91  After subsection 43(8)

Insert:

          (8A)  Subsection (8) does not allow the Commissioner to discuss a matter relevant to an investigation of a breach of an approved privacy code or the National Privacy Principles with a Minister, unless the investigation is of an act done, or practice engaged in:

                     (a)  by a contracted service provider for a Commonwealth contract; and

                     (b)  for the purpose of providing a service to an agency to meet (directly or indirectly) an obligation under the contract.

92  Subsection 46(1)

After “a complaint”, insert “(except an NPP complaint or a code complaint accepted under subsection 40(1B))”.

93  At the end of section 48

Add:

             (2)  If the Commissioner decides not to investigate (at all or further) an act done, or practice engaged in, by a contracted service provider for the purpose of providing (directly or indirectly) a service to an agency under a Commonwealth contract, the Commissioner must also inform the agency of the decision.

Note:          See subsection 6(9) about provision of services to an agency.

94  After section 50

Insert:

50A  Substitution of respondent to complaint

             (1)  This section lets the Commissioner substitute an agency for an organisation as respondent to a complaint if:

                     (a)  the organisation is a contracted service provider for a Commonwealth contract to provide services to the agency; and

                     (b)  before the Commissioner makes a determination under section 52 in relation to the complaint, the organisation:

                              (i)  dies or ceases to exist; or

                             (ii)  becomes bankrupt or insolvent, commences to be wound up, applies to take the benefit of a law for the relief of bankrupt or insolvent debtors, compounds with creditors or makes an assignment of any property for the benefit of creditors.

             (2)  The Commissioner may amend the complaint to specify as a respondent to the complaint the agency or its principal executive, instead of the organisation.

Note 1:       The complaint still relates to the act or practice of the organisation.

Note 2:       Section 53B lets the Commissioner treat an agency as a respondent to a determination if the organisation cannot comply with a determination to pay an amount to a complainant.

             (3)  Before amending the complaint, the Commissioner must:

                     (a)  give the agency a notice stating that the Commissioner proposes to amend the complaint and stating the reasons for the proposal; and

                     (b)  give the agency an opportunity to appear before the Commissioner and to make oral and/or written submissions relating to the proposed amendment.

             (4)  If the Commissioner amends the complaint after starting to investigate it, the Commissioner is taken to have satisfied subsection 43(1A) in relation to the agency.

95  Subsection 52(3A)

Repeal the subsection, substitute:

          (3A)  The Commissioner may include an order mentioned in subsection (3B) in a determination under subparagraph (1)(b)(i) or (ii) that concerns a breach of:

                     (a)  Information Privacy Principle 7; or

                     (b)  National Privacy Principle 6, to the extent that it deals with the correction of personal information; or

                     (c)  a provision of an approved privacy code that corresponds to National Privacy Principle 6, to the extent that it deals with the correction of personal information; or

                     (d)  section 18J.

          (3B)  A determination may include an order that:

                     (a)  an agency or respondent make an appropriate correction, deletion or addition to a record, or to a credit information file or credit report, as the case may be; or

                     (b)  an agency or respondent attach to a record, or include in a credit information file or credit report, as the case may be, a statement provided by the complainant of a correction, deletion or addition sought by the complainant.

96  At the end of Division 2 of Part V

Add:

53A  Notice to be given to outsourcing agency

             (1)  If the Commissioner makes a determination to which a contracted service provider for a Commonwealth contract is the respondent, the Commissioner:

                     (a)  must give a copy of the determination to each agency:

                              (i)  to which services are or were to be provided under the contract; and

                             (ii)  to which the Commissioner considers it appropriate to give a copy; and

                     (b)  may give such an agency a written recommendation of any measures that the Commissioner considers appropriate.

             (2)  The Commissioner may give an agency a recommendation only after consulting the agency.

             (3)  An agency that receives a recommendation from the Commissioner must tell the Commissioner in writing of any action the agency proposes to take in relation to the recommendation. The agency must do so within 60 days of receiving the recommendation.

53B  Substituting respondent to determination

             (1)  This section applies if:

                     (a)  the respondent to a determination under subsection 52(1) is a contracted service provider for a Commonwealth contract; and

                     (b)  the determination includes:

                              (i)  a declaration under subparagraph 52(1)(b)(iii) that the complainant is entitled to a specified amount by way of compensation; or

                             (ii)  a declaration under subsection 52(3) that the complainant is entitled to a specified amount by way of reimbursement; and

                     (c)  at a particular time after the determination was made, the respondent:

                              (i)  dies or ceases to exist; or

                             (ii)  becomes bankrupt or insolvent, commences to be wound up, applies to take the benefit of a law for the relief of bankrupt or insolvent debtors, compounds with creditors or makes an assignment of any property for the benefit of creditors; and

                     (d)  at that time, the complainant had not been paid the whole or part of an amount referred to in subparagraph (b)(i) or (b)(ii).

             (2)  The Commissioner may determine in writing that a specified agency to which services were or were to be provided under the contract is the respondent to the determination under section 52. The determination has effect according to its terms for the purposes of section 60.

Note:          This means that the amount owed by the contracted service provider will be a debt due by the agency to the complainant.

             (3)  Before making a determination, the Commissioner must give the agency:

                     (a)  a notice stating that the Commissioner proposes to make the determination and stating the reasons for the proposal; and

                     (b)  an opportunity to appear before the Commissioner and to make oral and/or written submissions relating to the proposed determination.

97  Division 3 of Part V (heading)

Repeal the heading, substitute:

Division 3Enforcement

98  After subsection 54(1)

Insert:

          (1A)  This Division also applies to a determination made by an adjudicator for an approved privacy code under the code in relation to a complaint made under the code.

Note:          The making of a determination by the Commissioner under this Act or by an adjudicator under an approved privacy code is subject to judicial review under the Administrative Decisions (Judicial Review) Act 1977.

99  Section 55

Repeal the section, substitute:

55  Obligations of respondent organisation

Determination under section 52

             (1)  An organisation that is the respondent to a determination made under section 52:

                     (a)  must not repeat or continue conduct that is covered by a declaration that is included in the determination under sub‑subparagraph 52(1)(b)(i)(B); and

                     (b)  must perform the act or course of conduct that is covered by a declaration that is included in the determination under subparagraph 52(1)(b)(ii).

Determination under approved privacy code

             (2)  An organisation that is the respondent to a determination made under an approved privacy code:

                     (a)  must not repeat or continue conduct that is covered by a declaration that is included in the determination and that corresponds to a declaration mentioned in paragraph (1)(a); and

                     (b)  must perform the act or course of conduct that is covered by a declaration that is included in the determination and that corresponds to a declaration mentioned in paragraph (1)(b).

55A  Proceedings in the Federal Court or Federal Magistrates Court to enforce a determination

             (1)  Any of the following persons may commence proceedings in the Federal Court or the Federal Magistrates Court for an order to enforce a determination:

                     (a)  the complainant;

                     (b)  the Commissioner, if the determination was made under section 52;

                     (c)  the adjudicator for the approved privacy code under which the determination was made, if it was made under an approved privacy code.

             (2)  If the court is satisfied that the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant, the court may make such orders (including a declaration of right) as it thinks fit.

             (3)  The court may, if it thinks fit, grant an interim injunction pending the determination of the proceedings.

             (4)  The court is not to require a person, as a condition of granting an interim injunction, to give an undertaking as to damages.

             (5)  The court is to deal by way of a hearing de novo with the question whether the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant.

             (6)  Despite subsection (5), the court may receive any of the following as evidence in proceedings about a determination made by the Commissioner under section 52:

                     (a)  a copy of the Commissioner’s written reasons for the determination;

                     (b)  a copy of any document that was before the Commissioner;

                     (c)  a copy of a record (including any tape recording) of any appearance before the Commissioner (including any oral submissions made) under subsection 43(5).

             (7)  Despite subsection (5), the court may receive any of the following as evidence in proceedings about a determination made by an adjudicator under an approved privacy code:

                     (a)  a copy of the adjudicator’s written reasons for the determination;

                     (b)  a copy of any document that was before the adjudicator;

                     (c)  a copy of a record (including any tape recording) of any appearance before the adjudicator (including any oral submissions made).

             (8)  In this section:

complainant, in relation to a representative complaint, means any of the class members.

55B  Evidentiary certificate

             (1)  The Commissioner may issue a written certificate setting out the findings of fact upon which the Commissioner based his or her determination that:

                     (a)  a specified agency had breached an Information Privacy Principle; or

                     (b)  a specified organisation had breached an approved privacy code or a National Privacy Principle.

             (2)  An adjudicator for an approved privacy code may issue a written certificate setting out the findings of fact upon which the adjudicator based his or her determination that a specified organisation had breached an approved privacy code.

             (3)  In any proceedings under section 55A, a certificate under subsection (1) or (2) of this section is prima facie evidence of the facts found by the Commissioner or adjudicator and set out in the certificate. However, the certificate is not prima facie evidence of a finding that:

                     (a)  a specified agency had breached an Information Privacy Principle; or

                     (b)  a specified organisation had breached an approved privacy code or a National Privacy Principle.

             (4)  A document purporting to be a certificate under subsection (1) or (2) must, unless the contrary is established, be taken to be a certificate and to have been properly given.

100  Application

Enforcement of determinations

(1)        Division 3 of Part V of the Privacy Act 1988 as amended by this Schedule applies to a determination made as a result of a complaint made after the commencement of this Schedule.

Evidentiary certificates

(2)        Section 55B of the Privacy Act 1988 applies in relation to a determination made by the Commissioner in relation to an agency before or after the commencement of that section.

101  Subsections 62(1) and (2)

After “Federal Court”, insert “or the Federal Magistrates Court”.

102  Subsection 62(4)

Omit “Federal Court”, substitute “court”.

103  Paragraphs 63(2)(a) and (b)

After “Federal Court”, insert “or the Federal Magistrates Court”.

104  After subsection 63(2)

Insert:

          (2A)  Subsection (2) does not permit an application relating to proceedings under section 55A to enforce a determination relating to a code complaint or an NPP complaint.

105  At the end of section 64

Add:

             (2)  Neither an adjudicator for an approved privacy code, nor a person acting under his or her direction or authority, is liable to an action, suit or proceeding in relation to an act done or omitted to be done in good faith in the exercise or purported exercise of any power or authority conferred by this Act or the code.

Note:       The heading to section 64 is altered by inserting “etc.” after “Commissioner”.

106  After subsection 66(1)

Insert:

          (1A)  For the purposes of subsection (1), a journalist has a reasonable excuse if giving the information, answering the question or producing the document or record would tend to reveal the identity of a person who gave information or a document or record to the journalist in confidence.

107  After paragraph 67(a)

Insert:

                    (aa)  the making of a complaint under an approved privacy code;

                    (ab)  the acceptance of a complaint under subsection 40(1B);

108  Subsection 68(1)

After “Commissioner” (second occurring), insert “in writing”.

109  Subsection 68(1)

After “an agency,”, insert “an organisation,”.

110  After subsection 68(1)

Insert:

          (1A)  The Commissioner may authorise a person only while the person is a member of the staff assisting the Commissioner.

111  After subsection 68(3)

Insert:

          (3A)  Before obtaining the consent, the authorised person must inform the occupier or person in charge that he or she may refuse to consent.

          (3B)  An entry by an authorised person with the consent of the occupier or person in charge is not lawful if the consent was not voluntary.

          (3C)  The authorised person may not enter premises (other than premises occupied by an agency) if:

                     (a)  the occupant or person in charge asks the authorised person to produce his or her identity card; and

                     (b)  the authorised person does not produce it.

          (3D)  If an authorised person is on premises with the consent of the occupier or person in charge, the authorised person must leave the premises if the occupier or person in charge asks the authorised person to do so.

112  After section 68

Insert:

68A  Identity cards

             (1)  The Commissioner must issue to a person authorised for the purposes of section 68 an identity card in the form approved by the Commissioner. The identity card must contain a recent photograph of the authorised person.

             (2)  As soon as practicable after the person ceases to be authorised, he or she must return the identity card to the Commissioner.

             (3)  A person must not contravene subsection (2).

Penalty:  1 penalty unit.

113  Subsection 69(9) (definition of complaint)

Repeal the definition, substitute:

complaint means:

                     (a)  a complaint under section 36; or

                     (b)  a complaint the Commissioner accepts under subsection 40(1B).

114  At the end of Division 5 of Part V

Add:

70A  Application of Part to organisations that are not legal persons

Partnerships

             (1)  If, apart from this subsection, this Part would impose an obligation to do something (or not to refuse or fail to do something) on an organisation that is a partnership, the obligation is imposed instead on each partner but may be discharged by any of the partners.

Unincorporated associations

             (2)  If, apart from this subsection, this Part would impose an obligation to do something (or not to refuse or fail to do something) on an organisation that is an unincorporated association, the obligation is imposed instead on each member of the committee of management of the association but may be discharged by any of the members of that committee.

Trusts

             (3)  If, apart from this subsection, this Part would impose an obligation to do something (or not to refuse or fail to do something) on an organisation that is a trust, the obligation is imposed instead on each trustee but may be discharged by any of the trustees.

115  Part VI (heading)

Repeal the heading, substitute:

Part VIPublic interest determinations and temporary public interest determinations

116  Before section 71

Insert:

Division 1Public interest determinations

117  Section 72

Omit “Part”, substitute “Division”.

118  At the end of section 72

Add:

Determinations about an organisation’s acts and practices

             (2)  Subject to this Division, if the Commissioner is satisfied that:

                     (a)  an act or practice of an organisation breaches, or may breach, an approved privacy code, or a National Privacy Principle, that binds the organisation; but

                     (b)  the public interest in the organisation doing the act, or engaging in the practice, substantially outweighs the public interest in adhering to that code or Principle;

the Commissioner may make a written determination to that effect.

Effect of determination under subsection (2)

             (3)  The organisation is taken not to contravene section 16A if the organisation does the act, or engages in the practice, while the determination is in force under subsection (2).

Giving a determination under subsection (2) general effect

             (4)  The Commissioner may make a written determination that no organisation is taken to contravene section 16A if, while that determination is in force, an organisation does an act, or engages in a practice, that is the subject of a determination under subsection (2) in relation to that organisation or any other organisation.

Effect of determination under subsection (4)

             (5)  A determination under subsection (4) has effect according to its terms.

Note:       The following heading to subsection 72(1) is inserted “Determinations about an agency’s acts and practices”.

119  Subsection 73(1)

After “agency”, insert “or organisation”.

Note:       The heading to section 73 is altered by adding at the end “or organisation”.

120  At the end of subsection 73(1)

Add “of the agency or organisation”.

121  Subsection 73(2)

Omit “care”, substitute “services”.

122  Subsection 75(2)

Repeal the subsection, substitute:

             (2)  If the applicant is an agency, the Commissioner must send to the agency, and to each other person (if any) who is interested in the application, a written invitation to notify the Commissioner, within the period specified in the invitation, whether or not the agency or other person wishes the Commissioner to hold a conference about the draft determination.

          (2A)  If the applicant is an organisation, the Commissioner must:

                     (a)  send a written invitation to the organisation to notify the Commissioner, within the period specified in the invitation, whether or not the organisation wishes the Commissioner to hold a conference about the draft determination; and

                     (b)  issue, in any way the Commissioner thinks appropriate, an invitation in corresponding terms to the other persons (if any) that the Commissioner thinks appropriate.

123  Subsection 75(3)

After “subsection (2)”, insert “or subsection (2A)”.

124  Application and saving

(1)        The amendments of section 75 of the Privacy Act 1988 made by this Schedule apply in relation to applications that are made under section 73 of that Act after the commencement of this Schedule.

(2)        Regulations (if any) in force for the purposes of subsection 75(3) of the Privacy Act 1988 immediately before the commencement of this Schedule have effect, after that commencement, as if they had been made for the purposes of that subsection after that commencement.

(3)        Subitem (2) does not prevent the amendment or repeal of the regulations.

125  Subsection 76(1)

After “agency” (wherever occurring), insert “, organisation”.

126  Subsection 76(4)

After “agency”, insert “or organisation”.

127  Subsection 77(1)

After “agency” (wherever occurring), insert “or organisation”.

128  Subsection 79(2)

Omit “or any person”, substitute “, organisation or any other person”.

129  At the end of Part VI

Add:

Division 2Temporary public interest determinations

80A  Temporary public interest determinations

             (1)  This section applies if the Commissioner is satisfied that:

                     (a)  the act or practice of an agency or organisation that is the subject of an application under section 73 for a determination under section 72 breaches, or may breach:

                              (i)  in the case of an agency—an Information Privacy Principle; and

                             (ii)  in the case of an organisation—an approved privacy code, or a National Privacy Principle, that binds the organisation; and

                     (b)  the public interest in the agency or organisation doing the act, or engaging in the practice, outweighs to a substantial degree the public interest in adhering to that Principle or code; and

                     (c)  the application raises issues that require an urgent decision.

             (2)  The Commissioner may make a written temporary public interest determination that he or she is satisfied of the matters set out in subsection (1). The Commissioner may do so:

                     (a)  on request by the agency or organisation; or

                     (b)  on the Commissioner’s own initiative.

             (3)  The Commissioner must:

                     (a)  specify in the determination a period of up to 12 months during which the determination is in force (subject to subsection 80D(2)); and

                     (b)  include in the determination a statement of the reasons for the determination.

80B  Effect of temporary public interest determination

Agency covered by a determination

             (1)  If an act or practice of an agency is the subject of a temporary public interest determination, the agency is taken not to breach section 16 if the agency does the act, or engages in the practice, while the determination is in force.

Organisation covered by a determination

             (2)  If an act or practice of an organisation is the subject of a temporary public interest determination, the organisation is taken not to contravene section 16A if the organisation does the act, or engages in the practice, while the determination is in force.

Giving a temporary public interest determination general effect

             (3)  The Commissioner may make a written determination that no organisation is taken to contravene section 16A if, while that determination is in force, an organisation does an act, or engages in a practice, that is the subject of a temporary public interest determination in relation to that organisation or another organisation.

Effect of determination under subsection (3)

             (4)  A determination under subsection (3) has effect according to its terms.

80C  Determinations disallowable

                   A determination under this Division is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

80D  Commissioner may continue to consider application

             (1)  The fact that the Commissioner has made a determination under this Division about an act or practice does not prevent the Commissioner from dealing under Division 1 with an application made under section 73 in relation to that act or practice.

             (2)  A determination under this Division about an act or practice ceases to be in effect when:

                     (a)  a determination made under subsection 72(1) or (2) (as appropriate) about the act or practice comes into effect; or

                     (b)  a determination is made under paragraph 78(b) to dismiss the application.

Division 3Register of determinations

80E  Register of determinations

             (1)  The Commissioner must keep a register of determinations made under Division 1 or 2.

             (2)  The Commissioner may decide the form of the register and how it is to be kept.

             (3)  The Commissioner must make the register available to the public in the way that the Commissioner determines.

             (4)  The Commissioner may charge fees for:

                     (a)  making the register available to the public; or

                     (b)  providing copies of, or extracts from, the register.

130  Application

Section 80A of the Privacy Act 1988 as amended by this Schedule applies in relation to an application made by or on behalf of an agency under section 73 of that Act, whether the application was made before or after the commencement of this Schedule.

131  After section 95

Insert:

95A  Guidelines for National Privacy Principles about health information

Overview

             (1)  This section allows the Commissioner to approve for the purposes of the National Privacy Principles (the NPPs) guidelines that are issued by the National Health and Medical Research Council or a prescribed authority.

Approving guidelines for use and disclosure

             (2)  For the purposes of subparagraph 2.1(d)(ii) of the NPPs, the Commissioner may, by notice in the Gazette, approve guidelines that relate to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety.

Public interest test

             (3)  The Commissioner may give an approval under subsection (2) only if satisfied that the public interest in the use and disclosure of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than paragraph 2.1(d)).

Approving guidelines for collection

             (4)  For the purposes of subparagraph 10.3(d)(iii) of the NPPs, the Commissioner may, by notice in the Gazette, approve guidelines that relate to the collection of health information for the purposes of:

                     (a)  research, or the compilation or analysis of statistics, relevant to public health or public safety; or

                     (b)  the management, funding or monitoring of a health service.

Public interest test

             (5)  The Commissioner may give an approval under subsection (4) only if satisfied that the public interest in the collection of health information for the purposes mentioned in that subsection in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than paragraph 10.3(d)).

Revocation of approval

             (6)  The Commissioner may, by notice in the Gazette, revoke an approval of guidelines under this section if he or she is no longer satisfied of the matter that he or she had to be satisfied of to approve the guidelines.

Review by AAT

             (7)  Application may be made to the Administrative Appeals Tribunal for review of a decision of the Commissioner to refuse to approve guidelines or to revoke an approval of guidelines.

95B  Requirements for Commonwealth contracts

             (1)  This section requires an agency entering into a Commonwealth contract to take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an Information Privacy Principle if done or engaged in by the agency.

             (2)  The agency must ensure that the Commonwealth contract does not authorise a contracted service provider for the contract to do or engage in such an act or practice.

             (3)  The agency must also ensure that the Commonwealth contract contains provisions to ensure that such an act or practice is not authorised by a subcontract.

             (4)  For the purposes of subsection (3), a subcontract is a contract under which a contracted service provider for the Commonwealth contract is engaged to provide services to:

                     (a)  another contracted service provider for the Commonwealth contract; or

                     (b)  any agency;

for the purposes (whether direct or indirect) of the Commonwealth contract.

             (5)  This section applies whether the agency is entering into the Commonwealth contract on behalf of the Commonwealth or in the agency’s own right.

95C  Disclosure of certain provisions of Commonwealth contracts

                   If a person asks a party to a Commonwealth contract to be informed of the content of provisions (if any) of the contract that are inconsistent with an approved privacy code binding a party to the contract or with a National Privacy Principle, the party requested must inform the person in writing of that content (if any).

132  Subsection 97(2)

Omit “27(1)(n) and”.

133  After subsection 97(2)

Insert:

          (2A)  The report must also include a statement about the operation of approved privacy codes that contain procedures for making and dealing with complaints in relation to acts or practices that may be an interference with the privacy of an individual, including:

                     (a)  action taken by adjudicators to monitor compliance with the codes; and

                     (b)  details about the number of complaints made under codes, their nature and outcome.

134  Subsections 98(1) and (2)

After “Federal Court”, insert “or the Federal Magistrates Court”.

135  Subsections 99A(1) and (2)

Omit “servant” (wherever occurring), substitute “employee”.

Note:       The heading to section 99A is altered by omitting “servants” and substituting “employees”.

136  Paragraph 99A(3)(a)

Omit “a servant”, substitute “an employee”.

137  Paragraph 99A(3)(b)

Omit “servant”, substitute “employee”.

138  Subsection 99A(4)

Omit “a servant”, substitute “an employee”.

139  At the end of the Act

Add:

Schedule 3National Privacy Principles

Note:       See section 6.

1  Collection

             1.1  An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

             1.2  An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

             1.3  At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

                     (a)  the identity of the organisation and how to contact it; and

                     (b)  the fact that he or she is able to gain access to the information; and

                     (c)  the purposes for which the information is collected; and

                     (d)  the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

                     (e)  any law that requires the particular information to be collected; and

                      (f)  the main consequences (if any) for the individual if all or part of the information is not provided.

             1.4  If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

             1.5  If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

2  Use and disclosure

             2.1  An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

                     (a)  both of the following apply:

                              (i)  the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

                             (ii)  the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

                     (b)  the individual has consented to the use or disclosure; or

                     (c)  if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

                              (i)  it is impracticable for the organisation to seek the individual’s consent before that particular use; and

                             (ii)  the organisation will not charge the individual for giving effect to a request by the individual to the organisation not to receive direct marketing communications; and

                            (iii)  the individual has not made a request to the organisation not to receive direct marketing communications; and

                            (iv)  the organisation gives the individual the express opportunity at the time of first contact to express a wish not to receive any further direct marketing communications; or

                     (d)  if the information is health information and the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety:

                              (i)  it is impracticable for the organisation to seek the individual’s consent before the use or disclosure; and

                             (ii)  the use or disclosure is conducted in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph; and

                            (iii)  in the case of disclosure—the organisation reasonably believes that the recipient of the health information will not disclose the health information, or personal information derived from the health information; or

                     (e)  the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent:

                              (i)  a serious and imminent threat to an individual’s life, health or safety; or

                             (ii)  a serious threat to public health or public safety; or

                      (f)  the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

                     (g)  the use or disclosure is required or authorised by or under law; or

                     (h)  the organisation reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of an enforcement body:

                              (i)  the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;

                             (ii)  the enforcement of laws relating to the confiscation of the proceeds of crime;

                            (iii)  the protection of the public revenue;

                            (iv)  the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;

                             (v)  the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.

Note 1:       It is not intended to deter organisations from lawfully co‑operating with agencies performing law enforcement functions in the performance of their functions.

Note 2:       Subclause 2.1 does not override any existing legal obligations not to disclose personal information. Nothing in subclause 2.1 requires an organisation to disclose personal information; an organisation is always entitled not to disclose personal information in the absence of a legal obligation to disclose it.

Note 3:       An organisation is also subject to the requirements of National Privacy Principle 9 if it transfers personal information to a person in a foreign country.

             2.2  If an organisation uses or discloses personal information under paragraph 2.1(h), it must make a written note of the use or disclosure.

             2.3  Subclause 2.1 operates in relation to personal information that an organisation that is a body corporate has collected from a related body corporate as if the organisation’s primary purpose of collection of the information were the primary purpose for which the related body corporate collected the information.

             2.4  Despite subclause 2.1, an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:

                     (a)  the individual:

                              (i)  is physically or legally incapable of giving consent to the disclosure; or

                             (ii)  physically cannot communicate consent to the disclosure; and

                     (b)  a natural person (the carer) providing the health service for the organisation is satisfied that either:

                              (i)  the disclosure is necessary to provide appropriate care or treatment of the individual; or

                             (ii)  the disclosure is made for compassionate reasons; and

                     (c)  the disclosure is not contrary to any wish:

                              (i)  expressed by the individual before the individual became unable to give or communicate consent; and

                             (ii)  of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

                     (d)  the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).

             2.5  For the purposes of subclause 2.4, a person is responsible for an individual if the person is:

                     (a)  a parent of the individual; or

                     (b)  a child or sibling of the individual and at least 18 years old; or

                     (c)  a spouse or de facto spouse of the individual; or

                     (d)  a relative of the individual, at least 18 years old and a member of the individual’s household; or

                     (e)  a guardian of the individual; or

                      (f)  exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health; or

                     (g)  a person who has an intimate personal relationship with the individual; or

                     (h)  a person nominated by the individual to be contacted in case of emergency.

             2.6  In subclause 2.5:

child of an individual includes an adopted child, a step‑child and a foster‑child, of the individual.

parent of an individual includes a step‑parent, adoptive parent and a foster‑parent, of the individual.

relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.

sibling of an individual includes a half‑brother, half‑sister, adoptive brother, adoptive sister, step‑brother, step‑sister, foster‑brother and foster‑sister, of the individual.

3  Data quality

                   An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up‑to‑date.

4  Data security

             4.1  An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

             4.2  An organisation must take reasonable steps to destroy or permanently de‑identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.

5  Openness

             5.1  An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.

             5.2  On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

6  Access and correction

             6.1  If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:

                     (a)  in the case of personal information other than health information—providing access would pose a serious and imminent threat to the life or health of any individual; or

                     (b)  in the case of health information—providing access would pose a serious threat to the life or health of any individual; or

                     (c)  providing access would have an unreasonable impact upon the privacy of other individuals; or

                     (d)  the request for access is frivolous or vexatious; or

                     (e)  the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery in those proceedings; or

                      (f)  providing access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations; or

                     (g)  providing access would be unlawful; or

                     (h)  denying access is required or authorised by or under law; or

                      (i)  providing access would be likely to prejudice an investigation of possible unlawful activity; or

                      (j)  providing access would be likely to prejudice:

                              (i)  the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; or

                             (ii)  the enforcement of laws relating to the confiscation of the proceeds of crime; or

                            (iii)  the protection of the public revenue; or

                            (iv)  the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct; or

                             (v)  the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of its orders;

                            by or on behalf of an enforcement body; or

                     (k)  an enforcement body performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.

             6.2  However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision‑making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

Note:          An organisation breaches subclause 6.1 if it relies on subclause 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where subclause 6.2 does not apply.

             6.3  If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

             6.4  If an organisation charges for providing access to personal information, those charges:

                     (a)  must not be excessive; and

                     (b)  must not apply to lodging a request for access.

             6.5  If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up‑to‑date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up‑to‑date.

             6.6  If the individual and the organisation disagree about whether the information is accurate, complete and up‑to‑date, and the individual asks the organisation to associate with the information a statement claiming that the information is not accurate, complete or up‑to‑date, the organisation must take reasonable steps to do so.

             6.7  An organisation must provide reasons for denial of access or a refusal to correct personal information.

7  Identifiers

             7.1  An organisation must not adopt as its own identifier of an individual an identifier of the individual that has been assigned by:

                     (a)  an agency; or

                     (b)  an agent of an agency acting in its capacity as agent; or

                     (c)  a contracted service provider for a Commonwealth contract acting in its capacity as contracted service provider for that contract.

             7.2  An organisation must not use or disclose an identifier assigned to an individual by an agency, or by an agent or contracted service provider mentioned in subclause 7.1, unless:

                     (a)  the use or disclosure is necessary for the organisation to fulfil its obligations to the agency; or

                     (b)  one or more of paragraphs 2.1(e) to 2.1(h) (inclusive) applies to the use or disclosure.

             7.3  In this clause:

identifier includes a number assigned by an organisation to an individual to identify uniquely the individual for the purposes of the organisation’s operations. However, an individual’s name is not an identifier.

8  Anonymity

                   Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

9  Transborder data flows

                   An organisation in Australia or an external Territory may transfer personal information about an individual to someone (other than the organisation or the individual) who is in a foreign country only if:

                     (a)  the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

                     (b)  the individual consents to the transfer; or

                     (c)  the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre‑contractual measures taken in response to the individual’s request; or

                     (d)  the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or

                     (e)  all of the following apply:

                              (i)  the transfer is for the benefit of the individual;

                             (ii)  it is impracticable to obtain the consent of the individual to that transfer;

                            (iii)  if it were practicable to obtain such consent, the individual would be likely to give it; or

                      (f)  the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

10  Sensitive information

           10.1  An organisation must not collect sensitive information about an individual unless:

                     (a)  the individual has consented; or

                     (b)  the collection is required by law; or

                     (c)  the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:

                              (i)  is physically or legally incapable of giving consent to the collection; or

                             (ii)  physically cannot communicate consent to the collection; or

                     (d)  if the information is collected in the course of the activities of a non‑profit organisation—the following conditions are satisfied:

                              (i)  the information relates solely to the members of the organisation or to individuals who have regular contact with it in connection with its activities;

                             (ii)  at or before the time of collecting the information, the organisation undertakes to the individual whom the information concerns that the organisation will not disclose the information without the individual’s consent; or

                     (e)  the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

           10.2  Despite subclause 10.1, an organisation may collect health information about an individual if:

                     (a)  the information is necessary to provide a health service to the individual; and

                     (b)  the information is collected:

                              (i)  as required by law (other than this Act); or

                             (ii)  in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

           10.3  Despite subclause 10.1, an organisation may collect health information about an individual if:

                     (a)  the collection is necessary for any of the following purposes:

                              (i)  research relevant to public health or public safety;

                             (ii)  the compilation or analysis of statistics relevant to public health or public safety;

                            (iii)  the management, funding or monitoring of a health service; and

                     (b)  that purpose cannot be served by the collection of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained; and

                     (c)  it is impracticable for the organisation to seek the individual’s consent to the collection; and

                     (d)  the information is collected:

                              (i)  as required by law (other than this Act); or

                             (ii)  in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or

                            (iii)  in accordance with guidelines approved by the Commissioner under section 95A for the purposes of this subparagraph.

           10.4  If an organisation collects health information about an individual in accordance with subclause 10.3, the organisation must take reasonable steps to permanently de‑identify the information before the organisation discloses it.

           10.5  In this clause:

non‑profit organisation means a non‑profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.


 

Schedule 2Amendment of other Acts

  

Administrative Decisions (Judicial Review) Act 1977

1  Subsection 3(1) (after paragraph (c) of the definition of enactment)

Insert:

                    (ca)  an approved privacy code as defined in the Privacy Act 1988; or

2  Subsection 3(1) (definition of enactment)

Omit “or (c)”, substitute “, (c) or (ca)”.

Customs Act 1901

3  After section 273GAA

Insert:

273GAB  Authorisation to disclose information to Customs

             (1)  A person may disclose to an officer information about any matter relating to actual or proposed travel:

                     (a)  of any person or goods on the way (directly or indirectly) to Australia; or

                     (b)  involving the departure from Australia of any person or goods;

even if the information is personal information (as defined in the Privacy Act 1988).

Note:          The Australian Customs Service (including the officer) is obliged to handle personal information in accordance with the Privacy Act 1988. Section 16 of the Customs Administration Act 1985 also limits the recording and disclosure of information disclosed to the officer under this section.

             (2)  To avoid doubt, this section does not:

                     (a)  require anyone to disclose information to an officer; or

                     (b)  affect a requirement of or under another provision of this Act for a person to disclose information to an officer (whether by answering a question, by providing a document or by other means).

Telecommunications Act 1997

4  At the end of Division 3 of Part 6

Add:

116A  Industry codes and standards do not affect Privacy Act 1988

                   Neither an industry code nor an industry standard derogates from a requirement made by or under the Privacy Act 1988 or an approved privacy code (as defined in that Act).

5  Paragraph 117(1)(j)

Omit “about the development of the code.”, substitute “by the body or association about the development of the code before the body or association gave the copy of the code to the ACA; and”.

6  At the end of subsection 117(1)

Add:

                     (k)  the ACA has consulted the Privacy Commissioner about the code and consequently believes that he or she is satisfied with the code, if the code deals directly or indirectly with a matter dealt with by:

                              (i)  the National Privacy Principles (as defined in the Privacy Act 1988); or

                             (ii)  other provisions of that Act that relate to those Principles; or

                            (iii)  an approved privacy code (as defined in that Act) that binds a participant in that section of the telecommunications industry; or

                            (iv)  provisions of that Act that relate to the approved privacy code.

7  At the end of subsection 117(4)

Add:

Note:          An industry code also ceases to be registered when it is removed from the Register of industry codes under section 122A.

8  At the end of subsection 118(1)

Add:

Note:          The ACA may request the body or association to develop the industry code to replace an earlier industry code that the Privacy Commissioner (exercising functions under the Privacy Act 1988) has advised the ACA is inconsistent with the National Privacy Principles or a relevant approved privacy code (as defined in that Act).

9  After subsection 118(4)

Insert:

          (4A)  The ACA must consult the Privacy Commissioner before making a request under subsection (1) for the development of an industry code that could reasonably be expected to deal directly or indirectly with a matter dealt with by:

                     (a)  the National Privacy Principles (as defined in the Privacy Act 1988); or

                     (b)  other provisions of that Act relating to those Principles; or

                     (c)  an approved privacy code (as defined in that Act) that binds one or more participants in the section of the telecommunications industry to which the request relates; or

                     (d)  provisions of that Act that relate to the approved privacy code.

10  At the end of subsection 120(1)

Add “However, this does not prevent the ACA from removing under section 122A an industry code, or a provision of an industry code, from the Register of industry codes kept under this Part.”.

11  After subsection 121(1)

Insert:

          (1A)  If the ACA is satisfied that the contravention of the industry code relates directly or indirectly to a matter dealt with by the National Privacy Principles (as defined in the Privacy Act 1988) or by an approved privacy code (as defined in that Act), the ACA must consult the Privacy Commissioner before giving the direction.

12  At the end of section 122

Add:

             (3)  If the ACA is satisfied that the contravention of the industry code relates directly or indirectly to a matter dealt with by the National Privacy Principles (as defined in the Privacy Act 1988) or by an approved privacy code (as defined in that Act), the ACA must consult the Privacy Commissioner before issuing the warning.

13  At the end of Division 4 of Part 6

Add:

122A  De‑registering industry codes and provisions of industry codes

             (1)  The ACA may remove from the Register of industry codes kept under section 136:

                     (a)  an industry code; or

                     (b)  a provision of an industry code.

             (2)  An industry code ceases to be registered when it is removed from the Register.

             (3)  If the ACA removes a provision of an industry code from the Register, this Part has effect in relation to things occurring after the removal of the provision as if the code registered under this Part did not include the provision removed.

14  At the end of subsection 130(1)

Add:

Note:          The ACA may be satisfied that it is necessary or convenient to vary an industry standard that is inconsistent with the National Privacy Principles or an approved privacy code (as defined in the Privacy Act 1988), following advice given by the Privacy Commissioner in the exercise of his or her functions under that Act.

15  Subsection 134(1)

Repeal the subsection, substitute:

             (1)  This section applies to an industry standard that deals with a matter set out in paragraph 113(3)(f), including a matter dealt with by:

                     (a)  the National Privacy Principles (as defined in the Privacy Act 1988); or

                     (b)  other provisions of that Act relating to those Principles; or

                     (c)  an approved privacy code (as defined in that Act); or

                     (d)  provisions of that Act that relate to an approved privacy code.

16  After subsection 136(1)

Insert:

          (1A)  Paragraph (1)(a) does not require the ACA to continue to include in the Register an industry code, or a provision of an industry code, removed from the Register under section 122A.

17  At the end of Division 4 of Part 13

Add:

303A  Generality of Division not limited

                   Nothing in this Division limits the generality of anything else in it.

18  After Division 4 of Part 13

Insert:

Division 4ARelationship with the Privacy Act 1988

303B  Acts taken to be authorised by law for purposes of Privacy Act

             (1)  If a disclosure or use of information by a person would be prohibited by Division 2 apart from a provision of Division 3, the disclosure or use is taken for the purposes of the Privacy Act 1988, and of an approved privacy code (as defined in that Act), to be authorised by law.

             (2)  If a disclosure or use of information by a person would be prohibited by a provision of Division 4 apart from the fact that the disclosure or use is covered by an exception in that provision to the prohibition, the disclosure or use is taken for the purposes of the Privacy Act 1988, and of an approved privacy code (as defined in that Act), to be authorised by law.

303C  Prosecution of an offence against this Part does not affect proceedings under the Privacy Act 1988

             (1)  The prosecution of an offence against Division 2 or 4 of this Part for disclosure or use of information or a document does not prevent civil proceedings or administrative action from being taken under the Privacy Act 1988 or an approved privacy code (as defined in that Act) in relation to the disclosure or use.

             (2)  This section applies regardless of the outcome of the prosecution.

             (3)  This section does not affect the operation of section 49 of the Privacy Act 1988.

19  Subclause 15(2) of Schedule 2

After “Privacy Act 1988”, insert “and the National Privacy Principles (as defined in that Act)”.

Telecommunications (Consumer Protection and Service Standards) Act 1999

20  After subparagraph 147(2)(l)(i)

Insert:

                            (ia)  National Privacy Principle 2 (as defined in the Privacy Act 1988);

                            (ib)  each approved privacy code (as defined in the Privacy Act 1988), if any, that binds a participant in a section of the telecommunications industry;


 

Schedule 3Disclosures to intelligence bodies

  

Australian Security Intelligence Organisation Act 1979

1  Section 93A

Repeal the section.

2  Saving

The repeal of section 93A of the Australian Security Intelligence Organisation Act 1979 by this Schedule does not make the Privacy Act 1988 apply to an act or practice:

                     (a)  that was done or engaged in before the repeal; and

                     (b)  to which the Privacy Act 1988 did not apply before the repeal because of that section.

Privacy Act 1988

3  After subsection 7(1)

Insert:

          (1A)  Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice so far as it involves the disclosure of personal information to:

                     (a)  the Australian Security Intelligence Organisation; or

                     (b)  the Australian Secret Intelligence Service.

4  Application

The amendment of the Privacy Act 1988 made by this Schedule applies for the purposes of determining the operation of that Act in relation to an act or practice, regardless of whether the act or practice occurred before or after the commencement of this Schedule.