Privacy and Other Legislation Amendment Act 2024 (128 of 2024)

Schedule 1   Privacy reforms

Part 14   Monitoring and investigation

Privacy Act 1988

85   Before Division 1 of Part VIB

Insert:

Division 1AA - Introduction

80TA Simplified outline of this Part

Certain provisions, information and matters are subject to monitoring under Part 2 of the Regulatory Powers Act.

Certain provisions are subject to investigation under Part 3 of the Regulatory Powers Act.

Civil penalty orders may be sought under Part 4 of the Regulatory Powers Act from a relevant court in relation to contraventions of civil penalty provisions. If a relevant court has determined, or will determine, under the Regulatory Powers Act that an entity has contravened certain civil penalty provisions of this Act, the court may make other orders in the proceeding.

Infringement notices may be given under Part 5 of the Regulatory Powers Act for alleged contraventions of certain provisions.

Undertakings to comply with the provisions of this Act may be accepted and enforced under Part 6 of the Regulatory Powers Act.

Injunctions under Part 7 of the Regulatory Powers Act may be used to restrain a person from contravening a provision of this Act or to compel compliance with a provision of this Act.

Division 1AB - Monitoring powers

80TB Monitoring powers

Provisions subject to monitoring

(1) The following provisions are subject to monitoring under Part 2 of the Regulatory Powers Act:

(a) Divisions 2 and 3 of Part VIIC of the Crimes Act 1914 (pardons, and quashed and spent convictions);

(b) Part 2 of the Data-matching Program (Assistance and Tax) Act 1990, or rules issued under section 12 of that Act.

Note: Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the provisions mentioned in this subsection have been complied with. It includes powers of entry and inspection.

Information subject to monitoring

(2) Information given in compliance, or purported compliance, with any of the following provisions is subject to monitoring under Part 2 of the Regulatory Powers Act:

(a) subsection 26WU(3) (power to obtain information and documents relating to eligible data breaches);

(b) subsection 33C(3) (requirement to provide information relating to an assessment);

(c) subsection 44(1) (requirement to provide information relating to investigations).

Note: Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the information is correct. It includes powers of entry and inspection.

Matters subject to monitoring

(3) The following matters are subject to monitoring under the Regulatory Powers Act:

(a) a matter referred to in subsection 28A(1) of this Act in relation to which the Commissioner has a monitoring related function (credit reporting and tax file number monitoring-related functions);

(b) a matter referred to in subsection 33C(1) of this Act if the Commissioner is undertaking an assessment of the matter (assessments related to Australian Privacy Principles).

Note: Part 2 of the Regulatory Powers Act creates a framework for monitoring the matters mentioned in this subsection. It includes powers of entry and inspection.

Authorised applicant

(4) For the purposes of Part 2 of the Regulatory Powers Act, each of the following persons is an authorised applicant in relation to the provisions mentioned in subsection (1), the information mentioned in subsection (2), and the matters mentioned in subsection (3):

(a) the Commissioner;

(b) a member of the staff of the Commissioner who is an SES employee, or an acting SES employee, or who holds, or is acting in, a position that is equivalent to, or higher than, a position occupied by an SES employee.

Authorised person

(5) For the purposes of Part 2 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions mentioned in subsection (1), the information mentioned in subsection (2), and the matters mentioned in subsection (3):

(a) the Commissioner;

(b) a member of the staff of the Commissioner who is authorised in writing by the Commissioner or a delegate of the Commissioner;

(c) a consultant who is:

(i) engaged under section 24 of the Australian Information Commissioner Act 2010 in relation to performance of the functions or the exercise of the powers of the Commissioner; and

(ii) authorised in writing by the Commissioner or a delegate of the Commissioner.

Issuing officer

(6) For the purposes of Part 2 of the Regulatory Powers Act, any judicial officer within the meaning of the Regulatory Powers Act is an issuing officer in relation to the provisions mentioned in subsection (1), the information mentioned in subsection (2), and the matters mentioned in subsection (3).

Relevant chief executive

(7) For the purposes of Part 2 of the Regulatory Powers Act, the Commissioner is the relevant chief executive in relation to the provisions mentioned in subsection (1), the information mentioned in subsection (2), and the matters mentioned in subsection (3).

(8) The relevant chief executive may, in writing, delegate the relevant chief executive's powers and functions under Part 2 of the Regulatory Powers Act in relation to the provisions mentioned in subsection (1), the information mentioned in subsection (2), and the matters mentioned in subsection (3), to a person who is:

(a) a member of the staff of the Commissioner; and

(b) an SES employee, or an acting SES employee, or who holds, or is acting in, a position that is equivalent to, or higher than, a position occupied by an SES employee.

(9) A person exercising powers or performing functions under a delegation under subsection (8) must comply with any directions of the relevant chief executive.

Relevant court

(10) For the purposes of Part 2 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsection (1), the information mentioned in subsection (2), and the matters mentioned in subsection (3):

(a) the Federal Court of Australia;

(b) the Federal Circuit and Family Court of Australia (Division 2).

Person assisting

(11) An authorised person may be assisted by other persons in exercising powers or performing functions or duties under Part 2 of the Regulatory Powers Act in relation to the provisions mentioned in subsection (1), the information mentioned in subsection (2), and the matters mentioned in subsection (3).

Extension to external Territories

(12) Part 2 of the Regulatory Powers Act, as that Part applies in relation tothe provisions mentioned in subsection (1), the information mentioned in subsection (2), and the matters mentioned in subsection (3), extends to every external Territory.

Relationship with other provisions

(13) Part 2 of the Regulatory Powers Act, as that Part applies in relation tothe provisions mentioned in subsection (1), the information mentioned in subsection (2), and the matters mentioned in subsection (3), is subject to section 70 of this Act.

Note: Section 70 deals with certain documents and information not required to be disclosed.

80TC Modifications of Part 2 of the Regulatory Powers Act

Use of force in executing a monitoring warrant

In executing a monitoring warrant under Part 2 of the Regulatory Powers Act, as that Part applies in relation to the provisions mentioned in subsection 80TB(1), the information mentioned in subsection 80TB(2), and the matters mentioned in subsection 80TB(3), of this Act:

(a) an authorised person may use such force against things as is necessary and reasonable in the circumstances; and

(b) a person assisting the authorised person may use such force against things as is necessary and reasonable in the circumstances.

Division 1AC - Investigation powers

80TD Investigation powers

Provisions subject to investigation

(1) A provision is subject to investigation under Part 3 of the Regulatory Powers Act if it is:

(a) an offence provision, or a civil penalty provision, in this Act; or

(b) any of the following:

(i) a civil penalty provision that is enforceable by the Commissioner under the Digital ID Act 2024;

(ii) a civil penalty provision that is enforceable by the Commissioner under the Healthcare Identifiers Act 2010 or an instrument made under that Act;

(iii) a civil penalty provision that is enforceable by the Commissioner under the My Health Records Act 2012;

(iv) a civil penalty provision that is enforceable by the Commissioner under Division 5 of Part IVD of the Competition and Consumer Act 2010; or

(c) an offence provision of the Crimes Act 1914 or the Criminal Code, to the extentthat it relates to an offence provision in this Act.

Note 1: Part 3 of the Regulatory Powers Act creates a framework for investigating whether a provision has been contravened. It includes powers of entry, search and seizure.

Note 2: Part 3 of the Regulatory Powers Act is modified by section 80TE.

Note 3: Subparagraph (1)(b)(iv) is subject to subsection 80TE(2).

Authorised applicant

(2) For the purposes of Part 3 of the Regulatory Powers Act, each of the following persons is an authorised applicant in relation to evidential material that relates to a provision mentioned in subsection (1):

(a) the Commissioner;

(b) a member of the staff of the Commissioner who is an SES employee, or an acting SES employee, or who holds, or is acting in, a position that is equivalent to, or higher than, a position occupied by an SES employee.

Authorised person

(3) For the purposes of Part 3 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to evidential material that relates to a provision mentioned in subsection (1):

(a) the Commissioner;

(b) a member of the staff of the Commissioner who is authorised in writing by the Commissioner or a delegate of the Commissioner;

(c) a consultant who is:

(i) engaged under section 24 of the Australian Information Commissioner Act 2010 in relation to performance of the functions or the exercise of the powers of the Commissioner; and

(ii) authorised in writing by the Commissioner or a delegate of the Commissioner.

Issuing officer

(4) For the purposes of Part 3 of the Regulatory Powers Act, any judicial officer within the meaning of the Regulatory Powers Act is an issuing officer in relation to evidential material that relates to a provision mentioned in subsection (1).

Relevant chief executive

(5) For the purposes of Part 3 of the Regulatory Powers Act, the Commissioner is the relevant chief executive in relation to evidential material that relates to a provision mentioned in subsection (1).

(6) The relevant chief executive may, in writing, delegate the relevant chief executive's powers and functions under Part 3 of the Regulatory Powers Act in relation to evidential material that relates to a provision mentioned in subsection (1) to a person who is:

(a) a member of the staff of the Commissioner; and

(b) an SES employee, or an acting SES employee, or who holds, or is acting in, a position that is equivalent to, or higher than, a position occupied by an SES employee.

(7) A person exercising powers or performing functions under a delegation under subsection (6) must comply with any directions of the relevant chief executive.

Relevant court

(8) For the purposes of Part 3 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsection (1):

(a) the Federal Court of Australia;

(b) the Federal Circuit and Family Court of Australia (Division 2).

Person assisting

(9) An authorised person may be assisted by other persons in exercising powers or performing functions or duties under Part 3 of the Regulatory Powers Act in relation to evidential material that relates to a provision mentioned in subsection (1).

Extension to external Territories

(10) Part 3 of the Regulatory Powers Act, as that Part applies in relation tothe provisions mentioned in subsection (1), extends to every external Territory.

Relationship with other provisions

(11) Part 3 of the Regulatory Powers Act, as that Part applies in relation tothe provisions mentioned in subsection (1), is subject to section 70 of this Act.

Note: Section 70 deals with certain documents and information not required to be disclosed.

80TE Modifications of Part 3 of the Regulatory Powers Act

Use of force in executing an investigation warrant

(1) In executing an investigation warrant under Part 3 of the Regulatory Powers Act, as that Part applies in relation to evidential material that relates to a provision mentioned in subsection 80TD(1) of this Act:

(a) an authorised person may use such force against things as is necessary and reasonable in the circumstances; and

(b) a person assisting the authorised person may use such force against things as is necessary and reasonable in the circumstances.

Limitation on use of investigation powers in relation to matters under the Competition and Consumer Act

(2) If a civil penalty provision that is enforceable by the Commissioner under Division 5 of Part IVD of the Competition and Consumer Act 2010 is subject to investigation under Part 3 of the Regulatory Powers Act, the powers under that Part may be exercised in relation to premises only if the premises are occupied by or on behalf of:

(a) a CDR participant for CDR data; or

(b) an accredited person who may become an accredited data recipient of CDR data; or

(c) a designated gateway for CDR data; or

(d) an action service provider for a type of CDR action who has been, or may be, disclosed CDR data under the consumer data rules;

(all within the meaning of the Competition and Consumer Act 2010).