Privacy Act 1988
This Act may be cited as the Privacy Act 1988. SECTION 2 2 COMMENCEMENT
This Act commences on a day to be fixed by Proclamation.
[ CCH Note: This Act was proclaimed to commence on 1 January 1989.]
The objects of this Act are: (a) to promote the protection of the privacy of individuals with respect to their personal information; and (aa) to recognise the public interest in protecting privacy; and (b) to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities; and (c) to provide the basis for nationally consistent regulation of privacy and the handling of personal information; and (d) to promote responsible and transparent handling of personal information by entities; and (e) to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected; and (f) to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected; and (g) to provide a means for individuals to complain about an alleged interference with their privacy; and (h) to implement Australia's international obligations in relation to privacy.
[ CCH Note: S 2A will be amended by No 128 of 2024, s 3 and Sch 2 item 1, by inserting "(1)" before "The objects", effective 10 June 2025.]
Hide history note[ CCH Note: S 2A(2) will be inserted by No 128 of 2024, s 3 and Sch 2 item 2, effective 10 June 2025. S 2A(2) will read:
]
2A(2)
This section does not apply to Schedule 2.Note:
See also clause 1 of Schedule 2 (objects).
It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction or disclosure of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.
Note:
Such a law can have effect for the purposes of the provisions of the Australian Privacy Principles that regulate the handling of personal information by organisations by reference to the effect of other laws.
[ CCH Note: S 3 will be amended by No 128 of 2024, s 3 and Sch 2 item 3, by inserting "(1)" before "It is", effective 10 June 2025.]
[ CCH Note: S 3(2) will be inserted by No 128 of 2024, s 3 and Sch 2 item 4, effective 10 June 2025. S 3(2) will read:
]
3(2)
This section does not apply to Schedule 2.Note:
See also clause 21 of Schedule 2 (saving of other laws).
Chapter 2 of the Criminal Code (except Part 2.5) applies to all offences against this Act.
Note:
Chapter 2 of the Criminal Code sets out the general principles of criminal responsibility.
This Act binds the Crown in right of the Commonwealth, of each of the States, of the Australian Capital territory and of the Northern Territory.
4(2)
Nothing in this Act renders the Crown in right of the Commonwealth, of a State, of the Australian Capital Territory or of the Northern Territory liable to be prosecuted for an offence.
4(3)
Nothing in this Act shall be taken to have the effect of making the Crown in right of a State, of the Australian Capital Territory or of the Northern Territory an agency for the purposes of this Act.
5 (Repealed) SECTION 5 INTERPRETATION OF INFORMATION PRIVACY PRINCIPLES
(Repealed by No 197 of 2012) SECTION 5A 5A EXTENSION TO EXTERNAL TERRITORIES
This Act extends to all external Territories.
[ CCH Note: S 5A will be amended by No 128 of 2024, s 3 and Sch 2 item 5, by inserting "(1)" before "This Act", effective 10 June 2025.]
[ CCH Note: S 5A(2) will be inserted by No 128 of 2024, s 3 and Sch 2 item 6, effective 10 June 2025. S 5A(2) will read:
]
5A(2)
This section does not apply to Schedule 2.
Agencies
5B(1)
This Act, a registered APP code and the registered CR code extend to an act done, or practice engaged in, outside Australia and the external Territories by an agency.
Note:
The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).
Organisations and small business operators
5B(1A)
This Act, a registered APP code and the registered CR code extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation, or small business operator, that has an Australian link.
Note:
The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).
Australian link
5B(2)
An organisation or small business operator has an Australian link if the organisation or operator is: (a) an Australian citizen; or (b) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or (c) a partnership formed in Australia or an external Territory; or (d) a trust created in Australia or an external Territory; or (e) a body corporate incorporated in Australia or an external Territory; or (f) an unincorporated association that has its central management and control in Australia or an external Territory.
5B(3)
An organisation or small business operator also has an Australian link if all of the following apply: (a) the organisation or operator is not described in subsection (2); (b) the organisation or operator carries on business in Australia or an external Territory.
Power to deal with complaints about overseas acts and practices
5B(4)
Part V of this Act has extra-territorial operation so far as that Part relates to complaints and investigation concerning acts and practices to which this Act extends because of subsection (1) or (1A).
Note:
This lets the Commissioner take action overseas to investigate complaints and lets the ancillary provisions of Part V operate in that context.
[ CCH Note: S 5B(5) will be inserted by No 128 of 2024, s 3 and Sch 2 item 7, effective 10 June 2025. S 5B(5) will read:
]
Application
5B(5)
This section does not apply to Schedule 2.
In this Act, unless the contrary intention appears:
ACC
means the Australian Crime Commission.
access seeker
has the meaning given by subsection 6L(1).
ACT enactment
has the same meaning as
enactment
has in the Australian Capital Territory (Self-Government) Act 1988;
advice related functions
has the meaning given by subsection 28B(1).
affected information recipient
means:
(a) a mortgage insurer; or
(b) a trade insurer; or
(c) a body corporate referred to in paragraph 21G(3)(b); or
(d) a person referred to in paragraph 21G(3)(c); or
(e) an entity or adviser referred to in paragraph 21N(2)(a).
(a) a Minister; or
(b) a Department; or
(c) a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth law, not being:
(i) an incorporated company, society or association; or
(ii) an organisation that is registered under the Fair Work (Registered Organisations) Act 2009 or a branch of such an organisation; or
(ca) a body (whether incorporated or not), or a tribunal, established for a public purpose by or under a law (other than a law providing for the incorporation of companies, societies or associations) of a State or Territory as in force in an external Territory, other than a body exempted by the Minister under subsection (5A); or
(d) a body established or appointed by the Governor-General, or by a Minister, otherwise than by or under a Commonwealth law; or
(e) a person holding or performing the duties of an office established by or under, or an appointment made under, a Commonwealth law, other than a person who, by virtue of holding that office, is the Secretary of a Department; or
(ea) a person holding or performing the duties of an office established by or under, or an appointment made under, a law of a State or Territory as in force in an external Territory, other than an office or appointment exempted by the Minister under subsection (5A); or
(f) a person holding or performing the duties of an appointment, being an appointment made by the Governor-General, or by a Minister, otherwise than under a Commonwealth law; or
(g) a federal court; or
(h) the Australian Federal Police; or
(ha) a court of Norfolk Island; or
(i) (Repealed by No 197 of 2012)
(j) (Repealed by No 92 of 2017)
(k) an eligible hearing service provider; or
(l) the service operator under the Healthcare Identifiers Act 2010.
alternative complaint body
has the meaning given by subsection 50(1).
amount of credit
has the meaning given by subsection 6M(2).
annual turnover
of a business has the meaning given by section 6DA.
APP code
has the meaning given by section 26C.
(a) an APP entity; or
(b) a group of APP entities; or
(c) a body or association representing one or more APP entities.
APP complaint
means a complaint about an act or practice that, if established, would be an interference with the privacy of an individual because it breached an Australian Privacy Principle.
APP entity
means an agency or organisation.
APP privacy policy
has the meaning given by Australian Privacy Principle 1.3.
approved privacy code
(Repealed by No 197 of 2012)
at risk
from an eligible data breach has the meaning given by section 26WE.
(a) an Act of the Commonwealth or of a State or Territory; or
(b) regulations, or any other instrument, made under such an Act; or
(c) any other law in force in the Jervis Bay Territory or an external Territory; or
(d) a rule of common law or equity.
Australian link
has the meaning given by subsections 5B(2) and (3).
Australian Privacy Principle
has the meaning given by section 14.
authorised agent
of a reporting entity means a person authorised to act on behalf of the reporting entity as mentioned in section 37 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
(a) the Reserve Bank of Australia; or
(b) a body corporate that is an ADI (authorised deposit-taking institution) for the purposes of the Banking Act 1959; or
(c) a person who carries on State banking within the meaning of paragraph 51(xiii) of the Constitution;
Bankruptcy Act
means the Bankruptcy Act 1966.
ban period
has the meaning given by subsection 20K(3).
Board of the ACC
means the Board of the Australian Crime Commission established under section 7B of the Australian Crime Commission Act 2002.
(a) in relation to an Australian Privacy Principle, has the meaning given by section 6A; and
(b) in relation to a registered APP code, has the meaning given by section 6B; and
(c) in relation to the registered CR code, has the meaning given by section 6BA.
breach an approved privacy code
(Repealed by No 197 of 2012)
breach an Information Privacy Principle
(Repealed by No 197 of 2012)
breach a National Privacy Principle
(Repealed by No 197 of 2012)
building society
(Repealed by Act No 44 of 1999)
Cabinet
(Repealed by No 59 of 2015)
child
means an individual who has not reached 18 years.
Children's Online Privacy Code
: see section 26GC.
civil penalty order
(Repealed by No 124 of 2017, s 3 and Sch 13 item 1.)
civil penalty provision
has the same meaning as in the Regulatory Powers Act.
class member
, in relation to a representative complaint, means any of the persons on whose behalf the complaint was lodged, but does not include a person who has withdrawn under section 38B;
[ Commissioner's Note: Section 16(3) of Law and Justice Legislation Amendment Act 1993 Act No 13 of 1994 provides that amendments made by Act No 13 of 1994 relating to representative complaints do not apply to complaints lodged before the commencement of the amendment.]
code complaint
means a complaint about an act or practice that, if established, would be an interference with the privacy of an individual because it breached a registered APP code.
Code of Conduct
(Repealed by No 197 of 2012)
Codes Register
has the meaning given by subsection 26U(1).
collects
: an entity
collects
personal information only if the entity collects the personal information for inclusion in a record or generally available publication.
commercial credit
means credit (other than consumer credit) that is applied for by, or provided to, a person.
commercial credit related purpose
of a credit provider in relation to a person means the purpose of:
(a) assessing an application for commercial credit made by the person to the provider; or
(b) collecting payments that are overdue in relation to commercial credit provided by the provider to the person.
Commissioner
means the Information Commissioner within the meaning of the Australian Information Commissioner Act 2010.
Commissioner of Police
means the Commissioner of Police appointed under the Australian Federal Police Act 1979;
(a) the Commission of inquiry within the meaning of the Quarantine Act 1908 (as in force immediately before its repeal); or
(b) a Commission of inquiry within the meaning of the Offshore Petroleum and Greenhouse Gas Storage Act 2006.
committee of management
of an unincorporated association means a body (however described) that governs, manages or conducts the affairs of the association.
Commonwealth contract
means a contract, to which the Commonwealth or an agency is or was a party, under which services are to be, or were to be, provided to an agency.
Note: See also subsection (9) about provision of services to an agency.
Commonwealth enactment
(Repealed by No 154 of 2020, s 3 and Sch 3 item 55, effective 17 June 2021. For application provisions, see note under s 6(5).)
Commonwealth law
means the following:
(a) an Act other than:
(i) the Northern Territory (Self-Government) Act 1978; or
(ii) an Act providing for the administration or government of an external Territory; or
(iii) the Australian Capital Territory (Self-Government) Act 1988;
(b) an Ordinance of the Australian Capital Territory or of an external Territory;
(c) a law continued in force by section 16 or 16A of the Norfolk Island Act 1979;
(d) an instrument (including rules, regulations or by-laws) made under:
(i) an Act to which paragraph (a) applies; or
(ii) an Ordinance to which paragraph (b) applies; or
(iii) a law to which paragraph (c) applies;
(e) any other legislation that applies as a law of the Commonwealth, other than legislation in so far as it is applied:
(i) by an Act referred to in subparagraph (a)(i) or (ii); or
(ii) as a law of the Australian Capital Territory, to the extent that it operates as such a law.
Commonwealth officer
means a person who holds office under, or is employed by, the Commonwealth, and includes:
(a) a person appointed or engaged under the Public Service Act 1999;
(b) a person (other than a person referred to in paragraph (a)) permanently or temporarily employed by, or in the service of, an agency;
(c) a member of the Defence Force; and
(d) a member, staff member or special member of the Australian Federal Police;
but does not include a person permanently or temporarily employed in the Australian Capital Territory Government Service or in the Public Service of the Northern Territory;
Commonwealth record
has the same meaning as in the Archives Act 1983.
communication device
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(a), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
consent
means express consent or implied consent;
(a) for which an application has been made by an individual to a credit provider, or that has been provided to an individual by a credit provider, in the course of the provider carrying on a business or undertaking as a credit provider; and
(b) that is intended to be used wholly or primarily:
(i) for personal, family or household purposes; or
(ii) to acquire, maintain, renovate or improve residential property for investment purposes; or
(iii) to refinance consumer credit that has been provided wholly or primarily to acquire, maintain, renovate or improve residential property for investment purposes.
consumer credit liability information
: if a credit provider provides consumer credit to an individual, the following information about the consumer credit is
consumer credit liability information
about the individual:
(a) the name of the provider;
(b) whether the provider is a licensee;
(c) the type of consumer credit;
(d) the day on which the consumer credit is entered into;
(e) the terms or conditions of the consumer credit:
(i) that relate to the repayment of the amount of credit; and
(ii) that are prescribed by the regulations;
(f) the maximum amount of credit available under the consumer credit;
(g) the day on which the consumer credit is terminated or otherwise ceases to be in force.
consumer credit related purpose
of a credit provider in relation to an individual means the purpose of:
(a) assessing an application for consumer credit made by the individual to the provider; or
(b) collecting payments that are overdue in relation to consumer credit provided by the provider to the individual.
consumer data rules
has the same meaning as in the Competition and Consumer Act 2010.
contact tracing
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(b), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
contracted service provider
, for a government contract, means:
(a) an organisation that is or was a party to the government contract and that is or was responsible for the provision of services to an agency or a State or Territory authority under the government contract; or
(b) a subcontractor for the government contract.
corporation
means a body corporate that:
(a) is a foreign corporation;
(b) is a trading corporation formed within the limits of Australia or is a financial corporation so formed; or
(c) is incorporated in a Territory, other than the Northern Territory;
court proceedings information
about an individual means information about a judgement of an Australian court:
(a) that is made, or given, against the individual in proceedings (other than criminal proceedings); and
(b) that relates to any credit that has been provided to, or applied for by, the individual.
court/tribunal order
means an order, direction or other instrument made by:
(a) a court; or
(b) a tribunal; or
(c) a judge (including a judge acting in a personal capacity) or a person acting as a judge; or
(d) a magistrate (including a magistrate acting in a personal capacity) or a person acting as a magistrate; or
(e) a member or an officer of a tribunal;
and includes an order, direction or other instrument that is of an interim or interlocutory nature.
COVID app data
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(c), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
COVIDSafe
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(d), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
COVIDSafe user
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(e), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
CP derived information
about an individual means any personal information (other than sensitive information) about the individual:
(a) that is derived from credit reporting information about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; and
(b) that has any bearing on the individual's credit worthiness; and
(c) that is used, has been used or could be used in establishing the individual's eligibility for consumer credit.
CRB derived information
about an individual means any personal information (other than sensitive information) about the individual:
(a) that is derived by a credit reporting body from credit information about the individual that is held by the body; and
(b) that has any bearing on the individual's credit worthiness; and
(c) that is used, has been used or could be used in establishing the individual's eligibility for consumer credit.
CR code
has the meaning given by section 26N.
(a) an entity that is subject to Part IIIA; or
(b) a group of entities that are subject to Part IIIA; or
(c) a body or association representing one or more entities that are subject to Part IIIA.
credit
has the meaning given by subsections 6M(1) and (3).
credit card
means any article of a kind commonly known as a credit card, charge card or any similar article intended for use in obtaining cash, goods or services by means of credit, and includes any article of a kind commonly issued by persons carrying on business to customers or prospective customers of those persons for use in obtaining goods or services from those persons by means of credit;
credit eligibility information
about an individual means:
(a) credit reporting information about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; or
(b) CP derived information about the individual.
credit enhancement
, in relation to credit, means:
(a) the process of insuring risk associated with purchasing or funding the credit by means of a securitisation arrangement; or
(b) any other similar process related to purchasing or funding the credit by those means;
credit guarantee purpose
of a credit provider in relation to an individual means the purpose of assessing whether to accept the individual as a guarantor in relation to:
(a) credit provided by the provider to a person other than the individual; or
(b) credit for which an application has been made to the provider by a person other than the individual.
credit information
has the meaning given by section 6N.
credit information file
(Repealed by No 197 of 2012)
credit provider
has the meaning given by sections 6G to 6K, and, for the purposes of sections 7 and 8 and Parts III, IIIB, IV and V, is taken to include a mortgage insurer and a trade insurer;
credit report
(Repealed by No 197 of 2012)
credit reporting agency
(Repealed by No 197 of 2012)
(a) an organisation; or
(b) an agency prescribed by the regulations;
that carries on a credit reporting business.
credit reporting business
has the meaning given by section 6P.
credit reporting complaint
means a complaint about an act or practice that, if established, would be an interference with the privacy of an individual because:
(a) it breached the registered CR code; or
(b) it breached a provision of Part IIIA;
credit reporting information
about an individual means credit information, or CRB derived information, about the individual.
credit reporting infringement
(Repealed by No 197 of 2012)
credit union
(Repealed by Act No 44 of 1999)
credit worthiness
of an individual means the individual's:
(a) eligibility to be provided with consumer credit; or
(b) history in relation to consumer credit; or
(c) capacity to repay an amount of credit that relates to consumer credit.
current credit provider
(Repealed by No 197 of 2012)
data store administrator
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(f), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
de facto partner
of an individual has the meaning given by the Acts Interpretation Act 1901.
default information
has the meaning given by section 6Q.
Defence Department
means the Department of State that deals with defence and that is administered by the Minister administering section 1 of the Defence Act 1903.
Defence Force
includes the Australian Defence Force Cadets.
de-identified
: personal information is
de-identified
if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.
Department
means an Agency within the meaning of the Public Service Act 1999.
eligible case manager
(Repealed by No 197 of 2012)
eligible communications service
(Repealed by No 197 of 2012)
eligible data breach
has the meaning given by Division 2 of Part IIIC.
eligibledata breach declaration
means a declaration under subsection 26X(1).
eligible hearing service provider
means an entity (within the meaning of the Hearing Services Administration Act 1997);
(a) that is, or has at any time been, engaged under Part 3 of the Hearing Services Administration Act 1997 to provide hearing services; and
(b) that is not covered by paragraph (a), (b), (c), (d), (e), (f), (g) or (h) of the definition of agency .
employee record
, in relation to an employee, means a record of personal information relating to the employment of the employee. Examples of personal information relating to the employment of the employee are health information about the employee and personal information about all or any of the following:
(a) the engagement, training, disciplining or resignation of the employee;
(b) the termination of the employment of the employee;
(c) the terms and conditions of employment of the employee;
(d) the employee's personal and emergency contact details;
(e) the employee's performance or conduct;
(f) the employee's hours of employment;
(g) the employee's salary or wages;
(h) the employee's membership of a professional or trade association;
(i) the employee's trade union membership;
(j) the employee's recreation, long service, sick, personal, maternity, paternity or other leave;
(k) the employee's taxation, banking or superannuation affairs.
enactment
(Repealed by No 154 of 2020, s 3 and Sch 3 item 57(a), effective 17 June 2021. For application provisions, see note under s 6(5).)
(a) the Australian Federal Police; or
(aa) the National Anti-Corruption Commissioner; or
(ab) the Inspector of the National Anti-Corruption Commission; or
(b) the ACC; or
(ba) (Repealed by No 45 of 2016)
(c) Sport Integrity Australia; or
(ca) the Immigration Department; or
(d) the Australian Prudential Regulation Authority; or
(e) the Australian Securities and Investments Commission; or
(ea) the Office of the Director of Public Prosecutions, or a similar body established under a law of a State or Territory; or
(f) another agency, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or
(g) another agency, to the extent that it is responsible for administering a law relating to the protection of the public revenue; or
(h) a police force or service of a State or a Territory; or
(i) the New South Wales Crime Commission; or
(j) the Independent Commission Against Corruption of New South Wales; or
(k) the Law Enforcement Conduct Commission of New South Wales; or
(ka) the Independent Broad-based Anti-corruption Commission of Victoria; or
(l) the Crime and Corruption Commission of Queensland; or
(la) the Corruption and Crime Commission of Western Australia; or
(lb) the Independent Commission Against Corruption of South Australia; or
(m) another prescribed authority or body that is established under a law of a State or Territory to conduct criminal investigations or inquiries; or
(n) a State or Territory authority, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or
(o) a State or Territory authority, to the extent that it is responsible for administering a law relating to the protection of the public revenue.
enforcement related activity
means:
(a) the prevention, detection, investigation, prosecution or punishment of:
(i) criminal offences; or
(ii) breaches of a law imposing a penalty or sanction; or
(b) the conduct of surveillance activities, intelligence gathering activities or monitoring activities; or
(c) the conduct of protective or custodial activities; or
(d) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(e) the protection of the public revenue; or
(f) the prevention, detection, investigation or remedying of misconduct of a serious nature, or other conduct prescribed by the regulations; or
(g) the preparation for, or conduct of, proceedings before any court or tribunal, or the implementation of court/tribunal orders.
(a) an agency; or
(b) an organisation; or
(c) a small business operator.
Federal Circuit Court
(Repealed by No 13 of 2021, s 3 and Sch 2 item 697, effective 1 September 2021.)
Federal Court
means the Federal Court of Australia;
file number complaint
means a complaint about an act or practice that, if established, would be an interference with the privacy of an individual:
(a) because it breached a rule issued under section 17; or
(b) because it involved an unauthorised requirement or request for disclosure of a tax file number;
financial corporation
means a financial corporation within the meaning of paragraph 51(xx) of the Constitution;
financial hardship arrangement
has the meaning given by subsection 6QA(1).
financial hardship information
has the meaning given by subsection 6QA(4).
foreign corporation
means a foreign corporation within the meaning of paragraph 51(xx) of the Constitution;
former COVIDSafe user
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(g), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
Freedom of Information Act
means the Freedom of Information Act 1982;
generally available publication
means a magazine, book, article, newspaper or other publication that is, or will be, generally available to members of the public:
(a) whether or not it is published in print, electronically or in any other form; and
(b) whether or not it is available on the payment of a fee.
genetic relative
of an individual (the
first individual
) means another individual who is related to the first individual by blood, including but not limited to a sibling, a parent or a descendant of the first individual.
government contract
means a Commonwealth contract or a State contract.
government related identifier
of an individual means an identifier of the individual that has been assigned by:
(a) an agency; or
(b) a State or Territory authority; or
(c) an agent of an agency, or a State or Territory authority, acting in its capacity as agent; or
(d) a contracted service provider for a Commonwealth contract, or a State contract, acting in its capacity as contracted service provider for that contract.
guarantee
includes an indemnity given against the default of a person in making a payment in relation to credit that has been applied for by, or provided to, the person.
guidance related functions
has the meaning given by subsection 28(1).
healthcare identifier
has the meaning given by the Healthcare Identifiers Act 2010.
healthcare identifier offence
means:
(a) an offence against section 26 of the Healthcare Identifiers Act 2010; or
(b) an offence against section 6 of the Crimes Act 1914 that relates to an offence mentioned in paragraph (a) of this definition.
Note:
For ancillary offences, see section 11.6 of the Criminal Code.
Health Department
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(h), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
health information
has the meaning given by section 6FA.
Health Minister
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(i), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
health service
has the meaning given by section 6FB.
hearing services
has the same meaning as in the Hearing Services Administration Act 1997.
holds
: an entity
holds
personal information if the entity has possession or control of a record that contains the personal information.
Note:
See section 10 for when an agency is taken to hold a record.
identification information
about an individual means:
(a) the individual's full name; or
(b) an alias or previous name of the individual; or
(c) the individual's date of birth; or
(d) the individual's sex; or
(e) the individual's current or last known address, and 2 previous addresses (if any); or
(f) the name of the individual's current or last known employer; or
(g) if the individual holds a driver's licence - the individual's driver's licence number.
identifier
of an individual means a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual, but does not include:
(a) the individual's name; or
(b) the individual's ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999); or
(c) anything else prescribed by the regulations.
Immigration Department
means the Department administered by the Minister administering the Migration Act 1958.
in contact
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(j), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
individual
means a natural person;
individual concerned
(Repealed by No 197 of 2012)
Information Privacy Principle
(Repealed by No 197 of 2012)
information request
has the meaning given by section 6R.
Integrity Commissioner
(Repealed by No 89 of 2022, s 3 and Sch 1 item 153, effective 1 July 2023.)
(a) the Australian Security Intelligence Organisation;
(b) the Australian Secret Intelligence Service; or
(ba) the Australian Signals Directorate; or
(c) the Office of National Intelligence.
interested party
has the meaning given by subsections 20T(3) and 21V(3).
interference with the privacy of an individual
has the meaning given by sections 13 to 13F.
IPP complaint
(Repealed by No 197 of 2012)
licensee
has the meaning given by the National Consumer Credit Protection Act 2009.
loan
(Repealed by No 197 of 2012)
managing credit
does not include the act of collecting overdue payments in relation to credit.
media organisation
means an organisation whose activities consist of or include the collection, preparation for dissemination or dissemination of the following material for the purpose of making it available to the public:
(a) material having the character of news, current affairs, information or a documentary;
(b) material consisting of commentary or opinion on, or analysis of, news, current affairs, information or a documentary.
medical research
includes epidemiological research;
member of the staff of the Commissioner
means a person referred to in section 23 of the Australian Information Commissioner Act 2010.
misconduct
includes fraud, negligence, default, breach of trust, breach of duty, breach of discipline or any other misconduct in the course of duty.
monitoring related functions
has the meaning given by subsections 28A(1) and (2).
mortgage credit
means consumer credit:
(a) that is provided in connection with the acquisition, maintenance, renovation or improvement of real property; and
(b) in relation to which the real property is security.
mortgage insurance purpose
of a mortgage insurer in relation to an individual is the purpose of assessing:
(a) whether to provide insurance to, or the risk of providing insurance to, a credit provider in relation to mortgage credit:
(i) provided by the provider to the individual; or
(ii) for which an application to the provider has been made by the individual; or
(b) the risk of the individual defaulting on mortgage credit in relation to which the insurer has provided insurance to a credit provider; or
(c) the risk of the individual being unable to meet a liability that might arise under a guarantee provided, or proposed to be provided, in relation to mortgage credit provided by a credit provider to another person.
mortgage insurer
means an organisation, or small business operator, that carries on a business or undertaking that involves providing insurance to credit providers in relation to mortgage credit provided by providers to other persons.
National COVIDSafe Data Store
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(k), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
National Credit Code
has the same meaning as in the National Consumer Credit Protection Act 2009.
national emergency declaration
has the same meaning as in the National Emergency Declaration Act 2020.
National Personal Insolvency Index
has the meaning given by the Bankruptcy Act.
National Privacy Principle
(Repealed by No 197 of 2012)
new arrangement information
has the meaning given by section 6S.
nominated AGHS company
(Repealed by No 92 of 2017, s 3 and Sch 3 item 7.)
non-participating credit provider
means a credit provider to which all of the following apply:
(a) the credit provider has not disclosed credit reporting information or credit eligibility information about an individual to a credit reporting body or another credit provider;
(b) the credit provider is not likely to disclose credit reporting information or credit eligibility information about an individual to a credit reporting body or another credit provider;
(c) the credit provider has not collected credit reporting information or credit eligibility information about an individual from a credit reporting body or another credit provider.
non-profit organisation
means an organisation:
(a) that is a non-profit organisation; and
(b) that engages in activities for cultural, recreational, political, religious, philosophical, professional, trade or trade union purposes.
Norfolk Island agency
(Repealed by No 154 of 2020, s 3 and Sch 3 item 57(b), effective 17 June 2021. For application provisions, see note under s 6(5).)
Norfolk Island enactment
(Repealed by No 154 of 2020, s 3 and Sch 3 item 57(c), effective 17 June 2021. For application provisions, see note under s 6(5).)
Norfolk Island Justice Minister
(Repealed by No 59 of 2015)
Norfolk Island Minister
(Repealed by No 59 of 2015)
NPP complaint
(Repealed by No 197 of 2012)
offence against this Act
includes an offence against section 6 of the Crimes Act 1914, or section 11.1, 11.2, 11.2A, 11.4 or 11.5 of the Criminal Code, that relates to an offence against this Act.
Ombudsman
means the Commonwealth Ombudsman;
organisation
has the meaning given by section 6C.
overseas recipient
, in relation to personal information, has the meaning given by Australian Privacy Principle 8.1.
payment information
has the meaning given by section 6T.
penalty unit
has the meaning given by section 4AA of the Crimes Act 1914.
pending correction request
in relation to credit information or CRB derived information means:
(a) a request made under subsection 20T(1) in relation to the information if a notice has not been given under subsection 20U(2) or (3) in relation to the request; or
(b) a request made under subsection 21V(1) in relation to the information if:
(i) the credit reporting body referred to in subsection 20V(3) has been consulted about the request under subsection 21V(3); and
(ii) a notice has not been given under subsection 21W(2) or (3) in relation to the request.
pending dispute
in relation to credit information or CRB derived information means:
(a) a complaint made under section 23A that relates to the information if a decision about the complaint has not been made under subsection 23B(4); or
(b) a matter that relates to the information and that is still being dealt with by a recognised external dispute resolution scheme; or
(c) a complaint made to the Commissioner under Part V that relates to the information and that is still being dealt with.
permitted CP disclosure
has the meaning given by sections 21J to 21N.
permitted CP use
has the meaning given by section 21H.
permitted CRB disclosure
has the meaning given by section 20F.
permitted general situation
has the meaning given by section 16A.
permitted health situation
has the meaning given by section 16B.
personal information
means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Note:
Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.
personal insolvency information
has the meaning given by section 6U.
pre-screening assessment
means an assessment made under paragraph 20G(2)(d).
principal executive
, of an agency, has a meaning affected by section 37.
privacy code
(Repealed by No 197 of 2012)
purchase
, in relation to credit, includes the purchase of rights to receive payments relating to the credit.
recognised external dispute resolution scheme
means an external dispute resolution scheme recognised under section 35A.
(a) a document; or
(b) an electronic or other device;
(c) (Repealed by No 197 of 2012)
but does not include:
(d) a generally available publication; or
(e) anything kept in a library, art gallery or museum for the purposes of reference, study or exhibition; or
(f) Commonwealth records as defined by subsection 3(1) of the Archives Act 1983 that are in the open access period for the purposes of that Act; or
(fa) records (as defined in the Archives Act 1983) in the care (as defined in that Act) of the National Archives of Australia in relation to which the Archives has entered into arrangements with a person other than a Commonwealth institution (as defined in that Act) providing for the extent to which the Archives or other persons are to have access to the records; or
(g) documents placed by or on behalf of a person (other than an agency) in the memorial collection within the meaning of the Australian War Memorial Act 1980; or
(h) letters or other articles in the course of transmission by post;
Note:
For document , see section 2B of the Acts Interpretation Act 1901.
registered APP code
has the meaning given by section 26B.
registered CR code
has the meaning given by section 26M.
registered political party
means a political party registered under Part XI of the Commonwealth Electoral Act 1918.
registration data
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(l), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
regulated information
of an affected information recipient means:
(a) if the recipient is a mortgage insurer or trade insurer - personal information disclosed to the recipient under Division 2 or 3 of Part IIIA; or
(b) if the recipient is a body corporate referred to in paragraph 21G(3)(b) - credit eligibility information disclosed to the recipient under that paragraph; or
(c) if the recipient is a person referred to in paragraph 21G(3)(c) - credit eligibility information disclosed to the recipient under that paragraph; or
(d) if the recipient is an entity or adviser referred to in paragraph 21N(2)(a) - credit eligibility information disclosed to the recipient under subsection 21N(2).
Regulatory Powers Act
means the Regulatory Powers (Standard Provisions) Act 2014.
related body corporate
: see subsection (8).
repayment history information
has the meaning given by subsection 6V(1).
reporting entity
has the same meaning as in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
representative complaint
means a complaint where the persons on whose behalf the complaint was made include persons other than the complainant, but does not include a complaint that the Commissioner has determined should no longer be continued as a representative complaint;
[ Commissioner's Note: Section 16(3) of Law and Justice Legislation Amendment Act 1993 Act No 13 of 1994 provides that amendments made by Act No 13 of 1994 relating to representative complaints do not apply to complaints lodged before the commencement of the amendment.]
residential property
has the meaning given by section 204 of the National Credit Code.
respondent
for a complaint made under section 23A means the credit reporting body or credit provider to which the complaint is made.
responsible person
has the meaning given by section 6AA.
retention period
has the meaning given by sections 20W and 20X.
Secretary
means an Agency Head within the meaning of the Public Service Act 1999.
securitisation arrangement
means an arrangement:
(a) involving the funding, or proposed funding, of:
(i) credit that has been, or is to be, provided by a credit provider; or
by issuing instruments or entitlements to investors; and
(ii) the purchase of credit by a credit provider;
(b) under which payments to investors in respect of such instruments or entitlements are principally derived, directly or indirectly, from such credit;
securitisation related purpose
of a credit provider in relation to an individual is the purpose of:
(a) assessing the risk in purchasing, by means of a securitisation arrangement, credit that has been provided to, or applied for by:
(i) the individual; or
(ii) a person for whom the individual is, or is proposing to be, a guarantor; or
(b) assessing the risk in undertaking credit enhancement in relation to credit:
(i) that is, or is proposed to be, purchased or funded by means of a securitisation arrangement; and
(ii) that has been provided to, or applied for by, the individual or a person for whom the individual is, or is proposing to be, a guarantor.
(a) information or an opinion about an individual's:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual orientation or practices; or
that is also personal information; or
(ix) criminal record;
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information; or
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.
serious credit infringement
means:
(a) an act done by an individual that involves fraudulently obtaining consumer credit, or attempting fraudulently to obtain consumer credit; or
(b) an act done by an individual that involves fraudulently evading the individual's obligations in relation to consumer credit, or attempting fraudulently to evade those obligations; or
(c) an act done by an individual if:
(i) a reasonable person would consider that the act indicates an intention, on the part of the individual, to no longer comply with the individual's obligations in relation to consumer credit provided by a credit provider; and
(ii) the provider has, after taking such steps as are reasonable in the circumstances, been unable to contact the individual about the act; and
(iii) at least 6 months have passed since the provider last had contact with the individual.
small business
has the meaning given by section 6D.
small business operator
has the meaning given by section 6D.
solicit
(Repealed by No 197 of 2012)
solicits
: an entity
solicits
personal information if the entity requests another entity to provide the personal information, or to provide a kind of information in which that personal information is included.
staff of the Ombudsman
means the persons appointed or employed for the purposes of section 31 of the Ombudsman Act 1976;
State
includes the Australian Capital Territory and the Northern Territory;
State contract
means a contract, to which a State or Territory or State or Territory authority is or was a party, under which services are to be, or were to be, provided to a State or Territory authority.
Note: See also subsection (9) about provision of services to a State or Territory authority.
State or Territory authority
has the meaning given by section 6C.
State or Territory health authority
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(m), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
State or Territory privacy authority
(Repealed by No 44 of 2020, s 3 and Sch 2 item 2(n), effective 14 November 2022. For transitional provision, see note under Part VIIIA.)
subcontractor
, for a government contract, means an organisation:
(a) that is or was a party to a contract (the subcontract ):
(i) with a contracted service provider for the government contract (within the meaning of paragraph (a) of the definition of contracted service provider ); or
(ii) with a subcontractor for the government contract (under a previous application of this definition); and
(b) that is or was responsible under the subcontract for the provision of services to an agency or a State or Territory authority, or to a contracted service provider for the government contract, for the purposes (whether direct or indirect) of the government contract.
tax file number
means a tax file number as defined in Part VA of the Income Tax Assessment Act 1936;
tax file number information
means information, whether compiled lawfully or unlawfully, and whether recorded in a material form or not, that records the tax file number of a person in a manner connecting it with the person's identity;
temporary APP code
: see section 26GB.
temporary public interest determination
means a determination made under section 80A.
trade insurance purpose
of a trade insurer in relation to an individual is the purpose of assessing:
(a) whether to provide insurance to, or the risk of providing insurance to, a credit provider in relation to commercial credit provided by the provider to the individual or another person; or
(b) the risk of a person defaulting on commercial credit in relation to which the insurer has provided insurance to a credit provider.
trade insurer
means an organisation, or small business operator, that carries on a business or undertaking that involves providing insurance to credit providers in relation to commercial credit provided by providers to other persons.
trading corporation
means a trading corporation within the meaning of paragraph 51(xx) of the Constitution;
use
(Repealed by No 197 of 2012)
6(1A)
In order to avoid doubt, it is declared that an ACT enactment is not a Commonwealth law for the purposes of this Act.
6(2)
(Repealed by No 197 of 2012)
6(3)
For the purposes of this Act, an act or practice breaches a rule issued under section 17 if, and only if, it is contrary to, or inconsistent with, the rule.
6(3A)
(Repealed byNo 197 of 2012)
6(4)
The definition of individual in subsection (1) shall not be taken to imply that references to persons do not include persons other than natural persons.
6(5)
For the purposes of this Act, a person shall not be taken to be an agency merely because the person is the holder of, or performs the duties of: (a) a prescribed office; or (b) an office prescribed by regulations made for the purposes of subparagraph 4(3)(b)(i) of the Freedom of Information Act 1982; or (c) an office established by or under a Commonwealth law, or a law of a State or Territory that applies in an external Territory, for the purposes of an agency;
(ca) (Repealed by No 154 of 2020) (d) a judicial office or of an office of magistrate; or (e) an office of a member of a tribunal:
(i) that is established by or under a Commonwealth law, or a law of a State or Territory that applies in an external Territory; and
(ii) that is prescribed by the regulations for the purposes of this subparagraph.
(f) (Repealed by No 154 of 2020)
6(5A)
The Minister may, by legislative instrument, exempt a body, office or appointment for the purposes of paragraph (ca) or (ea) of the definition of agency in subsection (1).
6(5D)
(Repealed by No 197 of 2012)
6(6)
For the purposes of this Act, the Defence Department shall be taken to include the Defence Force.
6(7)
Nothing in this Act prevents a complaint from: (a) being both a file number complaint and an APP complaint; or (b) being both a file number complaint and a credit reporting complaint; or (c) being both a file number complaint and a code complaint; or (d) (Repealed by No 197 of 2012) (e) being both a code complaint and a credit reporting complaint; or (f) being both an APP complaint and a credit reporting complaint; or (g) being both an APP complaint and a code complaint.
6(8)
For the purposes of this Act, the question whether bodies corporate are related to each other is determined in the manner in which that question is determined under the Corporations Act 2001.
6(9)
To avoid doubt, for the purposes of this Act, services provided to an agency or a State or Territory authority include services that consist of the provision of services to other persons in connection with the performance of the functions of the agency or State or Territory authority.
6(10)
For the purposes of this Act, a reference to family in the definition of consumer credit in subsection 6(1), and in sections 6D and 16, in relation to any individual is taken to include the following (without limitation): (a) a de facto partner of the individual; (b) someone who is the child of the person, or of whom the person is the child, because of the definition of child in subsection (11); (c) anyone else who would be a member of the individual's family if someone mentioned in paragraph (a) or (b) is taken to be a member of the individual's family.
6(10A)
For the purposes of this Act, the Supreme Court of Norfolk Island is taken not to be a federal court.
6(11)
In this section:
child:
without limiting who is a child of a person for the purposes of subsection (10), someone is the
child
of a person if he or she is a child of the person within the meaning of the Family Law Act 1975.
SECTION 6AA MEANING OF RESPONSIBLE PERSON 6AA(1)
A responsible person for an individual is:
(a) a parent of the individual; or
(b) a child or sibling of the individual if the child or sibling is at least 18 years old; or
(c) a spouse or de facto partner of the individual; or
(d) a relative of the individual if the relative is:
(i) at least 18 years old; and
(ii) a member of the individual's household; or
(e) a guardian of the individual; or
(f) a person exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or
(g) a person who has an intimate personal relationship with the individual; or
(h) a person nominated by the individual to be contacted in case of emergency.
6AA(2)
In this section:
child
: without limiting who is a child of an individual for the purposes of subsection (1), each of the following is a
child
of an individual:
(a) an adopted child, stepchild, exnuptial child or foster child of the individual;
(b) someone who is a child of the individual within the meaning of the Family Law Act 1975.
parent
: without limiting who is a parent of an individual for the purposes of subsection (1), someone is a
parent
of an individual if the individual is his or her child because of the definition of
child
in this subsection.
relative
, of an individual (the
first individual
) means a grandparent, grandchild, uncle, aunt, nephew or niece of the first individual and for this purpose, relationships to the first individual may also be traced to or through another individual who is:
(a) a de facto partner of the first individual; or
(b) the child of the first individual because of the definition of child in this subsection.
sibling
of an individual includes:
(a) a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister of the individual; and
(b) another individual if a relationship referred to in paragraph (a) can be traced through a parent of either or both of the individuals.
stepchild
: without limiting who is a stepchild of an individual, someone is a
stepchild
of an individual if he or she would be the individual's stepchild except that the individual is not legally married to the individual's de facto partner.
For the purposes of this Act, an act or practice breaches an Australian Privacy Principle if, and only if, it is contrary to, or inconsistent with, that principle.
6A(2) No breach - contracted service provider.
An act or practice does not breach an Australian Privacy Principle if:
(a) the act is done, or the practice is engaged in:
(i) by an organisation that is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and
(ii) for the purposes of meeting (directly or indirectly) an obligation under the contract; and
(b) the act or practice is authorised by a provision of the contract that is inconsistent with the principle.
[
CCH Note:
Sch 1 of No 155 of 2000, effective 21 December 2001, contains the following application provision:
37 Application
]
Under subsection 6A(2) or 6B(2) of the Privacy Act 1988 (as amended by this Schedule), a Commonwealth contract may prevent an act or practice from being a breach of a National Privacy Principle or an approved privacy code (as appropriate) regardless of whether the contract was made before or after the commencement of that subsection.
An act or practice does not breach an Australian Privacy Principle if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the National Archives of Australia to decide whether to accept, or to arrange, care (as defined in that Act) of the record.
An act or practice does not breach an Australian Privacy Principle if:
(a) the act is done, or the practice is engaged in, outside Australia and the external Territories; and
(b) the act or practice is required by an applicable law of a foreign country.
Subsections (2), (3) and (4) have effect despite subsection (1).
For the purposes of this Act, an act or practice breaches a registered APP code if, and only if, it is contrary to, or inconsistent with, the code.
An act or practice does not breach a registered APP code if:
(a) the act is done, or the practice is engaged in:
(i) by an organisation that is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and
(ii) for the purposes of meeting (directly or indirectly) an obligation under the contract; and
(b) the act or practice is authorised by a provision of the contract that is inconsistent with the code.
[
CCH Note:
Sch 1 of No 155 of 2000, effective 21 December 2001, contains the following application provision:
37 Application
]
37
Under subsection 6A(2) or 6B(2) of the Privacy Act 1988 (as amended by this Schedule), a Commonwealth contract may prevent an act or practice from being a breach of a National Privacy Principle or an approved privacy code (as appropriate) regardless of whether the contract was made before or after the commencement of that subsection.
An act or practice does not breach a registered APP code if the act or practice involves the disclosure by an organisation of personal information in a record (as defined in the Archives Act 1983) solely for the purposes of enabling the National Archives of Australia to decide whether to accept, or to arrange, care (as defined in that Act) of the record.
An act or practice does not breach a registered APP code if:
(a) the act is done, or the practice is engaged in, outside Australia and the external Territories; and
(b) the act or practice is required by an applicable law of a foreign country.
Subsections (2), (3) and (4) have effect despite subsection (1).
For the purposes of this Act, an act or practice breaches the registered CR code if, and only if, it is contrary to, or inconsistent with, the code.
In this Act:
(a) an individual; or
(b) a body corporate; or
(c) a partnership; or
(d) any other unincorporated association; or
(e) a trust;
that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.
Note 1:
Under section 187LA of the Telecommunications (Interception and Access) Act 1979, service providers are, in relation to their activities relating to retained data, treated as organisations for the purposes of this Act.
Note 2:
Regulations may prescribe an instrumentality by reference to one or more classes of instrumentality. See subsection 13(3) of the Legislation Act 2003.
Example: Regulations may prescribe an instrumentality of a State or Territory that is an incorporated company, society or association and therefore not a State or Territory authority.
A legal person can have a number of different capacities in which the person does things. In each of those capacities, the person is taken to be a differentorganisation .
Example: In addition to his or her personal capacity, an individual may be the trustee of one or more trusts. In his or her personal capacity, he or she is one organisation. As trustee of each trust, he or she is a different organisation.
6C(3) What is a State or Territory authority ?In this Act:
State or Territory authority
means:
(a) a State or Territory Minister; or
(b) a Department of State of a State or Territory; or
(c) a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a law of a State or Territory, other than:
(i) an incorporated company, society or association; or
(ii) an association of employers or employees that is registered or recognised under a law of a State or Territory dealing with the resolution of industrial disputes; or
(d) a body established or appointed, otherwise than by or under a law of a State or Territory, by:
(i) a Governor of a State; or
(ii) the Australian Capital Territory Executive; or
(iii) the Administrator of the Northern Territory; or
(iv) (Repealed by No 59 of 2015)
(v) a State or Territory Minister; or
(vi) (Repealed by No 139 of 2010)
(e) a person holding or performing the duties of an office established by or under, or an appointment made under, a law of a State or Territory, other than the office of head of a State or Territory Department (however described); or
(f) a person holding or performing the duties of an appointment made, otherwise than under a law of a State or Territory, by:
(i) a Governor of a State; or
(ii) the Australian Capital Territory Executive; or
(iii) the Administrator of the Northern Territory; or
(iv) (Repealed by No 59 of 2015)
(v) a State or Territory Minister; or
(vi) (Repealed by No 139 of 2010)
(g) a State or Territory court.
Before the Governor-General makes regulations prescribing an instrumentality of a State or Territory for the purposes of the definition of organisation in subsection (1), the Minister must:
(a) be satisfied that the State or Territory has requested that the instrumentality be prescribed for those purposes; and
(b) consider:
(i) whether treating the instrumentality as an organisation for the purposes of this Act adversely affects the government of the State or Territory; and
(ii) the desirability of regulating under this Act the collection, holding, use, correction and disclosure of personal information by the instrumentality; and
(iii) whether the law of the State or Territory regulates the collection, holding, use, correction and disclosure of personal information by the instrumentality to a standard that is at least equivalent to the standard that would otherwise apply to the instrumentality under this Act; and
(c) consult the Commissioner about the matters mentioned in subparagraphs (b)(ii) and (iii).
In this section:
State
does not include the Australian Capital Territory or the Northern Territory (despite subsection 6(1)).
A business is a small business at a time (the test time ) in a financial year (the current year ) if its annual turnover for the previous financial year is $3,000,000 or less.
6D(2) Test for new business.However, if there was no time in the previous financial year when the business was carried on, the business is a small business at the test time only if its annual turnover for the current year is $3,000,000 or less.
6D(3) What is a small business operator ?A small business operator is an individual, body corporate, partnership, unincorporated association or trust that:
(a) carries on one or more small businesses; and
(b) does not carry on a business that is not a small business. 6D(4) Entities that are not small business operators.
However, an individual, body corporate, partnership, unincorporated association or trust is not a small business operator if he, she or it:
(a) carries on a business that has had an annual turnover of more than $3,000,000 for a financial year that has ended after the later of the following:
(i) the time he, she or it started to carry on the business;
(ii) the commencement of this section; or
(b) provides a health service to another individual and holds any health information except in an employee record; or
(c) discloses personal information about another individual to anyone else for a benefit, service or advantage; or
(d) provides a benefit, service or advantage to collect personal information about another individual from anyone else; or
(e) is a contracted service provider for a Commonwealth contract (whether or not a party to the contract); or
(f) is a credit reporting body.
Subsection (4) does not prevent an individual from being a small business operator merely because he or she does something described in paragraph (4)(b), (c) or (d):
(a) otherwise than in the course of a business he or she carries on; and
(b) only for the purposes of, or in connection with, his or her personal, family or household affairs. 6D(6) Non-business affairs of other small business operators.
Subsection (4) does not prevent a body corporate, partnership, unincorporated association or trust from being a small business operator merely because it does something described in paragraph (4)(b), (c) or (d) otherwise than in the course of a business it carries on.
6D(7) Disclosure compelled or made with consent.Paragraph (4)(c) does not prevent an individual, body corporate, partnership, unincorporated association or trust from being a small business operator only because he, she or it discloses personal information about another individual:
(a) with the consent of the other individual; or
(b) as required or authorised by or under legislation. 6D(8) Collection with consent or under legislation.
Paragraph (4)(d) does not prevent an individual, body corporate, partnership, unincorporated association or trust from being a small business operator only because he, she or it:
(a) collects personal information about another individual from someone else:
(i) with the consent of the other individual; or
(ii) as required or authorised by or under legislation; and
(b) provides a benefit, service or advantage to be allowed to collect the information. 6D(9) Related bodies corporate.
Despite subsection (3), a body corporate is not a small business operator if it is related to a body corporate that carries on a business that is not a small business.
The annual turnover of a business for a financial year is the total of the following that is earned in the year in the course of the business:
(a) the proceeds of sales of goods and/or services;
(b) commission income;
(c) repair and service income;
(d) rent, leasing and hiring income;
(e) government bounties and subsidies;
(f) interest, royalties and dividends;
(g) other operating income.
Note: The annual turnover for a financial year of a business carried on by an entity that does not carry on another business will often be similar to the total of the instalment income the entity notifies to the Commissioner of Taxation for the 4 quarters in the year (or for the year, if the entity pays tax in annual instalments).
6DA(2) [Business carried out for only part of a financial year]However, if a business has been carried on for only part of a financial year, its annual turnover for the financial year is the amount worked out using the formula:
| Amount that would be the
annual turnover of the business under subsection (1) if the part were a whole financial year |
× | Number of days in the
whole financial year Number of days in the part |
If a small business operator is a reporting entity or an authorised agent of a reporting entity because of anything done in the course of a small business carried on by the small business operator, this Act applies, with the prescribed modifications (if any), in relation to the activities carried on by the small business operator for the purposes of, or in connection with, activities relating to:
(a) the Anti-Money Laundering and Counter-Terrorism Financing Act 2006; or
(b) regulations or AML/CTF Rules under that Act;
as if the small business operator were an organisation.
Note:
The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
If a small business operator is the protected action ballot agent for a protected action ballot conducted under Part 3-3 of the Fair Work Act 2009, this Act applies, with the prescribed modifications (if any), in relation to the activities carried on by the small business operator for the purpose of, or in connection with, the conduct of the protected action ballot, as if the small business operator were an organisation.
Note:
The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
If a small business operator is an association of employees that is registered or recognised under the Fair Work (Registered Organisations) Act 2009, this Act applies, with the prescribed modifications (if any), in relation to the activities carried on by the small business operator, as if the small business operator were an organisation (within the meaning of this Act).
Note:
The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
Small business operator that is accredited for the consumer data right regime
6E(1D)
If a small business operator holds an accreditation under subsection 56CA(1) of the Competition and Consumer Act 2010, this Act applies, with the prescribed modifications (if any), in relation to information that:
(a) is personal information; but
(b) is not CDR data (within the meaning of that Act);
as if the small business operator were an organisation.
Note: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
6E(1) Regulations treating a small business operator as an organisation.
This Act applies, with the prescribed modifications (if any), in relation to a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.
Note 1: The regulations may prescribe different modifications of the Act for different small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
Note 2: Regulations may prescribe a small business operator by reference to one or more classes of small business operator. See subsection 13(3) of the Legislation Act 2003.
This Act also applies, with the prescribed modifications (if any), in relation to the prescribed acts or practices of a small business operator prescribed for the purposes of this subsection as if the small business operator were an organisation.
Note 1: The regulations may prescribe different modifications of the Act for different acts, practices or small business operators. See subsection 33(3A) of the Acts Interpretation Act 1901.
Note 2: Regulations may prescribe an act, practice or small business operator by reference to one or more classes of acts, practices or small business operators. See subsection 13(3) of the Legislation Act 2003.
Definition
6E(3)
In this section:
modifications
(Repealed by No 46 of 2011)
protected action ballot agent
means a person (other than the Australian Electoral Commission) that conducts a protected action ballot under Part 3-3 of the Fair Work Act 2009.
6E(4) Making regulations.
Before the Governor-General makes regulations prescribing a small business operator, act or practice for the purposes of subsection (1) or (2), the Minister must:
(a) be satisfied that it is desirable in the public interest to regulate under this Act the small business operator, act or practice; and
(b) consult the Commissioner about the desirability of regulating under this Act the matters described in paragraph (a).
This Act applies in relation to a small business operator as if the operator were an organisation while a choice by the operator to be treated as an organisation is registered under this section.
A small business operator may make a choice in writing given to the Commissioner to be treated as an organisation.
Note:
A small business operator may revoke such a choice by writing given to the Commissioner. See subsection 33(3) of the Acts Interpretation Act 1901.
6EA(3) [Register of operators]If the Commissioner is satisfied that a small business operator has made the choice to be treated as an organisation, the Commissioner must enter in a register of operators who have made such a choice:
(a) the name or names under which the operator carries on business; and
(b) the operator's ABN, if the operator has one under the A New Tax System (Australian Business Number) Act 1999. 6EA(4) [Revocation of choice to be treated as organisation]
If a small business operator revokes a choice to be treated as an organisation, the Commissioner must remove from the register the material relating to the operator.
6EA(5) [Form of register]The Commissioner may decide the form of the register and how it is to be kept.
6EA(6) [Availability to public]The Commissioner must make the register available to the public in the way that the Commissioner determines. However, the Commissioner must not make available to the public in the register information other than that described in subsection (3).
This Act applies, with the prescribed modifications (if any), in relation to a prescribed State or Territory authority or a prescribed instrumentality of a State or Territory (except an instrumentality that is an organisation because of section 6C) as if the authority or instrumentality were an organisation.
Note 1: The regulations may prescribe different modifications of the Act for different authorities or instrumentalities. See subsection 33(3A) of the Acts Interpretation Act 1901.
Note 2: Regulations may prescribe an authority or instrumentality by reference to one or more classes of authority or instrumentality. See subsection 13(3) of the Legislation Act 2003.
(Repealed by No 46 of 2011)
6F(3) Making regulations to treat instrumentality etc. as organisation.
Before the Governor-General makes regulations prescribing a State or Territory authority or instrumentality of a State or Territory for the purposes of subsection (1), the Minister must:
(a) be satisfied that the relevant State or Territory has requested that the authority or instrumentality be prescribed for those purposes; and
(b) consult the Commissioner about the desirability of regulating under this Act the collection, holding, use, correction and disclosure of personal information by the authority or instrumentality.
The following information is health information :
(a) information or an opinion about:
(i) the health, including an illness, disability or injury, (at any time) of an individual; or
(ii) an individual's expressed wishes about the future provision of health services to the individual; or
that is also personal information;
(iii) a health service provided, or to be provided, to an individual;
(b) other personal information collected to provide, or in providing, a health service to an individual;
(c) other personal information collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances;
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
An activity performed in relation to an individual is a health service if the activity is intended or claimed (expressly or otherwise) by the individual or the person performing it:
(a) to assess, maintain or improve the individual's health; or
(b) where the individual's health cannot be maintained or improved - to manage the individual's health; or
(c) to diagnose the individual's illness, disability or injury; or
(d) to treat the individual's illness, disability or injury or suspected illness, disability or injury; or
(e) to record the individual's health for the purposes of assessing, maintaining, improving or managing the individual's health.
6FB(2)
The dispensing on prescription of a drug or medicinal preparation by a pharmacist is a health service .
6FB(3)
To avoid doubt:
(a) a reference in this section to an individual's health includes the individual's physical or psychological health; and
(b) an activity mentioned in subsection (1) or (2) that takes place in the course of providing aged care, palliative care or care for a person with a disability is a health service .
6FB(4)
The regulations may prescribe an activity that, despite subsections (1) and (2) is not to be treated as a health service for the purposes of this Act.
General
6G(1)
Each of the following is a credit provider :
(a) a bank;
(b) an organisation or small business operator if:
(i) the organisation or operator carries on a business or undertaking; and
(ii) a substantial part of the business or undertaking is the provision of credit;
(c) an organisation or small business operator:
(i) that carries on a retail business; and
(ii) that, in the course of the business, issues credit cards to individuals in connection with the sale of goods, or the supply of services, by the organisation or operator (as the case may be);
(d) an agency, organisation or small business operator:
(i) that carries on a business or undertaking that involves providing credit; and
(ii) that is prescribed by the regulations.
Other credit providers
6G(2)
If:
(a) an organisation or small business operator (the supplier ) carries on a business or undertaking in the course of which the supplier provides credit in connection with the sale of goods, or the supply of services, by the supplier; and
(b) the repayment, in full or in part, of the amount of credit is deferred for at least 7 days; and
(c) the supplier is not a credit provider under subsection (1);
then the supplier is a credit provider but only in relation to the credit.
6G(3)
If:
(a) an organisation or small business operator (the lessor ) carries on a business or undertaking in the course of which the lessor provides credit in connection with the hiring, leasing or renting of goods; and
(b) the credit is in force for at least 7 days; and
(c) no amount, or an amount less than the value of the goods, is paid as a deposit for the return of the goods; and
(d) the lessor is not a credit provider under subsection (1);
then the lessor is a credit provider but only in relation to the credit.
6G(4)
An organisation or small business operator is a credit provider if subsection 6H(1), 6J(1) or 6K(1) provides that the organisation or operator is a credit provider.
Exclusions
6G(5)
Despite subsections (1) to (4) of this section, an organisation or small business operator acting in the capacity of:
(a) a real estate agent; or
(b) a general insurer (within the meaning of the Insurance Act 1973); or
(c) an employer of an individual;
is not a credit provider while acting in that capacity.
6G(6)
Despite subsections (1) to (4) of this section, an organisation or small business operator is not a credit provider if it is included in a class of organisations or operators prescribed by the regulations.
If an organisation or small business operator (the agent ) is acting as an agent of a credit provider (the principal ) in performing, on behalf of the principal, a task that is reasonably necessary:
(a) in processing an application for credit made to the principal; or
(b) in managing credit provided by the principal;
then, while the agent is so acting, the agent is a credit provider .
6H(2)
Subsection (1) does not apply if the principal is an organisation or small business operator that is a credit provider because of a previous application of that subsection.
6H(3)
If subsection (1) applies in relation to credit that has been provided by the principal, the credit is taken, for the purposes of this Act, to have been provided by both the principal and the agent.
6H(4)
If subsection (1) applies in relation to credit for which an application has been made to the principal, the application is taken, for the purposes of this Act, to have been made to both the principal and the agent.
If:
(a) an organisation or small business operator (the securitisation entity ) carries on a business that is involved in either or both of the following:
(i) a securitisation arrangement;
(ii) managing credit that is the subject of a securitisation arrangement; and
(b) the securitisation entity performs a task that is reasonably necessary for:
(i) purchasing, funding or managing, or processing an application for, credit by means of a securitisation arrangement; or
(ii) undertaking credit enhancement in relation to credit; and
(c) the credit has been provided by, or is credit for which an application has been made to, a credit provider (the original credit provider );
then, while the securitisation entity performs such a task, the securitisation entity is a credit provider .
6J(2)
Subsection (1) does not apply if the original credit provider is an organisation or small business operator that is a credit provider because of a previous application of that subsection.
6J(3)
If subsection (1) applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by both the original credit provider and the securitisation entity.
6J(4)
If subsection (1) applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to both the original credit provider and the securitisation entity.
If:
(a) an organisation or small business operator (the acquirer ) acquires, whether by assignment, subrogation or any other means, the rights of a credit provider (the original credit provider ) in relation to the repayment of an amount of credit; and
(b) the acquirer is not a credit provider under subsection 6G(1);
then the acquirer is a credit provider but only in relation to the credit.
6K(2)
If subsection (1) of this section applies in relation to credit that has been provided by the original credit provider, the credit is taken, for the purposes of this Act, to have been provided by the acquirer.
6K(3)
If subsection (1) of this section applies in relation to credit for which an application has been made to the original credit provider, the application is taken, for the purposes of this Act, to have been made to the acquirer.
An access seeker in relation to credit reporting information, or credit eligibility information, about an individual is:
(a) the individual; or
(b) a person:
(i) who is assisting the individual to deal with a credit reporting body or credit provider; and
(ii) who is authorised, in writing, by the individual to make a request in relation to the information under subsection 20R(1) or 21T(1).
6L(2)
An individual must not authorise a person under subparagraph (1)(b)(ii) if the person is:
(a) a credit provider; or
(b) a mortgage insurer; or
(c) a trade insurer; or
(d) a person who is prevented from being a credit provider by subsection 6G(5) or (6).
6L(3)
Subparagraph (1)(b)(ii) does not apply to a person who provides the National Relay Service or a person prescribed by the regulations.
Credit is a contract, arrangement or understanding under which:
(a) payment of a debt owed by one person to another person is deferred; or
(b) one person incurs a debt to another person and defers the payment of the debt.
6M(2)
The amount of credit is the amount of the debt that is actually deferred, or that may be deferred, but does not include any fees or charges payable in connection with the deferral of the debt.
6M(3)
Without limiting subsection (1), credit includes:
(a) a hire-purchase agreement; and
(b) a contract, arrangement or understanding of a kind referred to in that subsection that is for the hire, lease or rental of goods, or for the supply of services, other than a contract, arrangement or understanding under which:
(i) full payment is made before, or at the same time as, the goods or services are provided; and
(ii) in the case of goods - an amount greater than, or equal to, the value of the goods is paid as a deposit for the return of the goods.
Credit information about an individual is personal information (other than sensitive information) that is: (a) identification information about the individual; or (b) consumer credit liability information about the individual; or (c) repayment history information about the individual; or (ca) financial hardship information about the individual; or (d) a statement that an information request has been made in relation to the individual by a credit provider, mortgage insurer or trade insurer; or (e) the type of consumer credit or commercial credit, and the amount of credit, sought in an application:
(i) that has been made by the individual to a credit provider; and
(f) default information about the individual; or (g) payment information about the individual; or (h) new arrangement information about the individual; or (i) court proceedings information about the individual; or (j) personal insolvency information about the individual; or (k) publicly available information about the individual:
(ii) in connection with which the provider has made an information request in relation to the individual; or
(i) that relates to the individual's activities in Australia or the external Territories and the individual's credit worthiness; and
(ii) that is not court proceedings information about the individual or information about the individual that is entered or recorded on the National Personal Insolvency Index; or
[ CCH Note: Para 6N(k) is applicable in relation to activities done before or after 12 March 2014.]
A credit reporting business is a business or undertaking that involves collecting, holding, using or disclosing personal information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual.
6P(2)
Subsection (1) applies whether or not the information about the credit worthiness of an individual is:
(a) provided for profit or reward; or
(b) provided, or intended to be provided, for the purposes of assessing an application for consumer credit.
6P(3)
In determining whether a business or undertaking carried on by a credit provider is a credit reporting business, disregard the provision of information about the credit worthiness of an individual to a related body corporate by the provider.
6P(4)
Despite subsection (1), a business or undertaking is not a credit reporting business if the business or undertaking is included in a class of businesses or undertakings prescribed by the regulations.
Consumer credit defaults
6Q(1)
Default information about an individual is information about a payment (including a payment that is wholly or partly a payment of interest) that the individual is overdue in making in relation to consumer credit that has been provided by a credit provider to the individual if: (a) the individual is at least 60 days overdue in making the payment; and (b) the provider has given a written notice to the individual informing the individual of the overdue payment and requesting that the individual pay the amount of the overdue payment; and (c) the provider is not prevented by a statute of limitations from recovering the amount of the overdue payment; and (d) the amount of the overdue payment is equal to or more than:
(i) $150; or
(ii) such higher amount as is prescribed by the regulations.
Guarantor defaults
6Q(2)
Default information about an individual is information about a payment that the individual is overdue in making as a guarantor under a guarantee given against any default by a person (the borrower ) in repaying all or any of the debt deferred under consumer credit provided by a credit provider to the borrower if: (a) the provider has given the individual written notice of the borrower's default that gave rise to the individual's obligation to make the overdue payment; and (b) the notice requests that the individual pay the amount of the overdue payment; and (c) at least 60 days have passed since the day on which the notice was given; and (d) in addition to giving the notice, the provider has taken other steps to recover the amount of the overdue payment from the individual; and (e) the provider is not prevented by a statute of limitations from recovering the amount of the overdue payment.
Financial hardship arrangement
6QA(1)
If: (a) a credit provider provides consumer credit to an individual; and (b) the National Credit Code applies to the provision of the credit; and (c) the individual is or will be unable to meet the individual's obligations in relation to the consumer credit; and (d) as a result of the inability, an arrangement covered by subsection (3) affecting the monthly payment obligations of the individual is made between the credit provider and the individual which is either:
(i) a permanent variation to the terms of the consumer credit; or
(ii) a temporary relief from or deferral of the individual's obligations in relation to the consumer credit;
then the arrangement is a financial hardship arrangement .
Note:
Financial hardship arrangements affect repayment history information: see subsection 6V(1A).
6QA(2)
For the purposes of this section, it does not matter whether the arrangement was initiated by the credit provider or the individual.
6QA(3)
This subsection covers any kind of agreement, arrangement or understanding, whether formal or informal, whether express or implied and whether or not enforceable, or intended to be enforceable, by legal proceedings.
Examples: An arrangement might involve a credit provider agreeing to:
(a) defer or reduce required monthly payments for a temporary period; or (b) accept interest-only payments for a temporary period; or (c) extend the term of a loan to reduce monthly payments.
Financial hardship information
6QA(4)
If subsection 6V(1A) (about financial hardship arrangements) applies in determining repayment history information about an individual, then the following information is financial hardship information about the individual: (a) for an arrangement referred to in subparagraph (1)(d)(i) (about permanent variations) - information, relating only to the first monthly payment affected by the arrangement, that indicates that the monthly payment is the first monthly payment affected by a financial hardship arrangement of that kind; (b) for an arrangement referred to in subparagraph (1)(d)(ii) (about temporary relief or deferral of obligations) - information, relating to each monthly payment affected by the arrangement, that indicates that the monthly payment was affected by a financial hardship arrangement of that kind.
Note:
Paragraph (b) may apply even if, under the arrangement, the individual is not required to make a payment for a month: see subsection 6V(1B).
6QA(5)
Paragraph (4)(b) does not apply in relation to a monthly payment under a financial hardship arrangement if: (a) the individual met the obligation to make the monthly payment, as affected by the arrangement; and (b) the amount paid was equal to, or greater than, the amount the individual would have been obliged to pay apart from the arrangement.
Credit provider
6R(1)
A credit provider has made an information request in relation to an individual if the provider has sought information about the individual from a credit reporting body:
(a) in connection with an application for consumer credit made by the individual to the provider; or
(b) in connection with an application for commercial credit made by a person to the provider; or
(c) for a credit guarantee purpose of the provider in relation to the individual; or
(d) for a securitisation related purpose of the provider in relation to the individual.
Mortgage insurer
6R(2)
A mortgage insurer has made an information request in relation to an individual if:
(a) the insurer has sought information about the individual from a credit reporting body; and
(b) the information was sought in connection with the provision of insurance to a credit provider in relation to mortgage credit provided by the provider to:
(i) the individual; or
(ii) a person for whom the individual is, or is proposing to be, a guarantor.
Trade insurer
6R(3)
A trade insurer has made an information request in relation to an individual if:
(a) the insurer has sought information about the individual from a credit reporting body; and
(b) the information was sought in connection with the provision of insurance to a credit provider in relation to commercial credit provided by the provider to the individual or another person.
Consumer credit defaults
6S(1)
If:
(a) a credit provider has disclosed default information about an individual to a credit reporting body; and
(b) the default information relates to a payment that the individual is overdue in making in relation to consumer credit (the original consumer credit ) that has been provided by the provider to the individual; and
(c) because of the individual being so overdue:
(i) the terms or conditions of the original consumer credit that relate to the repayment of the amount of credit are varied; or
(ii) the individual is provided with other consumer credit (the new consumer credit ) by a credit provider that relates, wholly or in part, to that amount of credit;
then new arrangement information about the individual is a statement that those terms or conditions of the original consumer credit have been varied, or that the individual has been provided with the new consumer credit.
Serious credit infringements
6S(2)
If:
(a) a credit provider is of the opinion that an individual has committed a serious credit infringement in relation to consumer credit (the original consumer credit ) provided by the provider to the individual; and
(b) the provider has disclosed the opinion to a credit reporting body; and
(c) because of the provider having that opinion:
(i) the terms or conditions of the original consumer credit that relate to the repayment of the amount of credit are varied; or
(ii) the individual is provided with other consumer credit (the new consumer credit ) by a credit provider that relates, wholly or in part, to that amount of credit;
then new arrangement information about the individual is a statement that those terms or conditions of the original consumer credit have been varied, or that the individual has been provided with the new consumer credit.
If:
(a) a credit provider has disclosed default information about an individual toa credit reporting body; and
(b) on a day after the default information was disclosed, the amount of the overdue payment to which the information relates is paid;
then payment information about the individual is a statement that the amount of the overdue payment has been paid on that day.
Personal insolvency information about an individual is information:
(a) that is entered or recorded in the National Personal Insolvency Index; and
(b) that relates to:
(i) a bankruptcy of the individual; or
(ii) a debt agreement proposal given by the individual; or
(iii) a debt agreement made by the individual; or
(iv) a personal insolvency agreement executed by the individual; or
(v) a direction given, or an order made, under section 50 of the Bankruptcy Act that relates to the property of the individual; or
(vi) an authority signed under section 188 of that Act that relates to the property of the individual.
6U(2)
Despite subparagraph (1)(b)(i), personal insolvency information about an individual must not relate to:
(a) the presentation of a creditor's petition against the individual; or
(b) an administration under Part XI of the Bankruptcy Act of the individual's estate.
6U(3)
An expression used in paragraph (1)(b) or (2)(a) that is also used in the Bankruptcy Act has the same meaning in that paragraph as it has in that Act.
If a credit provider provides consumer credit to an individual, the following information about the consumer credit is repayment history information about the individual: (a) whether or not the individual has met an obligation to make a monthly payment that is due and payable in relation to the consumer credit; (b) the day on which the monthly payment is due and payable; (c) if the individual makes the monthly payment after the day on which the payment is due and payable - the day on which the individual makes that payment.
6V(1A)
If an obligation of the individual to make a monthly payment is, or is taken by subsection (1B) to be, affected by a financial hardship arrangement, then repayment history information is to be determined by reference to that obligation as so affected.
Note:
In this case, there may be financial hardship information: see subsections 6QA(4) and (5).
6V(1B)
If, under a financial hardship arrangement, an individual is not required to make a monthly payment for a month, then, for the purposes of subsections (1) and (1A) and section 6QA: (a) a monthly payment is taken to have been due and payable on the day on which it would have been due and payable apart from the arrangement; and (b) the individual is taken to have met the obligation to make the monthly payment; and (c) the obligation to make the monthly payment is taken to be affected by the arrangement.
6V(2)
The regulations may make provision in relation to: (a) whether or not an individual has met an obligation to make a monthly payment that is due and payable in relation to consumer credit; and (b) whether or not a payment is a monthly payment.
Except so far as the contrary intention appears, a reference in this Act (other than section 8) to an act or to a practice is a reference to: (a) an act done, or a practice engaged in, as the case may be, by an agency (other than an eligible hearing service provider), a file number recipient, a credit reporting body or a credit provider other than:
(i) an agency specified in any of the following provisions of the Freedom of Information Act 1982:
(A) Schedule 1;
(B) Division 1 of Part I of Schedule 2;
(C) Division 1 of Part II of Schedule 2; or
(ii) a federal court; or
(iia) a court of Norfolk Island; or
(iii) a Minister; or
(iiiaa) (Repealed by No 59 of 2015)
(iiia) the National Anti-Corruption Commissioner; or
(iiib) the Inspector of the National Anti-Corruption Commission; or
(iv) the ACC; or
(v) a Royal Commission; or
(b) an act done, or a practice engaged in, as the case may be, by a federal court, or by an agency specified in Schedule 1 to the Freedom of Information Act 1982, being an act done, or a practice engaged in, in respect of a matter of an administrative nature; or (ba) an act done, or a practice engaged in, as the case may be, by a court of Norfolk Island, being an act done, or a practice engaged in, in respect of a matter of an administrative nature; or (c) an act done, or a practice engaged in, as the case may be, by an agency specified in Division 1 of Part II of Schedule 2 to the Freedom of Information Act 1982, other than an act done, or a practice engaged in, in relation to a record in relation to which the agency is exempt from the operation of that Act; or (ca) an act done, or a practice engaged in, as the case may be, by a part of the Defence Department specified in Division 2 of Part I of Schedule 2 to the Freedom of Information Act 1982, other than an act done, or a practice engaged in, in relation to the activities of that part of the Department; or (cb) (Repealed by No 197 of 2012) (cc) an act done, or a practice engaged in, as the case may be, by an eligible hearing service provider in connection with the provision of hearing services under an agreement made under Part 3 of the Hearing Services Administration Act 1997; or (d) an act done, or a practice engaged in, as the case may be, by a Minister in relation to the affairs of an agency (other than an eligible hearing service provider), not being an act done, or a practice engaged in, in relation to an existing record; or (e) an act done, or a practice engaged in, as the case may be, by a Minister in relation to a record that is in the Minister's possession in his or her capacity as a Minister and relates to the affairs of an agency (other than an eligible hearing service provider); or
(vi) a Commission of inquiry; or
(eaa)-(eab) (Repealed by No 59 of 2015)
(ea)-(eb) (Repealed by No 197 of 2012) (ec) an act done, or a practice engaged in, as the case may be, by a Minister in relation to the affairs of an eligible hearing service provider, being affairs in connection with the provision of hearing services under an agreement made under Part 3 of the Hearing Services Administration Act 1997; or (ed) an act done, or a practice engaged in, as the case may be, by a Minister in relation to a record that is in the Minister's possession in his or her capacity as a Minister and relates to the affairs of an eligible hearing service provider, being affairs in connection with the provision of hearing services under an agreement made under Part 3 of the Hearing Services Administration Act 1997; or (ee) an act done, or a practice engaged in, by an organisation, other than an exempt act or exempt practice (see sections 7B and 7C);
but does not include a reference to an act done, or a practice engaged in, in relation to a record that has originated with, or has been received from:
(f) an intelligence agency; (g) the Defence Intelligence Organisation or the Australian Geospatial-Intelligence Organisation; or (ga) the National Anti-Corruption Commissioner or another staff member of the NACC (within the meaning of the National Anti-Corruption Commission Act 2022); or (gb) the Inspector of the National Anti-Corruption Commission or a person assisting the Inspector (within the meaning of the National Anti-Corruption Commission Act 2022); or (h) the ACC or the Board of the ACC.7(1A)
Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice so far as it involves the disclosure of personal information to: (a) the Australian Security Intelligence Organisation; or (b) the Australian Secret Intelligence Service; or (c) the Australian Signals Directorate.
7(1B)
Despite subsections (1) and (2), a reference in this Act (other than section 8) to an act or to a practice does not include a reference to the act or practice by an agency with an intelligence role or function (within the meaning of the Office of National Intelligence Act 2018) so far as it involves the disclosure of personal information to the Office of National Intelligence.
7(2)
Except so far as the contrary intention appears, a reference in this Act (other than section 8) to an act or to a practice includes, in the application of this Act otherwise than in respect of the Australian Privacy Principles, a registered APP code and the performance of the Commissioner's functions in relation to the principles and such a code, a reference to an act done, or a practice engaged in, as the case may be, by an agency specified in Part I of Schedule 2 to the Freedom of Information Act 1982 or in Division 1 of Part II of that Schedule other than: (a) an intelligence agency; (b) the Defence Intelligence Organisation or the Australian Geospatial-Intelligence Organisation; or (c) the ACC or the Board of the ACC.
7(3)
Except so far as the contrary intention appears, a reference in this Act to doing an act includes a reference to: (a) doing an act in accordance with a practice; or (b) refusing or failing to do an act.
7(3A)
(Repealed by No 197 of 2012)
7(4)
For the purposes of section 28, of paragraphs 28A(2)(a) to (e), of subsection 31(2) and of Part VI, this section has effect as if a reference in subsection (1) of this section to an act done, or to a practice engaged in, included a reference to an act that is proposed to be done, or to a practice that is proposed to be engaged in, as the case may be.
SECTION 7A ACTS OF CERTAIN AGENCIES TREATED AS ACTS OF ORGANISATION 7A(1) [Application]
This Act applies, with the prescribed modifications (if any), in relation to an act or practice described in subsection (2) or (3) as if:
(a) the act or practice were an act done, or practice engaged in, by an organisation; and
(b) the agency mentioned in that subsection were the organisation. 7A(2) [Prescribed agencies]
Subsection (1) applies to acts done, and practices engaged in, by a prescribed agency. Regulations for this purpose may prescribe an agency only if it is specified in Part I of Schedule 2 to the Freedom of Information Act 1982.
7A(3) [Additional acts and practices]Subsection (1) also applies to acts and practices that:
(a) are done or engaged in by an agency specified in Division 1 of Part II of Schedule 2 to the Freedom of Information Act 1982 in relation to documents in respect of its commercial activities or the commercial activities of another entity; and
(b) relate to those commercial activities. 7A(4) [Effect]
This section has effect despite subparagraph 7(1)(a)(i), paragraph 7(1)(c) and subsection 7(2).
7A(5)(Repealed by No 46 of 2011)
An act done, or practice engaged in, by an organisation that is an individual is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, other than in the course of a business carried on by the individual.
Note: See also section 16 which provides that the Australian Privacy Principles do not apply for the purposes of, or in connection with, an individual's personal, family or household affairs.
An act done, or practice engaged in, by an organisation is exempt for the purposes of paragraph 7(1)(ee) if:
(a) the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and
(b) the organisation would be a small business operator if it were not a contracted service provider for a Commonwealth contract; and
(c) the act is done, or the practice is engaged in, otherwise than for the purposes of meeting (directly or indirectly) an obligation under a Commonwealth contract for which the organisation is the contracted service provider.
Note:
This puts the organisation in the same position as a small business operator as far as its activities that are not for the purposes of a Commonwealth contract are concerned, so the organisation need not comply with the Australian Privacy Principles, or a registered APP code that binds the organisation, in relation to those activities.
An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:
(a) a current or former employment relationship between the employer and the individual; and
(b) an employee record held by the organisation and relating to the individual. 7B(4) Journalism.
An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in:
(a) by the organisation in the course of journalism; and
(b) at a time when the organisation is publicly committed to observe standards that:
(i) deal with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters); and
7B(5) Organisation acting under State contract.
(ii) have been published in writing by the organisation or a person or body representing a class of media organisations.
An act done, or practice engaged in, by an organisation is exempt for the purposes of paragraph 7(1)(ee) if:
(a) the organisation is a contracted service provider for a State contract (whether or not the organisation is a party to the contract); and
(b) the act is done, or the practice is engaged in for the purposes of meeting (directly or indirectly) an obligation under the contract.
An act done, or practice engaged in, by an organisation (the political representative ) consisting of a member of a Parliament, or a councillor (however described) of a local government authority, is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in, for any purpose in connection with:
(a) an election under an electoral law; or
(b) a referendum under a law of the Commonwealth or a law of a State or Territory; or
(c) the participation by the political representative in another aspect of the political process. 7C(2) Contractors for political representatives etc.
An act done, or practice engaged in, by an organisation (the contractor ) is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in:
(a) for the purposes of meeting an obligation under a contract between the contractor and a registered political party or a political representative described in subsection (1); and
(b) for any purpose in connection with one or more of the following:
(i) an election under an electoral law;
(ii) a referendum under a law of the Commonwealth or a law of a State or Territory;
(iii) the participation in another aspect of the political process by the registered political party or political representative;
7C(3) Subcontractors for organisations covered by subsection (1) etc.
(iv) facilitating acts or practices of the registered political party or political representative for a purpose mentioned in subparagraph (i), (ii) or (iii) of this paragraph.
An act done, or practice engaged in, by an organisation (the subcontractor ) is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in:
(a) for the purposes of meeting an obligation under a contract between the subcontractor and a contractor described in subsection (2); and
(b) for a purpose described in paragraph (2)(b). 7C(4) Volunteers for registered political parties.
An act done voluntarily, or practice engaged in voluntarily, by an organisation for or on behalf of a registered political party and with the authority of the party is exempt for the purposes of paragraph 7(1)(ee) if the act is done or the practice is engaged in for any purpose in connection with one or more of the following:
(a) an election under an electoral law;
(b) a referendum under a law of the Commonwealth or a law of a State or Territory;
(c) the participation in another aspect of the political process by the registered political party;
(d) facilitating acts or practices of the registered political party for a purpose mentioned in paragraph (a), (b) or (c). 7C(5) Effect of subsection (4) on other operation of Act.
Subsection (4) does not otherwise affect the operation of the Act in relation to agents or principals.
7C(6) Meaning of electoral law and Parliament .In this section:
electoral law
means a law of the Commonwealth, or a law of a State or Territory, relating to elections to a Parliament or to a local government authority.
(a) the Parliament of the Commonwealth; or
(b) a State Parliament; or
(c) the legislature of a Territory.
Note: To avoid doubt, this section does not make exempt for the purposes of paragraph 7(1)(ee) an act or practice of the political representative, contractor, subcontractor or volunteer for a registered political party involving the use or disclosure (by way of sale or otherwise) of personal information in a way not covered by subsection (1), (2), (3) or (4) (as appropriate). The rest of this Act operates normally in relation to that act or practice.
For the purposes of this Act: (a) an act done or practice engaged in by, or information disclosed to, a person employed by, or in the service of, an agency, organisation, file number recipient, credit reporting body or credit provider in the performance of the duties of the person's employment shall be treated as having been done or engaged in by, or disclosed to, the agency, organisation, recipient, credit reporting body or credit provider; (b) an act done or practice engaged in by, or information disclosed to, a person on behalf of, or for thepurposes of the activities of, an unincorporated body, being a board, council, committee, sub-committee or other body established by or under a Commonwealth law, or a law of a State or Territory that applies in an external Territory, for the purpose of assisting, or performing functions in connection with, an agency or organisation, shall be treated as having been done or engaged in by, or disclosed to, the agency or organisation; and (c) an act done or practice engaged in by, or information disclosed to, a member, staff member or special member of the Australian Federal Police in the performance of his or her duties as such a member, staff member or special member shall be treated as having been done or engaged in by, or disclosed to, the Australian Federal Police.
8(2)
Where: (a) an act done or a practice engaged in by a person, in relation to a record, is to be treated, under subsection (1), as having been done or engaged in by an agency; and (b) that agency does not hold that record;
that act or practice shall be treated as the act or the practice of the agency that holds that record.
8(3)
For the purposes of the application of this Act in relation to an organisation that is a partnership: (a) an act done or practice engaged in by a partner is taken to have been done or engaged in by the organisation; and (b) a communication (including a complaint, notice, request or disclosure of information) made to a partner is taken to have been made to the organisation.
8(4)
For the purposes of the application of this Act in relation to an organisation that is an unincorporated association: (a) an act done or practice engaged in by a member of the committee of management of the association is taken to have been done or engaged in by the organisation; and (b) a communication (including a complaint, notice, request or disclosure of information) made to a member of the committee of management of the association is taken to have been made to the organisation.
8(5)
For the purposes of the application of this Act in relation to an organisation that is a trust: (a) an act done or practice engaged in by a trustee is taken to have been done or engaged in by the organisation; and (b) a communication (including a complaint, notice or request or disclosure of information) made to a trustee is taken to have been made to the organisation.
9 (Repealed) SECTION 9 COLLECTORS
(Repealed by No 197 of 2012) SECTION 10 AGENCIES THAT ARE TAKEN TO HOLD A RECORD 10(1)-(3)
(Repealed by No 197 of 2012)
10(4)
Where:
(a) a record of personal information (not being a record relating to the administration of the National Archives of Australia) is in the care (within the meaning of the Archives Act 1983) of the National Archives of Australia; or
(b) a record of personal information (not being a record relating to the administration of the Australian War Memorial) is in the custody of the Australian War Memorial;
the agency by or on behalf of which the record was placed in that care or custody or, if that agency no longer exists, the agency to whose functions the contents of the record are most closely related, shall be regarded, for the purposes of this Act, to be the agency that holds that record.
10(5)
Where a record of personal information was placed by or on behalf of an agency in the memorial collection within the meaning of the Australian War Memorial Act 1980, that agency or, if that agency no longer exists, the agency to whose functions the contents of the record are most closely related, shall be regarded, for the purposes of this Act, to be the agency that holds that record.
SECTION 11 FILE NUMBER RECIPIENTS 11(1)
A person who is (whether lawfully or unlawfully) in possession or control of a record that contains tax file number information shall be regarded, for the purposes of this Act, as a file number recipient.
11(2)
Subject to subsection (3), where a record that contains tax file number information is in the possession or under the control of a person: (a) in the course of the person's employment in the service of or by a person or body other than an agency; (b) in the course of the person's employment in the service of or by an agency other than the Australian Federal Police; or (c) as a member, staff member or special member of the Australian Federal Police in the performance of his or her duties as such a member, staff member or special member;
then, for the purposes of this Act, the file number recipient in relation to that record shall be taken to be:
(d) if paragraph (a) applies - the person's employer; (e) if paragraph (b) applies - the agency first referred to in that paragraph; and (f) if paragraph (c) applies - the Australian Federal Police.11(3)
Where a record that contains tax file number information is in the possession or under the control of a person for the purposes of the activities of, an unincorporated body, being a board, council, committee, sub-committee or other body established by or under a Commonwealth law, or a law of a State or Territory that applies in an external Territory, for the purpose of assisting, or performing functions connected with, an agency, that agency shall be treated, for the purposes of this Act, as the file number recipient in relation to that record.
11A (Repealed) SECTION 11A CREDIT REPORTING AGENCIES
(Repealed by No 197 of 2012) 11B (Repealed) SECTION 11B CREDIT PROVIDERS
(Repealed by No 197 of 2012) 12 (Repealed) SECTION 12 APPLICATION OF INFORMATION PRIVACY PRINCIPLES TO AGENCY IN POSSESSION
(Repealed by No 197 of 2012) SECTION 12A 12A ACT NOT TO APPLY IN RELATION TO STATE BANKING OR INSURANCE WITHIN THAT STATE
Where, but for this section, a provision of this Act:
(a) would have a particular application; and
(b) by virtue of having that application, would be a law with respect to, or with respect to matters including:
(i) State banking not extending beyond the limits of the State concerned; or
(ii) State insurance not extending beyond the limits of the State concerned;
the provision is not to have that application.
Without limiting its effect apart from this section, this Act has effect in relation to the following (the regulated entities ) as provided by this section: (a) an agency; (b) an organisation; (c) a small business operator; (d) a body politic.
Note:
Subsection 27(4) applies in relation to an investigation of an act or practice referred to in subsection 29(1) of the Healthcare Identifiers Act 2010.
12B(2)
This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to an operation to give effect to the following: (a) the International Covenant on Civil and Political Rights done at New York on 16 December 1966 ([1980] ATS 23), and in particular Articles 17 and 24(1) of the Covenant; (b) Article 16 of the Convention on the Rights of the Child done at New York on 20 November 1989 ([1991] ATS 4).
Note:
In 2012, the text of the Covenant and Convention in the Australian Treaty Series was accessible through the Australian Treaties Library on the AustLII website (www.austlii.edu.au).
12B(3)
This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to acts or practices covered by section 5B (which deals with acts and practices outside Australia and the external Territories).
12B(4)
This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to regulated entities that are corporations.
12B(5)
This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to acts or practices of regulated entities taking place in the course of, or in relation to, trade or commerce: (a) between Australia and places outside Australia; or (b) among the States; or (c) within a Territory, between a State and a Territory or between 2 Territories.
12B(5A)
This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to acts or practices engaged in by regulated entities in the course of: (a) banking (other than State banking not extending beyond the limits of the State concerned); or (b) insurance (other than State insurance not extending beyond the limits of the State concerned).
12B(6)
This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to acts or practices of regulated entities taking place using a postal, telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution.
12B(7)
This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to acts or practices of regulated entities taking place in a Territory.
12B(8)
This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to acts or practices of regulated entities taking place in a place acquired by the Commonwealth for public purposes.
[ CCH Note: S 12B(9) will be inserted by No 128 of 2024, s 3 and Sch 2 item 8, effective 10 June 2025. S 12B(9) will read:
]
12B(9)
This section does not apply to Schedule 2.Note:
See also clauses 4 and 5 of Schedule 2 (constitutional basis and additional operation).
APP entities
13(1)
An act or practice of an APP entity is an interference with the privacy of an individual if:
(a) the act or practice breaches an Australian Privacy Principle in relation to personal information about the individual; or
(b) the act or practice breaches a registered APP code that binds the entity in relation to personal information about the individual.
Credit reporting
13(2)
An act or practice of an entity is an interference with the privacy of an individual if:
(a) the act or practice breaches a provision of Part IIIA in relation to personal information about the individual; or
(b) the act or practice breaches the registered CR code in relation to personal information about the individual and the code binds the entity.
Contracted service providers
13(3)
An act or practice of an organisation is an interference with the privacy of an individual if:
(a) the act or practice relates to personal information about the individual; and
(b) the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and
(c) the act or practice does not breach:
(i) an Australian Privacy Principle; or
in relation to the personal information because of a provision of the contract that is inconsistent with the principle or code; and
(ii) a registered APP code that binds the organisation;
(d) the act is done, or the practice is engaged in, in a manner contrary to, or inconsistent with, that provision.
Note:
See subsections 6A(2) and 6B(2) for when an act or practice does not breach an Australian Privacy Principle or a registered APP code.
Tax file numbers
13(4)
An act or practice is an interference with the privacy of an individual if:
(a) it is an act or practice of a file number recipient and the act or practice breaches a rule issued under section 17 in relation to tax file number information that relates to the individual; or
(b) the act or practice involves an unauthorised requirement or request for disclosure of the tax file number of the individual.
Notification of eligible data breaches etc.
13(4A)
If an entity (within the meaning of Part IIIC) contravenes subsection 26WH(2), 26WK(2), 26WL(3) or 26WR(10), the contravention is taken to be an act that is an interference with the privacy of an individual .
Other interferences with privacy
13(5)
An act or practice is an interference with the privacy of an individual if the act or practice:
(a) constitutes a breach of Part 2 of the Data-matching Program (Assistance and Tax) Act 1990 or the rules issued under section 12 of that Act; or
(b) constitutes a breach of the rules issued under section 135AA of the National Health Act 1953.
Note:
Other Acts may provide that an act or practice is an interference with the privacy of an individual. For example, see the Healthcare Identifiers Act 2010, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the Personal Property Securities Act 2009.
(Repealed by No 197 of 2012) SECTION 13B RELATED BODIES CORPORATE
Acts or practices that are not interferences with privacy
13B(1)
Despite subsection 13(1), each of the following acts or practices of an organisation that is a body corporate is not an interference with the privacy of an individual :
(a) the collection of personal information (other than sensitive information) about the individual by the body corporate from a related body corporate;
(b) the disclosure of personal information (other than sensitive information) about the individual by the body corporate to a related body corporate.
Note:
Subsection (1) lets related bodies corporate share personal information. However, in using or holding the information, they must comply with the Australian Privacy Principles and a registered APP code that binds them. For example, there is an interference with privacy if:
13B(1A)
However, paragraph (1)(a) does not apply to the collection by a body corporate of personal information (other than sensitive information) from:
(a) a related body corporate that is not an organisation; or
(b) a related body corporate whose disclosure of the information to the body corporate is an exempt act or exempt practice for the purposes of paragraph 7(1)(ee); or
(c) a related body corporate whose disclosure of the information to the body corporate is not an interference with privacy because of section 13D.
Note:
The effect of subsection (1A) is that a body corporate's failure to comply with the Australian Privacy Principles, or a registered APP code that binds the body, in collecting personal information about an individual from a related body corporate covered by that subsection is an interference with the privacy of the individual.
Relationship with subsection 13(3)
13B(2)
Subsection (1) does not prevent an act or practice of an organisation from being an interference with the privacy of an individual under subsection 13(3).
Acts or practices that are not interferences with privacy
13C(1)
If:
(a) an organisation (the new partnership ) that is a partnership forms at the same time as, or immediately after, the dissolution of another partnership (the old partnership ); and
(b) at least one person who was a partner in the old partnership is a partner in the new partnership; and
(c) the new partnership carries on a business that is the same as, or similar to, a business carried on by the old partnership; and
(d) the new partnership holds, immediately after its formation, personal information about an individual that the old partnership held immediately before its dissolution;
neither the disclosure (if any) by the old partnership, nor the collection (if any) by the new partnership, of the information that was necessary for the new partnership to hold the information immediately after its formation constitutes an interference with the privacy of the individual .
Note:
Subsection (1) lets personal information be passed on from an old to a new partnership. However, in using or holding the information, they must comply with the Australian Privacy Principles and a registered APP code that binds them. For example, the new partnership's use of personal information collected from the old partnership may constitute an interference with privacy if it breaches Australian Privacy Principle 6.
Effect of subsection (1)
13C(2)
Subsection (1) has effect despite subsections 13(1) and (3).
An act or practice of an organisation done or engaged in outside Australia and an external Territory is not an interference with the privacy of an individual if the act or practice is required by an applicable law of a foreign country.
Effect of subsection (1)
13D(2)
Subsection (1) has effect despite subsections 13(1) and (3).
Sections 13B, 13C and 13D do not prevent an act or practice of an organisation from being an interference with the privacy of an individual under subsection 13(2), (4) or (5).
An act or practice that is not covered by section 13 is not an interference with the privacy of an individual .
Civil penalty provision
13G(1)
An entity contravenes this subsection if: (a) the entity does an act, or engages in a practice, that is an interference with the privacy of an individual; and (b) the interference with privacy is serious.
Note:
The court may determine that an entity has contravened section 13H if the court is satisfied of paragraph (a) but not paragraph (b) (see section 13J).
13G(1A)
Subsection (1) is a civil penalty provision.
Note: Section 80U deals with civil penalty provisions in this Act.
Factors that may be taken into account in determining if interference with privacy is serious
13G(1B)
In determining whether an interference with privacy is serious, a court may have regard to any of the following matters: (a) the particular kind or kinds of information involved in the interference with privacy; (b) the sensitivity of the personal information of the individual; (c) the consequences, or potential consequences, of the interference with privacy for the individual; (d) the number of individuals affected by the interference with privacy; (e) whether the individual affected by the interference with privacy is a child or person experiencing vulnerability; (f) whether the act was done, or the practice engaged in, repeatedly or continuously; (g) whether the contravening entity failed to take steps to implement practices, procedures and systems to comply with their obligations in relation to privacy in a way that contributed to the interference with privacy; (h) any other relevant matter.
Maximum pecuniary penalty
13G(2)
The amount of the penalty for a contravention of subsection (1) by a person other than a body corporate is an amount not more than $2,500,000.
13G(3)
The amount of the penalty for a contravention of subsection (1) by a body corporate is an amount not more than the greatest of the following: (a) $50,000,000; (b) if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention - 3 times the value of that benefit; (c) if the court cannot determine the value of that benefit - 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
13G(4)
Subsection (3) applies despite paragraph 82(5)(a) of the Regulatory Powers Act.
Meaning of adjusted turnover
13G(5)
For the purposes of paragraph (3)(c), the adjusted turnover of a body corporate during a period is the sum of the values of all the supplies that the body corporate, and any related body corporate, have made, or are likely to make, during the period, other than: (a) supplies made from any of those bodies corporate to any other of those bodies corporate; or (b) supplies that are input taxed; or (c) supplies that are not for consideration (and are not taxable supplies under section 72-5 of the A New Tax System (Goods and Services Tax) Act 1999); or (d) supplies that are not made in connection with an enterprise that the body corporate carries on; or (e) supplies that are not connected with the indirect tax zone.
13G(6)
Expressions used in subsection (5) that are also used in the A New Tax System (Goods and Services Tax) Act 1999 have the same meaning as in that Act.
Meaning of breach turnover period
13G(7)
For the purposes of paragraph (3)(c), the breach turnover period for a contravention means the longer of the following periods: (a) the period of 12 months ending at the end of the month in which the contravention ceased, or proceedings in relation to the contravention were instituted (whichever is earlier); (b) the period:
(i) starting at the beginning of the month in which the contravention occurred or began occurring; and
(ii) ending at the same time as the period determined under paragraph (a).
Civil penalty provision
13H(1)
An entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of an individual.
13H(2)
Subsection (1) is a civil penalty provision.
Note:
Section 80U deals with civil penalty provisions in this Act.
Maximum pecuniary penalty
13H(3)
The amount of the penalty payable by a person in respect of a contravention of subsection (1) must not exceed 2,000 penalty units.
If, in proceedings for an order in relation to a contravention of section 13G, the court: (a) is satisfied that the entity has done an act, or engaged in a practice, that is an interference with the privacy of an individual; but (b) is not satisfied that the interference with privacy is serious;
the court may make a pecuniary penalty order against the entity for contravening section 13H, instead of section 13G.
Civil penalty provision for breaching Australian Privacy Principles
13K(1)
An entity contravenes this subsection if: (a) the entity does an act, or engages in a practice; and (b) the act or practice breaches any of the following Australian Privacy Principles:
(i) Australian Privacy Principle 1.3 (requirement to have APP privacy policy);
(ii) Australian Privacy Principle 1.4 (contents of APP privacy policy);
(iii) Australian Privacy Principle 2.1 (individuals may choose not to identify themselves in dealing with entities);
(iv) Australian Privacy Principle 6.5 (written notice of certain uses or disclosures);
(v) Australian Privacy Principle 7.2(c) or 7.3(c) (simple means for individuals to opt out of direct marketing communications);
(vi) Australian Privacy Principle 7.3(d) (requirement to draw attention to ability to opt out of direct marketing communications);
(vii) Australian Privacy Principle 7.7(a) (giving effect to request in reasonable period);
(viii) Australian Privacy Principle 7.7(b) (notification of source of information);
(ix) Australian Privacy Principle 13.5 (dealing with requests);
(x) any other Australian Privacy Principle prescribed by the regulations.
Note:
Conduct that contravenes this section may also contravene section 13G or 13H.
[ CCH Note: S 13K(1) will be amended by No 128 of 2024, s 3 and Sch 1 item 87, by inserting para (b)(iia), effective 10 December 2026. Para (b)(iia) will read:
]
(iia) Australian Privacy Principle 1.7 (contents of APP privacy policy - automated decisions);
Civil penalty provision for non-compliant eligible data breach statement
13K(2)
An entity contravenes this subsection if: (a) the entity prepares a statement under section 26WK (eligible data breaches); and (b) the statement does not comply with subsection 26WK(3).
Civil penalty provisions
13K(3)
Subsections (1) and (2) are civil penalty provisions.
Note:
Section 80U deals with civil penalty provisions in this Act.
Maximum pecuniary penalty
13K(4)
The amount of the penalty payable by a person in respect of a contravention of subsection (1) or (2) must not exceed 200 penalty units.
The Australian Privacy Principles are set out in the clauses of Schedule 1.
14(2)
A reference inany Act to an Australian Privacy Principle by a number is a reference to the Australian Privacy Principle with that number.
An APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle.
(Repealed by No 197 of 2012) SECTION 16 16 PERSONAL, FAMILY OR HOUSEHOLD AFFAIRS
Nothing in the Australian Privacy Principles applies to:
(a) the collection, holding, use or disclosure of personal information by an individual; or
(b) personal information held by an individual;
only for the purposes of, or in connection with, his or her personal, family or household affairs.
A permitted general situation exists in relation to the collection, use or disclosure by an APP entity of personal information about an individual, or of a government related identifier of an individual, if:
(a) the entity is an entity of a kind specified in an item in column 1 of the table; and
(b) the item in column 2 of the table applies to the information or identifier; and
(c) such conditions as are specified in the item in column 3 of the table are satisfied.
| Permitted general situations | |||
| Item |
Column 1
Kind of entity |
Column 2
Item applies to |
Column 3
Condition(s) |
| 1 | APP entity | (a) personal information; or
(b) a government related identifier. |
(a) it is unreasonable or impracticable to obtain the individual's consent to the collection, use or disclosure; and
(b) the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. |
| 2 | APP entity | (a) personal information; or
(b) a government related identifier. |
(a) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity's functions or activities has been, is being or may be engaged in; and
(b) the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter. |
| 3 | APP entity | Personal information | (a) the entity reasonably believes that the collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing; and
(b) the collection, use or disclosure complies with the rules made under subsection (2). |
| 4 | APP entity | Personal information | The collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim. |
| 5 | APP entity | Personal information | The collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process. |
| 6 | Agency | Personal information | The entity reasonably believes that the collection, use or disclosure is necessary for the entity's diplomatic or consular functions or activities. |
| 7 | Defence Force | Personal information | The entity reasonably believes that the collection, use or disclosure is necessary for any of the following occurring outside Australia and the external Territories:
(a) war or warlike operations; (b) peacekeeping or peace enforcement; (c) civil aid, humanitarian assistance, medical or civil emergency or disaster relief. |
16A(2)
The Commissioner may, by legislative instrument, make rules relating to the collection, use or disclosure of personal information that apply for the purposes of item 3 of the table in subsection (1).
Collection - provision of a health service
16B(1)
A permitted health situation exists in relation to the collection by an organisation of health information about an individual if:
(a) the information is necessary to provide a health service to the individual; and
(b) either:
(i) the collection is required or authorised by or under an Australian law (other than this Act); or
(ii) the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.
16B(1A)
A permitted health situation exists in relation to the collection by an organisation of health information about an individual (the third party ) if:
(a) it is necessary for the organisation to collect the family, social or medical history of an individual (the patient ) to provide a health service to the patient; and
(b) the health information about the third party is part of the family, social or medical history necessary for the organisation to provide the health service to the patient; and
(c) the health information is collected by the organisation from the patient or, if the patient is physically or legally incapable of giving the information, a responsible person for the patient.
Collection - research etc.
16B(2)
A permitted health situation exists in relation to the collection by an organisation of health information about an individual if:
(a) the collection is necessary for any of the following purposes:
(i) research relevant to public health or public safety;
(ii) the compilation or analysis of statistics relevant to public health or public safety;
(iii) the management, funding or monitoring of a health service; and
(b) that purpose cannot be served by the collection of information about the individual that is de-identified information; and
(c) it is impracticable for the organisation to obtain the individual's consent to the collection; and
(d) any of the following apply:
(i) the collection is required by or under an Australian law (other than this Act);
(ii) the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation;
(iii) the information is collected in accordance with guidelines approved under section 95A for the purposes of this subparagraph.
Use or disclosure - research etc.
16B(3)
A permitted health situation exists in relation to the use or disclosure by an organisation of health information about an individual if:
(a) the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; and
(b) it is impracticable for the organisation to obtain the individual's consent to the use or disclosure; and
(c) the use or disclosure is conducted in accordance with guidelines approved under section 95A for the purposes of this paragraph; and
(d) in the case of disclosure - the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information.
Use or disclosure - genetic information
16B(4)
A permitted health situation exists in relation to the use or disclosure by an organisation of genetic information about an individual (the first individual ) if:
(a) the organisation has obtained the information in the course of providing a health service to the first individual; and
(b) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the first individual; and
(c) the use or disclosure is conducted in accordance with guidelines approved under section 95AA; and
(d) in the case of disclosure - the recipient of the information is a genetic relative of the first individual.
Disclosure - responsible person for an individual
16B(5)
A permitted health situation exists in relation to the disclosure by an organisation of health information about an individual if:
(a) the organisation provides a health service to the individual; and
(b) the recipient of the information is a responsible person for the individual; and
(c) the individual:
(i) is physically or legally incapable of giving consent to the disclosure; or
(ii) physically cannot communicate consent to the disclosure; and
(d) another individual (the carer ) providing the health service for the organisation is satisfied that either:
(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or
(ii) the disclosure is made for compassionate reasons; and
(e) the disclosure is not contrary to any wish:
(i) expressed by the individual before the individual became unable to give or communicate consent; and
(ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and
(f) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (d).
This section applies if:
(a) an APP entity discloses personal information about an individual to an overseas recipient; and
(b) Australian Privacy Principle 8.1 applies to the disclosure of the information; and
(c) the Australian Privacy Principles do not apply, under this Act, to an act done, or a practice engaged in, by the overseas recipient in relation to the information; and
(d) the overseas recipient does an act, or engages in a practice, in relation to the information that would be a breach of the Australian Privacy Principles (other than Australian Privacy Principle 1) if those Australian Privacy Principles so applied to that act or practice.
16C(2)
The act done, or the practice engaged in, by the overseas recipient is taken, for the purposes of this Act:
(a) to have been done, or engaged in, by the APP entity; and
(b) to be a breach of those Australian Privacy Principles by the APP entity.
(Repealed by No 197 of 2012) 16E (Repealed) SECTION 16E PERSONAL, FAMILY OR HOUSEHOLD AFFAIRS
(Repealed by No 197 of 2012) 16F (Repealed) SECTION 16F INFORMATION UNDER COMMONWEALTH CONTRACT NOT TO BE USED FOR DIRECT MARKETING
(Repealed by No 197 of 2012) Division 4 - Tax file number information
The Commissioner must, by legislative instrument, issue rules concerning the collection, storage, use and security of tax file number information.
A file number recipient shall not do an act, or engage in a practice, that breaches a rule issued under section 17.
(Repealed by No 197 of 2012) 18B (Repealed) SECTION 18B CREDIT REPORTING AGENCIES AND CREDIT PROVIDERS TO COMPLY WITH CODE OF CONDUCT
(Repealed by No 197 of 2012) (Repealed) PART IIIAA - PRIVACY CODES
(Repealed by No 197 of 2012) 18BAA (Repealed) SECTION 18BAA PRIVACY CODES MAY COVER EXEMPT ACTS OR PRACTICES
(Repealed by No 197 of 2012) 18BB (Repealed) SECTION 18BB COMMISSIONER MAY APPROVE PRIVACY CODE
(Repealed by No 197 of 2012) 18BC (Repealed) SECTION 18BC WHEN APPROVAL TAKES EFFECT
(Repealed by No 197 of 2012) 18BD (Repealed) SECTION 18BD VARYING AN APPROVED PRIVACY CODE
(Repealed by No 197 of 2012) 18BE (Repealed) SECTION 18BE REVOKING THE APPROVAL OF AN APPROVED PRIVACY CODE
(Repealed by No 197 of 2012) 18BF (Repealed) SECTION 18BF GUIDELINES ABOUT PRIVACY CODES
(Repealed by No 197 of 2012) 18BG (Repealed) SECTION 18BG REGISTER OF APPROVED PRIVACY CODES
(Repealed by No 197 of 2012) 18BH (Repealed) SECTION 18BH REVIEW OF OPERATION OF APPROVED PRIVACY CODE
(Repealed by No 197 of 2012) 18BI (Repealed) SECTION 18BI REVIEW OF ADJUDICATOR'S DECISION UNDER APPROVED PRIVACY CODE
(Repealed by No 197 of 2012) PART IIIA - CREDIT REPORTING
In general, this Part deals with the privacy of information relating to credit reporting.
Divisions 2 and 3 contain rules that apply to credit reporting bodies and credit providers in relation to their handling of information relating to credit reporting.
Division 4 contains rules that apply to affected information recipients in relation to their handling of their regulated information.
Division 5 deals with complaints to credit reporting bodies or credit providers about acts or practices that may be a breach of certain provisions of this Part or the registered CR code.
Division 6 deals with entities that obtain credit reporting information or credit eligibility information by false pretence, or when they are not authorised to do so under this Part.
Division 7 provides for compensation orders, and other orders, to be made by the Federal Court or Federal Circuit and Family Court of Australia (Division 2).
This Division sets out rules that apply to credit reporting bodies in relation to their handling of the following:
The rules apply in relation to that kind of information or assessment instead of the Australian Privacy Principles.
This Division applies to a credit reporting body in relation to the following:
(a) credit reporting information;
(b) CP derived information;
(c) credit reporting information that is de-identified;
(d) a pre-screening assessment.
20A(2)
The Australian Privacy Principles do not apply to a credit reporting body in relation to personal information that is:
(a) credit reporting information; or
(b) CP derived information; or
(c) a pre-screening assessment.
Note:
The Australian Privacy Principles apply to the credit reporting body in relation to other kinds of personal information.
Subdivision B - Consideration of information privacy
The object of this section is to ensure that credit reporting bodies manage credit reporting information in an open and transparent way.
Compliance with this Division etc.
20B(2)
A credit reporting body must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the credit reporting business of the body that:
(a) will ensure that the body complies with this Division and the registered CR code; and
(b) will enable the body to deal with inquiries or complaints from individuals about the body's compliance with this Division or the registered CR code.
Policy about the management of credit reporting information
20B(3)
A credit reporting body must have a clearly expressed and up-to-date policy about the management of credit reporting information by the body.
20B(4)
Without limiting subsection (3), the policy of the credit reporting body must contain the following information:
(a) the kinds of credit information that the body collects and how the body collects that information;
(b) the kinds of credit reporting information that the body holds and how the body holds that information;
(c) the kinds of personal information that the body usually derives from credit information that the body holds;
(d) the purposes for which the body collects, holds, uses and discloses credit reporting information;
(e) information about the effect of section 20G (which deals with direct marketing) and how the individual may make a request under subsection (5) of that section;
(f) how an individual may access credit reporting information about the individual that is held by the body and seek the correction of such information;
(g) information about the effect of section 20T (which deals with individuals requesting the correction of credit information etc.);
(h) how an individual may complain about a failure of the body to comply with this Division or the registered CR code and how the body will deal with such a complaint.
Availability of policy etc.
20B(5)
A credit reporting body must take such steps as are reasonable in the circumstances to make the policy available:
(a) free of charge; and
(b) in such form as is appropriate.
Note:
A credit reporting body will usually make the policy available on the body's website.
20B(6)
If a person or body requests a copy, in a particular form, of the policy of a credit reporting body, the credit reporting body must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
Prohibition on collection
20C(1)
A credit reporting body must not collect credit information about an individual.
Civil penalty: 2,000 penalty units.
Exceptions
20C(2)
Subsection (1) does not apply if the collection of the credit information is required or authorised by or under an Australian law or a court/tribunal order.
20C(3)
Subsection (1) does not apply if: (a) the credit reporting body collects the credit information about the individual from a credit provider who is permitted under section 21D to disclose the information to the body; and (b) the body collects the information in the course of carrying on a credit reporting business; and (c) if the information is identification information about the individual - the body also collects from the provider, or already holds, credit information of another kind about the individual.
20C(4)
Subsection (1) does not apply if: (a) the credit reporting body:
(i) collects the credit information about the individual from an entity (other than a credit provider) in the course of carrying on a credit reporting business; and
(b) the information does not relate to an act, omission, matter or thing that occurred or existed before the individual turned 18; and (c) if the information relates to consumer credit or commercial credit - the credit is or has been provided, or applied for, in Australia; and (d) if the information is identification information about the individual - the body also collects from the entity, or already holds, credit information of another kind about the individual; and (e) if the information is repayment history information or financial hardship information about the individual - the body collects the information from another credit reporting body that has an Australian link.
(ii) knows, or believes on reasonable grounds, that the individual is at least 18 years old; and
20C(5)
Paragraph (4)(b) does not apply to identification information about the individual.
20C(6)
Despite paragraph (4)(b), consumer credit liability information about the individual may relate to consumer credit that was entered into on a day before the individual turned 18, so long as the consumer credit was not terminated, or did not otherwise cease to be in force, on a day before the individual turned 18.
Means of collection
20C(7)
A credit reporting body must collect credit information only by lawful and fair means.
Solicited credit information
20C(8)
This section applies to the collection of credit information that is solicited by a credit reporting body.
If:
(a) a credit reporting body receives credit information about an individual; and
(b) the body did not solicit the information;
the body must, within a reasonable period after receiving the information, determine whether or not the body could have collected the information under section 20C if the body had solicited the information.
20D(2)
The credit reporting body may use or disclose the credit information for the purposes of making the determination under subsection (1).
20D(3)
If the credit reporting body determines that it could have collected the credit information, sections 20E to 20ZA apply in relation to the information as if the body had collected the information under section 20C.
20D(4)
If the credit reporting body determines that it could not have collected the credit information, the body must, as soon as practicable, destroy the information.
Civil penalty: 1,000 penalty units.
20D(5)
Subsection (4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.
Prohibition on use or disclosure
20E(1)
If a credit reporting body holds credit reporting information about an individual, the body must not use or disclose the information.
Civil penalty: 2,000 penalty units.
Permitted uses
20E(2)
Subsection (1) does not apply to the use of credit reporting information about the individual if: (a) the credit reporting body uses the information in the course of carrying on the body's credit reporting business; or (b) the use is required or authorised by or under an Australian law (other than the consumer data rules) or a court/tribunal order; or (c) the use is a use prescribed by the regulations.
Permitted disclosures
20E(3)
Subsection (1) does not apply to the disclosure of credit reporting information about the individual if: (a) the disclosure is a permitted CRB disclosure in relation to the individual; or (b) the disclosure is to another credit reporting body that has an Australian link; or (c) both of the following apply:
(i) the disclosure is for the purposes of a recognised external dispute resolution scheme;
(d) both of the following apply:
(ii) a credit reporting body or credit provider is a member of or subject to the scheme; or
(i) the disclosure is to an enforcement body;
(e) the disclosure is required or authorised by or under an Australian law (other than the consumer data rules) or a court/tribunal order; or (f) the disclosure is a disclosure prescribed by the regulations.
(ii) the credit reporting body is satisfied that the body, or another enforcement body, believes on reasonable grounds that the individual has committed a serious credit infringement; or
20E(4)
However, if the credit reporting information is, or was derived from, repayment history information or financial hardship information about the individual, the credit reporting body must not disclose the information under paragraph (3)(a) or (f) unless the recipient of the information is: (a) a credit provider who is a licensee or is prescribed by the regulations; or (b) a mortgage insurer.
Civil penalty: 2,000 penalty units.
20E(4A)
Despite subsection (3), if the credit reporting information is, or was derived from, financial hardship information about the individual, the credit reporting body must not disclose the information under paragraph (3)(a) or (f) to a credit provider or mortgage insurer if the provider or insurer requested the information for the purpose of: (a) in the case of a credit provider:
(i) collecting payments that are overdue in relation to consumer credit provided by the provider to the individual; or
(ii) collecting payments that are overdue in relation to commercial credit provided by the provider to a person; or
(b) in the case of a mortgage insurer - assessing the risk of the individual defaulting on mortgage credit in relation to which the insurer has provided insurance to a credit provider.
(iii) assessing whether to accept the individual as a guarantor in relation to credit for which an application has been made to the provider by a person other than the individual; or
Civil penalty: 2,000 penalty units.
20E(5)
If a credit reporting body discloses credit reporting information under this section, the body must make a written note of that disclosure.
Civil penalty: 500 penalty units.
Note:
Other Acts may provide that the note must not be made (see for example the Australian Crime Commission Act 2002 and the National Anti-Corruption Commission Act 2022).
No use or disclosure for the purposes of direct marketing
20E(6)
This section does not apply to the use or disclosure of credit reporting information for the purposes of direct marketing.
Note:
Section 20G deals with the use or disclosure of credit reporting information for the purposes of direct marketing.
No disclosure of financial hardship information as part of credit score
20E(7)
Subsection (3) does not apply to the disclosure of CRB derived information which contains or takes the form of a credit score where the credit information from which the credit score is derived includes financial hardship information.
A disclosure by a credit reporting body of credit reporting information about an individual is a permitted CRB disclosure in relation to the individual if:
(a) the disclosure is to an entity that is specified in an item of the table and that has an Australian link; and
(b) such conditions as are specified for the item are satisfied.
| Permitted CRB disclosures | ||
| Item | If the disclosure is to ... | the condition or conditions are ... |
| 1 | a credit provider | the provider requests the information for a consumer credit related purpose of the provider in relation to the individual. |
| 2 | a credit provider | (a) the provider requests the information for a commercial credit related purpose of the provider in relation to a person; and
(b) the individual expressly consents to the disclosure of the information to the provider for that purpose. |
| 3 | a credit provider | (a) the provider requests the information for a credit guarantee purpose of the provider in relation to the individual; and
(b) the individual expressly consents, in writing, to the disclosure of the information to the provider for that purpose. |
| 4 | a credit provider | the credit reporting body is satisfied that the provider, or another credit provider, believes on reasonable grounds that the individual has committed a serious credit infringement. |
| 5 | a credit provider | (a) the credit reporting body holds consumer credit liability information that relates to consumer credit provided by the provider to the individual; and
(b) the consumer credit has not been terminated, or has not otherwise ceased to be in force. |
| 6 | a credit provider under subsection 6J(1) | the provider requests the information for a securitisation related purpose of the provider in relation to the individual. |
| 7 | a mortgage insurer | the insurer requests the information for a mortgage insurance purpose of the insurer in relation to the individual. |
| 8 | a trade insurer | (a) the insurer requests the information for a trade insurance purpose of the insurer in relation to the individual; and
(b) the individual expressly consents, in writing, to the disclosure of the information to the insurer for that purpose. |
20F(2)
The consent of the individual under paragraph (b) of item 2 of the table in subsection (1) must be given in writing unless:
(a) the credit provider referred to in that item requests the information for the purpose of assessing an application for commercial credit made by a person to the provider; and
(b) the application has not been made in writing.
Prohibition on direct marketing
20G(1)
If a credit reporting body holds credit reporting information about an individual, the body must not use or disclose the information for the purposes of direct marketing.
Civil penalty: 2,000 penalty units.
Permitted use for pre-screening
20G(2)
Subsection (1) does not apply to the use by the credit reporting body of credit information about the individual for the purposes of direct marketing by, or on behalf of, a credit provider if: (a) the provider has an Australian link and is a licensee; and (b) the direct marketing is about consumer credit that the provider provides in Australia; and (c) the information is not consumer credit liability information, repayment history information, or financial hardship information about the individual; and (d) the body uses the information to assess whether or not the individual is eligible to receive the direct marketing communications of the credit provider; and (e) the individual has not made a request under subsection (5); and (f) the body complies with any requirements that are set out in the registered CR code.
20G(3)
In assessing under paragraph (2)(d) whether or not the individual is eligible to receive the direct marketing communications of the credit provider, the credit reporting body must have regard to the eligibility requirements nominated by the provider.
20G(4)
An assessment under paragraph (2)(d) is not credit reporting information about the individual.
Request not to use information for pre-screening
20G(5)
An individual may request a credit reporting body that holds credit information about the individual not to use the information under subsection (2).
20G(6)
If the individual makes a request under subsection (5), the credit reporting body must not charge the individual for the making of the request or to give effect to the request.
Written note of use
20G(7)
If a credit reporting body uses credit information under subsection (2), the body must make a written note of that use.
Civil penalty: 500 penalty units.
Use or disclosure by credit reporting bodies
20H(1)
If a credit reporting body makes a pre-screening assessment in relation to direct marketing by, or on behalf of, a credit provider, the body must not use or disclose the assessment.
Civil penalty: 2,000 penalty units.
20H(2)
Subsection (1) does not apply if:
(a) the credit reporting body discloses the pre-screening assessment for the purposes of the direct marketing by, or on behalf of, the credit provider; and
(b) the recipient of the assessment is an entity (other than the provider) that has an Australian link.
20H(3)
If the credit reporting body discloses the pre-screening assessment under subsection (2), the body must make a written note of that disclosure.
Civil penalty: 500 penalty units.
Use or disclosure by recipients
20H(4)
If the credit reporting body discloses the pre-screening assessment under subsection (2), the recipient must not use or disclose the assessment.
Civil penalty: 1,000 penalty units.
20H(5)
Subsection (4) does not apply if the recipient uses the pre-screening assessment for the purposes of the direct marketing by, or on behalf of, the credit provider.
20H(6)
If the recipient uses the pre-screening assessment under subsection (5), the recipient must make a written note of that use.
Civil penalty: 500 penalty units.
Interaction with the Australian Privacy Principles
20H(7)
If the recipient is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the recipient in relation to a pre-screening assessment.
If an entity has possession or control of a pre-screening assessment, the entity must destroy the assessment if:
(a) the entity no longer needs the assessment for any purpose for which it may be used or disclosed under section 20H; and
(b) the entity is not required by or under an Australian law, or a court/tribunal order, to retain the assessment.
Civil penalty: 1,000 penalty units.
20J(2)
If the entity is an APP entity but not a credit reporting body, Australian Privacy Principle 11.2 does not apply to the entity in relation to the pre-screening assessment.
If:
(a) a credit reporting body holds credit reporting information about an individual; and
(b) the individual believes on reasonable grounds that the individual has been, or is likely to be, a victim of fraud (including identity fraud); and
(c) the individual requests the body not to use or disclose the information under this Division;
then, despite any other provision of this Division, the body must not use or disclose the information during the ban period for the information.
Civil penalty: 2,000 penalty units.
20K(2)
Subsection (1) does not apply if:
(a) the individual expressly consents, in writing, to the use or disclosure of the credit reporting information under this Division; or
(b) the use or disclosure of the credit reporting information is required by or under an Australian law or a court/tribunal order.
Ban period
20K(3)
The ban period for credit reporting information about an individual is the period that:
(a) starts when the individual makes a request under paragraph (1)(c); and
(b) ends:
(i) 21 days after the day on which the request is made; or
(ii) if the period is extended under subsection (4) - on the day after the extended period ends.
20K(4)
if:
(a) there is a ban period for credit reporting information about an individual that is held by a credit reporting body; and
(b) before the ban period ends, the individual requests the body to extend that period; and
(c) the body believes on reasonable grounds that the individual has been, or is likely to be, a victim of fraud (including identity fraud);
the body must:
(d) extend the ban period by such period as the body considers is reasonable in the circumstances; and
(e) give the individual written notification of the extension.
Civil penalty: 1,000 penalty units.
20K(5)
A ban period for credit reporting information may be extended more than once under subsection (4).
No charge for request etc.
20K(6)
If an individual makes a request under paragraph (1)(c) or (4)(b), a credit reporting body must not charge the individual for the making of the request or to give effect to the request.
If:
(a) a credit reporting body holds credit reporting information about an individual; and
(b) the information is a government related identifier of the individual;
the body must not adopt the government related identifier as its own identifier of the individual.
Civil penalty: 2,000 penalty units.
20L(2)
Subsection (1) does not apply if the adoption of the government related identifier is required or authorised by or under an Australian law or a court/tribunal order.
Use or disclosure
20M(1)
If:
(a) a credit reporting body holds credit reporting information; and
(b) the information (the de-identified information ) is de-identified;
the body must not use or disclose the de-identified information.
20M(2)
Subsection (1) does not apply to the use or disclosure of the de-identified information if:
(a) the use or disclosure is for the purposes of conducting research in relation to credit; and
(b) the credit reporting body complies with the rules made under subsection (3).
Commissioner may make rules
20M(3)
The Commissioner may, by legislative instrument, make rules relating to the use or disclosure by a credit reporting body of de-identified information for the purposes of conducting research in relation to credit.
20M(4)
Without limiting subsection (3), the rules may relate to the following matters:
(a) the kinds of de-identified information that may or may not be used or disclosed for the purposes of conducting the research;
(b) whether or not the research is research in relation to credit;
(c) the purposes of conducting the research;
(d) consultation about the research;
(e) how the research is conducted.
A credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit information the body collects is accurate, up-to-date and complete.
20N(2)
A credit reporting body must take such steps as are reasonable in the circumstances to ensure that the credit reporting information the body uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
20N(3)
Without limiting subsections (1) and (2), a credit reporting body must:
(a) enter into agreements with credit providers that require the providers to ensure that credit information that they disclose to the body under section 21D is accurate, up-to-date and complete; and
(b) ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with; and
(c) identify and deal with suspected breaches of those agreements.
Offence
20P(1)
A credit reporting body commits an offence if:
(a) the body uses or discloses credit reporting information under this Division (other than subsections 20D(2) and 20T(4)); and
(b) the information is false or misleading in a material particular.
Penalty: 200 penalty units.
Civil penalty
20P(2)
A credit reporting body must not use or disclose credit reporting information under this Division (other than subsections 20D(2) and 20T(4)) if the information is false or misleading in a material particular.
Civil penalty: 2,000 penalty units.
If a credit reporting body holds credit reporting information, the body must take such steps as are reasonable in the circumstances to protect the information: (a) from misuse, interference and loss; and (b) from unauthorised access, modification or disclosure.
20Q(2)
Without limiting subsection (1), a credit reporting body must: (a) enter into agreements with credit providers that require the providers to protect credit reporting information that is disclosed to them under this Division:
(i) from misuse, interference and loss; and
(b) ensure that regular audits are conducted by an independent person to determine whether those agreements are being complied with; and (c) identify and deal with suspected breaches of those agreements.
(ii) from unauthorised access, modification or disclosure; and
20Q(3)
Without limiting subsection (1), if a credit reporting body holds credit reporting information, the body must store the information: (a) either:
(i) in Australia or an external Territory; or
(b) in accordance with any security requirements prescribed by the regulations.
(ii) in accordance with any security requirements prescribed by the regulations for storing the information outside of Australia and the external Territories; and
Note:
Requirements prescribed for paragraph (b) apply wherever the information is stored.
Access
20R(1)
If a credit reporting body holds credit reporting information about an individual, the body must, on request by an access seeker in relation to the information, give the access seeker access to: (a) the information; and (b) if the body is a corporation to which paragraph 51(xx) of the Constitution applies, and the credit reporting business of the body involves deriving CRB derived information about individuals in the form of a rating (a credit rating ) of the individuals on a credit score scale or range - the information referred to in subsection (1A).
20R(1A)
The information is: (a) the credit rating of the individual, as derived by the body after the request is made; and (b) information that identifies the particular credit information that is held by the body and from which the credit rating was derived; and (c) information about the relative weighting of the credit information described in paragraph (b) in deriving the credit rating; and (d) information about what the other ratings on the scale or rangeare, and how the individual's credit rating relates to those other ratings.
Exceptions to access
20R(2)
Despite subsection (1), the credit reporting body is not required to give the access seeker access to the credit reporting information to the extent that: (a) giving access would be unlawful; or (b) denying access is required or authorised by or under an Australian law or a court/tribunal order; or (c) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or (d) for information referred to in subsection (1A) - the credit information about the individual that is held by the body is insufficient for the body to be able to derive the credit rating of the individual in the ordinary course of its credit reporting business within the period referred to in subsection (3).
Dealing with requests for access
20R(3)
The credit reporting body must respond to the request within a reasonable period, but not longer than 10 days, after the request is made.
Means of access
20R(4)
If the credit reporting body gives access to the credit reporting information, the access must be given in the manner set out in the registered CR code.
Access charges
20R(5)
If a request under subsection (1) in relation to the individual has not been made to the credit reporting body in the previous 3 months, the body must not charge the access seeker for the making of the request or for giving access to the information.
20R(6)
If subsection (5) does not apply, any charge by the credit reporting body for giving access to the information must not be excessive and must not apply to the making of the request.
Refusal to give access
20R(7)
If the credit reporting body refuses to give access to the information because of subsection (2), the body must give the access seeker a written notice that: (a) sets out the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and (b) states that, if the access seeker is not satisfied with the response to the request, the access seeker may:
(i) access a recognised external dispute resolution scheme of which the body is a member; or
(ii) make a complaint to the Commissioner under Part V.
If:
(a) a credit reporting body holds credit reporting information about an individual; and
(b) the body is satisfied that, having regard to a purpose for which the information is held by the body, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading;
the body must take such steps (if any) as are reasonable in the circumstances to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.
20S(2)
If:
(a) the credit reporting body corrects credit reporting information under subsection (1); and
(b) the body has previously disclosed the information under this Division (other than subsections 20D(2) and 20T(4));
the body must, within a reasonable period, give each recipient of the information written notice of the correction.
20S(3)
Subsection (2) does not apply if:
(a) it is impracticable for the credit reporting body to give the notice under that subsection; or
(b) the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
Request
20T(1)
An individual may request a credit reporting body to correct personal information about the individual if:
(a) the personal information is:
(i) credit information about the individual; or
(ii) CRB derived information about the individual; or
(iii) CP derived information about the individual; and
(b) the body holds at least one kind of the personal information referred to in paragraph (a).
Correction
20T(2)
If the credit reporting body is satisfied that the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, the body must take such steps (if any) as are reasonable in the circumstances to correct the information within:
(a) the period of 30 days that starts on the day on which the request is made; or
(b) such longer period as the individual has agreed to in writing.
Consultation
20T(3)
If the credit reporting body considers that the body cannot be satisfied of the matter referred to in subsection (2) in relation to the personal information without consulting either or both of the following (the interested party ):
(a) another credit reporting body that holds or held the information and that has an Australian link;
(b) a credit provider that holds or held the information and that has an Australian link;
the body must consult that interested party, or those interested parties, about the individual's request.
20T(4)
The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
No charge
20T(5)
The credit reporting body must not charge the individual for the making of the request or for correcting the information.
This section applies if an individual requests a credit reporting body to correct personal information under subsection 20T(1).
Notice of correction etc.
20U(2)
If the credit reporting body corrects the personal information under subsection 20T(2), the body must, within a reasonable period:
(a) give the individual written notice of the correction; and
(b) if the body consulted an interested party under subsection 20T(3) about the individual's request - give the party written notice of the correction; and
(c) if the correction relates to information that the body has previously disclosed under this Division (other than subsections 20D(2) and 20T(4)) - give each recipient of the information written notice of the correction.
20U(3)
If the credit reporting body does not correct the personal information under subsection 20T(2), the body must, within a reasonable period, give the individual written notice that:
(a) states that the correction has not been made; and
(b) sets out the body's reasons for not correcting the information (including evidence substantiating the correctness of the information); and
(c) states that, if the individual is not satisfied with the response to the request, the individual may:
(i) access a recognised external dispute resolution scheme of which the body is a member; or
(ii) make a complaint to the Commissioner under Part V.
Exceptions
20U(4)
Paragraph (2)(c) does not apply if it is impracticable for the credit reporting body to give the notice under that paragraph.
20U(5)
Subsection (2) or (3) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
This section applies if:
(a) a credit reporting body holds credit information about an individual; and
(b) the retention period for the information ends.
Note:
There is no retention period for identification information or credit information of a kind referred to in paragraph 6N(k).
Destruction etc. of credit information
20V(2)
The credit reporting body must destroy the credit information, or ensure that the information is de-identified, within 1 month after the retention period for the information ends.
Civil penalty: 1,000 penalty units.
20V(3)
Despite subsection (2), the credit reporting body must neither destroy the credit information nor ensure that the information is de-identified, if immediately before the retention period ends:
(a) there is a pending correction request in relation to the information; or
(b) there is a pending dispute in relation to the information.
Civil penalty: 500 penalty units.
20V(4)
Subsection (2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit information.
Destruction etc. of CRB derived information
20V(5)
The credit reporting body must destroy any CRB derived information about the individual that was derived from the credit information, or ensure that the CRB derived information is de-identified:
(a) if:
(i) the CRB derived information was derived from 2 or more kinds of credit information; and
at the same time that the body does that thing to that credit information; or
(ii) the body is required to do a thing referred to in subsection (2) to one of those kinds of credit information;
(b) otherwise - at the same time that the body is required to do a thing referred to in subsection (2) to the credit information from which the CRB derived information was derived.
Civil penalty: 1,000 penalty units.
20V(6)
Despite subsection (5), the credit reporting body must neither destroy the CRB derived information nor ensure that the information is de-identified, if immediately before the retention period ends:
(a) there is a pending correction request in relation to the information; or
(b) there is a pending dispute in relation to the information.
Civil penalty: 500 penalty units.
20V(7)
Subsection (5) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the CRB derived information.
The following table sets out the retention period for credit information: (a) that is information of a kind referred to in an item of the table; and (b) that is held by a credit reporting body.
| Retention period | ||
| Item | If the credit information is ... | the retention period for the information is ... |
| 1 | consumer credit liability information | the period of 2 years that starts on the day on which the consumer credit to which the information relates is terminated or otherwise ceases to be in force. |
| 2 | repayment history information | the period of 2 years that starts on the day on which the monthly payment to which the information relates is due and payable. |
| 2A | financial hardship information | the period of 1 year that starts on the day on which the monthly payment to which the information relates is due and payable. |
| 3 | information of a kind referred to in paragraph 6N(d) or (e) | the period of 5 years that starts on the day on which the information request to which the information relates is made. |
| 4 | default information | the period of 5 years that starts on the day on which the credit reporting body collects the information. |
| 5 | payment information | the period of 5 years that starts on the day on which the credit reporting body collects the default information to which the payment information relates. |
| 6 | new arrangement information within the meaning of subsection 6S(1) | the period of 2 years that starts on the day on which the credit reporting body collects the default information referred to in that subsection. |
| 7 | new arrangement information within the meaning of subsection 6S(2) | the period of 2 years that starts on the day on which the credit reporting body collects the information about the opinion referred to in that subsection. |
| 8 | court proceedings information | the period of 5 years that starts on the day on which the judgement to which the information relates is made or given. |
| 9 | information of a kind referred to in paragraph 6N(l) | the period of 7 years that starts on the day on which the credit reporting body collects the information. |
The following table has effect:
| Item | If personal insolvency information relates to ... | the retention period for the information is whichever of the following periods ends later ... |
| 1 | a bankruptcy of an individual | (a) the period of 5 years that starts on the day on which the individual becomes a bankrupt;
(b) the period of 2 years that starts on the day the bankruptcy ends. |
| 2 | a personal insolvency agreement to which item 3 of this table does not apply | (a) the period of 5 years that starts on the day on which the agreement is executed;
(b) the period of 2 years that starts on the day the agreement is terminated or set aside under the Bankruptcy Act. |
| 3 | a personal insolvency agreement in relation to which a certificate has been signed under section 232 of the Bankruptcy Act | (a) the period of 5 years that starts on the day on which the agreement is executed;
(b) the period that ends on the day on which the certificate is signed. |
| 4 | a debt agreement to which item 5 of this table does not apply | (a) the period of 5 years that starts on the day on which the agreement is made;
(b) the period of 2 years that starts on the day: (i) the agreement is terminated under the Bankruptcy Act; or (ii) an order declaring that all the agreement is void is made under that Act. |
| 5 | a debt agreement that ends under section 185N of the Bankruptcy Act | (a) the period of 5 years that starts on the day on which the agreement is made;
(b) the period that ends on the day on which the agreement ends. |
Debt agreement proposals
20X(2)
If personal insolvency information relates to a debt agreement proposal, the retention period for the information is the period that ends on the day on which:
(a) the proposal is withdrawn; or
(b) the proposal is not accepted under section 185EC of the Bankruptcy Act; or
(c) the acceptance of the proposal for processing is cancelled under section 185ED of that Act; or
(d) the proposal lapses under section 185G of that Act.
Control of property
20X(3)
If personal insolvency information relates to a direction given, or an order made, under section 50 of the Bankruptcy Act, the retention period for the information is the period that ends on the day on which the control of the property to which the direction or order relates ends.
Note:
See subsection 50(1B) of the Bankruptcy Act for when the control of the property ends.
20X(4)
If the personal insolvency information relates to an authority signed under section 188 of the Bankruptcy Act, the retention period for the information is the period that ends on the day on which the property to which the authority relates is no longer subject to control under Division 2 of Part X of that Act.
Interpretation
20X(5)
An expression used in this section that is also used in the Bankruptcy Act has the same meaning in this section as it has in that Act.
This section applies if:
(a) a credit reporting body holds credit reporting information about an individual; and
(b) the information relates to consumer credit that has been provided by a credit provider to the individual, or a person purporting to be the individual; and
(c) the body is satisfied that:
(i) the individual has been a victim of fraud (including identity fraud); and
(ii) the consumer credit was provided as a result of that fraud.
Destruction of credit reporting information
20Y(2)
The credit reporting body must:
(a) destroy the credit reporting information; and
(b) within a reasonable period after the information is destroyed:
(i) give the individual a written notice that states that the information has been destroyed and sets out the effect of subsection (4); and
(ii) give the credit provider a written notice that states that the information has been destroyed.
Civil penalty: 1,000 penalty units.
20Y(3)
Subsection (2) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, to retain the credit reporting information.
Notification of destruction to third parties
20Y(4)
If:
(a) a credit reporting body destroys credit reporting information about an individual under subsection (2); and
(b) the body has previously disclosed the information to one or more recipients under Subdivision D of this Division;
the body must, within a reasonable period after the destruction, notify those recipients of the destruction and the matters referred to in paragraph (1)(c).
Civil penalty: 500 penalty units.
20Y(5)
Subsection (4) does not apply if the credit reporting body is required by or under an Australian law, or a court/tribunal order, not to give the notification.
This section applies if a credit reporting body holds credit reporting information about an individual and either:
(a) subsection 20V(3) applies in relation to the information; or
(b) subsection 20V(6) applies in relation to the information.
Notification of Commissioner
20Z(2)
The credit reporting body must, as soon as practicable, notify in writing the Commissioner of the matter referred to in paragraph (1)(a) or (b) of this section.
Civil penalty: 1,000 penalty units.
Use or disclosure
20Z(3)
The credit reporting body must not use or disclose the information under Subdivision D of this Division.
Civil penalty: 2,000 penalty units.
20Z(4)
However, the credit reporting body may use or disclose the information under this subsection if:
(a) the use or disclosure is for the purposes of the pending correction request, or pending dispute, in relation to the information; or
(b) the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
20Z(5)
If the credit reporting body uses or discloses the information under subsection (4), the body must make a written note of the use or disclosure.
Civil penalty: 500 penalty units.
Direction to destroy information etc.
20Z(6)
The Commissioner may, by legislative instrument, direct the credit reporting body to destroy the information, or ensure that the information is de-identified, by a specified day.
20Z(7)
If the Commissioner gives a direction under subsection (6) to the credit reporting body, the body must comply with the direction.
Civil penalty: 1,000 penalty units.
20Z(8)
To avoid doubt, section 20M applies in relation to credit reporting information that is de-identified as a result of the credit reporting body complying with the direction.
This section applies if a credit reporting body is not required:
(a) to do a thing referred to in subsection 20V(2) to credit information because of subsection 20V(4); or
(b) to do a thing referred to in subsection 20V(5) to CRB derived information because of subsection 20V(7); or
(c) to destroy credit reporting information under subsection 20Y(2) because of subsection 20Y(3).
Use or disclosure
20ZA(2)
The credit reporting body must not use or disclose the information under Subdivision D of this Division.
Civil penalty: 2,000 penalty units.
20ZA(3)
However, the credit reporting body may use or disclose the information under this subsection if the use or disclosure of the information is required by or under an Australian law or a court/tribunal order.
20ZA(4)
If the credit reporting body uses or discloses the information under subsection (3), the body must make a written note of the use or disclosure.
Civil penalty: 500 penalty units.
Other requirements
20ZA(5)
Subdivision E of this Division (other than section 20Q) does not apply in relation to the use or disclosure of the information.
Note:
Section 20Q deals with the security of credit reporting information.
20ZA(6)
Subdivision F of this Division does not apply in relation to the information.
This Division sets out rules that apply to credit providers in relation to their handling of the following:
If a credit provider is an APP entity, the rules apply in relation to that information in addition to, or instead of, any relevant Australian Privacy Principles.
This Division applies to a credit provider in relation to the following:
(a) credit information;
(b) credit eligibility information;
(c) CRB derived information.
21A(2)
If the credit provider is an APP entity, this Division may apply to the provider in relation to information referred to in subsection (1) in addition to, or instead of, the Australian Privacy Principles.
The object of this section is to ensure that credit providers manage credit information and credit eligibility information in an open and transparent way.
Compliance with this Division etc.
21B(2)
A credit provider must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the provider's functions or activities as a credit provider that: (a) will ensure that the provider complies with this Division and the registered CR code if it binds the provider; and (b) will enable the provider to deal with inquiries or complaints from individuals about the provider's compliance with this Division or the registered CR code if it binds the provider.
Policy about the management of credit information etc.
21B(3)
A credit provider must have a clearly expressed and up-to-date policy about the management of credit information and credit eligibility information by the provider.
21B(4)
Without limiting subsection (3), the policy of the credit provider must contain the following information: (a) the kinds of credit information that the provider collects and holds, and how the provider collects and holds that information; (b) the kinds of credit eligibility information that the provider holds and how the provider holds that information; (c) the kinds of CP derived information that the provider usually derives from credit reporting information disclosed to the provider by a credit reporting body under Division 2 of this Part; (d) the purposes for which the provider collects, holds, uses and discloses credit information and credit eligibility information; (e) how an individual may access credit eligibility information about the individual that is held by the provider; (f) how an individual may seek the correction of credit information or credit eligibility information about the individual that is held by the provider; (g) how an individual may complain about a failure of the provider to comply with this Division or the registered CR code if it binds the provider; (h) how the provider will deal with such a complaint; (i) whether the provider is likely to disclose credit information or credit eligibility information to entities that do not have an Australian link; (j) if the provider is likely to disclose credit information or credit eligibility information to such entities - the countries in which those entities are likely to be located if it is practicable to specify those countries in the policy.
Availability of policy etc.
21B(5)
A credit provider must take such steps as are reasonable in the circumstances to make the policy available: (a) free of charge; and (b) in such form as is appropriate.
Note:
A credit provider will usually make the policy available on the provider's website.
21B(6)
If a person or body requests a copy, in a particular form, of the policy of a credit provider, the provider must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
Interaction with the Australian Privacy Principles
21B(7)
If a credit provider is an APP entity, Australian Privacy Principles 1.3 and 1.4 do not apply to the provider in relation to credit information or credit eligibility information.
Exemption for certain non-participating credit providers
21B(8)
This section does not apply to a non-participating credit provider.
At or before the time a credit provider collects personal information about an individual that the provider is likely to disclose to a credit reporting body, the provider must:
(a) notify the individual of the following matters:
(i) the name and contact details of the body;
(ii) any other matter specified in the registered CR code; or
(b) otherwise ensure that the individual is aware of those matters.
21C(2)
If a credit provider is an APP entity, subsection (1) applies to the provider in relation to personal information in addition to AustralianPrivacy Principle 5.
21C(3)
If a credit provider is an APP entity, then the matters for the purposes of Australian Privacy Principle 5.1 include the following matters to the extent that the personal information referred to in that principle is credit information or credit eligibility information:
(a) that the policy (the credit reporting policy ) of the provider that is referred to in subsection 21B(3) contains information about how an individual may access the credit eligibility information about the individual that is held by the provider;
(b) that the credit reporting policy of the provider contains information about how an individual may seek the correction of credit information or credit eligibility information about the individual that is held by the provider;
(c) that the credit reporting policy of the provider contains information about how an individual may complain about a failure of the provider to comply with this Division or the registered CR code if it binds the provider;
(d) that the credit reporting policy of the provider contains information about how the provider will deal with such a complaint;
(e) whether the provider is likely to disclose credit information or credit eligibility information to entities that do not have an Australian link;
(f) if the provider is likely to disclose credit information or credit eligibility information to such entities - the countries in which those entities are likely to be located if it is practicable to specify those countries in the credit reporting policy.
Prohibition on disclosure
21D(1)
A credit provider must not disclose credit information about an individual to a credit reporting body (whether or not the body's credit reporting business is carried on in Australia).
Civil penalty: 2,000 penalty units.
Permitted disclosure
21D(2)
Subsection (1) does not apply to the disclosure of credit information about the individual if: (a) the credit provider:
(i) is a member of or subject to a recognised external dispute resolution scheme or is prescribed by the regulations; and
(b) the credit reporting body is:
(ii) knows, or believes on reasonable grounds, that the individual is at least 18 years old; and
(i) an agency; or
(c) the information meets the requirements of subsection (3).
(ii) an organisation that has an Australian link; and
Note:
Section 21F limits the disclosure of credit information if there is a ban period for the information.
21D(3)
Credit information about an individual meets the requirements of this subsection if: (a) the information does not relate to an act, omission, matter or thing that occurred or existed before the individual turned 18; and (b) if the information relates to consumer credit or commercial credit - the credit is or has been provided, or applied for, in Australia; and (c) if the information is repayment history information or financial hardship information about the individual:
(i) the credit provider is a licensee or is prescribed by the regulations; and
(ii) the consumer credit to which the information relates is consumer credit in relation to which the provider also discloses, or a credit provider has previously disclosed, consumer credit liability information about the individual to the credit reporting body; and
(d) if the information is default information about the individual:
(iii) the provider complies with any requirements relating to the disclosure of the information that are prescribed by the regulations; and
(i) the credit provider has given the individual a notice in writing stating that the provider intends to disclose the information to the credit reporting body; and
(ii) at least 14 days have passed since the giving of the notice.
21D(4)
Paragraph (3)(a) does not apply to identification information about the individual.
21D(5)
Despite paragraph (3)(a), consumer credit liability information about the individual may relate to consumer credit that was entered into on a day before the individual turned 18, so long as the consumer credit was not terminated, or did not otherwise cease to be in force, on a day before the individual turned 18.
Written note of disclosure
21D(6)
If a credit provider discloses credit information under this section, the provider must make a written note of that disclosure.
Civil penalty: 500 penalty units.
Interaction with the Australian Privacy Principles
21D(7)
If a credit provider is an APP entity, Australian Privacy Principles 6 and 8 do not apply to the disclosure by the provider of credit information to a credit reporting body.
If: (a) a credit provider has disclosed default information about an individual to a credit reporting body under section 21D; and (b) after the default information was disclosed, the amount of the overdue payment to which the information relates is paid;
the provider must, within a reasonable period after the amount is paid, disclose payment information about the amount to the body under that section.
Civil penalty: 500 penalty units.
If: (a) a credit provider discloses to a credit reporting body repayment history information about an individual in relation to a monthly payment under section 21D; and (b) financial hardship information about that individual exists in relation to that monthly payment;
the credit provider must, at the same time, disclose the financial hardship information to the credit reporting body.
Civil penalty: 500 penalty units.
This section applies if:
(a) a credit reporting body holds credit reporting information about an individual; and
(b) a credit provider requests the body to disclose the information to the provider for the purpose of assessing an application for consumer credit made to the provider by the individual, or a person purporting to be the individual; and
(c) the body is not permitted to disclose the information because there is a ban period for the information; and
(d) during the ban period, the provider provides the consumer credit to which the application relates to the individual, or the person purporting to be the individual.
21F(2)
If the credit provider holds credit information about the individual that relates to the consumer credit, the provider must not, despite sections 21D and 21E, disclose the information to a creditreporting body.
Civil penalty: 2,000 penalty units.
21F(3)
Subsection (2) does not apply if the credit provider has taken such steps as are reasonable in the circumstances to verify the identity of the individual.
Prohibition on use or disclosure
21G(1)
If a credit provider holds credit eligibility information about an individual, the provider must not use or disclose the information.
Civil penalty: 2,000 penalty units.
Permitted uses
21G(2)
Subsection (1) does not apply to the use of credit eligibility information about the individual if: (a) the use is for a consumer credit related purpose of the credit provider in relation to the individual; or (b) the use is a permitted CP use in relation to the individual; or (c) both of the following apply:
(i) the credit provider believes on reasonable grounds that the individual has committed a serious credit infringement;
(d) the use is required or authorised by or under an Australian law (other than the consumer data rules) or a court/tribunal order; or (e) the use is a use prescribed by the regulations.
(ii) the provider uses the information in connection with the infringement; or
Permitted disclosures
21G(3)
Subsection (1) does not apply to the disclosure of credit eligibility information about the individual if: (a) the disclosure is a permitted CP disclosure in relation to the individual; or (b) the disclosure is to a related body corporate of the credit provider; or (c) the disclosure is to:
(i) a person for the purpose of processing an application for credit made to the credit provider; or
(d) both of the following apply:
(ii) a person who manages credit provided by the credit provider for use in managing that credit; or
(i) the credit provider believes on reasonable grounds that the individual has committed a serious credit infringement;
(e) both of the following apply:
(ii) the provider discloses the information to another credit provider that has an Australian link, or to an enforcement body; or
(i) the disclosure is for the purposes of a recognised external dispute resolution scheme;
(f) the disclosure is required or authorised by or under an Australian law (other than the consumer data rules) or a court/tribunal order; or (g) the disclosure is a disclosure prescribed by the regulations.
(ii) a credit provider or credit reporting body is a member of or subject to the scheme; or
Note:
See section 21NA for additional rules about the disclosure of credit eligibility information under paragraph (3)(b) or (c).
21G(4)
However, if the credit eligibility information about the individual is, or was derived from, repayment history information or financial hardship information about the individual, the credit provider must not disclose the information under subsection (3).
Civil penalty: 2,000 penalty units.
21G(5)
Subsection (4) does not apply if: (a) the recipient of the credit eligibility information is another credit provider who is a licensee; or (b) the disclosure is a permitted CP disclosure within the meaning of section 21L; or (c) the credit provider discloses the credit eligibility information under paragraph (3)(b), (c), (e) or (f); or (d) the credit provider discloses the credit eligibility information under paragraph (3)(d) to an enforcement body.
Written note of use or disclosure
21G(6)
If a credit provider uses or discloses credit eligibility information under this section, the provider must make a written note of that use or disclosure.
Civil penalty: 500 penalty units.
Interaction with the Australian Privacy Principles
21G(7)
If a credit provider is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the provider in relation to credit eligibility information.
21G(8)
If: (a) a credit provider is an APP entity; and (b) the credit eligibility information is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the provider in relation to the information.
A use by a credit provider of credit eligibility information about an individual is a permitted CP use in relation to the individual if:
(a) the relevant credit reporting information was disclosed to the provider under a provision specified in column 1 of the table for the purpose (if any) specified in that column; and
(b) the provider uses the credit eligibility information for the purpose specified in column 2 of the table.
| Permitted CP uses | ||
| Column 1 | Column 2 | |
| Item | The relevant credit reporting information was disclosed to the credit provider under ... | The credit provider uses the credit eligibility information for ... |
| 1 | item 1 of the table in subsection 20F(1) for the purpose of assessing an application for consumer credit made by the individual to the provider. | (a) a securitisation related purpose of the provider in relation to the individual; or
(b) the internal management purposes of the provider that are directly related to the provision or management of consumer credit by the provider. |
| 2 | item 2 of the table in subsection 20F(1) for a particular commercial credit related purpose of the provider in relation to the individual. | that particular commercial credit related purpose. |
| 3 | item 2 of the table in subsection 20F(1) for the purpose of assessing an application for commercial credit made by a person to the provider. | the internal management purposes of the provider that are directly related to the provision or management of commercial credit by the provider. |
| 4 | item 3 of the table in subsection 20F(1) for a credit guarantee purpose of the provider in relation to the individual. | (a) the credit guarantee purpose; or
(b) the internal management purposes of the provider that are directly related to the provision or management of any credit by the provider. |
| 5 | item 5 of the table in subsection 20F(1). | the purpose of assisting the individual to avoid defaulting on his or her obligations in relation to consumer credit provided by the provider to the individual. |
| 6 | item 6 of the table in subsection 20F(1) for a particular securitisation related purpose of the provider in relation to the individual. | that particular securitisation related purpose. |
Consent
21J(1)
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to another credit provider (the recipient ) for a particular purpose; and
(b) the recipient has an Australian link; and
(c) the individual expressly consents to the disclosure of the information to the recipient for that purpose.
21J(2)
The consent of the individual under paragraph (1)(c):
(a) must be given in writing unless:
(i) the disclosure of the information to the recipient is for the purpose of assessing an application for consumer credit or commercial credit made to the recipient; and
(ii) the application has not been made in writing; and
(b) must be given to the credit provider or recipient.
Agents of credit providers
21J(3)
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the provider is acting as an agent of another credit provider that has an Australian link; and
(b) while the provider is so acting, the provider is a credit provider under subsection 6H(1); and
(c) the provider discloses the information to the other credit provider in the provider's capacity as such an agent.
Securitisation arrangements etc.
21J(4)
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the provider is a credit provider under subsection 6J(1) in relation to credit; and
(b) the credit has been provided by, or is credit for which an application has been made to, another credit provider (the original credit provider ) that has an Australian link; and
(c) the original credit provider is not a credit provider under that subsection; and
(d) the information is disclosed to:
(i) the original credit provider; or
(ii) another credit provider that is a credit provider under that subsection in relation to the credit and that has an Australian link; and
(e) the disclosure of the information is reasonably necessary for:
(i) purchasing, funding or managing, or processing an application for, the credit by means of a securitisation arrangement; or
(ii) undertaking credit enhancement in relation to the credit.
Mortgage credit secured by the same real property
21J(5)
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to another credit provider that has an Australian link; and
(b) both credit providers have provided mortgage credit to the individual in relation to which the same real property forms all or part of the security; and
(c) the individual is at least 60 days overdue in making a payment in relation to the mortgage credit provided by either provider; and
(d) the information is disclosed for the purpose of either provider deciding what action to take in relation to the overdue payment.
Offer to act as a guarantor etc.
21K(1)
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) either:
(i) the provider has provided credit to the individual; or
(ii) the individual has applied to the provider for credit; and
(b) the disclosure is to a person for the purpose of that person considering whether:
(i) to offer to act as a guarantor in relation to the credit; or
(ii) to offer property as security for the credit; and
(c) the person has an Australian link; and
(d) the individual expressly consents to the disclosure of the information to the person for that purpose.
21K(2)
The consent of the individual under paragraph (1)(d) must be given in writing unless:
(a) if subparagraph (1)(a)(i) applies - the application for the credit was not made in writing; or
(b) if subparagraph (1)(a)(ii) applies - the application for the credit has not been made in writing.
Guarantors etc.
21K(3)
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to a person who:
(i) is a guarantor in relation to credit provided by the provider to the individual; or
(ii) has provided property as security for such credit; and
(b) the person has an Australian link; and
(c) either:
(i) the individual expressly consents to the disclosure of the information to the person; or
(ii) if subparagraph (a)(i) applies - the information is disclosed to the person for a purpose related to the enforcement, or proposed enforcement, of the guarantee.
21K(4)
The consent of the individual under subparagraph (3)(c)(i) must be given in writing unless the application for the credit was not made in writing.
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if the disclosure is to a mortgage insurer that has an Australian link for:
(a) a mortgage insurance purpose of the insurer in relation to the individual; or
(b) any purpose arising under a contract for mortgage insurance that has been entered into between the provider and the insurer.
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to a person or body that carries on a business or undertaking that involves the collection of debts on behalf of others; and
(c) the information is disclosed to the person or body for the primary purpose of the person or body collecting payments that are overdue in relation to:
(i) consumer credit provided by the provider to the individual; or
(ii) commercial credit provided by the provider to a person; and
(d) the information is information of a kind referred to in subsection (2).
Note:
See section 21NA for additional rules about the disclosure of credit eligibility information under this subsection.
21M(2)
The information for the purposes of paragraph (1)(d) is:
(a) identification information about the individual; or
(b) court proceedings information about the individual; or
(c) personal insolvency information about the individual; or
(d) if subparagraph (1)(c)(i) applies - default information about the individual if:
(i) the information relates to a payment that the individual is overdue in making in relation to consumer credit that has been provided by the credit provider to the individual; and
(ii) the provider does not hold, or has not held, payment information about the individual that relates to that overdue payment.
Mortgage credit assistance schemes
21N(1)
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to a State or Territory authority; and
(b) the functions or responsibilities of the authority include:
(i) giving assistance (directly or indirectly) that facilitates the provision of mortgage credit to individuals; or
(ii) the management or supervision of schemes or arrangements under which such assistance is given; and
(c) the information is disclosed for the purpose of enabling the authority:
(i) to determine the extent of the assistance (if any) to give in relation to the provision of mortgage credit to the individual; or
(ii) to manage or supervise such a scheme or arrangement.
Assignment of debts owed to credit providers etc.
21N(2)
A disclosure by a credit provider of credit eligibility information about an individual is a permitted CP disclosure in relation to the individual if:
(a) the disclosure is to one or more of the following (the recipient ):
(i) an entity;
(ii) a professional legal adviser of the entity;
(iii) a professional financial adviser of the entity; and
(b) the recipient has an Australian link; and
(c) subsection (3) applies to the information.
21N(3)
This subsection applies to the credit eligibility information if the recipient proposes to use the information:
(a) in the process of the entity considering whether to:
(i) accept an assignment of a debt owed to the credit provider; or
(ii) accept a debt owed to the provider as security for credit provided to the provider; or
(iii) purchase an interest in the provider or a related body corporate of the provider; or
(b) in connection with exercising rights arising from the acceptance of such an assignment or debt, or the purchase of such an interest.
Related bodies corporate and credit managers etc.
21NA(1)
Before a credit provider discloses credit eligibility information under paragraph 21G(3)(b) or (c) to a related body corporate, or person, that does not have an Australian link, the provider must take such steps as are reasonable in the circumstances to ensure that the body or person does not breach the following provisions (the relevant provisions ) in relation to the information:
(a) for a disclosure under paragraph 21G(3)(b) - section 22D;
(b) for a disclosure under paragraph 21G(3)(c) - section 22E;
(c) in both cases - the Australian Privacy Principles (other than Australian Privacy Principles 1, 6, 7, 8 and 9.2).
21NA(2)
If:
(a) a credit provider discloses credit eligibility information under paragraph 21G(3)(b) or (c) to a related body corporate, or person, that does not have an Australian link; and
(b) the relevant provisions do not apply, under this Act, to an act done, or a practice engaged in, by the body or person in relation to the information; and
(c) the body or person does an act, or engages in a practice, in relation to the information that would be a breach of the relevant provisions if those provisions applied to the act or practice;
the act done, or the practice engaged in, by the body or person is taken, for the purposes of this Act, to have been done, or engaged in, by the provider and to be a breach of those provisions by the provider.
Debt collectors
21NA(3)
Before a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link, the provider must take such steps as are reasonable in the circumstances to ensure that the person or body does not breach the Australian Privacy Principles (other than Australian Privacy Principle 1) in relation to the information.
21NA(4)
If:
(a) a credit provider discloses credit eligibility information under subsection 21M(1) to a person or body that does not have an Australian link; and
(b) the Australian Privacy Principles do not apply, under this Act, to an act done, or a practice engaged in, by the person or body in relation to the information; and
(c) the person or body does an act, or engages in a practice, in relation to the information that would be a breach of the Australian Privacy Principles (other than Australian Privacy Principle 1) if those Australian Privacy Principles applied to the act or practice;
the act done, or the practice engaged in, by the person or body is taken, for the purposes of this Act, to have been done, or engaged in, by the provider and to be a breach of those Australian Privacy Principles by the provider.
This section applies if:
(a) a credit provider refuses an application for consumer credit made in Australia:
(i) by an individual; or
(ii) jointly by an individual and one or more other persons (the other applicants ); and
(b) the refusal is based wholly or partly on credit eligibility information about one or more of the following:
(i) the individual;
(ii) a person who is proposing to act as a guarantor in relation to the consumer credit;
(iii) if the application is an application of a kind referred to in subparagraph (a)(ii) - one of the other applicants; and
(c) a credit reporting body disclosed the relevant credit reporting information to the provider for the purposes of assessing the application.
21P(2)
The credit provider must, within a reasonable period after refusing the application, give the individual a written notice that:
(a) states that the application has been refused; and
(b) states that the refusal is based wholly or partly on credit eligibility information about one or more of the persons referred to in paragraph (1)(b); and
(c) if that information is about the individual - sets out:
(i) the name and contact details of the credit reporting body that disclosed the relevant credit reporting information to the provider; and
(ii) any other matter specified in the registered CR code.
A credit provider must take such steps (if any) as are reasonable in the circumstances to ensure that the credit eligibility information the provider collects is accurate, up-to-date and complete.
21Q(2)
A credit provider must take such steps (if any) as are reasonable in the circumstances to ensure that the credit eligibility information the provider uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
21Q(3)
If a credit provider is an APP entity, Australian Privacy Principle 10 does not apply to the provider in relation to credit eligibility information.
Offences
21R(1)
A credit provider commits an offence if:
(a) the provider discloses credit information under section 21D; and
(b) the information is false or misleading in a material particular.
Penalty: 200 penalty units.
21R(2)
A credit provider commits an offence if:
(a) the provider uses or discloses credit eligibility information under this Division; and
(b) the information is false or misleading in a material particular.
Penalty: 200 penalty units.
Civil penalties
21R(3)
A credit provider must not disclose credit information under section 21D if the information is false or misleading in a material particular.
Civil penalty: 2,000 penalty units.
21R(4)
A credit provider must not use or disclose credit eligibility information under this Division if the information is false or misleading in a material particular.
Civil penalty: 2,000 penalty units.
If a credit provider holds credit eligibility information, the provider must take such steps as are reasonable in the circumstances to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
21S(2)
If:
(a) a credit provider holds credit eligibility information about an individual; and
(b) the provider no longer needs the information for any purpose for which the information may be used or disclosed by the provider under this Division; and
(c) the provider is not required by or under an Australian law, or a court/tribunal order, to retain the information;
the provider must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
Civil penalty: 1,000 penalty units.
21S(3)
If a credit provider is an APP entity, Australian Privacy Principle 11 does not apply to the provider in relation to credit eligibility information.
Access
21T(1)
If a credit provider holds credit eligibility information about an individual, the provider must, on request by an access seeker in relation to the information, give the access seeker access to the information.
Exceptions to access
21T(2)
Despite subsection (1), the credit provider is not required to give the access seeker access to the credit eligibility information to the extent that: (a) giving access would be unlawful; or (b) denying access is required or authorised by or under an Australian law or a court/tribunal order; or (c) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Dealing with requests for access
21T(3)
The credit provider must respond to the request within a reasonable period after the request is made.
Means of access
21T(4)
If the credit provider gives access to the credit eligibility information, the access must be given in the manner set out in the registered CR code.
Access charges
21T(5)
If the credit provider is an agency, the provider must not charge the access seeker for the making of the request or for giving access to the information.
21T(6)
If a credit provider is an organisation or small business operator, any charge by the provider for giving access to the information must not be excessive and must not apply to the making of the request.
Refusal to give access
21T(7)
If the provider refuses to give access to the information because of subsection (2), the provider must give the access seeker a written notice that: (a) sets out the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and (b) states that, if the access seeker is not satisfied with the response to the request, the access seeker may:
(i) access a recognised external dispute resolution scheme of which the provider is a member or to which it is subject; or
(ii) make a complaint to the Commissioner under Part V.
Interaction with the Australian Privacy Principles
21T(8)
If a credit provider is an APP entity, Australian Privacy Principle 12 does not apply to the provider in relation to credit eligibility information.
If: (a) a credit provider holds credit information or credit eligibility information about an individual; and (b) the provider is satisfied that, having regard to a purpose for which the information is held by the provider, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading;
the provider must take such steps (if any) as are reasonable in the circumstances to correct the information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.
Notice of correction
21U(2)
If: (a) the credit provider corrects credit information or credit eligibility information under subsection (1); and (b) the provider has previously disclosed the information under:
(i) this Division (other than subsection 21V(4)); or
(ii) the Australian Privacy Principles (other than Australian Privacy Principle 4.2);
the provider must, within a reasonable period, give each recipient of the information written notice of the correction.
21U(3)
Subsection (2) does not apply if: (a) it is impracticable for the credit provider to give the notice under that subsection; or (b) the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
Interaction with the Australian Privacy Principles
21U(4)
If a credit provider is an APP entity, Australian Privacy Principle 13: (a) applies to the provider in relation to credit information or credit eligibility information that is identification information; but (b) does not apply to the provider in relation to any other kind of credit information or credit eligibility information.
Note:
Identification information may be corrected under this section or Australian Privacy Principle 13.
Exemption for certain non-participating credit providers
21U(5)
This section does not apply to a non-participating credit provider.
Request
21V(1)
An individual may request a credit provider to correct personal information about the individual if: (a) the personal information is:
(i) credit information about the individual; or
(ii) CRB derived information about the individual; or
(b) the provider holds at least one kind of the personal information referred to in paragraph (a).
(iii) CP derived information about the individual; and
Correction
21V(2)
If the credit provider is satisfied that the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, the provider must take such steps (if any) as are reasonable in the circumstances to correct the information within: (a) the period of 30 days that starts on the day on which the request is made; or (b) such longer period as the individual has agreed to in writing.
Consultation
21V(3)
If the credit provider considers that the provider cannot be satisfied of the matter referred to in subsection (2) in relation to the personal information without consulting either or both of the following (the interested party ): (a) a credit reporting body that holds or held the information and that has an Australian link; (b) another credit provider that holds or held the information and that has an Australian link;
the provider must consult that interested party, or those interested parties, about the individual's request.
21V(4)
The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
No charge
21V(5)
The credit provider must not charge the individual for the making of the request or for correcting the information.
Interaction with the Australian Privacy Principles
21V(6)
If a credit provider is an APP entity, Australian Privacy Principle 13: (a) applies to the provider in relation to personal information referred to in paragraph (1)(a) that is identification information; but (b) does not apply to the provider in relation to any other kind of personal information referred to in that paragraph.
Note:
Identification information may be corrected under this section or Australian Privacy Principle 13.
Exemption for certain non-participating credit providers
21V(7)
This section does not apply to a non-participating credit provider.
This section applies if an individual requests a credit provider to correct personal information under subsection 21V(1).
Notice of correction etc.
21W(2)
If the credit provider corrects personal information about the individual under subsection 21V(2), the provider must, within a reasonable period: (a) give the individual written notice of the correction; and (b) if the provider consulted an interested party under subsection 21V(3) about the individual's request - give the party written notice of the correction; and (c) if the correction relates to information that the provider has previously disclosed under:
(i) this Division (other than subsection 21V(4)); or
give each recipient of the information written notice of the correction.
(ii) the Australian Privacy Principles (other than Australian Privacy Principle 4.2);
21W(3)
If the credit provider does not correct the personal information under subsection 21V(2), the provider must, within a reasonable period, give the individual written notice that: (a) states that the correction has not been made; and (b) sets out the provider's reasons for not correcting the information (including evidence substantiating the correctness of the information); and (c) states that, if the individual is not satisfied with the response to the request, the individual may:
(i) access a recognised external dispute resolution scheme of which the provider is a member or to which it is subject; or
(ii) make a complaint to the Commissioner under Part V.
Exceptions
21W(4)
Paragraph (2)(c) does not apply if it is impracticable for the credit provider to give the notice under that paragraph.
21W(5)
Subsection (2) or (3) does not apply if the credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notice under that subsection.
This Division sets out rules that apply to affected information recipients in relation to their handling of their regulated information.
If an affected information recipient is an APP entity, the rules apply in relation to the regulated information of the recipient in addition to, or instead of, any relevant Australian Privacy Principles.
The object of this section is to ensure that an affected information recipient manages the regulated information of the recipient in an open and transparent way.
Compliance with this Division etc.
22A(2)
An affected information recipient must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the recipient's functions or activities that:
(a) will ensure that the recipient complies with this Division and the registered CR code if it binds the recipient; and
(b) will enable the recipient to deal with inquiries or complaints from individuals about the recipient's compliance with this Division or the registered CR code if it binds the recipient.
Policy about the management of regulated information
22A(3)
An affected information recipient must have a clearly expressed and up-to-date policy about the recipient's management of the regulated information of the recipient.
22A(4)
Without limiting subsection (3), the policy of the affected information recipient must contain the following information:
(a) the kinds of regulated information that the recipient collects and holds, and how the recipient collects and holds that information;
(b) the purposes for which the recipient collects, holds, uses and discloses regulated information;
(c) how an individual may access regulated information about the individual that is held by the recipient and seek the correction of such information;
(d) how an individual may complain about a failure of the recipient to comply with this Division or the registered CR code if it binds the recipient;
(e) how the recipient will deal with such a complaint.
Availability of policy etc.
22A(5)
An affected information recipient must take such steps as are reasonable in the circumstances to make the policy available:
(a) free of charge; and
(b) in such form as is appropriate.
Note:
An affected information recipient will usually make the policy available on the recipient's website.
22A(6)
If a person or body requests a copy, in a particular form, of the policy of an affected information recipient, the recipient must take such steps as are reasonable in the circumstances to give the person or body a copy in that form.
Interaction with the Australian Privacy Principles
22A(7)
If an affected information recipient is an APP entity, Australian Privacy Principles 1.3 and 1.4 do not apply to the recipient in relation to the regulated information of the recipient.
If an affected information recipient is an APP entity, then the matters for the purposes of Australian Privacy Principle 5.1 include the following matters to the extent that the personal information referred to in that principle is regulated information of the recipient:
(a) that the policy (the credit reporting policy ) of the recipient that is referred to in subsection 22A(3) contains information about how an individual may access the regulated information about the individual that is held by the recipient, and seek the correction of such information;
(b) that the credit reporting policy of the recipient contains information about how an individual may complain about a failure of the recipient to comply with this Division or the registered CR code if it binds the recipient; and
(c) that the credit reporting policy of the recipient contains information about how the recipient will deal with such a complaint.
Prohibition on use or disclosure
22C(1)
If:
(a) a mortgage insurer or trade insurer holds or held personal information about an individual; and
(b) the information was disclosed to the insurer by a credit reporting body or credit provider under Division 2 or 3 of this Part;
the insurer must not use or disclose the information, or any personal information about the individual derived from that information.
Civil penalty: 2,000 penalty units.
Permitted uses
22C(2)
Subsection (1) does not apply to the use of the information if:
(a) for a mortgage insurer - the use is for:
(i) a mortgage insurance purpose of the insurer in relation to the individual; or
(ii) any purpose arising under a contract for mortgage insurance that has been entered into between the credit provider and the insurer; or
(b) for a trade insurer - the use is for a trade insurance purpose of the insurer in relation to the individual; or
(c) the use is required or authorised by or under an Australian law or a court/tribunal order.
Permitted disclosure
22C(3)
Subsection (1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
Interaction with the Australian Privacy Principles
22C(4)
If the mortgage insurer or trade insurer is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the insurer in relation to the information.
22C(5)
If:
(a) the mortgage insurer or trade insurer is an APP entity; and
(b) the information is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the insurer in relation to the information.
Prohibition on use or disclosure
22D(1)
If:
(a) a body corporate holds or held credit eligibility information about an individual; and
(b) the information was disclosed to the body by a credit provider under paragraph 21G(3)(b);
the body must not use or disclose the information, or any personal information about the individual derived from that information.
Civil penalty: 1,000 penalty units.
Permitted use or disclosure
22D(2)
Subsection (1) does not apply to the use or disclosure of the information by the body corporate if the body would be permitted to use or disclose the information under section 21G if the body were the credit provider.
22D(3)
In determining whether the body corporate would be permitted to use or disclose the information under section 21G, assume that the body is whichever of the following is applicable:
(a) the credit provider that has provided the relevant credit to the individual;
(b) the credit provider to which the relevant application for credit was made by the individual.
Interaction with the Australian Privacy Principles
22D(4)
If the body corporate is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the body in relation to the information.
22D(5)
If:
(a) the body corporate is an APP entity; and
(b) the information is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the body in relation to the information.
Prohibition on use or disclosure
22E(1)
If:
(a) a person holds or held credit eligibility information about an individual; and
(b) the information was disclosed to the person by a credit provider under paragraph 21G(3)(c);
the person must not use or disclose the information, or any personal information about the individual derived from that information.
Civil penalty: 1,000 penalty units.
Permitted uses
22E(2)
Subsection (1) does not apply to the use of the information if:
(a) the person uses the information for the purpose for which it was disclosed to the person under paragraph 21G(3)(c); or
(b) the use is required or authorised by or under an Australian law (other than the consumer data rules) or a court/tribunal order.
Permitted disclosure
22E(3)
Subsection (1) does not apply to the disclosure of the information if:
(a) the disclosure is to the credit provider; or
(b) the disclosure is required or authorised by or under an Australian law (other than the consumer data rules) or a court/tribunal order.
Interaction with the Australian Privacy Principles
22E(4)
If the person is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the person in relation to the information.
22E(5)
If:
(a) the person is an APP entity; and
(b) the information is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the person in relation to the information.
Prohibition on use or disclosure
22F(1)
If:
(a) any of the following (the recipient ) holds or held credit eligibility information about an individual:
(i) an entity;
(ii) a professional legal adviser of the entity;
(iii) a professional financial adviser of the entity; and
(b) the information was disclosed to the recipient by a credit provider under subsection 21N(2);
the recipient must not use or disclose the information, or any personal information about the individual derived from that information.
Civil penalty: 1,000 penalty units.
Permitted uses
22F(2)
Subsection (1) does not apply to the use of the information if:
(a) for a recipient that is the entity - the information is used for a matter referred to in subsection 21N(3); or
(b) for a recipient that is the professional legal adviser, or professional financial adviser, of the entity - the information is used:
(i) in the adviser's capacity as an adviser of the entity; and
(ii) in connection with advising the entity about a matter referred to in subsection 21N(3); or
(c) the use is required or authorised by or under an Australian law or a court/tribunal order.
Permitted disclosure
22F(3)
Subsection (1) does not apply to the disclosure of the information if the disclosure is required or authorised by or under an Australian law or a court/tribunal order.
Interaction with the Australian Privacy Principles
22F(4)
If the recipient is an APP entity, Australian Privacy Principles 6, 7 and 8 do not apply to the recipient in relation to the information.
22F(5)
If:
(a) the recipient is an APP entity; and
(b) the information is a government related identifier of the individual;
Australian Privacy Principle 9.2 does not apply to the recipient in relation to the information.
This Division deals with complaints about credit reporting bodies or credit providers.
Individuals may complain to credit reporting bodies or credit providers about acts or practices that may be a breach of certain provisions of this Part or the registered CR code.
If a complaint is made, the respondent for the complaint must investigate the complaint and make a decision about the complaint.
Complaint
23A(1)
An individual may complain to a credit reporting body about an act or practice engaged in by the body that may be a breach of either of the following provisions in relation to the individual:
(a) a provision of this Part (other than section 20R or 20T);
(b) a provision of the registered CR code (other than a provision that relates to that section).
Note:
A complaint about a breach of section 20R or 20T, or a provision of the registered CR code that relates to that section, may be made to the Commissioner under Part V.
23A(2)
An individual may complain to a credit provider about an act or practice engaged in by the provider that may be a breach of either of the following provisions in relation to the individual:
(a) a provision of this Part (other than section 21T or 21V);
(b) a provision of the registered CR code (other than a provision that relates to that section) if it binds the credit provider.
Note:
A complaint about a breach of section 21T or 21V, or a provision of the registered CR code that relates to that section, may be made to the Commissioner under Part V.
Nature of complaint
23A(3)
If an individual makes a complaint, the individual must specify the nature of the complaint.
23A(4)
The complaint may relate to personal information that has been destroyed or de-identified.
No charge
23A(5)
The credit reporting body or credit provider must not charge the individual for the making of the complaint or for dealing with the complaint.
If an individual makes a complaint under section 23A, the respondent for the complaint: (a) must, within 7 days after the complaint is made, give the individual a written notice that:
(i) acknowledges the making of the complaint; and
(b) must investigate the complaint.
(ii) sets out how the respondent will deal with the complaint; and
Consultation about the complaint
23B(2)
If the respondent for the complaint considers that it is necessary to consult a credit reporting body or credit provider about the complaint, the respondent must consult the body or provider.
23B(3)
The use or disclosure of personal information about the individual for the purposes of the consultation is taken, for the purposes of this Act, to be a use or disclosure that is authorised by this subsection.
Decision about the complaint
23B(4)
After investigating the complaint, the respondent must, within the period referred to in subsection (5), make a decision about the complaint and give the individual a written notice that: (a) sets out the decision; and (b) states that, if the individual is not satisfied with the decision, the individual may:
(i) access a recognised external dispute resolution scheme of which the respondent is a member or to which it is subject; or
(ii) make a complaint to the Commissioner under Part V.
23B(5)
The period for the purposes of subsection (4) is: (a) the period of 30 days that starts on the day on which the complaint is made; or (b) such longer period as the individual has agreed to in writing.
This section applies if an individual makes a complaint under section 23A about an act or practice that may breach section 20S or 21U (which deal with the correction of personal information by credit reporting bodies and credit providers).
Notification of complaint etc.
23C(2)
If:
(a) the respondent for the complaint is a credit reporting body; and
(b) the complaint relates to credit information or credit eligibility information that a credit provider holds;
the respondent must, in writing:
(c) notify the provider of the making of the complaint as soon as practicable after it is made; and
(d) notify the provider of the making of a decision about the complaint under subsection 23B(4) as soon as practicable after it is made.
23C(3)
If:
(a) the respondent for the complaint is a credit provider; and
(b) the complaint relates to:
(i) credit reporting information that a credit reporting body holds; or
the respondent must, in writing:
(ii) credit information or credit eligibility information that another credit provider holds;
(c) notify the body or other provider (as the case may be) of the making of the complaint as soon as practicable after it is made; and
(d) notify the body or other provider (as the case may be) of the making of a decision about the complaint under subsection 23B(4) as soon as practicable after it is made.
Notification of recipients of disclosed information
23C(4)
If:
(a) a credit reporting body discloses credit reporting information to which the complaint relates under Division 2 of this Part; and
(b) at the time of the disclosure, a decision about the complaint under subsection 23B(4) has not been made;
the body must, at that time, notify in writing the recipient of the information of the complaint.
23C(5)
If:
(a) a credit provider discloses personal information to which the complaint relates under Division 3 of this Part or under the Australian Privacy Principles; and
(b) at the time of the disclosure, a decision about the complaint under subsection 23B(4) has not been made;
the provider must, at that time, notify in writing the recipient of the information of the complaint.
Exceptions
23C(6)
Subsection (2), (3), (4) or (5) does not apply if:
(a) it is impracticable for the credit reporting body or credit provider to give the notification under that subsection; or
(b) the credit reporting body or credit provider is required by or under an Australian law, or a court/tribunal order, not to give the notification under that subsection.
Offences
24(1)
An entity commits an offence if:
(a) the entity obtains credit reporting information; and
(b) the information is obtained from a credit reporting body; and
(c) the entity is not:
(i) an entity to which the body is permitted to disclose the information under Division 2 of this Part; or
(ii) an access seeker for the information.
Penalty: 200 penalty units.
24(2)
An entity commits an offence if:
(a) the entity obtains credit reporting information; and
(b) the information is obtained from a credit reporting body; and
(c) the information is obtained by false pretence.
Penalty: 200 penalty units.
Civil penalties
24(3)
An entity must not obtain credit reporting information from a credit reporting body if the entity is not:
(a) an entity to which the body is permitted to disclose the information under Division 2 of this Part; or
(b) an access seeker for the information.
Civil penalty: 2,000 penalty units.
24(4)
An entity must not obtain, by false pretence, credit reporting information from a credit reporting body.
Civil penalty: 2,000 penalty units.
Offences
24A(1)
An entity commits an offence if:
(a) the entity obtains credit eligibility information; and
(b) the information is obtained from a credit provider; and
(c) the entity is not:
(i) an entity to which the provider is permitted to disclose the information under Division 3 of this Part; or
(ii) an access seeker for the information.
Penalty: 200 penalty units.
24A(2)
An entity commits an offence if:
(a) the entity obtains credit eligibility information; and
(b) the information is obtained from a credit provider; and
(c) the information is obtained by false pretence.
Penalty: 200 penalty units.
Civil penalties
24A(3)
An entity must not obtain credit eligibility information from a credit provider if the entity is not:
(a) an entity to which the provider is permitted to disclose the information under Division 3 of this Part; or
(b) an access seeker for the information.
Civil penalty: 2,000 penalty units.
24A(4)
An entity must not obtain, by false pretence, credit eligibility information from a credit provider.
Civil penalty: 2,000 penalty units.
The Federal Court or the Federal Circuit and Family Court of Australia (Division 2) may order an entity to compensate a person for loss or damage (including injury to the person's feelings or humiliation) suffered by the person if: (a) either:
(i) a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against the entity for a contravention of a civil penalty provision of this Part; or
(b) that loss or damage resulted from the contravention or commission of the offence.
(ii) the entity is found guilty of an offence against this Part; and
The order must specify the amount of compensation.
25(2)
The court may make the order only if: (a) the person applies for an order under this section; and (b) the application is made within 6 years of the day the cause of action that relates to the contravention or commission of the offence accrued.
25(3)
If the court makes the order, the amount of compensation specified in the order that is to be paid to the person may be recovered as a debt due to the person.
This section applies if: (a) either:
(i) a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against the entity for a contravention of a civil penalty provision of this Part; or
(b) a person has suffered, or is likely to suffer, loss or damage (including injury to the person's feelings or humiliation) as a result of the contravention or commission of the offence.
(ii) an entity is found guilty of an offence against this Part; and
25A(2)
The Federal Court or the Federal Circuit and Family Court of Australia (Division 2) may make such order as the Court considers appropriate against the entity to: (a) compensate the person, in whole or in part, for that loss or damage; or (b) prevent or reduce that loss or damage suffered, or likely to be suffered, by the person.
25A(3)
Without limiting subsection (2), examples of orders the court may make include: (a) an order directing the entity to perform any reasonable act, or carry out any reasonable course of conduct, to redress the loss or damage suffered by the person; and (b) an order directing the entity to pay the person a specified amount to reimburse the person for expenses reasonably incurred by the person in connection with the contravention or commission of the offence; and (c) an order directing the defendant to pay to the person the amount of loss or damage the plaintiff suffered.
25A(4)
The court may make the order only if: (a) the person applies for an order under this section; and (b) the application is made within 6 years of the day the cause of action that relates to the contravention or commission of the offence accrued.
25A(5)
If the court makes an order that the entity pay an amount to the person, the person may recover the amount as a debt due to the person.
The Minister must cause an independent review to be conducted of the operation of this Part.
25B(2)
The persons who conduct the review must complete it, and give the Minister a written report of the review, before 1 October 2024.
25B(3)
The Minister must cause a copy of the report to be tabled in each House of the Parliament within 15 sitting days of that House after the report is given to the Minister.
This Part deals with privacy codes.
Division 2 deals with codes of practice about information privacy, called APP codes. APP code developers or the Commissioner may develop APP codes, which:
If the Commissioner includes an APP code on the Codes Register, an APP entity bound by the code must not breach it. A breach of a registered APP code is an interference with the privacy of an individual.
Division 3 deals with a code of practice about credit reporting, called a CR code. CR code developers or the Commissioner may develop a CR code, which:
If the Commissioner includes a CR code on the Codes Register, an entity bound by the code must not breach it. A breach of the registered CR code is an interference with the privacy of an individual.
Division 4 deals with the Codes Register, guidelines relating to codes and the review of the operation of registered codes.
An APP entity must not do an act, or engage in a practice, that breaches a registered APP code that binds the entity.
A registered APP code is an APP code:
(a) that is included on the Codes Register; and
(b) that is in force.
26B(2)
A registered APP code is a legislative instrument.
26B(3)
Subsection 12(2) (retrospective application of legislative instruments) of the Legislation Act 2003 does not apply to a registered APP code.
Note:
An APP code cannot come into force before it is included on the Codes Register: see paragraph 26C(2)(c).
An APP code is a written code of practice about information privacy.
26C(2)
An APP code must: (a) set out how one or more of the Australian Privacy Principles are to be applied or complied with; and (b) specify the APP entities that are bound by the code, or a way of determining the APP entities that are bound by the code; and (c) set out the period during which the code is in force (which must not start before the day the code is registered under section 26H).
26C(3)
An APP code may do one or more of the following: (a) impose additional requirements to those imposed by one or more of the Australian Privacy Principles, so long as the additional requirements are not contrary to, or inconsistent with, those principles; (b) cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3); (c) deal with the internal handling of complaints; (d) provide for the reporting to the Commissioner about complaints; (e) deal with any other relevant matters.
26C(4)
An APP code may be expressed to apply to any one or more of the following: (a) all personal information or a specified type of personal information; (b) a specified activity, or a specified class of activities, of an APP entity; (c) a specified industry sector or profession, or a specified class of industry sectors or professions; (d) APP entities that use technology of a specified kind.
26C(4A)
Without limiting subsection 33(3A) of the Acts Interpretation Act 1901, an APPcode may provide differently for different: (a) classes of entities; and (b) classes of personal information; and (c) classes of activities of entities.
26C(5)
An APP code is not a legislative instrument.
If a registered APP code covers an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3), this Act applies in relation to the code as if that act or practice were not exempt.
Own initiative
26E(1)
An APP code developer may develop an APP code.
At the Commissioner's request
26E(2)
The Commissioner may, in writing, request an APP code developer to develop an APP code, and apply to the Commissioner for the code to be registered, if the Commissioner is satisfied it is in the public interest for the code to be developed.
26E(3)
The request must:
(a) specify the period within which the request must be complied with; and
(b) set out the effect of section 26A.
26E(4)
The period:
(a) must run for at least 120 days from the date the request is made; and
(b) may be extended by the Commissioner.
26E(5)
The request may:
(a) specify one or more matters that the APP code must deal with; and
(b) specify the APP entities, or a class of APP entities, that should be bound by the code.
26E(6)
Despite paragraph (5)(a), the Commissioner must not require an APP code to cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3). However, the APP code that is developed by the APP code developer may cover such an act or practice.
26E(7)
The Commissioner must make a copy of the request publicly available as soon as practicable after the request is made.
If an APP code developer develops an APP code, the developer may apply to the Commissioner for registration of the code.
26F(2)
Before making the application, the APP code developer must:
(a) make a draft of the APP code publicly available; and
(b) invite the public to make submissions to the developer about the draft within a specified period (which must run for at least 28 days); and
(c) give consideration to any submissions made within the specified period.
26F(3)
The application must:
(a) be made in the form and manner specified by the Commissioner; and
(b) be accompanied by such information as is specified by the Commissioner.
26F(4)
The APP code developer may vary the APP code at any time before the Commissioner registers the code, but only with the consent of the Commissioner.
This section applies if the Commissioner made a request under subsection 26E(2) and either: (a) the request has not been complied with; or (b) the request has been complied with but the Commissioner has decided not to register, under section 26H, the APP code that was developed as requested.
26G(2)
The Commissioner may develop an APP code if the Commissioner is satisfied that it is in public interest to develop the code. However, despite subsection 26C(3)(b), the APP code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).
26G(3)
Before registering the APP code under section 26H, the Commissioner must: (a) make a draft of the code publicly available; and (b) invite the public to make submissions to the Commissioner about the draft within a specified period (which must run for at least 28 days); and (c) give consideration to any submissions made within the specified period.
Minister may give direction
26GA(1)
The Minister may, in writing, direct the Commissioner to develop an APP code if the Minister is satisfied that it is in the public interest: (a) to develop the code; and (b) for the Commissioner to develop the code.
26GA(2)
Without limiting subsection (1), a direction under that subsection may: (a) specify one or more matters that the code must deal with; and (b) specify the APP entities, or a class of APP entities, that are to be bound by the code.
26GA(3)
A direction under subsection (1) is not a legislative instrument.
Commissioner must develop and register code
26GA(4)
The Commissioner must develop and register an APP code if the Minister has given the Commissioner a direction under subsection (1) to develop the code.
Matters covered by code
26GA(5)
Despite paragraph 26C(3)(b), the APP code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).
Consultation etc.
26GA(6)
In developing the APP code, the Commissioner may consult any person the Commissioner considers appropriate.
26GA(7)
Before registering the APP code under section 26H, the Commissioner must: (a) make a draft of the code publicly available; and (b) invite the public to make submissions to the Commissioner about the draft within a specified period (which must run for at least 40 days); and (c) give consideration to any submissions made within the specified period.
Minister may give direction
26GB(1)
The Minister may, in writing, direct the Commissioner to develop an APP code (a temporary APP code ) if the Minister is satisfied that: (a) it is in the public interest:
(i) to develop the code; and
(b) the code should be developed urgently.
(ii) for the Commissioner to develop the code; and
26GB(2)
Without limiting subsection (1), a direction under that subsection may: (a) specify one or more matters that the code must deal with; and (b) specify the APP entities, or a class of APP entities, that should be bound by the code.
26GB(3)
A direction under subsection (1) is not a legislative instrument.
Commissioner must develop and register code
26GB(4)
The Commissioner must develop and register a temporary APP code if the Minister has given the Commissioner a direction under subsection (1) to develop the code.
Matters covered by code
26GB(5)
However, despite paragraph 26C(3)(b), the temporary APP code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).
Consultation etc.
26GB(6)
In developing the temporary APP code, the Commissioner may consult any person the Commissioner considers appropriate.
Period code is in force
26GB(7)
The period set out for the temporary APP code for the purposes of paragraph 26C(2)(c) must not be longer than 12 months.
Note:
Paragraph 26C(2)(c) deals with the period during which the code is in force.
Disallowance
26GB(8)
Section 42 (disallowance) of the Legislation Act 2003 does not apply to a temporary APP code that is a registered APP code.
Note:
A registered APP code is a legislative instrument: see subsection 26B(2).
Children's Online Privacy Code
26GC(1)
The Commissioner must develop an APP code (the Children's Online Privacy Code ) about online privacy for children.
26GC(2)
The other provisions of this Division (including section 26C) apply in relation to the Children's Online Privacy Code subject to this section.
Note:
Section 26C deals with requirements for APP codes generally.
Matters covered by code
26GC(3)
For the purposes of paragraph 26C(2)(a), the Children's Online Privacy Code must set out how one or more of the Australian Privacy Principles are to be applied or complied with in relation to the privacy of children.
26GC(4)
For the purposes of subsections 26C(3) and (4), the Children's Online Privacy Code may provide for one or more of the matters mentioned in those subsections in relation to the privacy of children. However, despite paragraph 26C(3)(b), the code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).
Note:
Codes may provide differently for different things: see subsection 26C(4A).
Entities bound by code
26GC(5)
Subject to subsection (7), an APP entity is bound by the Children's Online Privacy Code if: (a) all of the following apply:
(i) the entity is a provider of a social media service, relevant electronic service or designated internet service (all within the meaning of the Online Safety Act 2021);
(ii) the service is likely to be accessed by children;
(b) the entity is an APP entity, or an APP entity in a class of entities, specified in the code for the purposes of this paragraph.
(iii) the entity is not providing a health service; or
Note:
In relation to subparagraph (a)(ii), see subsection (11).
26GC(6)
Paragraph 26C(2)(b) does not apply in relation to the Children's Online Privacy Code.
Specified entities not bound by code
26GC(7)
Despite subsection (5), an APP entity is not bound by the Children's Online Privacy Code if the entity is an APP entity, or an APP entity in a class of entities, specified in the code for the purposes of this subsection.
Requirements
26GC(8)
In developing the Children's Online Privacy Code, the Commissioner may: (a) consult with:
(i) children; and
(ii) relevant organisations or bodies concerned with children's welfare; and
(iia) industry organisations or bodies representing the interests of one or more entities that may potentially be bound by the Code;
(iii) the eSafety Commissioner; and
(b) consult any other person the Commissioner considers appropriate.
(iv) the National Children's Commissioner; and
26GC(9)
Before registering the Children's Online Privacy Code under section 26H, the Commissioner must: (a) make a draft of the code publicly available; and (b) invite the public to make submissions to the Commissioner about the draft within a specified period (which must run for at least 60 days); and (c) give consideration to any submissions made within the specified period; and (d) consult with:
(i) the eSafety Commissioner; and
(ii) the National Children's Commissioner.
Time by which code must be made
26GC(10)
The Commissioner must develop and register the Children's Online Privacy Code within the period of 24 months beginning on the day the Privacy and Other Legislation Amendment Act 2024 receives the Royal Assent.
Services likely to be accessed by children
26GC(11)
The Commissioner may make written guidelines to assist entities to determine if a service is likely to be accessed by children for the purposes of subparagraph (5)(a)(ii).
26GC(12)
The Commissioner may publish any such guidelines on the Commissioner's website.
26GC(13)
Guidelines under subsection (11) are not a legislative instrument.
If: (a) an application for registration of an APP code is made under section 26F; or (b) the Commissioner develops an APP code under section 26G, 26GA or 26GB; or (c) the Commissioner develops a Children's Online Privacy Code under section 26GC;
the Commissioner may register the code by including it on the Codes Register.
26H(2)
In deciding whether to register the APP code, the Commissioner may: (a) consult any person the Commissioner considers appropriate; and (b) consider the matters specified in any relevant guidelines made under section 26V.
26H(3)
If the Commissioner decides not to register an APP code developed by an APP code developer, the Commissioner must give written notice of the decision to the developer, including reasons for the decision.
The Commissioner may, in writing, approve a variation of a registered APP code:
(a) on his or her own initiative; or
(b) on application by an APP entity that is bound by the code; or
(c) on application by a body or association representing one or more APP entities that are bound by the code.
26J(2)
An application under paragraph (1)(b) or (c) must:
(a) be made in the form and manner specified by the Commissioner; and
(b) be accompanied by such information as is specified by the Commissioner.
26J(3)
If the Commissioner varies a registered APP code on his or her own initiative, then, despite subsection 26C(3)(b), the variation must not deal with an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).
26J(4)
Before deciding whether to approve a variation, the Commissioner must:
(a) make a draft of the variation publicly available; and
(b) consult any person the Commissioner considers appropriate about the variation; and
(c) consider the extent to which members of the public have been given an opportunity to comment on the variation.
26J(5)
In deciding whether to approve a variation, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.
26J(6)
If the Commissioner approves a variation of a registered APP code (the original code ), the Commissioner must:
(a) remove the original code from the Codes Register; and
(b) register the APP code, as varied, by including it on the Register.
26J(7)
If the Commissioner approves a variation, the variation comes into effect on the day specified in the approval, which must not be before the day on which the APP code, as varied, is included on the Codes Register.
26J(8)
An approval is not a legislative instrument.
Note:
The APP code, as varied, is a legislative instrument once it is included on the Codes Register: see section 26B.
The Commissioner may remove a registered APP code from the Codes Register:
(a) on his or her own initiative; or
(b) on application by an APP entity that is bound by the code; or
(c) on application by a body or association representing one or more APP entities that are bound by the code.
26K(2)
An application under paragraph (1)(b) or (c) must:
(a) be made in the form and manner specified by the Commissioner; and
(b) be accompanied by such information as is specified by the Commissioner.
26K(3)
Before deciding whether to remove the registered APP code, the Commissioner must:
(a) consult any person the Commissioner considers appropriate about the proposed removal; and
(b) consider the extent to which members of the public have been given an opportunity to comment on the proposed removal.
26K(4)
In deciding whether to remove the registered APP code, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.
If an entity is bound by the registered CR code, the entity must not do an act, or engage in a practice, that breaches the code.
Note:
There must always be one, and only one, registered CR code at all times after this Part commences: see subsection 26S(4).
The registered CR code is the CR code that is included on the Codes Register.
26M(2)
The registered CR code is a legislative instrument.
26M(3)
Subsection 12(2) (retrospective application of legislative instruments) of the Legislation Act 2003 does not apply to the registered CR code.
A CR code is a written code of practice about credit reporting.
26N(2)
A CR code must:
(a) set out how one or more of the provisions of Part IIIA are to be applied or complied with; and
(b) make provision for, or in relation to, matters required or permitted by Part IIIA to be provided for by the registered CR code; and
(c) bind all credit reporting bodies; and
(d) specify the credit providers that are bound by the code, or a way of determining which credit providers are bound; and
(e) specify any other entities subject to Part IIIA that are bound by the code, or a way of determining which of those entities are bound.
26N(3)
A CR code may do one or more of the following:
(a) impose additional requirements to those imposed by Part IIIA, so long as the additional requirements are not contrary to, or inconsistent with, that Part;
(b) deal with the internal handling of complaints;
(c) provide for the reporting to the Commissioner about complaints;
(d) deal with any other relevant matters.
26N(4)
A CR code may be expressed to apply differently in relation to:
(a) classes of entities that are subject to Part IIIA; and
(b) specified classes of credit information, credit reporting information or credit eligibility information; and
(c) specified classes of activities of entities that are subject to Part IIIA.
26N(5)
A CR code is not a legislative instrument.
The Commissioner may, in writing, request a CR code developer to develop a CR code and apply to the Commissioner for the code to be registered.
26P(2)
The request must:
(a) specify the period within which the request must be complied with; and
(b) set out the effect of section 26L.
26P(3)
The period:
(a) must run for at least 120 days from the date the request is made; and
(b) may be extended by the Commissioner.
26P(4)
The request may:
(a) specify one or more matters that the CR code must deal with; and
(b) specify the credit providers, or a class of credit providers, that should be bound by the code; and
(c) specify the other entities, or a class of other entities, subject to Part IIIA that should be bound by the code.
26P(5)
The Commissioner must make a copy of the request publicly available as soon as practicable after the request is made.
If a CR code developer develops a CR code, the developer may apply to the Commissioner for registration of the code.
26Q(2)
Before making the application, the CR code developer must:
(a) make a draft of the CR code publicly available; and
(b) invite the public to make submissions to the developer about the draft within a specified period (which must run for at least 28 days); and
(c) give consideration to any submissions made within the specified period.
26Q(3)
The application must:
(a) be made in the form and manner specified by the Commissioner; and
(b) be accompanied by such information as is specified by the Commissioner.
26Q(4)
The CR code developer may vary the CR code at any time before the Commissioner registers the code, but only with the consent of the Commissioner.
The Commissioner may develop a CR code if the Commissioner made a request under section 26P and either:
(a) the request has not been complied with; or
(b) the request has been complied with but the Commissioner has decided not to register, under section 26S, the CR code that was developed as requested.
26R(2)
Before registering the CR code under section 26S, the Commissioner must:
(a) make a draft of the code publicly available; and
(b) invite the public to make submissions to the Commissioner about the draft within a specified period (which must run for at least 28 days); and
(c) give consideration to any submissions made within the specified period.
If:
(a) an application for registration of a CR code is made under section 26Q; or
(b) the Commissioner develops a CR code under section 26R;
the Commissioner may register the code by including it on the Codes Register.
26S(2)
In deciding whether to register the CR code, the Commissioner may:
(a) consult any person the Commissioner considers appropriate; and
(b) consider the matters specified in any guidelines made under section 26V.
26S(3)
If the Commissioner decides not to register a CR code developed by a CR code developer, the Commissioner must give written notice of the decision to the developer, including reasons for the decision.
26S(4)
The Commissioner must ensure that there is one, and only one, registered CR code at all times after this Part commences.
The Commissioner may, in writing, approve a variation of the registered CR code:
(a) on his or her own initiative; or
(b) on application by an entity that is bound by the code; or
(c) on application by a body or association representing one or more of the entities that are bound by the code.
26T(2)
An application under paragraph (1)(b) or (c) must:
(a) be made in the form and manner specified by the Commissioner; and
(b) be accompanied by such information as is specified by the Commissioner.
26T(3)
Before deciding whether to approve a variation, the Commissioner must:
(a) make a draft of the variation publicly available; and
(b) consult any person the Commissioner considers appropriate about the variation; and
(c) consider the extent to which members of the public have been given an opportunity to comment on the variation.
26T(4)
In deciding whether to approve a variation, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.
26T(5)
If the Commissioner approves a variation of the registered CR code (the original code ), the Commissioner must:
(a) remove the original code from the Codes Register; and
(b) register the CR code, as varied, by including it on the Register.
26T(6)
If the Commissioner approves a variation, the variation comes into effect on the day specified in the approval, which must not be before the day on which the CR code, as varied, is included on the Codes Register.
26T(7)
An approval is not a legislative instrument.
Note:
The CR code, as varied, is a legislative instrument once it is included on the Codes Register: see section 26M.
View history note