Commonwealth Consolidated Acts
PRIVACY ACT 1988
TABLE OF PROVISIONS
Long Title
PART I--PRELIMINARY
1. Short title
2. Commencement
2A. Objects of this Act
3. Saving of certain State and Territory laws
3A. Application of the Criminal Code
4. Act to bind the Crown
5A. Extension to external Territories
5B. Extra-territorial operation of Act
PART II--INTERPRETATION
Division 1--General definitions
6. Interpretation
6AA. Meaning of responsible person
6A. Breach of an Australian Privacy Principle
6B. Breach of a registered APP code
6BA. Breach of the registered CR code
6C. Organisations
6D. Small business and small business operators
6DA. What is the annual turnover of a business?
6E. Small business operator treated as organisation
6EA. Small business operators choosing to be treated as organisations
6F. State instrumentalities etc. treated as organisations
6FA. Meaning of health information
6FB. Meaning of health service
Division 2--Key definitions relating to credit reporting
Subdivision A--Credit provider
6G. Meaning of credit provider
6H. Agents of credit providers
6J. Securitisation arrangements etc.
6K. Acquisition of the rights of a credit provider
Subdivision B--Other definitions
6L. Meaning of access seeker
6M. Meaning of credit and amount of credit
6N. Meaning of credit information
6P. Meaning of credit reporting business
6Q. Meaning of default information
6QA. Meanings of financial hardship arrangement and financial hardship information
6R. Meaning of information request
6S. Meaning of new arrangement information
6T. Meaning of payment information
6U. Meaning of personal insolvency information
6V. Meaning of repayment history information
Division 3--Other matters
7. Acts and practices of agencies, organisations etc.
7A. Acts of certain agencies treated as acts of organisation
7B. Exempt acts and exempt practices of organisations
7C. Political acts and practices are exempt
8. Acts and practices of, and disclosure of information to, staff of agency, organisation etc.
10. Agencies that are taken to hold a record
11. File number recipients
12A. Act not to apply in relation to State banking or insurance within that State
12B. Severability--additional effect of this Act
PART III--INFORMATION PRIVACY
Division 1--Interferences with privacy
13. Interferences with privacy
13B. Related bodies corporate
13C. Change in partnership because of change in partners
13D. Overseas act required by foreign law
13E. Effect of sections 13B, 13C and 13D
13F. Act or practice not covered by section 13 is not an interference with privacy
13G. Serious and repeated interferences with privacy
Division 2--Australian Privacy Principles
14. Australian Privacy Principles
15. APP entities must comply with Australian Privacy Principles
16. Personal, family or household affairs
16A. Permitted general situations in relation to the collection, use or disclosure of personal information
16B. Permitted health situations in relation to the collection, use or disclosure of health information
16C. Acts and practices of overseas recipients of personal information
Division 4--Tax file number information
17. Rules relating to tax file number information
18. File number recipients to comply with rules
PART IIIA--CREDIT REPORTING
Division 1--Introduction
19. Guide to this Part
Division 2--Credit reporting bodies
Subdivision A--Introduction and application of this Division etc.
20. Guide to this Division
20A. Application of this Division and the Australian Privacy Principles to credit reporting bodies
Subdivision B--Consideration of information privacy
20B. Open and transparent management of credit reporting information
Subdivision C--Collection of credit information
20C. Collection of solicited credit information
20D. Dealing with unsolicited credit information
Subdivision D--Dealing with credit reporting information etc.
20E. Use or disclosure of credit reporting information
20F. Permitted CRB disclosures in relation to individuals
20G. Use or disclosure of credit reporting information for the purposes of direct marketing
20H. Use or disclosure of pre-screening assessments
20J. Destruction of pre-screening assessment
20K. No use or disclosure of credit reporting information during a ban period
20L. Adoption of government related identifiers
20M. Use or disclosure of credit reporting information that is de-identified
Subdivision E--Integrity of credit reporting information
20N. Quality of credit reporting information
20P. False or misleading credit reporting information
20Q. Security of credit reporting information
Subdivision F--Access to, and correction of, information
20R. Access to credit reporting information
20S. Correction of credit reporting information
20T. Individual may request the correction of credit information etc.
20U. Notice of correction etc. must be given
Subdivision G--Dealing with credit reporting information after the retention period ends etc.
20V. Destruction etc. of credit reporting information after the retention period ends
20W. Retention period for credit information--general
20X. Retention period for credit information--personal insolvency information
20Y. Destruction of credit reporting information in cases of fraud
20Z. Dealing with information if there is a pending correction request etc.
20ZA. Dealing with information if an Australian law etc. requires it to be retained
Division 3--Credit providers
Subdivision A--Introduction and application of this Division
21. Guide to this Division
21A. Application of this Division to credit providers
Subdivision B--Consideration of information privacy
21B. Open and transparent management of credit information etc.
Subdivision C--Dealing with credit information
21C. Additional notification requirements for the collection of personal information etc.
21D. Disclosure of credit information to a credit reporting body
21E. Payment information must be disclosed to a credit reporting body
21EA. Financial hardship information must be disclosed
21F. Limitation on the disclosure of credit information during a ban period
Subdivision D--Dealing with credit eligibility information etc.
21G. Use or disclosure of credit eligibility information
21H. Permitted CP uses in relation to individuals
21J. Permitted CP disclosures between credit providers
21K. Permitted CP disclosures relating to guarantees etc.
21L. Permitted CP disclosures to mortgage insurers
21M. Permitted CP disclosures to debt collectors
21N. Permitted CP disclosures to other recipients
21NA. Disclosures to certain persons and bodies that do not have an Australian link
21P. Notification of a refusal of an application for consumer credit
Subdivision E--Integrity of credit information and credit eligibility information
21Q. Quality of credit eligibility information
21R. False or misleading credit information or credit eligibility information
21S. Security of credit eligibility information
Subdivision F--Access to, and correction of, information
21T. Access to credit eligibility information
21U. Correction of credit information or credit eligibility information
21V. Individual may request the correction of credit information etc.
21W. Notice of correction etc. must be given
Division 4--Affected information recipients
22. Guide to this Division
Subdivision A--Consideration of information privacy
22A. Open and transparent management of regulated information
Subdivision B--Dealing with regulated information
22B. Additional notification requirements for affected information recipients
22C. Use or disclosure of information by mortgage insurers or trade insurers
22D. Use or disclosure of information by a related body corporate
22E. Use or disclosure of information by credit managers etc.
22F. Use or disclosure of information by advisers etc.
Division 5--Complaints
23. Guide to this Division
23A. Individual may complain about a breach of a provision of this Part etc.
23B. Dealing with complaints
23C. Notification requirements relating to correction complaints
Division 6--Unauthorised obtaining of credit reporting information etc.
24. Obtaining credit reporting information from a credit reporting body
24A. Obtaining credit eligibility information from a credit provider
Division 7--Court orders
25. Compensation orders
25A. Other orders to compensate loss or damage
Division 8--Review
25B. Review of operation of this Part
PART IIIB--PRIVACY CODES
Division 1--Introduction
26. Guide to this Part
Division 2--Registered APP codes
Subdivision A--Compliance with registered APP codes etc.
26A. APP entities to comply with binding registered APP codes
26B. What is a registered APP code
26C. What is an APP code
26D. Extension of Act to exempt acts or practices covered by registered APP codes
Subdivision B--Development and registration of APP codes
26E. Development of APP codes by APP code developers
26F. Application for registration of APP codes
26G. Development of APP codes by the Commissioner
26H. Commissioner may register APP codes
Subdivision C--Variation and removal of registered APP codes
26J. Variation of registered APP codes
26K. Removal of registered APP codes
Division 3--Registered CR code
Subdivision A--Compliance with the registered CR code
26L. Entities to comply with the registered CR code if bound by the code
26M. What is the registered CR code
26N. What is a CR code
Subdivision B--Development and registration of CR code
26P. Development of CR code by CR code developers
26Q. Application for registration of CR code
26R. Development of CR code by the Commissioner
26S. Commissioner may register CR code
Subdivision C--Variation of the registered CR code
26T. Variation of the registered CR code
Division 4--General matters
26U. Codes Register
26V. Guidelines relating to codes
26W. Review of operation of registered codes
PART IIIC--NOTIFICATION OF ELIGIBLE DATA BREACHES
Division 1--Introduction
26WA. Simplified outline of this Part
26WB. Entity
26WC. Deemed holding of information
26WD. Exception--notification under the My Health Records Act 2012
Division 2--Eligible data breach
26WE. Eligible data breach
26WF. Exception--remedial action
26WG. Whether access or disclosure would be likely, or would not be likely, to result in serious harm--relevant matters
Division 3--Notification of eligible data breaches
Subdivision A--Suspected eligible data breaches
26WH. Assessment of suspected eligible data breach
26WJ. Exception--eligible data breaches of other entities
Subdivision B--General notification obligations
26WK. Statement about eligible data breach
26WL. Entity must notify eligible data breach
26WM. Exception--eligible data breaches of other entities
26WN. Exception--enforcement related activities
26WP. Exception--inconsistency with secrecy provisions
26WQ. Exception--declaration by Commissioner
Subdivision C--Commissioner may direct entity to notify eligible data breach
26WR. Commissioner may direct entity to notify eligible data breach
26WS. Exception--enforcement related activities
26WT. Exception--inconsistency with secrecy provisions
Division 4--Commissioner's powers to obtain information or documents relating to eligible data breaches
26WU. Power to obtain information and documents relating to eligible data breaches
PART IV--FUNCTIONS OF THE INFORMATION COMMISSIONER
Division 2--Functions of Commissioner
27. Functions of the Commissioner
28. Guidance related functions of the Commissioner
28A. Monitoring related functions of the Commissioner
28B. Advice related functions of the Commissioner
29. Commissioner must have due regard to the objects of the Act
Division 3--Reports and information sharing by Commissioner
30. Reports following investigation of act or practice
31. Report following examination of proposed law
32. Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.
33. Exclusion of certain matters from reports
33A. Commissioner may share information with other authorities
33B. Commissioner may disclose certain information if in the public interest etc.
Division 3A--Assessments by, or at the direction of, the Commissioner
33C. Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.
33D. Commissioner may direct an agency to give a privacy impact assessment
Division 4--Miscellaneous
34. Provisions relating to documents exempt under the Freedom of Information Act 1982
35. Direction where refusal or failure to amend exempt document
35A. Commissioner may recognise external dispute resolution schemes
PART V--INVESTIGATIONS ETC.
Division 1A--Introduction
36A. Guide to this Part
Division 1--Investigation of complaints and investigations on the Commissioner's initiative
36. Complaints
36B. Complaints relating to the data sharing scheme
37. Principal executive of agency
38. Conditions for making a representative complaint
38A. Commissioner may determine that a complaint is not to continue as a representative complaint
38B. Additional rules applying to the determination of representative complaints
38C. Amendment of representative complaints
39. Class member for representative complaint not entitled to lodge individual complaint
40. Investigations
40A. Conciliation of complaints
41. Commissioner may or must decide not to investigate etc. in certain circumstances
42. Preliminary inquiries
43. Conduct of investigations
43A. Interested party may request a hearing
44. Power to obtain information and documents
45. Power to examine witnesses
46. Directions to persons to attend compulsory conference
47. Conduct of compulsory conference
48. Complainant and certain other persons to be informed of various matters
49. Investigation under section 40 to cease if certain offences may have been committed
49A. Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened
49B. Transfer of complaints from the Inspector-General of Intelligence and Security
50. Reference of matters to other authorities
50A. Substitution of respondent to complaint
51. Effect of investigation by Auditor-General
Division 2--Determinations following investigation of complaints
52. Determination of the Commissioner
52A. Determination--requirement to notify conduct constituting interference with privacy of individual
53. Determination must identify the class members who are to be affected by the determination
53A. Notice to be given to outsourcing agency
53B. Substituting an agency for a contracted service provider
Division 3--Enforcement of determinations
54. Application of Division
55. Obligations of organisations and small business operators
55A. Proceedings in the Federal Court or Federal Circuit and Family Court of Australia (Division 2) to enforce a determination
55B. Evidentiary certificate
Division 4--Review and enforcement of determinations involving Commonwealth agencies
57. Application of Division
58. Obligations of agencies
59. Obligations of principal executive of agency
60. Compensation and expenses
62. Enforcement of determination against an agency
Division 5--Miscellaneous
63. Legal assistance
64. Commissioner etc. not to be sued
65. Failure to attend etc. before Commissioner
66. Failure to give information etc.
67. Protection from civil actions
68. Power to enter premises
68A. Identity cards
70. Certain documents and information not required to be disclosed
70B. Application of this Part to former organisations
PART VI--PUBLIC INTEREST DETERMINATIONS AND TEMPORARY PUBLIC INTEREST DETERMINATIONS
Division 1--Public interest determinations
71. Interpretation
72. Power to make, and effect of, determinations
73. Application by APP entity
74. Publication of application etc.
75. Draft determination
76. Conference
77. Conduct of conference
78. Determination of application
79. Making of determination
Division 2--Temporary public interest determinations
80A. Temporary public interest determinations
80B. Effect of temporary public interest determination
80D. Commissioner may continue to consider application
Division 3--Register of determinations
80E. Register of determinations
PART VIA--DEALING WITH PERSONAL INFORMATION IN EMERGENCIES AND DISASTERS
Division 1--Object and interpretation
80F. Object
80G. Interpretation
80H. Meaning of permitted purpose
Division 2--Declaration of emergency
80J. Declaration of emergency--events of national significance
80K. Declaration of emergency--events outside Australia
80L. Form of declarations
80M. When declarations take effect
80N. When declarations cease to have effect
Division 3--Provisions dealing with the use and disclosure of personal information
80P. Authorisation of collection, use and disclosure of personal information
Division 4--Other matters
80Q. Disclosure of information--offence
80R. Operation of Part
80S. Severability--additional effect of Part
80T. Compensation for acquisition of property--constitutional safety net
PART VIB--ENFORCEMENT
Division 1--Civil penalties
80U. Civil penalty provisions
Division 1A--Infringement notices
80UB. Infringement notices
Division 2--Enforceable undertakings
80V. Enforceable undertakings
Division 3--Injunctions
80W. Injunctions
PART VII--PRIVACY ADVISORY COMMITTEE
81. Interpretation
82. Establishment and membership
83. Functions
84. Leave of absence
85. Removal and resignation of members
86. Disclosure of interests of members
87. Meetings of Advisory Committee
88. Travel allowance
PART VIII--OBLIGATIONS OF CONFIDENCE
89. Obligations of confidence to which Part applies
90. Application of Part
91. Effect of Part on other laws
92. Extension of certain obligations of confidence
93. Relief for breach etc. of certain obligations of confidence
94. Jurisdiction of courts
PART IX--MISCELLANEOUS
95. Medical research guidelines
95A. Guidelines for Australian Privacy Principles about health information
95AA. Guidelines for Australian Privacy Principles about genetic information
95B. Requirements for Commonwealth contracts
95C. Disclosure of certain provisions of Commonwealth contracts
96. Review by the Administrative Review Tribunal
98A. Treatment of partnerships
98B. Treatment of unincorporated associations
98C. Treatment of trusts
99A. Conduct of directors, employees and agents
100. Regulations
SCHEDULE 1 Australian Privacy Principles