(1) The Commissioner may conduct an assessment of the following matters:
(a) whether personal information held by an APP entity is being maintained and handled in accordance with the following:
(i) the Australian Privacy Principles;
(ii) a registered APP code that binds the entity;
(b) whether information held by an entity is being maintained and handled in accordance with the following to the extent that they apply to the information:
(i) the provisions of Part IIIA;
(ii) the registered CR code if it binds the entity;
(c) whether tax file number information held by a file number recipient is being maintained and handled in accordance with any relevant rules issued under section 17;
(ca) the ability of an entity subject to Part IIIC to comply with that Part, including the extent to which the entity has processes and procedures in place to:
(i) assess suspected eligible data breaches; and
(ii) provide notice of eligible data breaches to the Commissioner and to individuals at risk from such breaches;
(d) whether the data matching program (within the meaning of the Data-matching Program (Assistance and Tax) Act 1990) of an agency complies with Part 2 of that Act and the rules issued under section 12 of that Act;
(e) whether information to which section 135AA of the National Health Act 1953 applies is being maintained and handled in accordance with the rules issued under that section;
(f) whether the matching of information under Part VIIIA of the National Health Act 1953, and the handling of information relating to that matching, is in accordance with that Part, including:
(i) any terms and conditions relating to the matching of the information determined by the Chief Executive Medicare under paragraph 132B(3)(a) of that Act; and
(ii) the principles made by the Minister under subsection 132F(1) of that Act.
(2) The Commissioner may conduct the assessment in such manner as the Commissioner considers fit.
(3) Without limiting subsection (2), if the Commissioner has reason to believe that an entity or file number recipient being assessed has information or a document relevant to the assessment the Commissioner may, by written notice, require the entity or file number recipient to give the information or produce the document within the period specified in the notice, which must not be less than 14 days after the notice is given to the entity or file number recipient.
Note: For a failure to give information etc., see section 66.
(4) The Commissioner must not give a notice under subsection (3) unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the following:
(a) the public interest;
(b) the impact on the entity or file number recipient of complying with the notice;
(c) any other matters that the Commissioner considers relevant.
(5) An enforcement body is not required to comply with a notice given by the Commissioner under subsection (3) if the chief executive officer of the enforcement body believes on reasonable grounds that compliance with the notice would be likely to prejudice one or more enforcement related activities conducted by or on behalf of the enforcement body.
(6) Subsection (3) is subject to section 70 but it has effect regardless of any other Commonwealth law.
(7) A person or entity is not liable to a penalty under the provisions of any other Commonwealth law because the person or entity gives information or produces a document when required to do so under subsection (3).
(8) The Commissioner may publish information relating to an assessment on the Commissioner's website.