Part 1—Preliminary
1 Name of regulation
This regulation is the Privacy Regulation 2013.
3 Authority
This regulation is made under the Privacy Act 1988.
5 Definitions
In this regulation:
Act means the Privacy Act 1988.
agency means an agency that is:
(a) an agency within the meaning of subsection 6(1) of the Act; or
(b) an agency mentioned in:
(i) Schedule 1; or
(ii) Schedule 1 to the Financial Management and Accountability Regulations 1997; or
(iii) subregulation 4(1) of the Commonwealth Authorities and Companies Regulations 1997; or
(iv) Part 1 of Schedule 1 to the Commonwealth Authorities and Companies Regulations 1997; or
(c) an agency in relation to which the Minister is satisfied that the events mentioned in paragraphs 100(2)(a) and (b) of the Act have occurred.
Ausgrid means the body established by the Energy Services Corporations Act 1995 (NSW).
AustralianSuper means AustralianSuper Pty Ltd, ABN 65 714 394 898, and includes a payroll contractor of AustralianSuper.
AvSuper means AvSuper Pty Ltd, ABN 84 421 446 069, and includes a payroll contractor of AvSuper.
Centrelink Confirmation eServices scheme means the scheme of that name that is administered by the Human Services Department.
Centrelink program has the meaning given by section 40 of the Human Services (Centrelink) Act 1997.
Customer Reference Number means the number assigned to an individual, in relation to a Centrelink program, by the Department administered by the Minister who administers the Human Services (Centrelink) Act 1997.
DVA File Number means the file number assigned to an individual by the Department administered by the Minister who administers the Veterans’ Entitlements Act 1986.
DVA unique identification number means the unique identification number assigned to an individual by the Department administered by the Minister who administers the Veterans’ Entitlements Act 1986.
Endeavour Energy means the body established by the Energy Services Corporations Act 1995 (NSW).
Essential Energy means the body established by the Energy Services Corporations Act 1995 (NSW).
HomeStart Finance means the body established by regulation 4 of the Housing and Urban Development (Administrative Arrangements) (HomeStart Finance) Regulations 1995 (SA).
Human Services Department means the Department administered by the Human Services Minister.
Human Services Minister means the Minister administering the Human Services (Centrelink) Act 1997.
payroll contractor, of an organisation (the principal organisation), means an organisation that is responsible, under a contract, for processing, on behalf of the principal organisation, any payments received by, or on behalf of, the principal organisation from an agency, its agent or its contracted service provider for the benefit of an individual employed, or formerly employed, by the agency.
payroll number, assigned to an individual by an agency, means the identifier assigned to the individual by the agency, its agent or its contracted service provider for the purpose of providing salary and other employment benefits to the individual.
residential tenancy database means a database that:
(a) stores personal information in relation to an individual’s occupation of residential premises as a tenant; and
(b) can be accessed by a person other than the operator of the database or a person acting for the operator.
6 Consumer credit liability information
For paragraph (e) of the definition of consumer credit liability information in subsection 6(1) of the Act, the terms or conditions of the consumer credit are the following:
(a) how the principal and interest on the consumer credit are to be paid, namely whether:
(i) the principal and interest are to be paid in full; or
(ii) the principal and interest are to be paid, leaving a residual unpaid amount of principal and interest at the end of the term of the consumer credit; or
(iii) only the interest is to be paid;
(b) whether the term of the consumer credit is fixed or revolving;
(c) if the term of the consumer credit is fixed—the length of the term;
(d) whether the individual is a guarantor to another individual in relation to the other individual’s credit;
(e) whether the consumer credit is secured or unsecured;
(f) any variation to any of the terms or conditions mentioned in paragraphs (a) to (e).
7 Small business operators treated as organisations
Aussie Farms Inc.
(1A) For the purposes of subsection 6E(1) of the Act, Aussie Farms Inc (ABN 17 356 117 654) is prescribed.
Small business operators that operate residential tenancy databases
(1) For subsection 6E(2) of the Act, a small business operator that operates a residential tenancy database is prescribed.
(2) For subsection 6E(2) of the Act, the following acts or practices of a small business operator of the kind mentioned in subsection (1) are prescribed:
(a) an act done, or a practice engaged in, in connection with collecting personal information for the purpose of establishing or maintaining a residential tenancy database;
(b) an act done, or a practice engaged in, in connection with maintaining personal information on a residential tenancy database;
(c) an act done, or a practice engaged in, in connection with using or disclosing personal information that is stored on a residential tenancy database.
8 State authorities treated as organisations
New South Wales
(1) For the purposes of subsection 6F(1) of the Act, the following authorities of New South Wales are prescribed:
(a) Essential Energy;
(b) Ausgrid;
(c) Endeavour Energy.
South Australia
(2) For the purposes of subsection 6F(1) of the Act:
(a) the Department for Health and Wellbeing of South Australia is prescribed; and
(b) the modification set out in subsection (3) of this section is prescribed.
(3) The Act applies in relation to the Department for Health and Wellbeing of South Australia as if paragraph 7(1)(ee) of the Act were modified by substituting the following paragraph:
“(ee) an act done, or a practice engaged in, by the Department for Health and Wellbeing of South Australia in connection with undertaking technical data linkage work for SA NT DataLink, other than an exempt act or exempt practice (see sections 7B and 7C);”.
(4) For the purposes of subsection 6F(1) of the Act, the Office of the National Rail Safety Regulator established under the Rail Safety National Law (South Australia) Act 2012 (SA) is prescribed.
(5) For the purposes of subsection 6F(1) of the Act:
(a) the Department of the Premier and Cabinet of South Australia is prescribed; and
(b) the modification set out in subsection (6) of this section is prescribed.
(6) The Act applies in relation to the Department of the Premier and Cabinet of South Australia as if paragraph 7(1)(ee) of the Act were modified by substituting the following paragraph:
“(ee) an act done, or a practice engaged in, by the Department of the Premier and Cabinet of South Australia in relation to:
(i) access to information from the My Health Record system (within the meaning of the My Health Records Act 2012); or
(ii) information it obtains under subparagraph (i);
for the purposes of managing risks from the coronavirus known as COVID‑19, other than an exempt act or exempt practice (see sections 7B and 7C);”.
9 State instrumentality treated as an organisation
(1) For subsection 6F(1) of the Act, HomeStart Finance, an authority of South Australia, is prescribed.
(2) Australian Privacy Principle 11.2 does not apply to HomeStart Finance.
10 Meaning of credit provider
(1) For subparagraph 6G(1)(d)(ii) of the Act, the following agencies, organisations or small business operators are prescribed as credit providers:
(a) Indigenous Business Australia;
(b) Export Finance and Insurance Corporation;
(c) the Regional Investment Corporation.
(2) For subsection 6G(6) of the Act, an organisation or small business operator is not a credit provider in relation to an individual if the organisation or small business operator acts in the capacity of a current or prospective landlord of the individual.
11 Meaning of credit reporting business
(1) For subsection 6P(4) of the Act, a business or undertaking is not a credit reporting business if the business or undertaking is in a class of businesses or undertakings that:
(a) provides personal information to a credit provider; and
(b) provides the information to:
(i) verify an individual’s identity; or
(ii) validate other information relating to the individual’s financial position (such as real property assets) that the individual provides to the credit provider.
(2) A class of businesses or undertakings complies with paragraph (1)(b) if the class of businesses or undertakings:
(a) compiles information about the individual from sources, including publicly available sources; and
(b) provides the information to the credit provider to assist the credit provider to:
(i) verify the individual’s identity; or
(ii) verify that the individual owns the real estate or other assets that the individual claims to own; or
(iii) validate the individual’s claimed financial position (in relation to the value of the individual’s assets).
12 Meaning of repayment history information
For paragraph 6V(2)(a) of the Act, an individual will be taken to have not met an obligation to make a monthly payment that is due and payable in relation to consumer credit if the individual misses any or all repayments due in a month, irrespective of the actual payment cycle for that obligation.
13AA Use or disclosure of credit reporting information
For the purposes of paragraph 20E(4)(a) of the Act, the following credit providers are prescribed:
(a) Indigenous Business Australia;
(b) the Regional Investment Corporation.
13A Permitted disclosure of credit information by commercial credit providers
For subparagraph 21D(2)(a)(i) of the Act, a credit provider is prescribed if:
(a) the credit provider discloses credit information; and
(b) the disclosure is made in connection with the provision of commercial credit.
14 Permitted disclosure of credit information to a credit reporting body
(1) For the purposes of subparagraph 21D(2)(a)(i) of the Act, the following credit providers are prescribed:
(a) Indigenous Business Australia;
(b) if the Regional Investment Corporation is not a member of, or subject to, a recognised external dispute resolution scheme—the Regional Investment Corporation.
(2) For the purposes of subparagraph 21D(3)(c)(i) of the Act, the following credit providers are prescribed:
(a) Indigenous Business Australia;
(b) the Regional Investment Corporation.
Part 2—Australian Privacy Principles
15 Exceptions to Australian Privacy Principle 9.1
For subclause 9.3 of the Australian Privacy Principles:
(a) AvSuper is a prescribed organisation; and
(b) the payroll number assigned to an individual by Airservices Australia, or the Civil Aviation Safety Authority, is a prescribed identifier; and
(c) the prescribed circumstance is that the payroll number is adopted by AvSuper to provide a superannuation service to the individual.
16 Exceptions to Australian Privacy Principle 9.2
For subclause 9.3 of the Australian Privacy Principles:
(a) AustralianSuper and AvSuper are each a prescribed organisation; and
(b) the payroll number assigned to an individual by an agency is a prescribed identifier; and
(c) the prescribed circumstance is that the payroll number is used or disclosed by AustralianSuper or AvSuper to provide a superannuation service to the individual.
17 Exceptions to Australian Privacy Principle 9.2—Centrelink Confirmation eServices (customer confirmation and income confirmation)
(1) For subclause 9.3 of the Australian Privacy Principles:
(a) each of the following is a prescribed identifier:
(i) a Customer Reference Number;
(ii) a DVA file number;
(iii) a DVA unique identification number; and
(b) an organisation is a prescribed organisation if the organisation:
(i) is a participant in the Centrelink Confirmation eServices scheme; and
(ii) is included in a class of organisations set out in the table in subsection (2); and
(c) the prescribed circumstance is that a prescribed organisation uses or discloses an individual’s prescribed identifier, with the individual’s consent, to access services provided under the Centrelink Confirmation eServices scheme to enquire whether the individual is entitled to receive a concession, service or assistance.
(2) The classes of organisations are set out in the following table:
Classes of organisations that can use or disclose Customer Reference Numbers, DVA File Numbers and DVA unique identification numbers |
Item | Class of organisation |
1 | Organisations that provide healthcare services or healthcare products, including any of the following: (a) hospitals; (b) providers of hearing products and hearing services; (c) providers of disability support services; (d) providers of counselling and mental health services; (e) providers of drug treatment and rehabilitation services. |
2 | Organisations that are education providers, including any of the following: (a) pre‑schools, primary schools and secondary schools; (b) providers of childcare services; (c) universities, TAFE, community colleges and other tertiary education providers; (d) adult education providers; (e) organisations that provide administrative services to education providers. |
3 | Organisations that provide any of the following: (a) electricity; (b) gas; (c) water; (d) telecommunications services; (e) broadband internet services. |
4 | Organisations that provide passenger rail services. |
5 | Organisations that provide motor vehicle roadside assistance services. |
6 | Organisations that provide trustee services. |
7 | Organisations that provide welfare services, including any of the following: (a) advocacy organisations; (b) organisations that provide assistance to: (i) elderly persons; or (ii) disabled persons; or (iii) immigrants and refugees; or (iv) Indigenous Australians; or (v) families; or (vi) children; or (vii) persons impacted by domestic violence; or (viii) homeless persons; or (ix) prisoners. |
8 | Organisations that provide free or subsidised social housing, facilities management services, mortgages or accommodation services to any of the following: (a) socially or economically disadvantaged persons; (b) elderly persons; (c) disabled persons; (d) Indigenous Australians. |
9 | Organisations that provide legal aid services, including any of the following: (a) legal aid organisations operated by the Commonwealth government, or the government of a State or Territory; (b) legal practitioners who provide services for or on behalf of legal aid organisations; (c) a court of the Commonwealth, a State or a Territory. |
10 | Organisations that provide services on behalf of local government. |
11 | Organisations that provide any of the following: (a) financial planning services; (b) financial products and services (including brokers); (c) insurance products and services; (d) banking services and loans as a credit union; (e) subsidised or reduced interest loans. |
18 Exceptions to Australian Privacy Principle 9.2—Centrelink Confirmation eServices (superannuation confirmation)
For subclause 9.3 of the Australian Privacy Principles:
(a) a Customer Reference Number is a prescribed identifier; and
(b) an organisation is a prescribed organisation if the organisation:
(i) is a participant in the Centrelink Confirmation eServices scheme; and
(ii) provides superannuation products and services; and
(c) the prescribed circumstance is that a prescribed organisation uses or discloses an individual’s prescribed identifier, with the individual’s consent, to access services provided under the Centrelink Confirmation eServices scheme to enquire whether the individual is entitled to the early release of superannuation on the ground of financial hardship.
Part 3—Privacy Advisory Committee
20 Travelling allowance—within Australia
For section 88 of the Act, the travelling allowance payable to an appointed member is:
(a) the amount that would be payable to the member if clause 3.3 of the Remuneration Tribunal Determination 2004/03 applied; or
(b) the amount that would be payable to the member if clause 3.4 of the Remuneration Tribunal Determination 2004/03 applied, at the tier 2 rate.
Part 4—Secrecy
21 Designated secrecy provisions
For paragraph 80P(7)(d) of the Act, the following provisions of the Census and Statistics Act 1905 are prescribed:
(a) section 19;
(b) section 19A.
Part 5—Transitional
22 Transitional
For item 19 of Schedule 6 to the Privacy Amendment (Enhancing Privacy Protection) Act 2012, section 18K of the Act applies to information mentioned in that section that has not been disclosed on or after 12 March 2014 and before 1 April 2014.
23 Application of the Privacy Amendment (Protection of Australian Farms) Regulations 2019
Subsection 7(1A) applies in relation to acts done, and practices engaged in, after the commencement of the Privacy Amendment (Protection of Australian Farms) Regulations 2019 (whether in relation to personal information collected before or after that commencement).