Privacy Amendment (Enhancing Privacy Protection) Act 2012 (197 of 2012)

Schedule 4   Other amendments of the Privacy Act 1988

64   After section 33B

Insert:

Division 3A - Assessments by, or at the direction of, the Commissioner

33C Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.

(1) The Commissioner may conduct an assessment of the following matters:

(a) whether personal information held by an APP entity is being maintained and handled in accordance with the following:

(i) the Australian Privacy Principles;

(ii) a registered APP code that binds the entity;

(b) whether information held by an entity is being maintained and handled in accordance with the following to the extent that they apply to the information:

(i) the provisions of Part IIIA;

(ii) the registered CR code if it binds the entity;

(c) whether tax file number information held by a file number recipient is being maintained and handled in accordance with any relevant rules issued under section 17;

(d) whether the data matching program (within the meaning of the Data-matching Program (Assistance and Tax) Act 1990) of an agency complies with Part 2 of that Act and the rules issued under section 12 of that Act;

(e) whether information to which section 135AA of the National Health Act 1953 applies is being maintained and handled in accordance with the rules issued under that section.

(2) The Commissioner may conduct the assessment in such manner as the Commissioner considers fit.

33D Commissioner may direct an agency to give a privacy impact assessment

(1) If:

(a) an agency proposes to engage in an activity or function involving the handling of personal information about individuals; and

(b) the Commissioner considers that the activity or function might have a significant impact on the privacy of individuals;

the Commissioner may, in writing, direct the agency to give the Commissioner, within a specified period, a privacy impact assessment about the activity or function.

(2) A direction under subsection (1) is not a legislative instrument.

Privacy impact assessment

(3) A privacy impact assessment is a written assessment of an activity or function that:

(a) identifies the impact that the activity or function might have on the privacy of individuals; and

(b) sets out recommendations for managing, minimising or eliminating that impact.

(4) Subsection (3) does not limit the matters that the privacy impact assessment may deal with.

(5) A privacy impact assessment is not a legislative instrument.

Failure to comply with a direction

(6) If an agency does not comply with a direction under subsection (1), the Commissioner must advise both of the following of the failure:

(a) the Minister;

(b) if another Minister is responsible for the agency - that other Minister.

Review

(7) Before the fifth anniversary of the commencement of this section, the Minister must cause a review to be undertaken of whether this section should apply in relation to organisations.

Division 3B - Enforceable undertakings

33E Commissioner may accept undertakings

(1) The Commissioner may accept any of the following undertakings:

(a) a written undertaking given by an entity that the entity will, in order to comply with this Act, take specified action;

(b) a written undertaking given by an entity that the entity will, in order to comply with this Act, refrain from taking specified action;

(c) a written undertaking given by an entity that the entity will take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual.

(2) The undertaking must be expressed to be an undertaking under this section.

(3) The entity may withdraw or vary the undertaking at any time, but only with the consent of the Commissioner.

(4) The Commissioner may, by written notice given to the entity, cancel the undertaking.

(5) The Commissioner may publish the undertaking on the Commissioner’s website.

33F Enforcement of undertakings

(1) If:

(a) an entity gives an undertaking under section 33E; and

(b) the undertaking has not been withdrawn or cancelled; and

(c) the Commissioner considers that the entity has breached the undertaking;

the Commissioner may apply to the Federal Court or Federal Magistrates Court for an order under subsection (2).

(2) If the court is satisfied that the entity has breached the undertaking, the court may make any or all of the following orders:

(a) an order directing the entity to comply with the undertaking;

(b) any order that the court considers appropriate directing the person to compensate any other person who has suffered loss or damage as a result of the breach;

(c) any other order that the court considers appropriate.