Privacy Law and Policy Reporter
This is the first part of a review of Australian privacy laws against the EU’s adequacy criteria which was first carried out in mid-2000 and updated as a paper for the UNSW Continuing Legal Education seminar, ‘The New Australian Privacy Landscape’, held in Sydney on 14 March 2001. It is reprinted here by kind permission of the UNSW Centre for Continuing Legal Education. The first part covers the public sector and credit reporting. The second part, covering telecommunications and the rest of the private sector, will appear in the next issue — General Editor.
For the purposes of the analysis in this article, it is convenient to consider four broad sectors, between which the level and type of privacy protection currently varies considerably:
Each of these sectors will be dealt with separately, applying the EU criteria to assess adequacy of protection. Some of the explanation of legal processes and mechanisms given in the first section (public sector) will be applicable to the others, and cross-references will be made where appropriate to avoid repetition.
Until the new amendments take effect in December 2001, the Privacy Act 1988 (Cth) primarily covers the activities of federal government departments and agencies, subjecting them to a set of Information Privacy Principles (IPPs) based on the OECD Guidelines, and the supervision of a Privacy Commissioner. The Act was subsequently amended from 1989 to 1991 to add functions relating to special rules for data matching and the national health identification number.
In the ACT, Territory government agencies are subject to the Commonwealth Privacy Act and there is also a separate law covering the handling of health information in both the public and private sectors (Health Records (Access and Privacy) Act 1997 (ACT)).
While both NSW and Queensland have had statutory Privacy Committees with an Ombudsman handling complaints, the only State to currently have a fully fledged data protection law is NSW, which passed the Privacy and Personal Information Protection Act in 1998. The NSW Act, which came fully into effect in most respects on 1 July 2000, applies to most government agencies but not to State owned corporations, and there are also major exemptions which will be discussed later. There is a NSW Privacy Commissioner with powers of investigation, while complaints of alleged breaches of the IPPs are dealt with either by the Commissioner, who can attempt to conciliate, or by the Administrative Decisions Tribunal, which can make binding orders including for compensation of up to $40,000.
In Victoria, the Information Privacy Act 2000 was passed in late 2000 and commences in September 2001. The Victorian Act is more comprehensive than the NSW Act, having fewer exemptions, and covering State owned enterprises. There will be a Victorian Privacy Commissioner with strong powers including the issue of compliance notices, and complaints, if not conciliated, can be decided by the Victorian Civil and Administrative Tribunal which can make binding orders, including for compensation of up to $100,000. A separate Health Records Bill was introduced into the Victorian Parliament in 2000 and is expected to pass in 2001. It contains similar complaints and enforcement arrangements to the Information Privacy Act, with the Health Services Commissioner playing an equivalent role to that of the Privacy Commissioner.
South Australia, Tasmania and WA have all adopted versions of IPPs as admin-istrative instructions to their departments and agencies, but these do not have the force of law and there are no supervisory or enforcement mechanisms (SA has a part time Privacy Committee with some advisory and ombudsman functions).
Exemptions from the Commonwealth, NSW and Victorian Acts are of two types — complete exemptions for specified agencies, and exemptions for specified activities or types of data.
Under the Commonwealth Privacy Act, there is a relatively short list of completely exempt agencies which includes intelligence agencies, parliamentary departments, and some government business enterprises. The courts are exempt for information relating to their judicial functions.
Contractors in general are not directly subject to the Act, although eligible employment agencies are. However, in order to comply with the security principle (see below), agencies need to bind contractors with contractual terms to observe the privacy principles.
The Commonwealth Act provides a mechanism for waivers from the application of one or more of the principles through a Public Interest Determination by the Privacy Commissioner. However, the process involved is complex and transparent and any such determinations are subject to disallowance by Parliament. As a result, only a handful of determinations have been made in the 11 years of the Act’s operation, mostly for specific and non-controversial matters.
The application of the Act is complicated by the fact that most of the principles apply to records containing personal information — not to the information itself. The definition of ‘record’ confirms that documents, databases and photographs are all covered, but an important exemption is provided by the exclusion from the definition of ‘generally available publications’. This means that the Act cannot address the serious privacy issues that arise from the secondary use of public registers. Some laws governing individual public registers already contain limited privacy protections such as restrictions on direct marketing uses and facilities for suppression for individuals at risk, and there is a growing debate at both Commonwealth and State level about the need for more general rules on the use of public registers. The exemption also creates a risk of deliberate circumvention of privacy controls by a policy decision to publish personal information.
Another definitional problem is that ‘personal information’ may not include data such as email addresses or phone numbers which are typically used as surrogate identifiers and which can be used to interact with individuals even if the user is unaware of the holder’s ‘true identity’.
A significant exemption is that only citizens and permanent residents have the right to seek correction (rectification) of personal information. This contrasts with the application of all the other principles and all other rights under the Act to any individual, whatever their nationality or place of residence.
There is provision in the Act for ‘waivers’ from the application of the IPPs, going beyond any of the statutory exemptions already discussed above. The Privacy Act contains a mechanism for the Privacy Commissioner to make a Public Interest Determination allowing a derogation from the IPPs. Determinations are subject to an elaborate and public consultation process and are subject to disallowance by Parliament.
Under the Privacy and Personal Information Protection Act 1998 (NSW), a number of major State government agencies are exempted from some or all of the principles. These include the police and other law enforcement and investigative agencies (these are quite broadly defined) in respect of their operational functions. All state owned corporations are completely exempt, as are courts, tribunals and Royal Commissions in the exercise of their judicial functions.
Contractors providing data services are directly subject to the Act.
The NSW Act provides for agencies to receive further exemptions by means of either a code of practice or a direction by the Privacy Commissioner (both of which have to be approved by the Minister, but not by Parliament). These can weaken (but not increase) the level of protection. Several codes of practice and directions have already been approved, creating further exemptions.
The Act applies directly to personal information, but generally available publications are exempt.
The Information Privacy Act 2000 (Vic) applies to most public sector agencies and other bodies. Courts and tribunals are exempt in respect of their judicial functions and law enforcement agencies are exempt from some of the principles, but only where non-compliance is considered necessary on reasonable grounds.
Contractors to public sector agencies are directly subject to the Act.
The Act applies directly to personal information but generally available publications are exempt. Health information (broadly defined) is excluded but is covered by the separate Health Records Bill.
The provision in the Information Privacy Act for codes of practice expressly rules out codes which set less stringent standards than the statutory principles and there is no other mechanism in the Act for further waivers or exemptions other than provision for a government order exempting an organisation where it is covered by an alternative statutory scheme.
The Commonwealth, NSW and Victorian Acts include purpose limitation principles which are very similar, and which address the same objective as arts 6(1)(b) and 7 of the EU Directive. They all adopt the approach of allowing collection only where lawful and necessary, then separately restricting use and disclosure.
The basic principle in all three laws is that personal information should only be used or disclosed for the primary or original purpose of collection. Use and disclosure for secondary purposes is only permitted:
The way in which Australian laws deal with purpose limitation in respect of sensitive data is considered separately below.
The Commonwealth, NSW and Victorian Acts include one or more data quality principles. These mostly impose the same requirements as art 6(1)(c) and (d) of the EU Directive, although there are differences. The Commonwealth Act omits ‘adequate and not excessive’ and, somewhat confusingly, places ‘accuracy’ in the correction principle, although apparently applying it to all stages of information handling. The Victorian Act omits ‘adequate, relevant and not excessive’, while the NSW Act has the full set of criteria from art 6.
All three laws also include, under the security principle, a principle of ‘keeping no longer than necessary’, imposing a similar requirement to art 6(1)(e).
The Commonwealth, NSW and Victorian Acts include transparency and openness under two separate principles. A notice principle requires organisations to inform individuals when they are collecting information about certain matters, broadly similar to those in arts 10 and 11. A separate openness principle requires organisations to make publicly available general information about their handling of personal information.
There are some significant differences in the detail of these requirements. Unlike the NSW and Victorian Acts, the Common-wealth Act does not expressly require individuals to be notified of the identity of the collector; of access and correction rights, or of any consequences of not supplying information. Both the Common-wealth and NSW Acts only apply the notice requirement where an organisation is collecting directly from an individual (as in EU art 10), whereas the Victorian Act applies a similar obligation where infor-mation is collected indirectly (equivalent to art 11).
The Commonwealth and NSW Acts provide for publication of a Personal Information Digest by the respective Privacy Commissioners giving general information about the personal information holdings of agencies. Under the Commonwealth Act, publication is mandatory, but there has been relatively little use of the hard copy digest published annually. Under the NSW Act, the Commissioner has a discretion to publish a digest but has no immediate plans to do so.
The Commonwealth, NSW and Victorian Acts include rights of access and correction. In all three cases, this principle is complicated by interaction with existing Freedom of Information (FoI) laws which gave individuals a right of access and correction to information held by government agencies even before the enactment of privacy laws.
The approach taken by the privacy laws is to create separate rights but to defer to the FoI laws for the implementation of those rights. The Commonwealth Privacy Act adds a further ground for correction (relevance), but limits the correction right to Australian citizens and permanent residents. All three privacy laws provide additionally for individuals to add ‘challenges’ to their files where correction is inappropriate, and the NSW Act also provides for third party recipients of information to be notified of corrections or challenges where practicable.
The FoI laws contain a number of exemptions or grounds for withholding access or refusing correction, which are either designed to protect the privacy of third parties or directed towards important public interests of the kind acknowledged in arts 12 and 13 of the EU Directive. (The Victorian Act includes a detailed list of exemptions, and access and correction mechanisms to apply to contracted service providers who are not already subject to FoI.) There is a constant public debate about the exemptions, which many critics argue provide too many grounds for public servants and governments to withhold access, and are subject to abuse which undermines the objective of the access right.
The right to object to particular types of processing, established by art 14 of the EU Directive, is not provided in the Australian laws governing the public sector. None of the laws provides for the right to object generally as in art 14(a), although it is likely that in most public sector contexts either an express legal authority or one of the art 13 exemptions would override any expectation of a right to object. The right of opposition to direct marketing (art 14(b)) arguably has limited application to the public sector and is not provided in any of the three Acts. However, following a well publicised controversy in June 2000, the Commonwealth Government has agreed to amend the legislation setting up an Australian Business Register to give individual registrants an ‘opt out’ from direct marketing uses.
More generally, there is considerable debate about the direct marketing uses of personal information in public registers. The NSW Act has specific provisions relating to public registers and these include a right for individuals to have details suppressed if their safety or wellbeing is at risk (this right already exists in relation to some specific registers), but a desire to avoid direct marketing would not satisfy this test. The Victorian Government is currently studying the public register issue.
The Commonwealth, NSW and Victorian Acts all include a security principle which imposes the same general requirement as arts 16 and 17 of the EU Directive.
The Commonwealth Act contains no special provisions in relation to sensitive data other than the Government issued tax file number which is subject to a separate and restrictive regime. However, other Commonwealth laws contain specific privacy rules relating to old criminal convictions and data held for the purposes of the Medicare and Pharmaceutical Benefits Schemes. The Privacy Commissioner has a supervisory role in relation to these separate regimes.
The NSW Act includes a specific sensitive data principle which imposes tighter conditions on the disclosure (but not collection or use) of certain categories of personal information, being:
This list includes all of the categories in art 8 of the EU Directive.
Disclosure is generally permitted only to prevent a serious or imminent threat to life or health, but a number of the exemptions apply, including: express consent; where authorised or required by law; where reasonably necessary for law enforcement; and, in certain circumstances, for health care or treatment.
The Victorian Act also has a sensitive data principle which applies to collection (but not use or disclosure) of personal information about:
This list includes all of the categories in art 8 (except health, which is covered separately — see below). However, as the principle only restricts collection, then provided an organisation has bona fide grounds for collecting sensitive information there are no additional constraints on what it can be used for or who it can be given to, beyond those applying generally under the use and disclosure principle.
The grounds under which sensitive information can be collected include: consent; as required by law; due to serious and imminent threat to life or health; incapacity for consent; legal defence; and research.
It should be noted that in Victoria, health information (which is broadly defined) is excluded from the definition of personal information and therefore from the scope of the Information Privacy Act but is to be protected by a separate law, set out in the Health Records Bill 2000.
The Victorian Act also contains a specific principle concerning unique identifiers designed to provide a safeguard against the creation of a single identifier that could be used to cross-match data across all government departments.
The Commonwealth Act, which predates the EU Directive, contains no specific provisions relating to onward transfers to other jurisdictions, although advocates have argued that the security principle might require a data ‘exporter’ to take reasonable steps to ensure that personal information was not misused in the hands of a recipient. The Government does not appear to be proposing any amendments to accompany its private sector privacy Bill (see below) which would apply an onward transfer restriction to Commonwealth agencies. Any transfers of personal data to a Commonwealth agency will not, therefore, be able to meet the criteria expected in relation to the Directive’s onward transfer provisions.
The NSW and Victorian Acts both expressly address the issue of onward transfer in an attempt to meet the requirements of the Directive.
Under the NSW Act, the ‘special restrictions’ principle which deals with sensitive data also prohibits public sector agencies from disclosing personal information outside the State unless either a relevant privacy law is in force or the disclosure is permitted under a privacy code of practice. The Privacy Commissioner is required to develop a code concerning onward transfers by 1 July 2001. He can also issue determinations as to which laws in other jurisdictions qualify as having a relevant privacy law in force.
The extent to which this provision meets the criteria expected in relation to the Directive’s onward transfer provisions will depend on the content of the code and/or basis of any determinations by the Commissioner.
Many of the general exemptions apply to this onward transfer principle, so that it does not restrict transfers which are reasonably necessary for law enforcement, authorised or required by laws, made with the express consent of the individual, or made by specified investigative agencies.
The Victorian Act adopts the onward transfer principle developed by the Privacy Commissioner to put limits on the flow of information outside Victoria. An organisation is only allowed to transfer personal information outside Victoria if it reasonably believes the recipient is subject to a law or other binding obligation which imposes restrictions on the use of that information that are substantially similar to the IPPs.
Personal information may also be transferred with the individual’s consent or if the transfer is necessary for the performance of a contract. If consent of the individual cannot practically be obtained, the organisation can only transfer the information if it is for the benefit of the individual and if the individual would be likely to give their consent.
As there are few exemptions from any of the principles, this provision in the Victorian Act would seem to satisfy the criteria expected in relation to the Directive’s onward transfer provisions, but only if there is some mechanism for giving rulings or guidance on what constitutes an adequate level of protection in other jurisdictions. The Act gives the Privacy Commissioner a function of publishing model terms for a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria. But there is no express provision for more general guidance on adequacy.
Under the Commonwealth, NSW and Victorian laws, complaints are investigated by the Privacy Commissioner. All three Privacy Commissioners are appointed as statutory officers with a high degree of theoretical independence from government. They are appointed for fixed terms and can only be removed from office on very serious grounds such as misbehaviour or incapacity. The Victorian Act follows the same model. All three jurisdictions have final adjudication of complaints being by courts or tribunals which are even more independent.
In all cases, the Commissioner’s resources are provided through a sponsoring government department and they are subject to a range of budgetary and other pressures which have led to their effective independence being questioned at times. But this is no different from the situation in most countries, and Australian jurisdictions have not only a strong tradition of respect for the independence of statutory officers but also a highly developed system of administrative law which would allow any ‘suspect’ decisions to be challenged.
The remedies available to individuals whose privacy rights are infringed include, in all three jurisdictions, directions to perform specified actions, and the possibility of compensation for loss or damage (capped at $40,000 in NSW and $100,000 in Victoria). There is an emphasis in all three laws on conciliation and mediated settlements. Under the Commonwealth law there have been many such settlements, some including payment of compensation, but only a handful of formal determinations. The NSW and Victorian schemes are too new to have any ‘case law’.
The complaints handling and enforcement aspects of the three statutory public sector privacy regimes generally appear to meet the standards envisaged in arts 22-24 and 28 of the EU Directive, in respect of judicial remedies, compensation, sanctions and supervision. (But see comments below in relation to the recent private sector amendments to the federal law concerning defects in enforcement which may become more obvious with private sector application).
The Commonwealth Government legislated for privacy protection in consumer credit reporting in 1989, by means of an amendment to the Privacy Act 1988 introducing a new part (Pt IIIA). The detailed statutory provisions are supplemented by a Code of Conduct and several Determinations issued by the Privacy Commissioner, which have the force of law as subordinate legislation endorsed by the Parliament.
The credit reporting regime relies on definitions of credit provider and consumer credit to apply to a business activity rather than to any specified organisations, although credit reporting agencies are also defined and subject to additional rules. Although Pt IIIA and the Code of Conduct do not exactly follow the normal sequence of IPPs, they cover the same ground with rules on collection, storage, use and disclosure, and rights of access and correction. The credit reporting regime is subject to the same supervisory and enforcement mechanisms as the public sector principles, with the Privacy Commissioner able to audit, investigate complaints, and make orders which are enforceable through the Federal Court.
Within the narrowly defined area of consumer credit reporting covered by the Privacy Act, there are few exemptions and restrictions on the operation of the law. Hire arrangements are considered as credit, even where payment is made in advance, if the value of the goods is greater than the hire fee. Purely commercial credit reporting is not covered, but there are complex rules about the interaction of information about personal credit worthiness and commercial lending practice. Some agents of credit providers, including both sales agents and legal advisors, are treated as though they were credit providers while handling personal information for their ‘principal’, but others — such as debt collectors — are not and can obtain access only to certain specified information even when recovering debts for a credit provider client.
The effect of the ‘boundaries’ of this jurisdiction depend on whether it is seen as imposing stricter privacy protection than applies elsewhere, or as permitting use of personal information which would otherwise be ‘off limits’. In the context of an otherwise unregulated private sector (the position for the last 10 years), the former view is more accurate. Once privacy law applies to the rest of the private sector it may be more accurate to see the boundaries as conferring benefits — authorising membership of an exclusive ‘club’ with privileged access to personal information without the express consent of individuals (although credit assessment would most likely be considered a related purpose under the normal application of privacy principles).
Part IIIA of the Privacy Act strictly limits access to personal credit information to businesses that are credit providers, and restricts both the use and further disclosure of that information to purposes associated directly with assessment of creditworth-iness.
Credit reporting agencies and credit providers are required to take reasonable steps to ensure that personal information they hold is accurate, up to date, complete and not misleading. The Code of Conduct specifies steps that must be taken to assist in meeting this requirement.
The main means of implementing this principle in consumer credit reporting is an indirect requirement on credit providers to notify applicants for credit about disclosure to a credit reporting agency and subsequent implications. Although the Act and Code of Conduct do not spell out notice requirements, they make it impossible for consumer credit reporting to operate unless individuals have been given quite detailed information. This is generally provided by means of versions of standard wording agreed between the Privacy Commissioner and industry representatives.
Some of these notices take the form of ‘consent for disclosure’ to be signed by individuals when applying for credit, but as they are effectively a condition of credit and applicants cannot decline to allow disclosure, they are more accurately described as providing notice rather than obtaining consent.
Credit providers are also required to give individuals additional information if they refuse them credit on the basis of a credit report. This information includes reference to the individual’s right of access and rectification.
The Privacy Act provides individuals with a right of access to credit information files held by credit reporting agencies and to credit reports held by credit providers or reporting agencies. The Act and Code of Conduct contain detailed provisions relating to correction of inaccurate data.
In relation to credit information files, the dominant reporting agency has a well established system for handling requests for access and correction which is periodically audited by the Privacy Commissioner and appears to work well, dealing with many thousands of requests each year.
There are no specific rights of ‘opposition’ in Pt IIIA or the Code but the issue of ‘secondary’ direct marketing does not arise as it is not a permitted use of credit information files or credit reports in the first place — although ‘primary’ direct marketing in relation to credit (such as other loans that might be of interest) is arguably permitted.
The Act requires credit reporting agencies and credit providers to take reasonable steps to ensure that personal information they hold is protected by reasonable security safeguards.
The Act expressly prohibits credit information files from containing information about:
The Act pre-dates express consideration of the onward transfer issue, but the security provision does require credit reporting agencies and credit providers to take reasonable steps to ensure that security standards are maintained when contracting out any service.
Provided any disclosures are lawful under the general disclosure provisions of Pt IIIA, it makes no difference currently whether they are to organisations within or outside Australia. However, under the proposed general private sector amendments to the Act, credit reporting agencies and credit providers will have to comply with the onward transfer principle (see pt 2 of this article to come in 8(2) PLPR 39 as well as with all of the credit specific provisions.
The same processes and machinery applies to credit reporting as to the public sector jurisdiction. The only difference in terms of enforcement and remedies is that Pt IIIA also contains some offence provisions. It is a criminal offence, for instance, to make an unauthorised use or disclosure (resulting in a fine of up to $150,000), to give a false or misleading credit report (resulting in a fine of up to $75,000), or to obtain unauthorised access (resulting in a fine of up to $30,000).
The complaints handling and enforce-ment aspects of the credit reporting privacy regime meet the standards envisaged in arts 22-24 and 28 of the EU Directive, in respect of judicial remedies, compensation, sanctions and supervision.
Nigel Waters, Associate Editor
 See <www.privacy.gov.au/>.
 See <www.lawlink.nsw.gov.au/pc>.
 The exemptions are to be found partly in the definitions in s 6 and partly in Schedules to the Freedom of Information Act 1982 (Cth) which are ‘imported’ by reference in s 7.
 Privacy Act 1988 (Cth) s 41(4).
 See Submission to House of Representatives Committee on the Privacy Amendment (Private Sector) Bill 2000 s 6.2.
 Privacy Act 1988 (Cth) s 41(4).
 Privacy Act 1988 (Cth) Pt VI.
 As at February 2001, the Minister had approved 10 Codes, covering health, police, local government, housing, the Legal Aid Commission, the Department of Fair Trading, the Bureau of Crime statistics, workforce profiling, the DPP, and law enforcement and investigative agency access to public registers. A further eight codes were listed by Privacy NSW as submitted, proposed or released for consultation.
 Privacy Act 1988 (Cth) s 14 — IPPs 1, 10 and 11; Privacy and Personal Information Protection Act 1998 (NSW) ss 8, 17 and 18; Information Privacy Act 2000 (Vic) Sch 1 IPPs 1.1 and 2.
 Privacy Act 1988 (Cth) s 14 — IPPs 3 and 8; Privacy and Personal Information Protection Act 1998 (NSW), ss 11 and 16; Information Privacy Act 2000 (Vic) Sch 1 IPP 3.
 Privacy Act 1988 (Cth) s 14 — IPP 4; Privacy and Personal Information Protection Act 1998 (NSW) ss 12(a); Information Privacy Act 2000 (Vic) Schedule 1 IPP 4.2.
 Privacy Act 1988 (Cth), s 14 — IPP 4; Privacy and Personal Information Protection Act 1998 (NSW), s 12(a); Information Privacy Act 2000 (Vic) Sch 1 IPP 4.2.
 Privacy Act 1988 (Cth) s 14 — IPP 2; Privacy and Personal Information Protection Act 1998 (NSW) s 10; Inform-ation Privacy Act 2000 (Vic) Sch 1 IPPs 1.3 and 1.5.
 Privacy Act 1988 (Cth) s 27(1)(g); Privacy and Personal Information Protection Act 1998 (NSW) s 40.
 Privacy Act 1988 (Cth) s 14 IPPs 6 and 7; Privacy and Personal Information Protection Act 1998 (NSW) ss 14 and 15; Information Privacy Act 2000 (Vic) Sch 1 IPP 6.
 Privacy Act 1988 (Cth) s 41(4).
 Privacy and Personal Information Protection Act 1998 (NSW) ss 57-59.
 Privacy Act 1988 (Cth) s 14 IPP 4; Privacy and Personal Information Protection Act 1998 (NSW) s 12; Information Privacy Act 2000 (Vic) Sch 1 IPP 4.
 Crimes Act 1914 (Cth) Pt VIIC.
 National Health Act 1953 s 135AA.
 Privacy and Personal Information Protection Act 1998 (NSW) s 19(1).
 IPP 2.
 Information Privacy Act 2000 (Vic) Sch 1 IPP 7.
 Privacy Act 1988 (Cth) s 14 IPP 4.
 Privacy and Personal Information Protection Act 1998 (NSW) s 19(2)-(5).
 Privacy and Personal Information Protection Act 1998 (NSW) ss 23-28.
 Information Privacy Act 2000 (Vic) Sch 1 IPP 9.
 Information Privacy Act 2000 (Vic) s 58(f).
 Privacy Act 1988 (Cth) Pt V; Privacy and Personal Information Protection Act 1998 (NSW) Pt 4 Div 3.
 Privacy Act 1988 (Cth) Pt IV Div 1; Privacy and Personal Information Protection Act 1998 (NSW) Sch 1; Information Privacy Act 2000 (Vic) Pt 7.
 Information Privacy Act 2000 (Vic) Pt 7.
 The Federal Court or Magistracy; the NSW Adminsitrative Decisions Tribunal and the Victorian Civil and Administrative Tribunal.
 Privacy Act 1988 (Cth) s 18K.
 Sections 18L and 18N.
 Section 18G.
 Credit Reporting Code of Conduct 1996 1.3-1.5.
 See Privacy Act 1988 (Cth) s 18E(8)(c).
 See Credit Reporting Advice Summaries, Pt 8.
 Privacy Act 1988 (Cth) s 18H.
 Section 18L(c).
 Section 18G.
 Section 18E(2).
 Section 18G(c).
 See the section on public sector privacy, and the Privacy Commissioner’s website at <www.privacy.gov.au/>.
 That is, being a breach of ss 18J, 18L, 18N, 18P or 18Q of the Privacy Act 1988 (Cth).
 Privacy Act 1988 (Cth) s 18R.
 Sections 18S and 18T.