PRIVACY ACT 1988
Table of Provisions
PART I--PRELIMINARY
- 1 Short title
- 2 Commencement
- 2A Objects of this Act
- 3 Saving of certain State and Territory laws
- 3A Application of the Criminal Code
- 4 Act to bind the Crown
- 5A Extension to external Territories
- 5B Extra-territorial operation of Act
PART II--INTERPRETATION
Division 1--General definitions
- 6 Interpretation
- 6AA Meaning of responsible person
- 6A Breach of an Australian Privacy Principle
- 6B Breach of a registered APP code
- 6BA Breach of the registered CR code
- 6C Organisations
- 6D Small business and small business operators
- 6DA What is the annual turnover of a business?
- 6E Small business operator treated as organisation
- 6EA Small business operators choosing to be treated as organisations
- 6F State instrumentalities etc. treated as organisations
- 6FA Meaning of health information
- 6FB Meaning of health service
Division 2--Key definitions relating to credit reporting
Subdivision A--Credit provider
- 6G Meaning of credit provider
- 6H Agents of credit providers
- 6J Securitisation arrangements etc.
- 6K Acquisition of the rights of a credit provider
Subdivision B--Other definitions
- 6L Meaning of access seeker
- 6M Meaning of credit and amount of credit
- 6N Meaning of credit information
- 6P Meaning of credit reporting business
- 6Q Meaning of default information
- 6QA Meanings of financial hardship arrangement and financial hardship information
- 6R Meaning of information request
- 6S Meaning of new arrangement information
- 6T Meaning of payment information
- 6U Meaning of personal insolvency information
- 6V Meaning of repayment history information
Division 3--Other matters
- 7 Acts and practices of agencies, organisations etc.
- 7A Acts of certain agencies treated as acts of organisation
- 7B Exempt acts and exempt practices of organisations
- 7C Political acts and practices are exempt
- 8 Acts and practices of, and disclosure of information to, staff of agency, organisation etc.
- 10 Agencies that are taken to hold a record
- 11 File number recipients
- 12A Act not to apply in relation to State banking or insurance within that State
- 12B Severability--additional effect of this Act
PART III--INFORMATION PRIVACY
Division 1--Interferences with privacy
- 13 Interferences with privacy
- 13B Related bodies corporate
- 13C Change in partnership because of change in partners
- 13D Overseas act required by foreign law
- 13E Effect of sections 13B, 13C and 13D
- 13F Act or practice not covered by section 13 is not an interference with privacy
- 13G Serious and repeated interferences with privacy
Division 2--Australian Privacy Principles
- 14 Australian Privacy Principles
- 15 APP entities must comply with Australian Privacy Principles
- 16 Personal, family or household affairs
- 16A Permitted general situations in relation to the collection, use or disclosure of personal information
- 16B Permitted health situations in relation to the collection, use or disclosure of health information
- 16C Acts and practices of overseas recipients of personal information
Division 4--Tax file number information
- 17 Rules relating to tax file number information
- 18 File number recipients to comply with rules
PART IIIA--CREDIT REPORTING
Division 1--Introduction
- 19 Guide to this Part
Division 2--Credit reporting bodies
Subdivision A--Introduction and application of this Division etc.
- 20 Guide to this Division
- 20A Application of this Division and the Australian Privacy Principles to credit reporting bodies
Subdivision B--Consideration of information privacy
- 20B Open and transparent management of credit reporting information
Subdivision C--Collection of credit information
- 20C Collection of solicited credit information
- 20D Dealing with unsolicited credit information
Subdivision D--Dealing with credit reporting information etc.
- 20E Use or disclosure of credit reporting information
- 20F Permitted CRB disclosures in relation to individuals
- 20G Use or disclosure of credit reporting information for the purposes of direct marketing
- 20H Use or disclosure of pre-screening assessments
- 20J Destruction of pre-screening assessment
- 20K No use or disclosure of credit reporting information during a ban period
- 20L Adoption of government related identifiers
- 20M Use or disclosure of credit reporting information that is de-identified
Subdivision E--Integrity of credit reporting information
- 20N Quality of credit reporting information
- 20P False or misleading credit reporting information
- 20Q Security of credit reporting information
Subdivision F--Access to, and correction of, information
- 20R Access to credit reporting information
- 20S Correction of credit reporting information
- 20T Individual may request the correction of credit information etc.
- 20U Notice of correction etc. must be given
Subdivision G--Dealing with credit reporting information after the retention period ends etc.
- 20V Destruction etc. of credit reporting information after the retention period ends
- 20W Retention period for credit information--general
- 20X Retention period for credit information--personal insolvency information
- 20Y Destruction of credit reporting information in cases of fraud
- 20Z Dealing with information if there is a pending correction request etc.
- 20ZA Dealing with information if an Australian law etc. requires it to be retained
Division 3--Credit providers
Subdivision A--Introduction and application of this Division
- 21 Guide to this Division
- 21A Application of this Division to credit providers
Subdivision B--Consideration of information privacy
- 21B Open and transparent management of credit information etc.
Subdivision C--Dealing with credit information
- 21C Additional notification requirements for the collection of personal information etc.
- 21D Disclosure of credit information to a credit reporting body
- 21E Payment information must be disclosed to a credit reporting body
- 21EA Financial hardship information must be disclosed
- 21F Limitation on the disclosure of credit information during a ban period
Subdivision D--Dealing with credit eligibility information etc.
- 21G Use or disclosure of credit eligibility information
- 21H Permitted CP uses in relation to individuals
- 21J Permitted CP disclosures between credit providers
- 21K Permitted CP disclosures relating to guarantees etc.
- 21L Permitted CP disclosures to mortgage insurers
- 21M Permitted CP disclosures to debt collectors
- 21N Permitted CP disclosures to other recipients
- 21NA Disclosures to certain persons and bodies that do not have an Australian link
- 21P Notification of a refusal of an application for consumer credit
Subdivision E--Integrity of credit information and credit eligibility information
- 21Q Quality of credit eligibility information
- 21R False or misleading credit information or credit eligibility information
- 21S Security of credit eligibility information
Subdivision F--Access to, and correction of, information
- 21T Access to credit eligibility information
- 21U Correction of credit information or credit eligibility information
- 21V Individual may request the correction of credit information etc.
- 21W Notice of correction etc. must be given
Division 4--Affected information recipients
- 22 Guide to this Division
Subdivision A--Consideration of information privacy
- 22A Open and transparent management of regulated information
Subdivision B--Dealing with regulated information
- 22B Additional notification requirements for affected information recipients
- 22C Use or disclosure of information by mortgage insurers or trade insurers
- 22D Use or disclosure of information by a related body corporate
- 22E Use or disclosure of information by credit managers etc.
- 22F Use or disclosure of information by advisers etc.
Division 5--Complaints
- 23 Guide to this Division
- 23A Individual may complain about a breach of a provision of this Part etc.
- 23B Dealing with complaints
- 23C Notification requirements relating to correction complaints
Division 6--Unauthorised obtaining of credit reporting information etc.
- 24 Obtaining credit reporting information from a credit reporting body
- 24A Obtaining credit eligibility information from a credit provider
Division 7--Court orders
Division 8--Review
- 25B Review of operation of this Part
PART IIIB--PRIVACY CODES
Division 1--Introduction
- 26 Guide to this Part
Division 2--Registered APP codes
Subdivision A--Compliance with registered APP codes etc.
- 26A APP entities to comply with binding registered APP codes
- 26B What is a registered APP code
- 26C What is an APP code
- 26D Extension of Act to exempt acts or practices covered by registered APP codes
Subdivision B--Development and registration of APP codes
- 26E Development of APP codes by APP code developers
- 26F Application for registration of APP codes
- 26G Development of APP codes by the Commissioner
- 26H Commissioner may register APP codes
Subdivision C--Variation and removal of registered APP codes
- 26J Variation of registered APP codes
- 26K Removal of registered APP codes
Division 3--Registered CR code
Subdivision A--Compliance with the registered CR code
- 26L Entities to comply with the registered CR code if bound by the code
- 26M What is the registered CR code
- 26N What is a CR code
Subdivision B--Development and registration of CR code
- 26P Development of CR code by CR code developers
- 26Q Application for registration of CR code
- 26R Development of CR code by the Commissioner
- 26S Commissioner may register CR code
Subdivision C--Variation of the registered CR code
- 26T Variation of the registered CR code
Division 4--General matters
- 26U Codes Register
- 26V Guidelines relating to codes
- 26W Review of operation of registered codes
PART IIIC--NOTIFICATION OF ELIGIBLE DATA BREACHES
Division 1--Introduction
- 26WA Simplified outline of this Part
- 26WB Entity
- 26WC Deemed holding of information
- 26WD Exception--notification under the My Health Records Act 2012
Division 2--Eligible data breach
- 26WE Eligible data breach
- 26WF Exception--remedial action
- 26WG Whether access or disclosure would be likely, or would not be likely, to result in serious harm--relevant matters
Division 3--Notification of eligible data breaches
Subdivision A--Suspected eligible data breaches
- 26WH Assessment of suspected eligible data breach
- 26WJ Exception--eligible data breaches of other entities
Subdivision B--General notification obligations
- 26WK Statement about eligible data breach
- 26WL Entity must notify eligible data breach
- 26WM Exception--eligible data breaches of other entities
- 26WN Exception--enforcement related activities
- 26WP Exception--inconsistency with secrecy provisions
- 26WQ Exception--declaration by Commissioner
Subdivision C--Commissioner may direct entity to notify eligible data breach
- 26WR Commissioner may direct entity to notify eligible data breach
- 26WS Exception--enforcement related activities
- 26WT Exception--inconsistency with secrecy provisions
Division 4--Commissioner's powers to obtain information or documents relating to eligible data breaches
- 26WU Power to obtain information and documents relating to eligible data breaches
PART IV--FUNCTIONS OF THE INFORMATION COMMISSIONER
Division 2--Functions of Commissioner
- 27 Functions of the Commissioner
- 28 Guidance related functions of the Commissioner
- 28A Monitoring related functions of the Commissioner
- 28B Advice related functions of the Commissioner
- 29 Commissioner must have due regard to the objects of the Act
Division 3--Reports and information sharing by Commissioner
- 30 Reports following investigation of act or practice
- 31 Report following examination of proposed law
- 32 Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.
- 33 Exclusion of certain matters from reports
- 33A Commissioner may share information with other authorities
- 33B Commissioner may disclose certain information if in the public interest etc.
Division 3A--Assessments by, or at the direction of, the Commissioner
- 33C Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.
- 33D Commissioner may direct an agency to give a privacy impact assessment
Division 4--Miscellaneous
- 34 Provisions relating to documents exempt under the Freedom of Information Act 1982
- 35 Direction where refusal or failure to amend exempt document
- 35A Commissioner may recognise external dispute resolution schemes
PART V--INVESTIGATIONS ETC.
Division 1A--Introduction
- 36A Guide to this Part
Division 1--Investigation of complaints and investigations on the Commissioner's initiative
- 36 Complaints
- 36B Complaints relating to the data sharing scheme
- 37 Principal executive of agency
- 38 Conditions for making a representative complaint
- 38A Commissioner may determine that a complaint is not to continue as a representative complaint
- 38B Additional rules applying to the determination of representative complaints
- 38C Amendment of representative complaints
- 39 Class member for representative complaint not entitled to lodge individual complaint
- 40 Investigations
- 40A Conciliation of complaints
- 41 Commissioner may or must decide not to investigate etc. in certain circumstances
- 42 Preliminary inquiries
- 43 Conduct of investigations
- 43A Interested party may request a hearing
- 44 Power to obtain information and documents
- 45 Power to examine witnesses
- 46 Directions to persons to attend compulsory conference
- 47 Conduct of compulsory conference
- 48 Complainant and certain other persons to be informed of various matters
- 49 Investigation under section 40 to cease if certain offences may have been committed
- 49A Investigation under section 40 to cease if civil penalty provision under Personal Property Securities Act 2009 may have been contravened
- 49B Transfer of complaints from the Inspector-General of Intelligence and Security
- 50 Reference of matters to other authorities
- 50A Substitution of respondent to complaint
- 51 Effect of investigation by Auditor-General
Division 2--Determinations following investigation of complaints
- 52 Determination of the Commissioner
- 52A Determination--requirement to notify conduct constituting interference with privacy of individual
- 53 Determination must identify the class members who are to be affected by the determination
- 53A Notice to be given to outsourcing agency
- 53B Substituting an agency for a contracted service provider
Division 3--Enforcement of determinations
- 54 Application of Division
- 55 Obligations of organisations and small business operators
- 55A Proceedings in the Federal Court or Federal Circuit and Family Court of Australia (Division 2) to enforce a determination
- 55B Evidentiary certificate
Division 4--Review and enforcement of determinations involving Commonwealth agencies
- 57 Application of Division
- 58 Obligations of agencies
- 59 Obligations of principal executive of agency
- 60 Compensation and expenses
- 62 Enforcement of determination against an agency
Division 5--Miscellaneous
- 63 Legal assistance
- 64 Commissioner etc. not to be sued
- 65 Failure to attend etc. before Commissioner
- 66 Failure to give information etc.
- 67 Protection from civil actions
- 68 Power to enter premises
- 68A Identity cards
- 70 Certain documents and information not required to be disclosed
- 70B Application of this Part to former organisations
PART VI--PUBLIC INTEREST DETERMINATIONS AND TEMPORARY PUBLIC INTEREST DETERMINATIONS
Division 1--Public interest determinations
- 71 Interpretation
- 72 Power to make, and effect of, determinations
- 73 Application by APP entity
- 74 Publication of application etc.
- 75 Draft determination
- 76 Conference
- 77 Conduct of conference
- 78 Determination of application
- 79 Making of determination
Division 2--Temporary public interest determinations
- 80A Temporary public interest determinations
- 80B Effect of temporary public interest determination
- 80D Commissioner may continue to consider application
Division 3--Register of determinations
- 80E Register of determinations
PART VIA--DEALING WITH PERSONAL INFORMATION IN EMERGENCIES AND DISASTERS
Division 1--Object and interpretation
Division 2--Declaration of emergency
- 80J Declaration of emergency--events of national significance
- 80K Declaration of emergency--events outside Australia
- 80L Form of declarations
- 80M When declarations take effect
- 80N When declarations cease to have effect
Division 3--Provisions dealing with the use and disclosure of personal information
- 80P Authorisation of collection, use and disclosure of personal information
Division 4--Other matters
- 80Q Disclosure of information--offence
- 80R Operation of Part
- 80S Severability--additional effect of Part
- 80T Compensation for acquisition of property--constitutional safety net
PART VIB--ENFORCEMENT
Division 1--Civil penalties
Division 1A--Infringement notices
- 80UB Infringement notices
Division 2--Enforceable undertakings
- 80V Enforceable undertakings
Division 3--Injunctions
- 80W Injunctions
PART VII--PRIVACY ADVISORY COMMITTEE
- 81 Interpretation
- 82 Establishment and membership
- 83 Functions
- 84 Leave of absence
- 85 Removal and resignation of members
- 86 Disclosure of interests of members
- 87 Meetings of Advisory Committee
- 88 Travel allowance
PART VIII--OBLIGATIONS OF CONFIDENCE
- 89 Obligations of confidence to which Part applies
- 90 Application of Part
- 91 Effect of Part on other laws
- 92 Extension of certain obligations of confidence
- 93 Relief for breach etc. of certain obligations of confidence
- 94 Jurisdiction of courts
PART IX--MISCELLANEOUS
- 95 Medical research guidelines
- 95A Guidelines for Australian Privacy Principles about health information
- 95AA Guidelines for Australian Privacy Principles about genetic information
- 95B Requirements for Commonwealth contracts
- 95C Disclosure of certain provisions of Commonwealth contracts
- 96 Review by the Administrative Appeals Tribunal
- 98A Treatment of partnerships
- 98B Treatment of unincorporated associations
- 98C Treatment of trusts
- 99A Conduct of directors, employees and agents
- 100 Regulations