Privacy and Other Legislation Amendment Act 2024 (128 of 2024)

Schedule 1   Privacy reforms

Part 7   Eligible data breaches

Privacy Act 1988

43   At the end of Part IIIC

Add:

Division 5 - Dealing with personal information involved in eligible data breaches

Subdivision A - Eligible data breach declaration

26X Eligible data breach declaration

Minister may make eligible data breach declaration

(1) The Minister may, by writing, make a declaration under this subsection if:

(a) there is an eligible data breach of an entity; and

(b) the Minister is satisfied that making the declaration is:

(i) necessary or appropriate to prevent; or

(ii) necessary or appropriate to reduce;

a risk of harm arising from a misuse of personal information about one or more individuals following unauthorised access to, or unauthorised disclosure of, that personal information from the eligible data breach of the entity.

Note: A declaration under this subsection is relevant for the operation of section 26XB (authorisation of collection, use and disclosure of personal information) and related provisions.

Matters covered by declaration

(2) Without limiting subsection (1), the declaration must specify the following matters:

(a) the kind or kinds of personal information to which the declaration applies;

(b) the entity or class of entities that may collect, use or disclose the personal information;

(c) the entity or class of entities that the personal information may be disclosed to;

(d) one or more permitted purposes of the collection, use or disclosure.

Specified entities

(3) An entity or class of entities specified for the purposes of paragraph (2)(c):

(a) may include a State or Territory authority; and

(b) must not be or include a media organisation, the Australian Broadcasting Corporation or the Special Broadcasting Service Corporation.

Specified permitted purposes

(4) A permitted purpose specified for the purposes of paragraph (2)(d) in relation to an eligible data breach must be a purpose that is directly related to preventing or reducing a risk of harm mentioned in paragraph (1)(b) to one or more individuals at risk from the eligible data breach.

(5) Without limiting subsection (4), any of the following things may be specified as a permitted purpose in relation to an eligible data breach, to the extent that it is directly related to preventing or reducing a risk of harm mentioned in paragraph (1)(b):

(a) preventing a cyber security incident (within the meaning of the Security of Critical Infrastructure Act 2018), fraud, scam activity or identity theft;

(b) responding to a cyber security incident, fraud, scam activity or identity theft;

(c) responding to the consequences of a cyber security incident, fraud, scam activity, identity crime and misuse, financial loss, emotional and psychological harm, family violence and physical harm or intimidation;

(d) addressing malicious cyber activity.

(6) Without limiting subsection 33(3A) of the Acts Interpretation Act 1901, or any other provision of this Act, an eligible data breach declaration may provide differently for:

(a) different kinds of personal information; and

(b) different entities or classes of entities; and

(c) different permitted purposes.

Conditions

(7) The declaration may specify a matter mentioned in subsection (2) subject to conditions.

Consultation

(8) Before the Minister makes a declaration under subsection (1), the Minister may consult with any person or body, including the Commissioner and the Director-General of the Australian Signals Directorate.

(9) Despite subsection 29(1) of the Australian Information Commissioner Act 2010 and any provision of this Act, the Commissioner may disclose information to the Minister for the purposes of consultation under subsection (8).

Declaration is a legislative instrument

(10) A declaration under subsection (1) is a legislative instrument, but section 42 (disallowance) of the Legislation Act 2003 does not apply to the declaration.

26XA When declarations cease to be in force

An eligible data breach declaration ceases to be in force at the earliest of the following:

(a) if a time at which the declaration will cease to be in force is specified in the declaration - at that time;

(b) the time at which the declaration is repealed;

(c) the start of the day after the end of the period of 12 months beginning on the day the declaration commences.

Subdivision B - Provisions dealing with the collection, use and disclosure of personal information

26XB Authorisation of collection, use and disclosure of personal information

(1) At any time when an eligible data breach declaration is in force in relation to an eligible data breach, an entity may collect, use or disclose personal information about an individual if:

(a) the entity reasonably believes that the individual may be at risk from the eligible data breach; and

(b) the collection, use or disclosure is for a permitted purpose specified in the declaration; and

(c) the information is information of a kind or kinds specified in the declaration; and

(d) the information is disclosed by an entity specified in the declaration, or an entity included in a class of entities specified in the declaration; and

(e) the information is disclosed to an entity specified in the declaration, or an entity included in a class of entities specified in the declaration; and

(f) if a matter mentioned in paragraph (b), (c), (d) or (e) is specified in the declaration subject to conditions - those conditions are satisfied.

(2) An entity is not liable to any proceedings for contravening a secrecy provision in respect of a use or disclosure of personal information authorised by subsection (1) unless the secrecy provision is a designated secrecy provision (see subsection (6)).

(3) An entity is not liable to any proceedings for contravening a duty of confidence in respect of a disclosure of personal information authorised by subsection (1).

(4) An entity does not breach an Australian Privacy Principle, a registered APP code that binds the entity or a rule issued under section 17 (rules relating to tax file number information) in respect of a collection, use or disclosure of personal information authorised by subsection (1).

(5) A collection, use or disclosure of personal information by an officer or employee of an agency in the course of duty as an officer or employee is authorised by subsection (1) only if the officer or employee is authorised by the agency to collect, use or disclose the personal information.

(6) In this section:

designated secrecy provision means any of the following:

(a) sections 18, 18A, 18B, 34GF, 35P, 92 and 92A, and subsection 34GE(4), of the Australian Security Intelligence Organisation Act 1979;

(b) section 15LC of the Crimes Act 1914;

(c) section 34 of the Inspector-General of Intelligence and Security Act 1986;

(d) sections 39, 40C, 40D and 41 of, and clause 9 of Schedule 1 to, the Intelligence Services Act 2001;

(e) sections 42 and 44 of the Office of National Intelligence Act 2018;

(f) sections 22, 22A and 22B of the Witness Protection Act 1994;

(g) a provision of a Commonwealth law prescribed by the regulations for the purposes of this paragraph;

(h) a provision of a Commonwealth law of a kind prescribed by the regulations for the purposes of this paragraph.

secrecy provision means a provision of a Commonwealth law (including a provision of this Act) that prohibits or regulates the use or disclosure of personal information, whether the provision relates to the use or disclosure of personal information generally or in specified circumstances.

Subdivision C - Other matters

26XC Disclosure of information - offence

(1) A person (the first person) commits an offence if:

(a) personal information that relates to an individual is disclosed to the first person because of the operation of this Division; and

(b) the first person subsequently discloses the personal information.

Penalty: 60 penalty units or imprisonment for 1 year, or both.

(2) Subsection (1) does not apply to the following disclosures:

(a) if the first person is an APP entity - a disclosure permitted under an Australian Privacy Principle, a registered APP code that binds the person or a rule issued under section 17 (rules relating to tax file number information);

(b) a disclosure for the purposes of carrying out a State's constitutional functions, powers or duties;

(c) a disclosure for the purposes of obtaining or providing legal advice in relation to the operation of this Division;

(d) a disclosure permitted under section 26XB;

(e) a disclosure made with the consent of the individual to whom the personal information relates;

(f) a disclosure to the individual to whom the personal information relates;

(g) a disclosure to a court;

(h) a disclosure prescribed by the regulations.

Note: A defendant bears an evidential burden in relation to a matter in this subsection (see subsection 13.3(3) of the Criminal Code).

(3) If a disclosure of personal information is covered by subsection (2), the disclosure is authorised by this section.

(4) For the purposes of paragraph (2)(g), court includes any tribunal, authority or person having power to require the production of documents or the answering of questions.

26XD Division not limited by secrecy provisions

(1) The operation of this Division is not limited by a secrecy provision of any other Commonwealth law (whether made before or after the commencement of this Act) except to the extent that the secrecy provision expressly excludes the operation of this section.

Note: Section 3 provides for the concurrent operation of State and Territory laws.

(2) Nothing in this Division is to be taken to require an entity to collect, use or disclose personal information.

(3) In this section:

secrecy provision means a provision of a Commonwealth law (including a provision of this Act) that prohibits or regulates the use or disclosure of personal information, whether the provision relates to the use or disclosure of personal information generally or in specified circumstances.

26XE Constitutional basis of this Division

This Division relies on the Commonwealth's legislative powers under paragraph 51(xxix) (external affairs) of the Constitution as it relates to giving effect to Australia's obligations under relevant international agreements, in particular Article 17 of the International Covenant on Civil and Political Rights done at New York on 16 December 1966 ([1980] ATS 23).

Note: The Covenant is in Australian Treaty Series 1980 No. 23 ([1980] ATS 23) and could in 2024 be viewed in the Australian Treaties Library on the AustLII website (http://www.austlii.edu.au).

26XF Additional operation of this Division

(1) In addition to section 26XE, this Division also has effect as provided by this section.

Corporations

(2) This Division also has the effect it would have if a reference to a collection, use or disclosure were expressly confined to a collection, use or disclosure by a corporation to which paragraph 51(xx) of the Constitution applies.

Banking

(3) This Division also has the effect it would have if a reference to a collection, use or disclosure were expressly confined to a collection, use or disclosure that occurs in the course of, or in relation to, the carrying on of the business of banking (within the meaning of paragraph 51(xiii) of the Constitution), other than State banking not extending beyond the limits of the State concerned.

Insurance

(4) This Division also has the effect it would have if a reference to a collection, use or disclosure were expressly confined to a collection, use or disclosure that occurs in the course of, or in relation to, the carrying on of the business of insurance (within the meaning of paragraph 51(xiv) of the Constitution), other than State insurance not extending beyond the limits of the State concerned.

Trade and commerce

(5) This Division also has the effect it would have if a reference to a collection, use or disclosure were expressly confined to a collection, use or disclosure that occurs in the course of, or in relation to, trade or commerce:

(a) between Australia and places outside Australia; or

(b) among the States; or

(c) within a Territory, between a State and a Territory or between 2 Territories.

Communications

(6) This Division also has the effect it would have if a reference to a collection, use or disclosure were expressly confined to a collection, use or disclosure using a postal, telegraphic, telephonic or other like service (within the meaning of paragraph 51(v) of the Constitution).

Territories

(7) This Division also has the effect it would have if a reference to a collection, use or disclosure were expressly confined to a collection, use or disclosure taking place in a Territory.

Aliens

(8) This Division also has the effect it would have if a reference to a collection, use or disclosure were expressly confined to:

(a) a collection, use or disclosure by an alien (within the meaning of paragraph 51(xix) of the Constitution); or

(b) a collection, use or disclosure of personal information about an alien (within the meaning of paragraph 51(xix) of the Constitution).

External affairs

(9) This Division also has the effect it would have if a reference to a collection, use or disclosure were expressly confined to a collection, use or disclosure taking place outside Australia.

Executive power

(10) This Division also has the effect it would have if a reference to a collection, use or disclosure were expressly confined to a collection, use or disclosure by a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013) for the purposes of the Commonwealth entity performing its functions or duties or exercising its powers.

26XG Interaction with section 12B

To avoid doubt, section 12B does not apply in relation to this Division.

26XH Compensation for acquisition of property

(1) If the operation of this Division would result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) from a person otherwise than on just terms (within the meaning of that paragraph), the Commonwealth is liable to pay a reasonable amount of compensation to the person.

(2) If the Commonwealth and the person do not agree on the amount of the compensation, the person may institute proceedings in the Federal Court of Australia or the Supreme Court of a State or Territory for the recovery from the Commonwealth of such reasonable amount of compensation as the court determines.