SENATE

Privacy Amendment (Private Sector) Bill 2000

Revised Explanatory Memorandum

(Circulated by authority of the Attorney-General, the Honourable Daryl Williams AM QC MP)

Notes on clauses

Clause 1. Short title

This clause is a formal provision that provides for the Bill, when enacted, to be cited as the Privacy Amendment (Private Sector) Act 2000.

Clause 2. Commencement

2. This clause provides that the Bill, when enacted, will come into operation on the day 12 months after the Bill receives Royal Assent, or 1 July 2001, whichever is later.

Clause 3. Objects

3. This clause sets out the broad policy aims of the amendments contained in this Bill. The main object of the Bill is to establish a comprehensive national privacy scheme for private sector organisations and to do so in a way that meets international concerns and Australia's international obligations relating to privacy recognising, in particular, individuals' interests in protecting their privacy. The clause also recognises that there are important human rights and social interests which compete with privacy, such as the desirability of the free flow of information to the Australian public through the media and otherwise.

Clause 4. Schedule(s)

4. The provisions in the Privacy Act 1988 (hereafter called the Act) are amended or repealed as set out in Schedule 1 of the Bill. Schedule 2 contains amendments to other Acts, and Schedule 3 contains amendments in relation to disclosures to intelligence bodies (the Australian Security Intelligence Organisation and the Australian Secret Intelligence Service).

Schedule 1 - Amendment of the Privacy Act 1988

Item 1. Section 3

5. Item 1 amends existing section 3 of the Act. Section 3 deals with the interaction of the Act with State and Territory laws. While the Bill intends to establish a comprehensive national scheme providing for the appropriate collection, holding, use, correction, disclosure and transfer of personal information by organisations in the private sector, State and Territory laws that make provision for the collection, holding, use, correction, disclosure or transfer of personal information will continue to operate to the extent that they are not inconsistent with the Act.

Item 2. At the end of section 3

6. Item 2 adds a note at the end of section 3 confirming that State and Territory laws will continue to have effect in relation to the interpretation and application of the NPPs.

Item 3. At the end of Part I

7. Item 3 adds a new clause 5B to the Act. New clause 5B describes the extra-territorial operation of the Act. The Act will apply to certain acts and practices of organisations which occur outside Australia. This is to ensure that, as far as practicable and appropriate, the legislation applies in an environment where organisations operate across national boundaries and may move information overseas to use and process it.

8. This provision is also intended to ensure that the provisions of the legislation are not avoided simply by moving personal information overseas. The Act will only apply to acts and practices outside Australia in relation to personal information about Australian citizens or those people whose continued presence in Australia is not subject to a limitation as to time imposed by law. Clause 5B draws a distinction between organisations which have a significant organisational link with Australia and organisations which do not have such an organisational link with Australia but which, nevertheless, carry on business in Australia.

9. Sub-clause 5B(2) sets out those organisations which have a significant organisational link with Australia, for example, a partnership formed in Australia, a trust created in Australia, a body corporate incorporated in Australia or an unincorporated association that has its central management and control in Australia. Where such organisations deal with the personal information of Australians, the Act will apply to all acts and practices outside Australia.

10. Sub-clause 5B(3) deals with organisations that do not have this kind of link with Australia, for example, a foreign corporation. Where these other organisations carry on business in Australia and deal with the personal information of Australians, the Act will apply to acts and practices that occur outside Australia where the organisation collects or holds the personal information in Australia. This is to ensure, for example, that where the personal information of Australians is collected in Australia by a foreign organisation doing business in Australia, the information will be handled appropriately whether it is held by the organisation in Australia or overseas. Where a foreign organisation collects personal information about Australians outside Australia, the Act will only apply if the information is transferred into Australia. Once the information is held in Australia, the Act will apply to acts and practices outside Australia in relation to that information.

11. Where a foreign organisation collects personal information about Australians overseas and holds that information overseas, the Act will not apply except to the extent that NPP 9 applies to the transfer of personal information to that organisation from an organisation in Australia.

12. Sub-clause 5B(4) will allow the Privacy Commissioner to take action overseas in relation to complaints received about acts and practices that occur overseas. Sub-clause 5B(1) provides that approved privacy codes apply in relation to acts and practices that occur overseas. In drawing up codes of practice which provide for complaint procedures, organisations will need to consider the powers of code adjudicators in relation to investigating acts and practices which occur overseas.

Item 4. Subsection 6(1) (definition of annual turnover)

13. Item 4 refers to the definition of "annual turnover" in clause 6DA of the Bill.

Item 5. Subsection 6(1) (definition of approved privacy code)

14. Item 5 inserts a definition of "approved privacy code" in subsection 6(1) of the Act. The term "approved privacy code" is defined to mean a privacy code that has been approved by the Privacy Commissioner under clause 18BB, or a code that has been approved by the Privacy Commissioner under clause 18BB with variations approved by the Commissioner under clause 18BD. "Privacy code" is defined at Item 23 to mean a written code regulating acts and practices that affect privacy.

Item 6. Subsection 6(1) (definition of breach an approved privacy code)

15. Item 6 refers to the definition of "breach an approved privacy code" in clause 6B of the Bill.

Item 7. Subsection 6(1) (definition of breach an Information Privacy Principle)

16. Item 7 refers to the definition of "breach an Information Privacy Principle" in existing subsection 6(2) of the Act.

Item 8. Subsection 6(1) (definition of breach a National Privacy Principle)

17. Item 8 refers to the definition of "breach a National Privacy Principle" in clause 6A of the Bill.

Item 9. Subsection 6(1) (definition of code complaint)

18. Item 9 inserts a definition of "code complaint" in subsection 6(1) of the Act. The term "code complaint" is defined to mean a complaint about an act or practice that (if established) would be an interference with privacy because the act or practice breached an approved privacy code.

Item 10. Subsection 6(1) (definition of Commonwealth contract)

19. Item 10 inserts a definition of "Commonwealth contract" in subsection 6(1) of the Act. The definition covers any contract to which the Commonwealth or an agency is or was a party, under which services are or were provided to a Commonwealth agency. The definition therefore includes contracts that have been completed or terminated. When read with Item 35, the definition also extends to the provision of services by the contracted service provider to other persons in connection with the performance of the Commonwealth agency's functions. When read with the definition of "sub-contractor", a Commonwealth contract extends to the provision of services by sub-contractors.

Item 11. Subsection 6(1) (definition of contracted service provider)

20. Item 11 inserts a definition of "contracted service provider" in subsection 6(1) of the Act. When read with the definitions of "government contract", "Commonwealth contract" and "subcontractor", the definition covers any person who, under a contract with the Commonwealth or an "agency" is or was responsible for the provision of services to a Commonwealth agency, either directly or as a subcontractor. When read with the definitions of "government contract", "State contract" and "subcontractor", the definition covers any person who, under a contract with a State or Territory or State or Territory authority, is or was responsible for the provision of services to a State or Territory authority, either directly or as a subcontractor.

21. The use of the past tense in this definition ensures that the provisions concerning contracted service providers continue even after the completion or termination of the contract. It also ensures that complaints about the acts and practices of contracted service providers under a Commonwealth contract may be taken to the Privacy Commissioner under Part V of the Act about breaches of an NPP or an approved privacy code in relation to personal information held under or for the purposes of a Commonwealth contract even after the completion or termination of the contract.

Item 12. Subsection 6(1) (definition of employee record)

22. Item 12 inserts a definition of "employee record" in subsection 6(1) of the Act. The definition is used in relation to the exemption of acts and practices of organisations in respect of their employee records in sub-clause 7B(3). The term "employee record" is defined to mean a record of personal information relating to the employment of an employee. Examples include health information about the employee and personal information about any or all of the following:

the engagement, training, disciplining or resignation of the employee;
the termination of the employment of the employee;
the terms and conditions of employment of the employee;
the employee's personal and emergency contact details;
the employee's performance or conduct;
the employee's hours of employment;
the employee's salary or wages;
the employee's membership of a professional or trade association;
the employee's trade union membership;
the employee's recreation, long service, sick, personal, maternity, paternity or other leave;
the employee's health information;
the employee's taxation, banking or superannuation affairs.

This list of examples of personal information about the employment of an employee is not intended to be exhaustive.

Item 13. Subsection 6(1) (definition of enforcement body)

23. Item 13 inserts a definition of "enforcement body" in subsection 6(1) of the Act. The definition includes all police services (paragraphs (a) and (h)) and other enforcement bodies such as the National Crime Authority, Australian Customs Service, the Australian Securities and Investment Commission, the NSW Crime Commission, the Independent Commission Against Corruption, the NSW Police Integrity Commission and the Queensland Criminal Justice Commission. Other bodies created to conduct criminal investigations and enquiries (similar to the authorities and bodies named above) may be prescribed as an enforcement body at a later date (paragraph (m)).

24. Bodies other than police services are covered to the extent necessary for the performance of law enforcement functions. Agencies and State bodies are included to the extent they are responsible for administering, or performing a function under, a law that imposes a penalty or sanction (such as the Department of Immigration and Multicultural Affairs) or a prescribed law. Prescription of a law for the purposes of paragraphs (f) and (n) will provide clarification that a body is an enforcement body to the extent that it administers a particular law.

25. Paragraphs (g) and (o) include other agencies and State or Territory authorities in the definition only to the extent that they are responsible for administering laws relating to the protection of the public revenue (such as the Australian Taxation Office).

26. The definition of "enforcement body" is particularly relevant for the purposes of NPP 2.1(h) and NPP 6.1(j) and (k). Organisations may disclose personal information to an enforcement body, by virtue of NPP 2.1(h). NPP 6.1(j) and (k) provide that an individual may be denied access to his or her personal information where it would prejudice activities being carried out by an enforcement body or where an enforcement body has requested that there be no access because providing access would be likely to cause damage to the security of Australia.

Item 14. Subsection 6(1) (definition of generally available publication)

27. Item 14 amends the definition of "generally available publication" in subsection 6(1) of the Act. The amendment refers to publications "however published". It is intended that a reference to "generally available publications" includes documents published both through traditional methods, as well as by electronic means.

Item 15. Subsection 6(1) (definition of government contract)

28. Item 15 inserts a definition of "government contract" in subsection 6(1) of the Act. When read with the definition of "Commonwealth contract" the definition covers any contract with the Commonwealth or an agency under which services are or were provided to a Commonwealth agency. When read with the definition of "State contract" the definition covers any contract with a State or Territory or State or Territory authority or an agency under which services are or were provided to that State or Territory.

Item 16. Subsection 6(1) (definition of health information)

29. Item 16 inserts a definition of "health information" in subsection 6(1) of the Act. The definition identifies three types of information that are health information.

30. Paragraph (a) of the definition of health information covers "personal information" (currently defined in subsection 6(1) of the Act) that also has the characteristic of being information or an opinion about any of the following three subjects:

the health or disability (at any time) of an individual. It is intended that this may include information or opinion about an individual's previous or future physical, mental or psychological health.
an individual's expressed wishes about the future provision of health services. This is information of a type that may be found, for instance, in enduring powers of attorney.
a health service provided, or to be provided, to an individual. This is intended to capture, for example, information that an individual has received a particular type of treatment. The definition of health service is set out at Item 17.

31. Whilst paragraph (a) of the definition covers information about an individual's genetic make-up, the NPPs are not intended to specifically address the complex privacy issues that arise in respect of the handling of genetic information.

32. Paragraph (b) of the definition of health information covers other personal information (that is, information of a type not covered by paragraph (a)) collected to provide, or in providing, a health service. It is considered that the sensitive context in which such information is provided merits its protection as "health information". This personal information may be about the recipient of the health service (for example, the recipient's financial circumstances) or about another individual (for example, the contact details of the recipient's next of kin).

33. Paragraph (c) of the definition covers other personal information (that is, information of a type not covered by paragraphs (a) or (b)) collected in connection with the donation or intended donation by the individual of his or her body parts, organs or body substances, including blood or bone marrow. Paragraph (c) is intended to capture personal information collected by, for example, pathology services.

34. The definition is not intended to cover information or an opinion about the professional practices of a health service provider whose identity is apparent, or can reasonably be ascertained, from the information or opinion. This type of information is, however, protected under the NPPs as "personal information".

35. This definition is relevant to determining the type of personal information that is subject to the additional protection in the NPPs for "health information". It also enables organisations to ascertain the type of personal information that is "sensitive information" ("health information" is defined as a category of "sensitive information").

Item 17. Subsection 6(1) (definition of health service)

36. Item 17 inserts a definition of "health service" in subsection 6(1) of the Act. The term "health service" is defined to mean either of two activities. Under paragraph (a), a health service is an activity performed in relation to an individual that is intended or claimed by the individual or the person performing it to have one of three purposes:

to assess, record, maintain or improve the individual's health;
to diagnose the individual's illness or disability; or
to treat the individual's illness or disability, whether actual or suspected.

37. Under paragraph (b), a health service is defined to mean the dispensing or prescription of a drug or medicinal preparation by a pharmacist. This is recognised as a sensitive context in which health information is handled. The activity of dispensing is expressly included within the definition because it may be difficult to claim that it is an activity that has one of the three purposes set out in paragraph (a).

38. It is intended that this definition cover disability, aged care or palliative care services and activities for which a Medicare rebate is unavailable (eg, cosmetic surgery) provided that such activities are intended or claimed to meet one of these purposes. The definition is also intended to cover the provision of a health product that is part of, or incidental to, the provision of a health service (for example, the administering of a vaccine). However, the definition is not intended to cover the provision of a health product that occurs independently from the provision of a health service. For example, the mere obtaining of non-prescription drugs or medicinal products from a pharmacist or supermarket is not intended to be considered a health service.

39. This definition is relevant to determining what types of personal information fall within the meaning of sub-paragraphs (a)(ii) and (iii) and paragraph (b) of the definition of "health information" in Item 16. This definition is also relevant to the operation of NPP 10.2, NPP 10.3 and NPP 2.4. These sub-principles concern the collection and disclosure of health information in the context of a "health service".

Item 19. Subsection 6(1) (definition of media organisation)

40. Item 19 inserts a definition of "media organisation" in subsection 6(1) of the Act. The term "media organisation" is defined to mean an organisation whose activities consist of or include the collection, preparation for dissemination or dissemination of specified material for the purpose of making it available to the public. The specified material must have the character of, or consist of commentary or opinion on, or analysis of, news, current affairs, information or a documentary. For example, an organisation that is primarily engaged in promoting and protecting the environment may still be a media organisation for the purposes of the Bill if part of its activities consist of disseminating news and other information about the environment and related issues to the Australian public.

Item 20. Subsection 6(1) (definition of National Privacy Principle)

41. Item 20 inserts a definition of "National Privacy Principle" in subsection 6(1) of the Act. The term "National Privacy Principle" is defined to mean a principle contained in Schedule 3.

Item 21. Subsection 6(1) (definition of NPP complaint)

42. Item 21 inserts a definition of "NPP complaint" in subsection 6(1) of the Act. The term "NPP complaint" is defined to mean a complaint about an act or practice that (if established) would be an interference with privacy because the act or practice breached an NPP.

Item 22. Subsection 6(1) (definition of organisation)

43. Item 22 refers to the definition of "organisation" in clause 6C of the Bill.

Item 22A. Subsection 6(1) (definition of principal executive)

44. Item 22A inserts a definition of "principal executive" in subsection 6(1) of the Act. "Principal executive" is defined to have the same meaning as it has in section 37 of the Act.

Item 23. Subsection 6(1) (definition of privacy code)

45. Item 23 inserts a definition of "privacy code" in subsection 6(1) of the Act. The term "privacy code" is defined to mean a written code regulating acts and practices that affect privacy.

Item 24. Subsection 6(1) (at the end of paragraphs (a), (d), (e) and (f) of the definition of record)

46. Item 24 amends the existing definition of "record" by inserting "or" at the end of the paragraphs (a), (d), (e) and (f). This makes it clear that a record is any of the things listed in paragraphs (a) to (c), but not any one of the things listed in paragraphs (d) to (h).

Item 25. Subsection 6(1) (after paragraph (f) of the definition of record)

47. Item 25 amends the existing definition of "record" by inserting a new paragraph (fa) after existing paragraph (f) of the definition. The paragraph exempts from the definition of "record" any records that are in the custody of the Archives and in relation to which the Archives has entered into arrangements concerning access to those records, with a person other than a Commonwealth institution. The effect of this amendment is that the Information Privacy Principles do not apply to the Archives in respect of such records.

Item 26. Subsection 6(1) (definition of registered political party)

48. Item 26 inserts a definition of "registered political party" in subsection 6(1) of the Act. The term "registered political party" is defined to mean a political party registered under Part XI of the Commonwealth Electoral Act 1918. A "registered political party" is not an organisation for the purposes of the Act (see definition of "organisation" in clause 6C).

Item 27. Subsection 6(1) (definition of sensitive information)

49. Item 27 inserts a definition of "sensitive information" in subsection 6(1) of the Act. The definition is based on that used in the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data and the Privacy Commissioner's National Principles for the Fair Handling of Personal Information. "Sensitive information" is a subset of personal information. It is defined to mean information or an opinion about an individual's: racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices; criminal record; or health information.

50. This definition is applicable to the operation of a number of provisions. It is relevant in determining the type of personal information that is subject to additional protection under the NPPs that deal with "sensitive information". That additional protection includes NPP 10 (which limits the collection of sensitive information) and the exclusion of "sensitive information" from NPP 2.1(c). Moreover, the definition operates to limit the types of personal information which, under clause 13B, can be collected or disclosed between related bodies corporate without being an interference with the privacy of an individual.

Item 28. Subsection 6(1) (definition of small business)

51. Item 28 refers to the definition of "small business" in clause 6D of the Bill.

Item 29. Subsection 6(1) (definition of small business operator)

52. Item 29 refers to the definition of "small business operator" in clause 6D of the Bill.

Item 30. Subsection 6(1) (definition of State contract)

53. Item 30 inserts a definition of "State contract" in subsection 6(1) of the Act. The definition covers any contract to which a State or Territory or State or Territory authority is or was a party, under which services are or were provided to a State or Territory authority. The definition therefore includes contracts that have been completed or terminated. When read with Item 35, the definition also extends to the provision of services by the contracted service provider to other persons in connection with the performance of the State or Territory authority's functions. When read with the definition of "sub-contractor", a State contract extends to the provision of services by sub-contractors.

Item 31. Subsection 6(1) (definition of State or Territory authority)

54. Item 31 refers to the definition of "State or Territory authority" in clause 6C of the Bill.

Item 32. Subsection 6(1) (definition of subcontractor)

55. Item 32 inserts a definition of "subcontractor" in subsection 6(1) of the Act. It covers a person who, under a subcontract, is or was responsible for the provision of services to a Commonwealth agency, a State or Territory authority, or a contracted service provider. The definition is necessary to allow for the coverage of subcontractors as contracted service providers. As the definition of "contracted service provider" includes a "subcontractor", the effect of this definition is to apply coverage to all subsequent subcontractors responsible for the provision of services for the purposes of a government contract.

Item 33. Subsection 6(1) (definition of temporary public interest determination)

56. Item 33 inserts a definition of "temporary public interest determination" in subsection 6(1) of the Act. The term "temporary public interest determination" is defined to mean a determination made under clause 80A of the Bill.

Item 34. At the end of subsection 6(7)

57. Item 34 inserts new paragraphs 6(7)(c), (d), (e) and (f). Currently subsection 6(7) provides that complaints may be both a file number complaint and an IPP complaint or a credit reporting complaint.

58. Paragraph 6(7)(c) provides that a complaint may be both a file number complaint and a code complaint. Paragraph 6(7)(d) provides that a complaint may be both a file number complaint and an NPP complaint. Paragraph 6(7)(e) provides that a complaint may be both a code complaint and a credit reporting complaint. Paragraph 6(7)(f) provides that a complaint may be both an NPP complaint and a credit reporting complaint.

59. Organisations that handle credit information and tax file numbers are still required to comply with the NPPs (or approved privacy code). It is possible, therefore, that there may be more than one adverse finding against an organisation, where an investigator finds that more than one set of standards has been breached. A complaint about a bank mishandling credit information may, for example, also involve an investigation into whether the bank complied with its obligations under the NPPs (or, where the bank has a privacy code approved by the Privacy Commissioner, whether the bank complied with its obligations under that code).

Item 35. Subsection 6(8)

60. Item 35 repeals current subsection 6(8) and inserts two new sub-clauses 6(8) and (9). Currently subsection 6(8) determines the question of whether one corporation is related to another corporation in the same way as the question is determined under the Companies Act 1981. The new sub-clause 6(8) states that the question of whether one body corporate is related to another body corporate is to be determined in the same way as the question is determined under the Corporations Law. The definition is relevant to the credit reporting provisions (specifically sections 18N and 18Q) and in the interpretation of clause 13B, which exempts certain acts and practices from being interferences with privacy when information is collected from and disclosed by related bodies corporate.

61. Sub-clause 6(9) defines what services provided to an agency or State or Territory authority means. New sub-clause 6(9) ensures that "services provided to an agency or a State or Territory authority" (relevant to the definitions of "Commonwealth contract", "contracted service provider", "state contract" and "subcontractor") include the provision of services to third parties on behalf of an agency or a State or Territory authority.

Item 36. After section 6

62. Item 36 inserts new clauses 6A, 6B, 6C, 6D, 6E and 6F. New clause 6A covers what it means to breach an NPP. Sub-clause 6A(1) provides that a "breach of a National Privacy Principle" means an act or practice contrary to or inconsistent with that NPP. Sub-clauses 6A(2), (3) and (4) list the circumstances in which an act or practice will not be a breach of an NPP. Sub-clause 6A(5) provides that these sub-clauses have effect despite sub-clause 6A(1).

63. Sub-clause 6A(2) relates to contracted service providers. The sub-clause provides that an act or practice will not breach an NPP if it is done, or engaged in, by an organisation that is a contracted service provider for a Commonwealth contract, it is for the purpose of meeting obligations under that contract and it is authorised by a provision of the contract that is inconsistent with the NPP. The effect of this provision is that a privacy clause in a Commonwealth contract that is inconsistent with an NPP will prevail over that NPP. If a clause in a Commonwealth contract is consistent with an NPP or there is no corresponding clause in the Commonwealth contract, an NPP will apply to the contracted service provider and the general rule regarding breach of an NPP will apply.

64. Sub-clause 6A(3) relates to the provision of information to the Archives. It confirms that disclosing personal information contained in a record to the Archives is allowed (that is, it will not be a breach of the NPPs), where the disclosure is solely for the purpose of enabling the Archives to consider whether or not to accept custody of the record.

65. Sub-clause 6A(4) provides that an act or practice which occurs outside Australia does not breach an NPP if the act or practice is required by an applicable law of a foreign jurisdiction. This provision is intended to ensure that the extra-territorial operation of the Act does not require organisations to act in contravention of laws operating in the country in which the act or practice occurs.

66. New clause 6B covers what it means to breach an approved privacy code. Sub-clause 6B(1) provides that a "breach of an approved privacy code" means an act or practice contrary to or inconsistent with that approved privacy code. An approved privacy code is defined in subsection 6(1) to mean a privacy code that has been approved by the Privacy Commissioner after consideration of the matters in clause 18BB.

67. Sub-clauses 6B(2), (3) and (4) list the circumstances in which an act or practice will not be a breach of an approved privacy code. Sub-clause 6A(5) provides that these sub-clauses have effect despite sub-clause 6A(1).

68. Sub-clause 6B(2) relates to organisations that are contracted service providers. The sub-clause provides that an act or practice will not breach an approved privacy code if it is done, or engaged in, by an organisation that is a contracted service provider for a Commonwealth contract, it is for the purpose of meeting obligations under that contract and it is authorised by a provision of the contract that is inconsistent with that approved privacy code. The effect of this provision is that a privacy clause in a Commonwealth contract that is inconsistent with an approved privacy code will prevail over that code. If a clause in a Commonwealth contract is consistent with the code or there is no corresponding clause in the Commonwealth contract, an approved privacy code will apply to the contracted service provider and the general rule regarding breach of a code will apply.

69. Sub-clause 6B(3) relates to the provision of information to the Archives. It confirms that disclosing personal information contained in a record to the Archives is allowed (that is, it will not be a breach of an approved privacy code), where the disclosure is solely for the purpose of enabling the Archives to consider whether or not to accept custody of the record.

70. Sub-clause 6B(4) provides that an act or practice which occurs outside Australia does not breach an approved privacy code if the act or practice is required by an applicable law of a foreign jurisdiction. This provision is intended to ensure that the extra-territorial operation of the Act does not require organisations to act in contravention of laws operating in the country in which the act or practice occurs.

71. New clause 6C inserts a definition of "organisation". The term "organisation" defines the range of private sector bodies and persons to whose acts and practices the Bill applies. An "organisation" must not do acts or engage in practices that breach an approved privacy code or, to the extent that an organisation is not bound by an approved privacy code, the NPPs.

72. "Organisation" is defined in sub-clause 6C(1) to mean an individual, a body corporate, a partnership, any other unincorporated association, or a trust, but does not include a small business operator (as defined in clause 6D); an agency (an agency is already required to comply with the Information Privacy Principles); a registered political party (as defined in subsection 6(1)); a State or Territory authority (as defined in sub-clause 6C(3)); or a State or Territory instrumentality that has been prescribed as such by regulation in accordance with the requirements in sub-clause 6C(4). In this clause a reference to State does not include the Australian Capital Territory or the Northern Territory (sub-clause 6C(5)). Sub-clause 6C(2) confirms that a legal person may have a number of different capacities in which the person does things.

73. Sub-clause 6C(3) defines a "State or Territory authority". State or Territory authorities are, in general terms, defined to mean people or bodies that are part of the State or Territory public sector (eg: Ministers, Departments and Courts. Local Government Councils will generally fall within the definition at paragraph 6C(3)(c)). It is not intended to regulate the acts and practices of a State or Territory public sector. This is left for the States and Territories to regulate. State or Territory statutory corporations are excluded from the coverage of the Bill by virtue of paragraph 6C(3)(c), but Government Business Enterprises that are Corporations Law corporations will be covered unless they are prescribed in accordance with sub-clause 6C(4).

74. Sub-clause 6C(4) describes the process for making regulations that stop State or Territory instrumentalities from being organisations (if a State or Territory instrumentality is not an organisation, its acts and practices are not regulated by the Bill). One of the purposes of this sub-clause is to recognise that Commonwealth regulation of a State or Territory instrumentality (for example a Corporations Law company, society or association) that performs core government functions is inappropriate, if such regulation would curtail the capacity of the State or Territory to function as a government. Before the Governor-General may make regulations prescribing a State or Territory instrumentality, the Minister must be satisfied that the State or Territory has requested that the instrumentality be prescribed as such and must then consider several matters listed in subparagraphs 6C(4)(b)(i), (ii) and (iii). The Minister is, under paragraph 6C(4)(b), required to consider whether the government of a State or Territory would be adversely affected if a particular instrumentality was regulated by the Bill and, in consultation with the Privacy Commissioner, the desirability of regulating the handling of personal information by the instrumentality through the Bill and whether a law of a State or Territory would regulate the handling of personal information by the instrumentality to a standard at least equivalent to the standard in the Bill.

75. Clauses 6D, 6DA, 6E and 6EA describe how the Bill applies to small businesses. By virtue of the definition of "organisation" at Clause 6C, "small business operators" are not organisations and are consequently exempt from the operation of the Bill. Clause 6D describes what a small business is and when a small business is a "small business operator". Some small businesses (those small businesses that engage in acts or practices that pose a particular risk to the privacy of individuals) will not be small business operators and will therefore remain subject to the provisions of the Bill.

76. Sub-clause 6D(1) provides that a business is a small business during a financial year if its annual turnover for the previous financial year was $3 million or less. Sub-clause 6D(2) provides that a business which was not carried on in a previous financial year is a small business only if its annual turnover for the current year is $3 million or less. The method by which annual turnover is calculated for a previous year or projected for a current year is set out in sub-clause 6DA(2).

77. Sub-clause 6D(3) provides that a small business operator is an individual, body corporate, partnership, unincorporated association or trust that carries on one or more small businesses but does not carry on a business that is not a small business. This definition is designed to ensure that a large enterprise that, among other things, carries on a business that would fall within the definition of small business, cannot benefit from being characterised as a small business operator.

78. Sub-clause 6D(4) outlines the circumstances in which a small business is prevented from being a "small business operator" and therefore unable to rely on the exemption for small business operators. Small businesses that fall within paragraphs 6D(4)(a), (b), (c), (d) or (e) are not small business operators for the purpose of the Bill. They are organisations for the purposes of the Bill and are therefore subject to its provisions.

79. Paragraph 6D(4)(a) provides that an individual, body corporate, partnership, unincorporated association or trust is not a small business operator if, for a financial year that has ended after the business was started or the commencement of this section (whichever is later), the business has an annual turnover of more than $3 million. This means that an entity will not be a small business operator if it carries on a business that has had an actual annual turnover of more than $3 million in a previous financial year. The reference to a financial year that has ended means that a new small business that is required to project its annual turnover in accordance with new sub-clause 6DA(2) will not be denied the status of a small business operator only because its projected annual turnover exceeds $3 million.

80. Paragraph 6D(4)(b) provides that a small business that provides a health service and holds health information, except in an employee record, is not a small business operator.

81. Paragraph 6D(4)(c) provides that a small business that discloses personal information about another individual to anyone else for service, benefit or advantage is not a small business operator. Conversely, paragraph 6D(4)(d) provides that a small business that provides a benefit, service or advantage to collect personal information about another individual from anyone else is not a small business operator. Sub-clauses 6D(7) and 6D(8) qualify paragraphs 6D(4)(c) and (d) where the personal information is disclosed or collected with the consent of the individual concerned or as required or authorised by or under legislation. Paragraph 6D(4)(e) provides that a contracted service provider for a Commonwealth contract is not a small business operator.

82. Sub-clause 6D(5) confirms that an individual will not be prevented from being a small business operator merely because he or she does something described in paragraphs 6D(4)(b), (c) or (d) otherwise than in the course of carrying on his or her business and only for the purposes of or in connection with his or her personal, family or household affairs.

83. Sub-clause 6D(6) confirms that a body corporate, partnership, unincorporated association or trust will not be prevented from being a small business operator because it does something described in paragraphs 6D(4)(b), (c) or (d) otherwise than in the course of carrying on its business.

84. Sub-clause 6D(7) provides that paragraph 6D(4)(c) of the Bill will not have the effect of denying a small business the status of a "small business operator" only because the small business discloses personal information about another individual with the consent of the individual or as required or authorised by or under legislation.

85. Sub-clause 6D(8) provides that paragraph 6D(4)(d) of the Bill will not have the effect of denying a small business the status of "small business operator" only because the small business provides a benefit, service or advantage to be allowed to collect personal information from an individual with the consent of the individual or as required or authorised by or under legislation.

86. Sub-clause 6D(9) provides that a body corporate that carries on a small business is not a "small business operator" if it is related to a body corporate that carries on a business that is not a small business. This means that a small business that is part of a corporate group which includes a large business will not be able to take advantage of the small business exemption.

87. Sub-clause 6DA(1) defines the "annual turnover" of a business for a financial year as the total of: the proceeds of sales of goods and/or services; commission income; repair and service income; rent, leasing and hiring income; government bounties and subsidies; interest, royalties and dividends; and other operating income earned in the year in the course of business. The note to sub-clause 6DA(1) clarifies that, in general, a business's annual turnover calculated in accordance with clause 6DA will equate to the total of the instalment income the business notifies to the Commissioner of Taxation on its Business Activity Statements over the course of the financial year. It is intended that, in most cases, a business will be able to use the calculations on its Business Activity Statements to demonstrate its annual turnover for the purposes of clause 6DA.

88. Sub-clause 6DA(2) sets out a formula to project the annual turnover of a business that has been carried on for only part of a financial year. The annual turnover for such a business is determined by multiplying the amount of turnover that has been generated in the course of business during the part year by the number of days in the whole financial year divided by the number of days in the relevant part of the financial year.

89. Clause 6E allows regulations to be made prescribing small business operators and particular acts and practices of small business operators. Once prescribed, the Bill will apply (with the prescribed modifications, if any) to the small business operator, either in relation to all of the small business operator's acts and practices or the particular acts and practices that were prescribed, as if the small business operator were an organisation. The regulations may also prescribe small business operators, or acts and practices of small business operators, by reference to a particular class of small business operator (for example, "used car dealers"), or class of act or practice of small business operators (for example, the act of collecting information about the religion of customers). Under sub-clause 6E(3), modifications include additions, omissions and substitutions.

90. Sub-clause 6E(4) provides that before the Governor-General may make regulations under clause 6E, the Minister must be satisfied that it is in the public interest to regulate the small business operator (or act or practice) in question, and must consult the Privacy Commissioner about the desirability of regulating the small business operator, act or practice.

91. Clause 6EA allows a small business operator to elect to be treated as if it were an organisation and subject to the provisions of the Bill. Sub-clause 6EA(2) provides that such a choice must be made in writing and given to the Privacy Commissioner. Sub-clause 6EA(3) provides that if the Privacy Commissioner is satisfied that a small business operator has made a choice to "opt-in" to the privacy scheme in the Bill under sub-clause 6EA(2), he or she must enter the name or names under which the operator carries on business and the operator's Australian Business Number (if it has one) in a register. The small business operator would then be treated as if it were an organisation (and covered by the Bill) from the date of registration.

92. A small business operator may revoke a choice under sub-clause 6EA(2) by notice given in writing to the Privacy Commissioner. If a revocation is made, sub-clause 6EA(4) requires the Privacy Commissioner to remove the name of the operator from the register.

93. Sub-clause 6EA(5) provides that the Privacy Commissioner may decide the form of the register and how it is to be kept. For example, the Privacy Commissioner may choose to maintain an electronic database which is accessible via the Internet. The aim of the register is to make it easy to establish which small business operators have opted in to the privacy scheme in the Bill, and the date from which those operators are required to comply with the scheme.

94. Sub-clause 6EA(6) requires the Privacy Commissioner to make the register available to the public but prevents the Privacy Commissioner from releasing publicly any information about a business other than the name or names under which it trades and its Australian Business Number.

95. Clause 6F allows a State or Territory instrumentality that has been prescribed (and is therefore no longer an organisation for the purpose of the Bill) to opt back in to coverage by the Bill in a modified way. In such a case, the Bill would apply to regulate the handling of personal information (with the prescribed modifications) as if the instrumentality were an organisation. Clause 6F also describes how a State or Territory authority not otherwise covered by the Bill (because it is not, by definition, an organisation) may choose to "opt-in" to the privacy regime in the Bill, by prescription. The State or Territory may request that the Act apply to the authority in a modified way. Under sub-clause 6F(2), modifications include additions, omissions and substitutions.

96. Before the Governor-General is able to make regulations prescribing a State or Territory authority, the Minister must be satisfied that the relevant State or Territory has requested that the authority be prescribed, and consult with the Privacy Commissioner about the desirability of regulating the acts and practices of the authority under the Bill (sub-clause 6F(3)). Once prescribed, the Bill applies (with the prescribed modifications, if any) to the prescribed authority as if it were an organisation (sub-clause 6F(1)). One of the purposes of this clause is to allow statutory corporations whose activities are predominantly commercial to "opt-in" to the private sector privacy regime where the State (or Territory) and Minister (in consultation with the Privacy Commissioner) consider that it is appropriate to do so.

Item 37. Application

97. Item 37 confirms that a Commonwealth contract may prevent an act or practice from being a breach of an NPP or an approved code regardless of when the contract was made (ie: before or after the commencement of clauses 6A and 6B).

Item 38. At the end of paragraph 7(1)(ed)

98. Item 38 inserts "or" after paragraph 7(1)(ed) in order to allow for an additional provision in relation to the acts and practices of organisations to be included in the list of acts and practices to which the Act applies. The heading to section 7 is consequentially amended by inserting "organisations" after "agencies".

Item 39. After paragraph 7(1)(ed)

99. Item 39 inserts a new paragraph 7(1)(ee). Currently subsection 7(1) defines what is meant by a reference to an act or practice in the Act. New paragraph 7(1)(ee) adds an act done, or practice engaged in, by an organisation (other than an exempt act or practice), to the list of acts or practices to which the Act applies.

Item 40. Subsection 7(2)

100. Item 40 amends subsection 7(2). The Act does not currently apply the Information Privacy Principles to acts and practices of the bodies listed in Part 1 of Schedule 2 and Division 1 of Part II of Schedule 2 to the Freedom of Information Act 1982 (the FOI Act). The amendment to subsection 7(2) inserts "National Privacy Principles, an approved privacy code" so that the Act will not apply the Information Privacy Principles, NPPs or an approved code to acts and practices of the bodies listed in Part 1 of Schedule 2 or Division 1 of Part II of Schedule 2 to the FOI Act. An agency listed in Part 1 of Schedule 2 may be prescribed for the purpose of clause 7B. In that case, the acts and practices of the prescribed agency are treated as being acts and practices of an organisation (and the prescribed agency is treated as an organisation). Where an agency has been prescribed, the NPPs (or approved privacy code, where appropriate) will apply to the prescribed agency.

Item 41. Subsection 7(4)

101. Item 41 amends subsection 7(4). Subsection 7(4) refers to paragraphs in section 27, and these references are consequentially amended to reflect the changes that have been made to the paragraphs in section 27.

Item 42. After section 7

102. Item 42 inserts new clauses 7A, 7B and 7C. The effect of new clause 7A is to make the acts and practices of some agencies subject to the standards in the NPPs (or an approved privacy code, as appropriate), to the extent that they are not currently subject to the Information Privacy Principles (by virtue of section 7 of the Act). The Government's policy is that bodies operating in the commercial sphere should operate on a level playing field. Where agencies are engaged in commercial activities, they should be required to comply with the NPPs, just like private sector organisations. The purpose of this clause, which (by virtue of sub-clause 7A(4)) has effect despite existing subparagraph 7(1)(a)(i), paragraph 7(1)(c) and subsection 7(2), is to give effect to this policy.

103. New clause 7A affects agencies specified in Part I of Schedule 2 to the FOI Act that have been prescribed for the purpose of sub-clause 7A(2). Sub-clause 7A(1) provides that acts and practices of prescribed agencies will be subject to the Act as if the agency were an organisation. Agencies that are in Part I of Schedule 2 to the FOI Act do not currently have to comply with the Information Privacy Principles. The aim of the amendment is to make some of those agencies (to be prescribed by regulation at a later date) comply with the Act. The result is that these agencies will need to comply with the NPPs (or an approved privacy code, as appropriate). Sub-clause 7A(1) foreshadows that it may be appropriate for the Act to be modified in its application to prescribed agencies. "Modifications" is defined in sub-clause 7A(5).

104. Clause 7A also affects the acts and practices of agencies in Division 1 of Part II of Schedule 2 to the FOI Act (to the extent that the acts and practices relate to documents associated with the agency's commercial activities or the commercial activities of another entity) (sub-clause 7A(3)). Sub-clause 7A(1) provides that acts and practices described in sub-clause 7A(3) will be subject to the Act as if the act or practice were an act done or a practice engaged in by an organisation and the agency mentioned in that sub-clause were an organisation. Agencies in Division 1 of Part II of Schedule 2 to the FOI Act are not currently required to comply with the Information Privacy Principles (in relation to documents in respect of the agency's commercial activities or the commercial activities of another entity). The aim of the amendment is to ensure that an agency in Division 1 of Part II of Schedule 2 to the FOI Act complies with the standards set out in the NPPs or an approved privacy code (as appropriate) in relation to documents in respect of its commercial activities or the commercial activities of another entity. This clause is intended to apply to agencies such as Comcare, the Health Insurance Commission and Telstra Corporation Limited. It is not intended to apply to the Australian Broadcasting Corporation or the Special Broadcasting Service Corporation.

105. New clause 7B sets out acts and practices of organisations that are exempt for the purposes of new paragraph 7(1)(ee). The effect of this provision is to exempt certain acts and practices from the operation of the Bill.

106. Sub-clause 7B(1) exempts acts done or practices engaged in by individuals where those acts are done, or practices are engaged in, other than in the course of business. The Act is not intended to affect the way an individual collects, holds, uses, discloses, or transfers personal information in the course of his or her personal, family or household affairs.

107. Sub-clause 7B(2) deals with the situation where a small business is also a contracted service provider for a Commonwealth contract. It provides that an act done or practice engaged in by such an organisation, is exempt for the purposes of paragraph 7(1)(ee) provided the act is done or practice engaged in otherwise than for the purpose of meeting an obligation under a Commonwealth contract. An organisation to which this sub-clause applies, therefore, need only comply with the legislation in relation to its activities that are for the purposes of a Commonwealth contract. In relation to its activities that are not for the purposes of a Commonwealth contract, the organisation is in the same position as a small business operator.

108. This sub-clause applies to a contracted service provider that is a party to the Commonwealth contract and to a subcontractor who may not be a party to that contract but is a party to a subcontract where the act done, or practice engaged in, is directly or indirectly for the purposes of meeting an obligation under the contract.

109. Sub-clause 7B(3) exempts acts done or practices engaged in by an organisation that is or was an employer of an individual where the act or practice is directly related to a current or former employment relationship between the employer and the individual and an "employee record" relating to the individual. The act or practice must be directly related to a current or former employment relationship so as to ensure that employers cannot use "employee records" for commercial purposes unrelated to the employment context. Acts and practices in relation to employee records are exempted as it is recognised that the handling of "employee records" is a matter better dealt with under workplace relations legislation.

110. Sub-clause 7B(4) exempts acts and practices engaged in by an organisation where the act is done or practice is engaged in, "in the course of journalism" and at a time when the organisation is publicly committed to observing published standards that deal with privacy. In other words, if a media organisation seeks to rely on the exemption for acts and practices done or engaged in by the organisation in the course of journalism it must be able to show that, at the relevant time, it was committed to standards that deal with privacy.

111. One way a media organisation might demonstrate its public commitment to standards dealing with privacy is to show that it is a member of a media industry body and that membership of that body requires it to subscribe to a code developed and published by the industry body. Indeed, many media organisations already subscribe to published codes of practice that have been developed by media industry bodies. It is not intended that a media organisation need subscribe to a privacy code approved by the Privacy Commissioner in order to benefit from the exemption.

112. This exemption seeks to ensure an appropriate balance is found between the public interest in allowing the free flow of information to the public through the media and the public interest in providing adequate safeguards for the handling of personal information. This aim is also made clear in clause 3, which sets out the objects of the Act.

113. Sub-clause 7B(5) exempts acts and practices of an organisation acting under a State contract where the act done, or practice engaged in, is directly or indirectly, for the purposes of meeting an obligation under that contract. This ensures that private sector organisations providing services under contract to a State or Territory authority are exempt from the Commonwealth's privacy regime in respect of those services and can be regulated by the relevant State or Territory.

114. Clause 7C exempts political acts and practices from the operation of the Act.

115. Sub-clause 7C(1) exempts acts done, or practices engaged in, by an organisation that is either a member of Parliament or a councillor of a local government authority, where the acts are done, or practices are engaged in, for a purpose that is connected to an election under an electoral law, a referendum under a law of the Commonwealth or State or Territory, or the participation of the member or councillor in any aspect of the political process.

116. Sub-clause 7C(2) exempts acts done or practices engaged in, by an organisation that is a contractor, for the purposes of paragraph 7(1)(ee), if the act is done or practice is engaged in for the purpose of meeting an obligation under a contract between the contractor and a registered political party, or a member of Parliament or councillor described in sub-clause 7C(1), and for any purpose outlined in paragraph 7C(2)(b).

117. Sub-clause 7C(3) exempts acts done, or practices engaged in, by an organisation that is a sub-contractor to a contractor described in sub-clause 7C(2), where the act is done or practice is engaged in for the purposes of meeting an obligation under a contract between the contractor and the sub-contractor and for a purpose referred to in paragraph 7C(2)(b).

118. Sub-clause 7C(4) exempts acts done or practices engaged in voluntarily by an organisation for or on behalf of a registered political party for a purpose listed in paragraphs 7C(4)(a) to (c) or facilitating acts or practices of a registered political party for a purpose mentioned in paragraphs (a) to (c).

119. Sub-clause 7C(5) clarifies that sub-clause 7C(4) does not otherwise affect the operation of the Act in relation to agents or principals.

120. Sub-clause 7C(6) defines the meaning of "electoral law" and "Parliament". "Electoral law" is defined to mean a law of the Commonwealth, or State or Territory, relating to elections to Parliament or a local government authority. "Parliament" is defined to mean the Parliament of the Commonwealth or a State, or the legislature of a Territory.

Items 43 and 44. Paragraph 8(1)(a)

121. Item 43 inserts "organisation" into paragraph 8(1)(a) after "an agency" and Item 44 inserts "organisation" into the paragraph after "the agency". The heading to section 8 is consequentially amended to read "Acts and practices of, and disclosure of information to, staff of agency, organisation etc".

122. Currently, paragraph 8(1)(a) states that an act done or practice engaged in by, or information disclosed to, a person in the course of employment by or in the service of an agency, file number recipient, credit reporting agency or credit provider, shall be treated as having been done, engaged in by or disclosed to the agency. Items 43 and 44 insert organisation into the paragraph so that acts done or practices engaged in by, or information disclosed to, a person in the course of employment by, or in the service of, an organisation will also be treated as having been done, engaged in by, or disclosed to, the organisation. An individual employed by an organisation is not considered to be an "organisation" himself or herself.

Item 45. Paragraph 8(1)(b)

123. Item 45 inserts "or organisation" into paragraph 8(1)(b) after "an agency".

Item 46. Paragraph 8(1)(b)

124. Item 46 inserts "or organisation" into the paragraph after "the agency". This item, together with Item 45, extends the application of existing paragraph 8(1)(b) so that an act done or practice engaged in by, or information disclosed to, a person on behalf of, or for the purposes of the activities of, an unincorporated body (as currently defined in paragraph 8(1)(b)), for the purpose of assisting, or performing functions in connection with, an organisation is deemed to have been done, or engaged in by, or disclosed to, that organisation.

Item 47. At the end of section 8

125. Item 47 inserts new sub-clauses 8(3), (4) and (5) at the end of section 8. These sub-clauses relate to partnerships, unincorporated associations and trusts. They describe how the Act applies to these non-legal entities, specifically identifying whose acts and practices constitute acts and practices of the organisation, and to whom a communication must be made in order to communicate with the organisation.

126. Sub-clause 8(3) provides, in relation to partnerships, that an act or practice of a partner is taken to be an act or practice of the organisation, and that a communication made to a partner is taken to have been made to the organisation.

127. Sub-clause 8(4) provides, in relation to unincorporated associations, that an act or practice of a member of the committee of management of the association is taken to be an act or practice of the organisation, and that a communication made to a member of the committee of management of the association is taken to have been made to the organisation.

128. Sub-clause 8(5) provides, in relation to trusts, that an act or practice of a trustee is taken to be an act or practice of the organisation, and that a communication made to a trustee is taken to have been made to the organisation.

Item 48. At the end of Part II

129. Item 48 inserts a new clause 12B. Clause 12B is intended to ensure that the Act is given the widest possible operation consistent with Commonwealth constitutional legislative power. Sub-clause 12B(1) provides that, without limiting the effect of the Act apart from section 12B, the Act also has effect as provided by each of sub-clauses 12B(2) to (8), namely, the Act has the effect it would have if its operation in relation to organisations were expressly confined to:

giving effect to the International Covenant on Civil and Political Rights, and in particular, Article 17 of the Covenant;
acts or practices by organisations covered by sub-clause 5B(1) which occur outside Australia and the external Territories;
organisations which are corporations;
acts or practices of organisations taking place in the course of, or in relation to, trade or commerce between Australia and places outside Australia, among the States or within a Territory, between a State and a Territory or between two Territories;
acts or practices of organisations taking place using a postal, telegraphic, telephonic or other like service within the meaning of paragraph 51(v) of the Constitution;
acts or practices of organisations taking place in a Territory;
acts and practices of organisations taking place in a place acquired by the Commonwealth for public purposes.

Item 49. Before section 13

130. Item 49 inserts the heading "Division 1 - Interferences with privacy" before section 13 of the Act.

131. Section 13 marks the beginning of Part III of the Act. The amendments in this Bill separate Part III of the Act into five divisions. Division 1 relates to interferences with privacy generally. Division 2 relates to duties and obligations of public sector bodies and contains the Information Privacy Principles. Division 3 relates to duties and obligations of private sector bodies. Division 4 relates to duties and obligations of tax file number recipients. Division 5 relates to duties and obligations in respect of credit information files and credit reports.

Item 50. Section 13

132. Item 50 amends section 13 by deleting the words "and only if". The amendment recognises that an act or practice may also be an interference with the privacy of an individual under clause 13A.

Item 51. Paragraphs 13(b) and (d)

133. Item 51 amends paragraphs 13(b) and 13(d) by inserting "organisation" after "an agency". The effect of this amendment is to extend the application of the provisions to organisations.

134. The amendment recognises that a file number recipient may also be an organisation and confirms that an act or practice engaged in by a file number recipient that is an organisation is an interference with privacy if it breaches a guideline under section 17 (in relation to tax file numbers). A credit reporting agency or credit provider may also be an organisation and the amendment further recognises that an act or practice engaged in by a credit reporting agency or credit provider that is an organisation is an interference with privacy if it constitutes a credit reporting infringement.

Item 52. After section 13

135. Item 52 inserts new clauses 13A to F.

136. Clause 13A establishes the elements of an interference with the privacy of an individual by an organisation. Sub-clause 13A(1) lists what constitutes an "interference with privacy" by an organisation. The general rule is that an act or practice of an organisation is an interference with privacy if:

the act or practice breaches an approved privacy code that binds the organisation, or
where the organisation is not bound by an approved privacy code, the act or practice breaches an NPP, or
the act or practice relates to personal information that relates to the individual; the organisation is a contracted service provider for a Commonwealth contract; the Commonwealth contract includes a provision that is inconsistent with an approved code or the NPPs; and the act done, or practice engaged in, is inconsistent with the relevant provision of the contract; or
where the organisation is a contracted service provider under a Commonwealth contract, the organisation uses or discloses the personal information obtained for the purpose of meeting an obligation under a Commonwealth contract for direct marketing (in contravention of clause 16F).

137. Sub-clause 13A(2) recognises that the general rule applies even if other rules apply by virtue of the organisation being a credit reporting agency, credit provider or a file number recipient. Note that clause 13E confirms that the exceptions in clauses 13B, 13C and 13D do not override other obligations that an organisation may have by virtue of being a credit reporting agency, credit provider, or file number recipient.

138. Clause 13B identifies situations where acts and practices of related bodies corporate will not be interferences with privacy. Sub-clause 13B(1) recognises the commercial reality that, for many bodies corporate to continue to operate effectively, they need to be able to communicate with related bodies corporate. Often, what appears to the consumer to be one "organisation" will in fact (by virtue of the definition of "organisation" in clause 6C) be several bodies corporate that are related to each other. The effect of clause 13B is to allow one body corporate to disclose information to another body corporate that is related to it, without the disclosure being an interference with privacy. The clause also allows the collection by the related body corporate from the first body corporate. The bodies corporate will, in all other areas, each need to comply with the NPPs (or approved privacy code, as appropriate).

139. Before an organisation can collect personal information and rely on sub-clause 13B(1) to allow it to disclose to other bodies corporate to which it is related, it must first comply with NPP 1.3 or 1.5 (or code equivalent, whichever is appropriate). NPP 1.3 (which applies where personal information is collected directly from the individual) and NPP 1.5 (which applies where information is collected from a third party) both require the organisation to take reasonable steps to ensure that the individual knows that the organisation has collected the information, what the organisation will use the information for, and the types of organisations to which the information is usually disclosed by that organisation. These sub-principles aim to ensure that individuals are aware of who has their personal information and what the information will be used for. An approved privacy code will also contain equivalent (or greater) privacy protection.

140. The exemption is limited to the collection from, and disclosure by, related bodies corporate of personal information that is not "sensitive information". Sub-clause 13B(1) does not allow the disclosure of health information between private hospitals or between co-located private hospitals and community health centres run by related bodies corporate.

141. The note for sub-clause 13B(1) confirms that the provision allows related bodies corporate to share personal information but that handling of the personal information is still subject to the NPPs (or approved privacy code, as appropriate). The NPPs contain a sub-principle (2.3) that clarifies how an organisation may use personal information collected from a related body corporate. The sub-principle defines the meaning of "primary purpose" in terms of the main purpose for which the personal information was originally collected. This means that the "primary purpose" is transferred with the personal information when it is shared around the group of related bodies corporate. Each body corporate within the group must use the information consistently with the main purpose for which it was originally collected, and may only use the personal information for a secondary purpose where that purpose is allowed by NPP 2.1 (or equivalent provision in an approved privacy code).

142. Sub-clause 13B(1A) will ensure that if an entity ("A") that was not required to comply with the NPPs (or approved privacy code) in obtaining personal information shares that personal information with a related body corporate ("B"), then the collecting related body "B" must comply with the NPPs (or code equivalent) when accepting personal information from "A" (the exempt entity, or organisation whose acts and practices are exempt). The sub-clause clarifies how clause 13B interacts with the exemptions in the Bill. For example, a body corporate that is related to a media organisation could not rely on clause 13B to collect personal information from the media organisation without first ensuring that the individual was aware of the matters listed in NPP 1.3 (or code equivalent) and that collection complied with all the other requirements in NPP 1 (or code equivalent).

143. Sub-clause 13B(2) confirms that 13B(1) does not over-ride the general rule for organisations that are contracted service providers.

144. Clause 13C identifies situations where acts and practices of partnerships will not be interferences with privacy. The sub-clause is intended to address what happens to personal information that is in the possession of a partnership when that partnership dissolves, and a new partnership (with at least one partner in common with the first partnership) forms to carry on the same, or a similar, business. For example, a law firm (a partnership) collects personal information from, and holds personal information about, its clients. If a partner leaves the partnership, and a new partner joins the firm, the first partnership has dissolved and a second partnership forms. The purpose of clause 13C is to prevent disclosure to the second partnership and collection by the second partnership from being an interference with privacy. The sub-clause is not intended to allow a partnership to reform and use the information collected for a totally different business purpose.

145. The note for sub-clause 13C(1) confirms that personal information may be passed from an old partnership to a new partnership but that handling of the personal information is still subject to the NPPs (or approved privacy code, as appropriate).

146. Clause 13D provides that an act or practice which occurs outside Australia is not an interference with privacy if the act or practice is required by an applicable law of a foreign jurisdiction. This provision is intended to ensure that the extra-territorial operation of the Act does not require organisations to act in contravention of laws operating in the country in which the act or practice occurs.

147. Clause 13E confirms that the exceptions in clauses 13B, 13C and 13D are subject to section 13 of the Act (which identifies acts and practices that are interferences with privacy). For example, a credit provider cannot rely on clause 13B to pass credit information to a related body corporate. Disclosure of credit information can be made to a related corporation under paragraph 18N(1)(d), but the related corporation must not use or disclose the information except in accordance with section 18Q of the Act.

148. Clause 13F recognises that section 13 of the Act and clause 13A provide an exhaustive description of what constitutes an interference with privacy.

149. The heading "Division 2 - Information Privacy Principles" is inserted.

Item 53. Application

150. Item 53 confirms that an act or practice of an organisation that is a contracted service provider for a Commonwealth contract may be an interference with privacy under paragraph 13A(1)(c) whether the contract was made before or after the commencement of clause 13A.

Item 54. After section 16

151. Item 54 inserts a new Division 3 headed "Approved privacy codes and the National Privacy Principles", which comprises clauses 16A, 16B, 16C, 16D, 16E and 16F.

152. Clause 16A requires organisations to comply with an approved privacy code, or, to the extent that an organisation is not bound by an approved privacy code, to refrain from doing an act, or engaging in a practice, that breaches the NPPs.

153. Sub-clause 16A(3) clarifies that clause 16A, approved privacy codes and the NPPs have effect in addition to the existing requirements placed on the Privacy Commissioner to issue a Code of Conduct relating to credit information files and credit reports, and the existing provisions in relation to credit reporting generally.

154. Sub-clause 16A(4) confirms that an act or practice is not authorised by law for the purposes of existing Part IIIA (credit reporting), merely because it does not breach an approved privacy code or the NPPs.

155. The criteria and procedure for approval of privacy codes are dealt with in Part IIIAA. Before a privacy code may be approved by the Privacy Commissioner the code must provide at least as much privacy protection as the NPPs. The NPPs will be contained in Schedule 3 to the Act, and provide default minimum standards for the handling of personal information. Clause 16B specifies when the Act applies to personal information collected and held by an organisation. The Act applies to personal information being collected by an organisation if the organisation collects it for inclusion in a "record" or "generally available publication" (as defined in section 6). The Act applies to personal information that has been collected by an organisation if the organisation holds the information in a record.

156. Clause 16C comprises sub-clauses 16C(1), (2), (3) and (4). Sub-clause 16C(1) restricts the application of NPPs 1 and 3 (in so far as these relate to the collection of personal information) and 10 to collection of information that occurs after commencement of the clause. Sub-clause 16C(2) provides that NPPs 3 (in so far as it relates to the use or disclosure of personal information), 4, 5, 7 and 9 apply to personal information held by an organisation, whether that information was collected before or after commencement of this clause. Sub-clause 16C(3) restricts the application of NPPs 2 and 6 to personal information collected after commencement of this clause. Sub-clause 16C(4) restricts the application of NPP 8 to transactions entered into after the commencement of this clause.

157. Clause 16D delays the application of the NPPs to organisations that carry on one or more small businesses throughout the delayed application period for the organisation as calculated under sub-clause 16D(6). The delayed commencement is designed to allow small businesses extra time to ensure compliance with the legislation. The length of the delayed application period may vary. The period of delay may be a maximum of 12 months after the commencement of clause 16D, or may be a shorter period. After the initial period, it is intended that small businesses be exempt from the operation of the legislation where the nature of their business means that they constitute a low privacy risk.

158. Sub-clause 16D(1) provides that clause 16D applies to organisations that carry on one or more small businesses throughout the delayed application period for the organisation, and has effect despite clause 16C.

159. Sub-clause 16D(2) delays the application of NPPs 1, 3 (so far as it relates to the collection of personal information) and 10 to personal information collected by a small business for the delayed application period after the commencement of the clause.

160. Sub-clause 16D(3) delays the application of NPPs 3 (so far as it relates to personal information used or disclosed), 4, 5, 7 and 9 in relation to a small business for the delayed application period after the commencement of the clause. At the end of the delayed application period, NPPs 3 (so far as it relates to personal information used or disclosed), 4, 5, 7 and 9 will apply regardless of the time of collection of the personal information by the small business.

161. Sub-clause 16D(4) delays the application of NPPs 2 and 6 in relation to personal information collected by a small business for the delayed application period after the commencement of the clause.

162. Sub-clause 16D(5) delays the application of NPP 8 in relation to transactions entered into by a small business for the delayed application period after the commencement of the clause.

163. Sub-clause 16D(6) defines the term delayed application period for the purposes of clause 16D. The period starts on either the day that clause 16D commences or the day that the entity carrying on the small business becomes an "organisation" for the purposes of the Bill, whichever is the later. An entity may become an organisation after the commencement of clause 16D if, for example, it commences carrying on a small business but is not a small business operator as defined in the Bill. The delayed application period ends 12 months after clause 16D commences or when an organisation carries on a small business that involves the provision of health services, whichever is earlier. It is recognised that the community considers the type of personal information held by health service providers to be particularly sensitive. Health service providers are therefore denied the advantage of the delayed application period in order to ensure that their information handling procedures comply with the terms of the Bill from the earliest possible time.

164. Clause 16E confirms that the NPPs do not apply to regulate the handling of personal information by an individual where that information is collected, held, used, disclosed or transferred for personal, family or household affairs (that is, done other than in the course of business). This is consistent with the exemption in sub-clause 7B(1).

165. Clause 16F prohibits the use of personal information collected or held by contracted service providers for the purposes of a Commonwealth contract from being used or disclosed for direct marketing unless the use or disclosure is a necessary part of the performance of the contract.

166. Sub-clause 16F(1) specifies the organisations to which the section applies. It applies to an organisation that is a contracted service provider for a Commonwealth contract and limits the use that can be made of personal information collected for the purpose of meeting, directly or indirectly, an obligation under that contract.

167. Sub-clause 16F(2) prohibits a contracted service provider from using or disclosing the personal information for direct marketing unless the use or disclosure is necessary to meet, directly or indirectly, an obligation under the contract.

168. Sub-clause 16F(3) makes it clear that the prohibition in sub-clause 16F(2) applies despite an approved privacy code that may bind the organisation in relation to the personal information and despite the NPPs.

169. A heading "Division 4 - Tax File Number Information" is inserted before existing sections 17 and 18 (which relate to tax file number information).

Item 55. After section 18

170. Item 55 inserts a heading "Division 5 - Credit Information" before existing sections 18A and 18B (which relate to credit information).

Item 56. After paragraph 18A(3)(a)

171. Item 56 inserts a new paragraph 18A(3)(aa). Sub-clause 18A(3) currently lists the matters that the Privacy Commissioner must take into account when preparing a code of conduct relating to credit information files and credit reports. New paragraph 18A(3)(aa) requires the Privacy Commissioner to have regard to the NPPs and the provisions of Part IIIAA in preparing the Code of Conduct.

Item 57. Application

172. Item 57 confirms that the amendment of section 18A applies to the preparation of the Code of Conduct for issue after the commencement of the amendment.

Item 58. After Part III

173. Item 58 inserts a new Part IIIAA. Part IIIAA relates to privacy codes. A privacy code sets out principles for the fair handling of personal information and may be voluntarily adopted by an organisation. The code may or may not set out complaint handling procedures. Where the code does not set out a mechanism for handling complaints, the Privacy Commissioner will be responsible for resolving complaints. Once approved by the Privacy Commissioner and adopted by the organisation, a privacy code replaces the privacy framework provided by the NPPs.

174. Clause 18BA requires any application to the Privacy Commissioner for approval of a privacy code, to be in writing.

175. Clause 18BB sets out the procedure that the Privacy Commissioner must follow in relation to approving a privacy code. Sub-clause 18BB(1) provides that the Privacy Commissioner may consult any person the Privacy Commissioner considers appropriate before deciding to approve a privacy code. Such consultation may include liaison with enforcement bodies where the code impacts on the way they are able to perform their functions.

176. Sub-clause 18BB(2) sets out the matters about which the Privacy Commissioner must be satisfied before he or she may decide to approve a privacy code. The code must set out obligations that are at least the equivalent of all the obligations in the NPPs. The code must specify which organisations are bound by the code (or specify how to determine which organisations are bound by the code). The code must only bind organisations that have consented to be bound by the code, and set out a procedure by which an organisation can cease to be bound by the code. If the code sets out procedures for making and dealing with complaints, the Privacy Commissioner must have regard to additional factors in sub-clause 18BB(3), and finally, members of the public must have been given an adequate opportunity to comment on a draft of the code.

177. The requirement that an approved privacy code provide at least an equivalent level of privacy protection as the NPPs will mean that the existence of several codes within an industry is not unduly problematic. The "openness" obligation that an organisation has under NPP 5.1 may also be useful in assisting individuals to understand the privacy standards that apply to the organisation with which they are dealing. The code approval process enables industries to set privacy standards above those set out in the NPPs, particularly where those standards reflect long-standing and strongly held professional values or practices (eg, doctor-patient confidentiality).

178. Sub-clause 18BB(3) sets out the additional matters in paragraphs (a) to (l) about which the Privacy Commissioner must be satisfied in the case where the privacy code sets out procedures for making and dealing with complaints. As part of the process of approving a code the Privacy Commissioner will have to be satisfied that the Code provides that an adjudicator under the code must, in performing his or her functions, or exercising his or her powers under the code, have due regard to the same matters that the Privacy Commissioner must consider under paragraph 29(a) of the Act. This means that the code adjudicators will be required to have due regard for important human rights and social interests that compete with privacy. This provision seeks to ensure that, in performing his or her functions, and exercising his or her powers, a code adjudicator will be required to consider issues such as the general desirability of the free flow of information to the Australian public through the media.

179. Sub-clause 18BB(4) allows the Privacy Commissioner to consider matters specified in guidelines issued by the Commissioner in deciding whether to approve a privacy code.

180. Sub-clause 18BB(5) provides that the Privacy Commissioner's approval must be in writing. The Privacy Commissioner's decision about whether or not to approve a code is not a legislative instrument for the purpose of section 46A of the Acts Interpretation Act 1901, but it is intended that his or her decisions be judicially reviewable under the Administrative Decisions (Judicial Review) Act 1977.

181. Sub-clause 18BB(6) specifies that the Privacy Commissioner may approve a code that operates for a limited time, or that will expire in certain circumstances, provided the Privacy Commissioner considers that the period or the circumstances are appropriate. An organisation that is no longer bound by a code (because the code has expired, or the organisation has chosen to cease to be bound by it) is, by virtue of clause 16A, required to refrain from doing an act, or engaging in a practice, that breaches an NPP. This means that an organisation cannot evade being subject to privacy standards.

182. Sub-clause 18BB(7) provides that the Privacy Commissioner may still approve a code if it is expressed to apply to all types, or a particular type, of personal information; a specified activity; or a specified industry or profession, or class of industry sectors or professions. An organisation will, to the extent that it is not bound by a privacy code, be required to refrain from doing an act, or engaging in a practice, that breaches an NPP.

183. By virtue of clause 18BC, approval of a code will take effect on the day specified in the approval and must not be before the day on which the approval is given.

184. Clause 18BD sets out the procedures for varying an approved privacy code. Sub-clause 18BD(1) requires an application for approval of a variation to be in writing, and sub-clause 18BD(2) requires that the Privacy Commissioner's approval of a variation also be in writing. In deciding whether or not to approve a variation of a code, sub-clause 18BD(3) requires the Privacy Commissioner to consider all the matters set out in clause 18BB. It is intended that the procedure for approval of a variation be the same as for approval of the code - a code should not escape scrutiny because it introduces something by way of variation rather than at the time it was first approved. The one exception to this is where the variation is minor. In that case, sub-clause 18BD(4) provides that the Privacy Commissioner need not be satisfied that members of the public have been consulted, but may consult any person he or she thinks is appropriate, instead.

185. The Privacy Commissioner's approval of a variation takes effect on the day specified in the approval (sub-clause 18BD(5)). Sub-clause 18BD(6) provides that the day specified must not be before the day on which the approval was granted. That is, approval of a variation is not intended to retrospectively validate the acts and practices of an organisation that occurred before the variation of the code was approved.

186. Clause 18BE prescribes the procedures for revoking the approval of a privacy code. The Privacy Commissioner may revoke his or her approval of a privacy code (or variation of a code) on his or her own initiative, or upon an application by an organisation that is bound by the code (sub-clause 18BE(1)). Sub-clause 18BE(2) sets out the consultation procedure the Privacy Commissioner must follow before revoking a code. Any revocation by the Privacy Commissioner must be in writing (sub-clause 18BE(3)) and comes into effect on the day specified in the revocation (sub-clause 18BE(4)). The day specified in the revocation must not be before the day on which the revocation is made (sub-clause 18BE(5)).

187. Clause 18BF(1) allows the Privacy Commissioner to make written guidelines:

(a) to assist organisations to develop privacy codes;
(b) relating to making and dealing with complaints under an approved privacy code;
(c) about matters the Privacy Commissioner may consider in deciding whether to approve a privacy code or a variation of a privacy code.

188. Sub-clause 18BF(1A) requires the Privacy Commissioner to give everyone he or she considers has a real or substantial interest in the matters covered by the proposed guidelines in relation to complaint handling an opportunity to comment on them. An example of one way the Privacy Commissioner may provide this opportunity is to publish an invitation for parties to comment on the proposed guidelines in a nationally available newspaper. Another way would be to publish an invitation on his or her website. Sub-clause 18BF(2) provides that the Privacy Commissioner may publish guidelines made under subsection (1) in any way he or she considers appropriate.

189. Clause 18BG requires the Privacy Commissioner to keep a register of approved privacy codes.

Item 59. After paragraph 27(1)(a)

190. Item 59 inserts new paragraphs 27(1)(aa), (ab) and (ac). Currently, subsection 27(1) lists the functions of the Privacy Commissioner. New paragraphs 27(1)(aa), (ab) and (ac) provide the Privacy Commissioner with additional functions.

191. Paragraph 27(1)(aa) provides the Privacy Commissioner with the function of approving privacy codes and varying or revoking approved privacy codes. Paragraph 27(1)(ab) provides that the Privacy Commissioner has the function, subject to Part V, of investigating an act or practice of an organisation that may be an interference with an individual's privacy because of clause 13A. This function includes that the Privacy Commissioner may, if he or she considers it appropriate, attempt to effect settlement of the matter giving rise to the investigation, by conciliation. Paragraph 27(1)(ac) provides the Privacy Commissioner with the function of performing functions and exercising powers conferred on an adjudicator under an approved privacy code where the Privacy Commissioner has been appointed as the independent adjudicator under that code.

Item 60. Paragraph 27(1)(b)

192. Item 60 amends existing paragraph 27(1)(b) by inserting a reference to "organisation". Currently, paragraph 27(1)(b) describes one of the Privacy Commissioner's functions as examining proposed legislation that would require or authorise acts or practices which, if done by agencies, might amount to interferences with privacy. The effect of the amendment is to expand the Privacy Commissioner's focus from acts and practices of agencies to acts and practices of agencies and organisations.

Item 61. At the end of paragraph 27(1)(d)

193. Item 61 amends existing paragraph 27(1)(d) by inserting a reference to "the National Privacy Principles". Currently, paragraph 27(1)(d) describes one of the Privacy Commissioner's functions as promoting an understanding and acceptance of the Information Privacy Principles and their objects. The effect of the amendment is to expand the Privacy Commissioner's function to promoting an understanding and acceptance of the NPPs, as well as the Information Privacy Principles.

Item 62. Paragraph 27(1)(e)

194. Item 62 amends existing paragraph 27(1)(e) by inserting a reference to an "organisation". Currently paragraph 27(1)(e) provides that it is one of the functions of the Privacy Commissioner to publish guidelines in relation to acts or practices of an agency that may interfere with or have an adverse effect on the privacy of individuals. This amendment has the effect of extending the Privacy Commissioner's guideline publication function to acts and practices of organisations. That is, it is a function of the Privacy Commissioner to publish guidelines in relation to acts or practices of an organisation that may interfere with or have an adverse effect on the privacy of individuals.

Item 63. After paragraph 27(1)(e)

195. Item 63 inserts a new paragraph 27(1)(ea) after 27(1)(e), adding three new functions of the Privacy Commissioner to subsection 27(1). Paragraph 27(1)(ea) allows the Privacy Commissioner to make guidelines (and to publish them in a way that he or she considers appropriate) in relation to assisting organisations to develop privacy codes; making and dealing with complaints under an approved privacy code; and matters the Privacy Commissioner may consider in deciding whether to approve a privacy code or a variation of a privacy code.

Item 64. Paragraph 27(1)(f)

196. Item 64 repeals paragraph 27(1)(f) and substitutes two new paragraphs 27(1)(f) and (fa). New paragraph 27(1)(f) provides that one of the Privacy Commissioner's functions is to give advice (with or without a request) to a Minister, agency, organisation or an adjudicator for an approved privacy code on any matter relevant to the operation of the Privacy Act.

197. Paragraph 27(1)(fa) provides details of another function of the Privacy Commissioner, namely, to provide advice (on request) to an adjudicator of an approved privacy code about any matter relevant to the operation of the Act or the privacy code.

Item 65. Paragraphs 27(1)(n) and (o)

198. Item 65 repeals paragraphs 27(1)(n) and (o). Paragraph 27(1)(n) described one of the Privacy Commissioner's functions as encouraging corporations to develop programs for the handling of records of personal information that are consistent with the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines). The NPPs provide a default privacy framework for the private sector and are consistent with the OECD's recommendations. Under clause 16A organisations (as defined in subsection 6(1)) are not merely encouraged to develop a program consistent with the OECD guidelines, they are required to abide by either an approved code (which provides as much privacy protection as the NPPs) or the NPPs themselves. Paragraph 27(1)(o) is effectively replaced by new paragraph 27(1)(s), inserted by Item 66, below.

Item 66. At the end of subsection 27(1)

199. Item 66 inserts a new paragraph, 27(1)(s), at the end of subsection 27(1). The paragraph replaces old paragraph 27(1)(o), repealed by Item 65, above. New paragraph 27(1)(s) allows the Privacy Commissioner to do anything incidental or conducive to the performance of any of his/her functions.

Item 67. After subsection 27(1)

200. Item 67 inserts a new sub-clause 27(1A) after subsection 27(1). New sub-clause 27(1A) provides that the Privacy Commissioner is not subject to Part V of the Act when performing functions or exercising powers as an adjudicator under an approved privacy code. This means that the requirements placed on the Privacy Commissioner to conduct investigations into complaints alleging interferences with privacy and to follow a certain method when conducting an investigation do not apply when the Privacy Commissioner has been appointed as an independent adjudicator under an approved privacy code.

Item 68. At the end of section 27

201. Item 68 inserts a new sub-clause 27(3). The effect of the sub-clause is to allow the Privacy Commissioner to examine the records of an organisation in order to ascertain whether the organisation is maintaining its records in accordance with the standards set out in an approved privacy code or, to the extent that the organisation is not bound by an approved privacy code, the NPPs. The Privacy Commissioner is only able to conduct such an examination if the organisation requests that he or she does so.

Item 69. Paragraph 29(a)

202. Item 69 amends paragraph 29(a). Section 29 of the Act sets out those matters which the Privacy Commissioner is required to consider in the performance of his or her functions, and the exercise of his or her powers, under the Act, including the protection of important human rights and social interests that compete with privacy. Some of these competing interests are expressly addressed in the NPPs, for example, the ability of enforcement bodies to perform their legitimate functions.

203. Currently paragraph 29(a) requires the Privacy Commissioner in making decisions, handling complaints, issuing guidelines and performing other functions to balance the need to ensure proper protection from interferences with privacy against, amongst other things, the general desirability of a free flow of information. The amendment to paragraph 29(a) highlights the important role of the media in the free flow of information to the Australian public. The amendment makes clear that the Privacy Commissioner must have due regard for the general desirability of the free flow of information to the Australian public through the media. This is consistent with the obligation to be imposed on code adjudicators under new paragraph 18BB(3)(c).

Item 70. Paragraph 29(d)

204. Item 70 repeals existing paragraph 29(d) and substitutes new paragraph 29(d). This substituted paragraph requires that, in performing his or her functions, and exercising his or her powers, under the Act, the Privacy Commissioner ensures that his or her directions and guidelines are consistent with the Information Privacy Principles, the NPPs, and the Code of Conduct and Part IIIA, where relevant.

Item 71. At the end of section 30

205. Item 71 amends section 30 by adding a new sub-clause 30(6). Currently, section 30 relates to reports to the Minister following an investigation conducted (without a complaint having been made) by the Privacy Commissioner. Subsection 30(1) prescribes the circumstances in which the Privacy Commissioner must report to the Minister. Sub-clause 30(6) provides that section 30 does not apply to a complaint made under section 36 in relation to an act or practice of an organisation, or a complaint the Privacy Commissioner accepts under sub-clause 40(1B). Sub-clause 40(1B) sets out the circumstances in which the Privacy Commissioner must investigate a complaint made about an organisation even where the organisation is bound by an approved code that contains a complaint handling mechanism. The purpose of sub-clause 30(6) is to clarify that there is no requirement to report to the Minister following investigations conducted by the Privacy Commissioner into the acts and practices of organisations.

Item 72. Subsection 31(2)

206. Item 72 amends subsection 31(2). Currently subsection 31(2) describes the circumstances in which the Privacy Commissioner must report to the Minister after the Privacy Commissioner has examined a proposed amendment under paragraph 27(1)(b). Section 27 lists the functions of the Privacy Commissioner. Currently paragraph 27(1)(b) describes one of the Privacy Commissioner's functions as examining proposed legislation that would require or authorise acts or practices which, if done by agencies, might amount to interferences with privacy. Item 60 of the Bill amends paragraph 27(1)(b) so that the Privacy Commissioner's focus is expanded from acts and practices of agencies to acts and practices of agencies and organisations. The amendment to subsection 31(2) is consequential to, and consistent with, changes made to paragraph 27(1)(b) by Item 60.

Item 73. Subsection 36(1)

207. Item 73 amends subsection 36(1) by requiring that this subsection be read subject to new sub-clause 36(1A) which is inserted by Item 74.

Item 74. After subsection 36(1)

208. Item 74 amends section 36 by inserting new sub-clauses 36(1A), (1B) and (1C) after subsection 36(1). Sub-clause 36(1A) provides that existing subsection 36(1) does not apply in respect of a complaint by an individual about an act or practice of an organisation that is bound by an approved privacy code which contains a procedure for making and dealing with complaints to an adjudicator in relation to acts and practices that may be an interference with the privacy of an individual, and that is relevant to the act or practice complained of. The effect of this sub-clause is that an individual may not complain to the Privacy Commissioner about an act or practice that may be an interference with the privacy of that individual, if the circumstances in sub-clause 36(1A) apply.

209. Sub-clause 36(1B) provides that sub-clause 36(1A) does not prevent an individual from making a complaint under an approved privacy code to the Privacy Commissioner if the adjudicator, under the code, is the Privacy Commissioner.

210. Sub-clause 36(1C) makes clear that even if an organisation is bound by an approved privacy code that contains a procedure for complaint-handling, an individual may complain to the Privacy Commissioner about an act or practice of an organisation purportedly for the purpose of meeting, directly or indirectly, an obligation under a Commonwealth contract.

Item 75. Subsection 36(7)

211. Item 75 repeals subsection 36(7) and inserts new sub-clauses 36(7) and (8).

212. New sub-clause 36(7) provides that where a complaint is made about an act or practice of an organisation, the organisation is to be the respondent to the complaint.

213. Sub-clause 36(8) provides that the respondent to a complaint concerning acts or practices of someone other than an agency or an organisation in relation to tax file number information, data-matching, a breach of guidelines under the National Health Act 1953, or a credit reporting infringement, will be the person who engaged in the act or practice.

Item 76. Application

214. Item 76 confirms that sub-clause 36(8) applies in relation to complaints made after the commencement of Schedule 1.

Item 76A. Section 37

215. Item 76A amends section 37 of the Act by omitting the words "for the purposes of this Part, the" and substituting "The". Section 37 currently defines "principal executive", but only for the purpose of Part V of the Act (which relates to investigations). This amendment means that the definition is capable of extending to other parts of the Act, notably NPP 7.

Item 77. Subsection 38(1)

216. Item 77 amends subsection 38(1) by inserting a reference to "or accepted under subsection 40(1B)" after "36". Currently, subsection 38(1) describes the conditions under which a representative complaint may be lodged under section 36. This amendment has the effect of extending the conditions under which a representative complaint can be made to complaints accepted by the Privacy Commissioner under sub-clause 40(1B) which is inserted into the Act by Item 80.

Item 78. Subsection 38(2)

217. Item 78 amends subsection 38(2) by omitting "under section 36" and substituting "made under section 36 or accepted under subsection 40(1B)". Currently, subsection 38(2) describes the matters that must be specified in a representative complaint lodged under section 36. This amendment has the effect of extending the requirement for those matters to be specified to complaints accepted by the Privacy Commissioner under sub-clause 40(1B) which is inserted into the Act by Item 80.

Item 79. Subsection 40(1)

218. Item 79 amends subsection 40(1) by omitting "The" and substituting "Subject to subsection (1A), the". This amendment means that it will not be mandatory that the Privacy Commissioner investigate an act or practice that may be an interference with privacy and in respect of which a complaint has been made under section 36, if the circumstances set out in sub-clause 40(1A) apply.

Item 80. After subsection 40(1)

219. Item 80 amends section 40 by inserting new sub-clauses 40(1A), (1B) and (1C). Currently, section 40 requires the Privacy Commissioner to investigate acts and practices of agencies and file number recipients that may be interferences with privacy if a complaint is made under section 36. The Privacy Commissioner may, as a matter of discretion, investigate an act or practice that may be an interference with the privacy of an individual, if the Privacy Commissioner thinks it desirable to do so.

220. Sub-clause 40(1A) provides that the Privacy Commissioner must not investigate a complaint if the complainant did not complain to the respondent before approaching the Privacy Commissioner. The Privacy Commissioner may, however, investigate the complaint if it was not appropriate for the complainant to complain to the respondent.

221. Sub-clause 40(1B) allows the Privacy Commissioner to accept a complaint about an act or practice of an organisation bound by an approved privacy code where the complaint is referred to the Privacy Commissioner by the adjudicator under the approved privacy code. If, after consulting the complainant, the Privacy Commissioner accepts the complaint, the Privacy Commissioner must investigate it.

222. Sub-clause 40(1C) provides that, if the Privacy Commissioner accepts a complaint under sub-clause 40(1B), the Privacy Commissioner must deal with it as if it were a complaint made about an act or practice of the organisation under section 36.

Item 81. At the end of section 40

223. Item 81 adds a new sub-clause 40(3) to section 40, which confirms that section 40 has effect subject to section 41.

Item 82. After section 40

224. Item 82 inserts a new clause 40A after section 40. Clause 40A applies where an adjudicator for an approved privacy code forms the view that a complaint is about an act or practice of an organisation that is a contracted service provider for a Commonwealth contract which has been done or engaged in, for the purposes of meeting contractual obligations. The clause provides that despite the code, the adjudicator must stop investigating the complaint under the code without making a determination in relation to the complaint and refer the complaint to the Privacy Commissioner under new sub-clause 40(1B). Sub-clause 40A(3) provides that the Privacy Commissioner must accept the complaint.

Item 83. Subsection 41(1)

225. Item 83 amends subsection 41(1) by inserting "or which the Privacy Commissioner has accepted under subsection 40(1B)" after "under section 36". This amendment allows the Privacy Commissioner to decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under sub-clause 40(1B) if any of the situations set out in section 41(1) paragraphs (a)-(f) inclusive are satisfied.

Item 84. Paragraph 41(1)(b)

226. Item 84 repeals paragraph 41(1)(b).

Item 85. Paragraphs 41(1)(e) and (f)

227. Item 85 repeals paragraphs 41(1)(e) and (f) and replaces them with new paragraphs 41(1)(e) and (f).

228. New paragraph 41(1)(e) provides that the Privacy Commissioner may decide not to investigate, or not to investigate further, a complaint about an act or practice if satisfied that the act or practice is the subject of an application under another Commonwealth, State or Territory law and the subject-matter of the complaint has been or is being dealt with adequately under that law. The intention of this amendment is to restrict potential forum shopping by complainants.

229. New paragraph 41(1)(f) provides that the Privacy Commissioner may decide not to investigate, or not to investigate further, a complaint about an act or practice, if that act or practice could be made the subject of an application under another Commonwealth, State or Territory law for a more appropriate remedy. The intention of this amendment is to allow the Privacy Commissioner to consider referring complainants to other fora, where appropriate.

Item 86. Subsections 41(2) and 41(3)

230. Item 86 amends subsections 41(2) and 41(3). The item inserts "or accepted by the Privacy Commissioner under subsection 40(1B)" after "under section 36" in each subsection. Currently subsection 41(2) provides that the Privacy Commissioner may decide not to investigate a complaint made under section 36 if satisfied that the complainant has complained to the respondent and the respondent has dealt adequately with the complaint or has not yet had time to deal adequately with the complaint.

231. Subsection 41(3) provides that the Privacy Commissioner may defer the investigation of a complaint under section 36 if the respondent has made an application under section 72 and the Privacy Commissioner is satisfied that deferral of the investigation would not unreasonably prejudice interested persons. This amendment has the effect of extending the Privacy Commissioner's discretion in subsections 41(2) and 41(3) to investigations of complaints accepted by the Privacy Commissioner under sub-clause 40(1B) which is inserted into the Act by Item 80.

Item 87. Subsection 41(4)

232. Item 87 repeals subsection 41(4) and replaces it with new sub-clause 41(4). Subsection 41(4) relates to investigating acts or practices which may breach Information Privacy Principle 7 which deals with correction of personal information. New sub-clause 41(4) extends the provision to include investigating acts or practices under NPP 6 or a provision of an approved privacy code to the extent that they deal with correction of personal information.

Item 88. Section 42

233. Item 88 amends section 42. The item inserts "or the Commissioner accepts a complaint under subsection 40(1B)" after "Commissioner" (first occurring). Currently, section 42 provides that when a complaint is made the Privacy Commissioner may make preliminary inquiries of the respondent to determine whether the Privacy Commissioner has the power to investigate further or whether the Privacy Commissioner should decide not to investigate the matter. This amendment has the effect of extending the ability of the Privacy Commissioner to make preliminary inquiries to where a complaint has been accepted under sub-clause 40(1B) which is inserted into the Act by Item 80.

Item 89. After subsection 43(1)

234. Item 89 inserts a new sub-clause 43(1A). This sub-clause facilitates the accountability of contracted service providers to the agency to whom the service is being provided under a Commonwealth contract. The new sub-clause requires the Privacy Commissioner to inform the relevant agency that the act or practice of a contracted service provider is to be investigated before commencing the investigation.

Item 90. Subsection 43(6)

235. Item 90 amends subsection 43(6) by inserting a reference to "organisation" after "agency" (twice occurring). Currently, subsection 43(6) provides that the Privacy Commissioner may allow an agency or person appearing before the Privacy Commissioner to make a submission under subsection 43(5) to be represented by another person. This amendment will have the effect of permitting the Privacy Commissioner to allow an organisation appearing before the Privacy Commissioner to make a submission under subsection 43(5) to be represented by another person.

Item 91. After subsection 43(8)

236. Item 91 inserts a new sub-clause 43(8A) into section 43. New sub-clause 43(8A) limits the Privacy Commissioner's discretionary power in existing subsection 43(8) to discuss any matter that is relevant to the investigation of a complaint under Division V with a Minister. This provision states that subsection 43(8) does not allow the Privacy Commissioner to discuss a matter relevant to an investigation of a breach of the NPPs or an approved code unless it concerns an act done, or practice engaged in, by a contracted service provider for a Commonwealth contract and for the purpose of providing a service to an agency to meet contractual obligations.

Item 92. Subsection 46(1)

237. Item 92 amends subsection 46(1) by inserting "(except an NPP complaint or a code complaint accepted under subsection 40(1B))" after "a complaint". Currently, subsection 46(1) provides that in the course of performing functions in relation to a complaint, the Privacy Commissioner may give written notice to direct persons to attend, at a time and place specified in the notice, a conference presided over by the Privacy Commissioner. This amendment will have the effect of preventing the Privacy Commissioner from directing persons to attend a conference in relation to complaints concerning the NPPs or a complaint accepted under sub-clause 40(1B) which is inserted into the Act by Item 80.

Item 93. At the end of section 48

238. Item 93 adds a new sub-clause 48(2). Section 48 currently requires the Privacy Commissioner to inform the complainant and the respondent of, and the reasons for, a decision not to investigate, or not to investigate further, a matter to which a complaint relates. New sub-clause 48(2) provides that if the Privacy Commissioner decides not to investigate an act or practice of a contracted service provider, either at all or after commencing an investigation, the Privacy Commissioner must also inform the agency of the decision.

Item 94. After section 50

239. Item 94 adds a new clause 50A after section 50. Clause 50A allows the Privacy Commissioner to substitute an agency for an organisation as respondent to a complaint. Sub-clause 50A(1) sets out when the Privacy Commissioner may use this power. (It only applies if the organisation is a contracted service provider for a Commonwealth contract to provide services to the agency.) Substitution may be made before the Privacy Commissioner has made a determination in relation to the complaint if the contracted service provider is not available or appropriate as respondent for one of the reasons specified. Should the Privacy Commissioner consider it appropriate to do so, new sub-clause 50A(2) allows the Privacy Commissioner to amend a complaint to substitute the agency, or the principal executive of the agency, as respondent to a complaint. The ability of the Privacy Commissioner to substitute an agency as respondent ensures that an individual complainant does not suffer loss in the event that the respondent contracted service provider has become insolvent, has been wound up or has ceased to exist for other similar reasons.

240. New sub-clause 50A(3) provides that before the Privacy Commissioner amends a complaint in this way he or she is required to give the agency a notice informing the agency of the proposed amendment to the complaint and giving reasons for the proposed amendment. The Privacy Commissioner must then provide to the agency an opportunity to make oral and/or written submissions to the Privacy Commissioner concerning the proposed amendment.

241. Under new sub-clause 50A(4), if the Privacy Commissioner has already started investigating a complaint under section 40 before it is amended to substitute the agency for the contracted service provider, the Privacy Commissioner is taken to have informed the outsourcing agency that the matter is to be investigated, to satisfy the requirements of sub-clause 43(1A).

Item 95. Subsection 52(3A)

242. Item 95 repeals subsection 52(3A) and inserts new sub-clauses 52(3A) and (3B). Sub-clause 52(3A) provides that the Privacy Commissioner may include an order of the kind set out in sub-clause 52(3B) in a determination made under subparagraph 52(1)(b)(i) or (ii) that concerns a breach of the relevant Information Privacy Principle, NPP, provision of an approved privacy code, or credit reporting provision that deals with the correction of personal information.

243. Sub-clause 52(3B) sets out the orders that may be included in the determination made under subparagraph 52(1)(b)(i) or (ii). They are that the agency or respondent correct, delete or add to a record, credit file or credit report; or that the agency or respondent attach a statement provided by the complainant to the record, credit file or credit report seeking correction, deletion or addition.

Item 96. At the end of Division 2 of Part V

244. Item 96 adds new clauses 53A and 53B at the end of Division 2 of Part V. Like the amendment inserted by Item 95, clause 53A adds a requirement for notification, should the Privacy Commissioner make a determination to which a contracted service provider is the respondent. The clause provides that the Privacy Commissioner must give a copy of the determination to each agency to which services are or were to be provided under the Commonwealth contract, if the Privacy Commissioner considers it appropriate. After consultation with any such agency, the Privacy Commissioner may recommend to such an agency any measures the Privacy Commissioner considers appropriate. Within 60 days of receiving the recommendation, the outsourcing agency must inform the Privacy Commissioner of any action that it proposes to take concerning the recommendation.

245. Item 96 also inserts new clause 53B, which applies if the respondent to a determination under subsection 52(1) is a contracted service provider for a Commonwealth contract and the determination includes a declaration that the complainant is entitled to a specified amount by way of compensation or reimbursement. The clause only applies if the contracted service provider is not available or appropriate as respondent to the determination for one of the reasons specified. The new clause allows the Privacy Commissioner to make a determination in writing that a specified agency to which services were or were to be provided under the contract is taken to be the respondent in relation to the determination. This will ensure that the individual complainant does not suffer loss in the event that the contracted service provider is not able to provide compensation or pay costs awarded, for one of these reasons. Before the Privacy Commissioner makes such a determination the Privacy Commissioner is required to give the relevant agency a notice informing the agency of the proposed determination and giving reasons for the proposal. The Privacy Commissioner must give the agency an opportunity to make oral and/or written submissions to the Privacy Commissioner concerning the proposed determination.

Item 97. Division 3 of Part V (heading)

246. Item 97 repeals the heading and replaces it with "Division 3 - Enforcement".

Item 98. After subsection 54(1)

247. Item 98 inserts a new sub-clause (1A) into section 54. The purpose of the amendment is to extend the application of Division 3 of Part V to determinations made by an adjudicator for an approved code under the code in relation to a complaint under the code.

Item 99. Section 55

248. Item 99 repeals section 55 and substitutes new clauses 55, 55A and 55B.

249. Clause 55 confirms that an organisation that is a respondent to a determination made by the Privacy Commissioner under section 52, or a determination made by an adjudicator under an approved privacy code, must not repeat the conduct identified in the determination as being an interference with privacy, and must perform any act or course of conduct that is specified in the determination.

250. Clause 55A relates to proceedings in the Federal Court or Federal Magistrates Court to enforce a determination made by the Privacy Commissioner or a code adjudicator. Sub-clause 55A(1) provides that proceedings in either court may be commenced by the complainant, the Privacy Commissioner (if the determination was made under section 52), or the adjudicator for an approved privacy code (if the determination was made by him or her under an approved privacy code). The court may, if it thinks fit, grant an interim injunction pending the determination of the proceedings (sub-clause 55A(3)) but cannot require a person to give undertakings as to damages (sub-clause 55A(4)).

251. If the court is satisfied, by way of hearing de novo (sub-clause 55A(5)), that the respondent has engaged in conduct that constitutes an interference with the privacy of the complainant, the court may make such orders (including a declaration of right) as it thinks fit (sub-clause 55A(2)). Sub-clauses 55A(6) and (7) provide that, in hearing the matter, the court may receive into evidence: a copy of the written reasons for the determination, a copy of any document that was before the decision maker, and a copy of a record of any appearance before the decision maker.

252. Sub-clause 55A(7A) describes the matters to which the Court is to have due regard in conducting a hearing or making an order. The sub-clause makes it clear that a Court must have due regard to the same matters that the Privacy Commissioner must consider under paragraph 29(a) of the Act.

253. Clause 55B relates to evidentiary certificates. Sub-clauses 55B(1) and (2) provide that a certificate may be issued by the Privacy Commissioner, or an adjudicator for an approved privacy code, setting out the findings of fact upon which he or she based his or her determination that a specified body (ie, an agency or organisation) had breached the relevant privacy standard (ie, Information Privacy Principles in the case of an agency, or NPPs or approved code in the case of an organisation).

254. Sub-clause 55B(3) provides that the certificate is prima facie evidence of the facts found by the Privacy Commissioner or adjudicator, but not prima facie evidence of a finding that an agency or organisation had breached the relevant privacy standard (because the question of whether a breach has occurred is a question the court must consider de novo). A document purporting to be a certificate must be taken to be a certificate unless the contrary is established (sub-clause 55B(4)). The purpose of the certificate is to facilitate the enforcement process.

Item 100. Application

255. Item 100 provides that Division 3 of Part V, as amended, applies to determinations made as a result of a complaint that is made after the commencement of the Schedule. Clause 55B applies in relation to determinations made by the Privacy Commissioner in relation to an agency before or after the commencement of the clause.

Item 101. Subsections 62(1) and (2)

256. Item 101 amends subsections 62(1) and (2). The item inserts "or the Federal Magistrates Court" after "Federal Court" in both subsections. Currently subsection 62(1) states that where an agency fails to comply with section 58 (which sets out the obligations of a respondent agency), an application may be made to the Federal Court for an order directing the agency to comply. Similarly, subsection 62(2) states that where the principal executive officer of an agency fails to comply with section 59 (which sets out the obligations of a principal executive officer of an agency), an application may be made to the Federal Court for an order directing the principal executive to comply. Item 101 amends subsection 62(1) and 62(2) so that an application may be made to the Federal Magistrates Court as well as to the Federal Court.

Item 102. Subsection 62(4)

257. Item 102 amends subsection 62(4). The item substitutes the word "court" for "Federal Court". Currently, subsection 62(4) provides that, on application under section 62, the Federal Court may make such orders as it sees fit to secure the compliance of the respondent. This amendment will have the effect of broadening subsection 62(4) to allow either the Federal Court or the Federal Magistrates Court, on application, to make such orders as they see fit to secure the compliance of the respondent.

Item 103. Paragraphs 63(2)(a) and (b)

258. Item 103 amends paragraphs 63(2)(a) and (b). The item inserts "or the Federal Magistrates Court" after "Federal Court" in both paragraphs. Currently, paragraphs 63(2)(a) and (b) provide that a person who has commenced proceedings in the Federal Court under section 55, or has been involved in proceedings commenced in the Federal Court under section 55 as a result of their alleged conduct, may apply to the Attorney-General for assistance in respect of those proceedings. This amendment will have the effect of broadening the paragraphs to allow a person to apply to the Attorney-General for assistance where the relevant proceedings have been commenced in the Federal Magistrates Court under clause 55A.

Item 104. After subsection 63(2)

259. Item 104 inserts a new sub-clause 63(2A) after subsection 63(2). Sub-clause 63(2A) prohibits the making of an application for legal assistance in relation to enforcement proceedings relating to a code complaint or an NPP complaint.

Item 105. At the end of section 64

260. Item 105 inserts new sub-clause 64(2) at the end of section 64. Sub-clause 64(2) protects an adjudicator for an approved privacy code, or any person acting under his or her direction or authority, from legal proceedings arising from an act done under this Bill, or the approved privacy code, that was performed in good faith.

Item 106. After subsection 66(1)

261. Item 106 inserts new sub-clause 66(1A), after subsection 66(1). Subsection 66(1) makes it an offence for a person to refuse or fail to give information, to answer a question, or produce a document or record, when required to do so under the Act, without reasonable excuse.

262. New sub-clause 66(1A) provides that a journalist has a reasonable excuse if giving the information, answering a question or producing a document or record would tend to reveal the identity of a person who gave information to the journalist in confidence. This provision is intended to assist in balancing the public interest in providing adequate safeguards for the handling of personal information and the public interest in allowing a free flow of information to the public through the media.

Item 107. After paragraph 67(a)

263. Item 107 inserts new paragraphs (aa) and (ab) after paragraph 67(a). Paragraphs 67(aa) and (ab) preclude a person from being sued for lodging a complaint under an approved privacy code or for the acceptance by the Privacy Commissioner of a complaint under sub-clause 40(1B), respectively.

Item 108. Subsection 68(1)

264. Item 108 amends section 68(1) to insert the words "in writing" after "Commissioner". This requires that a person authorised by the Privacy Commissioner to enter premises under section 68 must be so authorised in writing by the Privacy Commissioner.

Item 109. Subsection 68(1)

265. Item 109 amends subsection 68(1) to include a reference to "an organisation" after "an agency". This amendment allows the Privacy Commissioner to authorise a person to enter premises occupied by an organisation.

Item 110. After subsection 68(1)

266. Item 110 inserts a new sub-clause 68(1A) into subsection 68(1). Sub-clause 68(1A) provides that a person may be authorised to enter premises under section 68 only while the person is a member of the staff assisting the Privacy Commissioner.

Item 111. After subsection 68(3)

267. Item 111 inserts new sub-clauses 68(3A), (3B), (3C) and (3D) into subsection 68(3). Sub-clause 68(3A) provides that a person authorised under subsection 68(1) to enter premises must inform the occupier or person in charge that he or she may refuse to consent to the entry by the authorised person.

268. Sub-clause 68(3B) provides that, if consent given to the authorised person is not voluntary (for example, if a person authorised under subsection 68(1) fails to comply with sub-clause 68(3A)), then the entry is unlawful.

269. Sub-clause 68(3C) requires that an authorised person must produce his or her identity card (as defined in clause 68A (Item 112)) on request by the occupant or person in charge. Sub-clause 68(3D) requires that the authorised person leave the premises if so requested by the occupier or person in charge.

Item 112. After section 68

270. Item 112 inserts new sub-clauses 68A(1), (2) and (3) after section 68. Sub-clause 68(1) requires that the Privacy Commissioner issue persons authorised under section 68 to enter premises with an identity card containing a recent photograph of the authorised person. Sub-clause 68A(2) provides that, as soon as practicable after a person ceases to be so authorised, he or she return the identity card to the Privacy Commissioner. Sub-clause 68A(3) provides that if sub-clause 68A(2) is contravened, one penalty unit is imposed.

Item 113. Subsection 69(9) (definition of complaint)

271. Item 113 repeals the existing definition of "complaint" in subsection 69(9) and substitutes a new definition of "complaint". Item 113 defines "complaint", for the purposes of section 69, to mean a complaint under section 36 or a complaint the Privacy Commissioner accepts under sub-clause 40(1B).

Item 114. At the end of Division 5 of Part V

272. Item 114 inserts sub-clauses 70A(1), (2) and (3) and clause 70B at the end of Division 5 of Part V. Sub-clauses 70A(1), (2) and (3) deal with the situation where Part V imposes an obligation on an entity that does not have separate legal personality, namely a partnership, unincorporated association or trust. Clause 70B preserves the jurisdiction of the Privacy Commissioner in the specified circumstances.

273. Sub-clause 70A(1) provides that, where Part V imposes an obligation on an organisation that is a partnership, this obligation is imposed on each partner individually and may be discharged by any of the partners to the partnership.

274. Sub-clause 70A(2) provides that, if Part V imposes an obligation on an unincorporated association, the obligation is imposed on each member of the committee of management of the association and may be discharged by any member of that committee.

275. Sub-clause 70A(3) provides that if Part V imposes an obligation on a trust, the obligation is imposed on each trustee but may be discharged by any one of the trustees.

276. Clause 70B provides that an entity that ceases to be an organisation but continues to exist is subject to Part V of the Act (which relates to investigations) in relation to an act or practice of the entity while it was an organisation, as if it were still an organisation. This means that a complaint may be made about an act or practice of a small business that subsequently becomes a small business operator and therefore exempt from the Bill if the act or practice occurred before the business became exempt. Equally, if a small business operator makes an election under clause 6EA to be subject to the Bill but later revokes that election, acts or practices that occurred while the election remained in force may be investigated and dealt with by the Privacy Commissioner (or code adjudicator) as if the small business operator were still subject to the Bill. This ensures that the Privacy Commissioner's (or code adjudicator's) jurisdiction to investigate complaints about alleged interferences with privacy is not defeated by a business gaining or reasserting an exemption from the Bill after the act or practice complained of occurred.

Item 115. Part VI (heading)

277. Item 115 repeals the heading "Part VI - Public interest determinations about certain acts and practices" and substitutes "Part VI - Public interest determinations and temporary public interest determinations".

Item 116. Before section 71

278. Item 116 inserts a new heading "Division 1 - Public Interest Determinations" before section 71.

Item 117. Section 72

279. Item 117 omits the reference to "Part" in section 72 and substitutes "Division" to reflect the changes made by Item 116.

Item 118. At the end of section 72

280. Item 118 adds new sub-clauses 72(2), (3), (4) and (5). Sub-clause 72(2) provides that the Privacy Commissioner may make a written determination that an act or practice of an organisation which is in breach, or may be in breach, of an approved privacy code, or an NPP, that binds the organisation, is not to be regarded as a breach of the code or NPP because of the overriding public interest in the organisation being able to do the act, or engage in the practice.

281. A determination under sub-clause 72(2) applies only to acts or practices that occur while it is in force. Sub-clause 72(3) provides that the effect of a determination under sub-clause (2) is that the organisation is taken not to contravene clause 16A (which provides that an organisation must comply with the NPPs or an approved privacy code). Sub-clause 72(4) provides that the Privacy Commissioner may make a written determination that applies a determination made under sub-clause (2) generally to all organisations. Sub-clause 72(5) provides that a determination under sub-clause (4) which gives determinations under sub-clause (2) general effect, is to have effect according to its terms.

Item 119. Subsection 73(1)

282. Item 119 inserts "or organisation" after the word "agency" in subsection 73(1). This allows an organisation to apply, in accordance with any regulations, for a public interest determination under section 72 about an act or practice.

Item 120. At the end of subsection 73(1)

283. Item 120 inserts "of the agency or organisation" at the end of subsection 73(1). This allows an agency or organisation to seek a public interest determination in respect of an act or practice of the agency or organisation.

Item 121. Subsection 73(2)

284. Item 121 substitutes the term "services" for "care" in subsection 73(2). This amendment is not intended to substantively change the operation of subsection 73(2). It is intended to ensure consistency in the terminology used in the Act. A "health service" is a term that is defined in Item 17 of the Bill.

Item 122. Subsection 75(2)

285. Item 122 repeals subsection 75(2) and inserts new sub-clauses 75(2) and (2A). Sub-clause 75(2) provides that, if the applicant for a public interest determination is an agency then the Privacy Commissioner must send a written invitation to the agency and any other person interested in the application to notify him or her if the agency or other person wishes the Privacy Commissioner to hold a conference about the draft determination.

286. Sub-clause 75(2A) provides that, if the applicant for a public interest determination is an organisation, the Privacy Commissioner must send a written invitation to the organisation to notify him or her within a specified time whether the organisation wishes the Privacy Commissioner to hold a conference about the draft determination. Sub-clause 75(2A) also requires that the Privacy Commissioner issue, in any way he or she considers appropriate, an invitation in similar terms to any other persons the Privacy Commissioner thinks appropriate.

Item 123. Subsection 75(3)

287. Item 123 inserts the words "or subsection (2A)" after the words "subsection (2)" in subsection 75(3). This is to reflect that an invitation must also be made under sub-clause 75(2A).

Item 124. Application and saving

288. Sub-item 1 of Item 124 provides that the amendments of section 75 made by Items 103 and 104 apply only in relation to applications made under section 73 after the commencement of this Schedule. Sub-item 2 provides that any regulations in force before commencement of the Schedule continue to have effect as if they had been made for the purposes of that subsection after that commencement. Sub-item 3 provides that sub-item 2 does not prevent amendment or repeal of regulations that are in force before commencement of this Schedule.

Item 125. Subsection 76(1)

289. Item 125 inserts "organisation" after "agency" wherever it occurs in subsection 76(1). This allows an organisation to request a conference about a draft determination.

Item 126. Subsection 76(4)

290. Item 126 inserts "organisation" after "agency" in subsection 76(4). This amendment extends the application of the current subsection 76(4) to cover the circumstance where an organisation requests that the Privacy Commissioner hold a conference about a draft determination and requires the Privacy Commissioner to give notice of the day, time and place of the conference to the organisation.

Item 127. Subsection 77(1)

291. Item 127 inserts "or organisation" after "agency" wherever it occurs in subsection 77(1). This extends the coverage of subsection 77(1) to entitle an organisation to be represented at a conference about a draft determination by a person who is, or persons each of whom is, an officer or employee of the organisation.

Item 128. Subsection 79(2)

292. Item 128 substitutes "organisation or any other person" for "or any person" in subsection 79(2). Subsection 79(2) requires that the Privacy Commissioner take account of all submissions about an application for a draft determination whether at the conference or not, by the agency or any other person. This amendment also requires that the Privacy Commissioner take account of any submission made by the organisation making the application.

Item 129. At the end of Part VI

293. Item 129 inserts new Division 2 - Temporary public interest determinations, comprising clauses 80A, 80B, 80C, 80D, and Division 3 - Register of determinations, comprising clause 80E.

294. Sub-clause 80A(1) provides that the Privacy Commissioner may issue a temporary public interest determination in respect of an act or practice of an agency or organisation that breaches or may breach an Information Privacy Principle (in respect of agencies) or an approved privacy code or an NPP (in respect of organisations) and is the subject of an application by either an agency or organisation under section 73 for a public interest determination under section 72. The power to issue temporary public interest determinations is restricted by paragraphs (b) and (c) of sub-clause 80A(1) to circumstances requiring an urgent decision and where the Privacy Commissioner is satisfied that the public interest in the agency or organisation continuing to perform the act, or engage in the practice, outweighs to a substantial degree, the public interest in adhering to the relevant Principle or code.

295. Sub-clause 80A(2) provides that the Privacy Commissioner may make a written temporary public interest determination noting that he or she is satisfied of the matters set out in sub-clause 80A(1). This may be done either at the request of any agency or organisation or on his or her own initiative.

296. Sub-clause 80A(3) provides that the temporary public interest determination must specify the time period (not being more than 12 months) during which the determination is in force (subject to sub-clause 80A(2)) and include a statement of reasons for the determination.

297. Sub-clause 80B(1) provides that an act or practice of any agency that is the subject of a temporary public interest determination will not breach section 16 if that act is done or practice engaged in, while the determination is in force.

298. Sub-clause 80B(2) provides that an act or practice of any organisation that is the subject of a temporary public interest determination will not breach section 16 if that act is done or practice engaged in, while the determination is in force.

299. Sub-clause 80B(3) provides that the Privacy Commissioner may make a written determination which extends the effect of a temporary public interest determination made in respect of the act or practice of one organisation, to any organisation and not just the organisation in respect of which the determination was made. Sub-clause 80B(4) provides that a determination has effect according to its terms.

300. Clause 80C provides that a determination made under new Division 2 is a disallowable instrument for the purposes of section 46A of the Acts Interpretation Act 1901.

301. Sub-clause 80D(1) provides that the making of a determination under new Division 2 does not prevent the Privacy Commissioner from dealing with an application for a public interest determination under section 73 in respect of that act or practice.

302. Sub-clause 80D(2) sets out the circumstances in which a determination about an act or practice under new Division 2 ceases to have effect. A temporary public interest determination will cease to have effect where a public interest determination under subsection 72(1) or (2) about the act or practice comes into effect or where a determination is made under paragraph 78(b) by the Privacy Commissioner to dismiss the application for a determination.

303. Sub-clause 80E(1) requires that the Privacy Commissioner keep a register of determinations made under Division 1 or 2. This will require the Privacy Commissioner to maintain a list of public interest determinations made in respect of agencies or organisations (section 72), temporary public interest determinations under sub-clause 80A(2) and determinations that give a temporary public interest determination general effect under sub-clause 80B(3).

304. Sub-clause 80E(2) allows the Privacy Commissioner to determine the form of the register and how it is to be kept. Sub-clause 80E(3) requires the Privacy Commissioner to make the register publicly available in a way that the Privacy Commissioner determines. This may be via the World Wide Web or any other means allowing the public to access current determinations made by the Privacy Commissioner. Sub-clause 80E(4) provides that the Privacy Commissioner may charge fees for making the register available to the public or providing copies of, or extracts from, the register.

Item 130. Application

305. Item 130 provides that clause 80A applies in respect of an application made by or on behalf of any agency under section 73 regardless of whether the application was made before or after the commencement of the Bill. An application made by an agency under section 73 before the commencement of this Schedule may therefore be the subject of a temporary public interest determination once clause 80A commences, notwithstanding that the application was made before clause 80A commenced.

Item 131. After section 95

306. Item 131 inserts new clauses 95A, 95B and 95C.

307. Sub-clause 95A(1) allows the Privacy Commissioner to approve, for the purposes of the NPPs, guidelines issued by the National Health and Medical Research Council or a prescribed authority about specified aspects of the handling of health information. A prescribed authority is an authority prescribed by the Governor-General under the existing regulation-making power in the Act.

308. Under sub-clause 95A(2), the Privacy Commissioner may approve guidelines relating to the use and disclosure of health information for the purposes of research, or the compilation or analysis of statistics, aimed at improving public health or public safety. The approval of guidelines is to be evidenced by notice in the Gazette.

309. Under sub-clause 95A(3), the "test" for approval is that the public interest in the use or disclosure of health information for public health or public safety purposes in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than paragraph 2.1(d)).

310. Sub-clause 95A(4) provides that the Privacy Commissioner may approve guidelines relating to the collection of health information for the purposes set out in NPP 10.3.

311. Under sub-clause 95A(5) the "test" for approval of such guidelines is that the public interest in the collection of health information for NPP 10.3 purposes in accordance with the guidelines substantially outweighs the public interest in maintaining the level of privacy protection afforded by the NPPs (other than paragraph 10.3(d)). Under sub-clauses 95A(3) and (5), the "level of privacy protection" is to be judged at the time the Privacy Commissioner is considering whether to approve the guidelines.

312. Sub-clause 95A(6) provides that the Privacy Commissioner may revoke an approval of guidelines, if he or she is no longer satisfied of the matter that he or she had to be satisfied of to approve the guidelines. This sub-section would permit, for example, a revocation of the approval of guidelines in circumstances where the guidelines are out-of-date. The Privacy Commissioner's approval of updated guidelines would need to meet the relevant "test" for approval in either sub-clauses 95A(3) or (5).

313. Sub-clause 95A(7) provides that an application may be made to the Administrative Appeals Tribunal for review of a decision of the Privacy Commissioner to refuse to approve guidelines, or to revoke an approval of guidelines.

314. New clause 95B requires an agency to consider its own obligations under the Act when entering into a Commonwealth contract. It requires an agency to take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an Information Privacy Principle if done by the agency. The obligation on the agency to ensure that the contract does not authorise a contracted service provider to do such an act or engage in such a practice also extends to ensuring that such an act or practice is not authorised by a subcontract. The section applies to agencies entering into Commonwealth contracts in their own right as well as those entering a contract on behalf of the Commonwealth.

315. To ensure that individuals can find out about the content of privacy clauses agreed between agencies and organisations and included in Commonwealth contracts, clause 95C enables a person to ask a party to the contract for this information. The clause requires the party requested to inform the person, in writing, of the content of any provisions in the contract (if any) that are inconsistent with an approved code binding a party to the contract or with an NPP. For example, the contract may contain a provision concerning the contractor's ability to use or disclose personal information that is not consistent with NPP 2. If asked, a party to the contract would be required to inform the person of the content of that provision. This ensures that parties to a Commonwealth contract cannot claim "commercial-in-confidence" in respect of privacy standards contained in Commonwealth contracts, thereby preserving accountability and openness in respect of these standards.

Item 132. Subsection 97(2)

316. Item 132 omits the words "27(1)(n)" from subsection 97(2). This amendment is a consequential amendment arising from the amendments made by Item 65, which repeals paragraph 27(1)(n).

Item 133. After subsection 97(2)

317. Item 133 inserts new sub-clause 97(2A) after subsection 97(2). This requires that the annual report which the Privacy Commissioner must provide to the Minister include a statement about the operation of approved privacy codes that contain procedures for making and dealing with complaints in relation to acts or practices that may be an interference with the privacy of an individual. This statement must include action taken by adjudicators to monitor compliance with codes and the number of complaints made under approved privacy codes and their nature and outcome.

Item 134. Subsections 98(1) and (2)

318. Item 134 inserts "or the Federal Magistrates Court" after "Federal Court". This recognises that the Federal Magistrates Court has jurisdiction to grant injunctions restraining conduct that constituted or would constitute a contravention of the Act.

Item 135. Subsections 99A(1) and (2)

319. Item 135 omits "servant" (wherever occurring) in subsections 99A(1) and (2) and substitutes "employee". This amendment recognises that section 99A now applies to organisations as well as to agencies. Subsection 99A(1), as amended, provides that, in proceedings for an offence against the Act where it is necessary to establish the state of mind of a body corporate in relation to particular conduct, it will be sufficient to show that the director, employee, or agent of the body corporate had the requisite state of mind (provided that the conduct was engaged in by the person within the scope of his or her authority).

320. Subsection 99A(2) provides that conduct that is within the scope of the director's, employee's or agent's authority and engaged in on behalf of a body corporate by that person is to be taken, for the purposes of prosecution of an offence against the Act, to have been conduct engaged in also by the body corporate.

321. The heading to section 99A is consequentially amended by omitting "servants" and substituting "employees".

Item 136. Paragraph 99A(3)(a)

322. Item 136 omits "a servant" and substitutes "an employee" in paragraph 99A(3)(a). Like the amendments to subsections 99A(1) and (2), this amendment reflects the extension of subsection 99A(3) to cover organisations as well as agencies.

Item 137. Paragraph 99A(3)(b)

323. Item 137 omits "servant" and substitutes "employee" in paragraph 99A(3)(b). Amended subsection 99A(3) provides that, in proceedings for an offence against the Act, where it is necessary to establish the state of mind of a person other than a body corporate in relation to particular conduct, it is sufficient to show that the conduct was engaged in by an employee or agent within the scope of his or her authority and that the person had that particular state of mind.

Item 138. Subsection 99A(4)

324. Item 138 omits "a servant" and substitutes "an employee" in subsection 99A(4). Amended subsection 99A(4) provides that conduct engaged in on behalf of a person other than a body corporate by an employee or agent of that person (within the scope of that person's actual or apparent authority) is to be taken, for the purposes of a prosecution for an offence against the Act, to have been engaged in also by the first mentioned person, unless that person can establish that he or she took reasonable precautions and exercised due diligence to avoid the conduct.

Item 138A. At the end of Section 100

325. Item 138A inserts sub-clause 100(2) at the end of existing section 100 of the Act. Section 100 provides that the Governor-General may make regulations prescribing certain matters. Sub-clause 100(2) provides that, before the Governor-General may make regulations for the purposes of NPP 7.1A or NPP 7.2(c), the Minister must be satisfied of the things listed in paragraphs 100(2)(a), (b) and (c). Paragraph 100(2)(a) provides that the agency (or principal executive of the agency, where the agency has a principal executive) must have agreed that the adoption, use or disclosure by the organisation of the identifier in the circumstances is appropriate. Paragraph 100(2)(b) provides that the agency (or principal executive, as appropriate) must have consulted the Privacy Commissioner about the proposal in paragraph (a). Finally, paragraph 100(2)(c) provides that the adoption, use or disclosure can only be for the benefit of the individual concerned.

Item 139. At the end of the Act

326. Item 139 inserts "Schedule 3 - National Privacy Principles".

327. The National Privacy Principles (NPPs) relate to fair handling of personal information and set the standards for the private sector. They apply to private sector organisations that do not have their own privacy codes that have been approved by the Privacy Commissioner. The NPPs apply to personal information collected, held, used or disclosed by an organisation. To remove doubt, a reference to law in the NPPs means Commonwealth, State and Territory legislation, as well as the common law.

Principle 1 - collection

328. The reference in the NPPs to the collection of personal information by organisations means, by virtue of clause 16B, a reference to collection of that information for inclusion in a record or generally available publication. (That is, the NPPs regulate the collection of personal information to the extent that the information is collected for inclusion in a record or generally available publication.) Where an organisation has already collected the personal information, the NPPs apply only to the extent that the information is held by the organisation in a record.

329. NPP 1.1 provides that personal information must not be collected by an organisation unless the information is necessary for one or more of its functions or activities. 'Necessary' should be interpreted in a practical sense. If an organisation cannot, in practice, effectively pursue a function or activity without collecting personal information, then that personal information would be regarded as necessary for that function or activity. An organisation should not collect personal information on the off chance that it may become necessary for one of its functions or activities in the future. If an organisation receives personal information that is not necessary for one of its functions or activities, it should not retain that personal information.

330. NPP 1.2 provides that an organisation must collect information only by lawful and fair means and not in an unreasonably intrusive way. 'Lawful means' refers to methods that are not prohibited by law. 'Fair' means without intimidation or deception. This would usually require organisations not to collect personal information covertly but there will be some circumstances - for example, investigations of possible fraud or other unlawful activity - where covert collection of information by surveillance or other means would be fair.

331. NPP 1.3 provides that when collecting personal information about an individual from that individual, the organisation collecting the information must, at or before the time of collection (or, if that is not practicable, as soon as practicable after), take reasonable steps to ensure that the individual is aware of the identity of the organisation and how to contact it, the fact that the individual is able to gain access to the information, the purposes for which the information is collected, the disclosure practices of the organisation in relation to the information, any law that requires the particular information to be collected and the consequences (if any) for the individual if the information is not provided.

332. Where information is being collected on a form, an organisation's obligations under NPP 1.3 could be satisfied by a statement on the form. Where information is collected via the internet, NPP 1.3 would require that a policy statement appear on the web page notifying the individual of contact details of the organisation collecting the information and outlining in what circumstances, and for what purposes, personal information (such as an email address, name or other personal details including purchasing habits linked to an email address) is collected. The Privacy Commissioner has prepared Guidelines on email and web-browsing.

333. In relation to the requirement in 1.3(c) to tell the individual the purposes for which the information is collected: The description of the purposes may be kept reasonably general, and internal purposes that form part of normal business practice need not be mentioned. If the collection is made for only one purpose, it would often be apparent simply from the title of a form, for example, 'Application for Membership'. Informing an individual about the purposes of collection will often assist the individual to understand the types of persons within an organisation that may be handling his or her personal information. It will also be of assistance in defining how personal information may be used or disclosed under NPP 2.1.

334. In relation to the requirement in 1.3(d) to tell the individual about the types of organisations to which the organisation usually discloses information of the kind collected from the individual: 'Reasonable steps', in this context, means giving generic descriptions of sets of organisations (eg, 'debt collectors' or 'State Government licensing authorities' or 'health insurers') where it is not practicable to list each member of the set. Disclosures that may happen but in practice happen only rarely - like disclosures under warrant or to intelligence agencies - would not need to be mentioned. If an organisation is a member of a group of related bodies corporate, it would be appropriate for an organisation to let the individual know that his or her personal information may be given to bodies corporate that are related to that organisation.

335. In relation to the requirement in 1.3(e) to tell the individual about any law that requires the information to be collected: This paragraph is intended to cover any legal obligation to provide the information or any legal obligation on the organisation to collect it. In describing such an obligation, it would be desirable to specify the exact piece of legislation that imposes the obligation (where it is feasible to do so).

336. In relation to the requirement in 1.3(f) to tell the individual about the consequences of not providing personal information: An organisation would not be required to try to describe all possible consequences of not providing information, but should make it clear which items are essential to fulfil the purpose of collection and which are not.

337. NPP 1.4 notes that as a general rule, and if it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual. There will, however, be situations in which it would not be 'reasonable and practicable' to collect directly from an individual. An example would be where direct collection would prejudice the purpose of collection (eg in the case where an enforcement body is investigating a breach of a criminal law).

338. NPP 1.5 is relevant where it is not reasonable and practicable for the organisation to collect personal information directly from the individual concerned and an organisation collects personal information from a third party. In such circumstances, the organisation must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in NPP 1.3. For example, if organisation A collected information from an individual, and organisation A usually discloses that type of information to organisation B, then, at the very minimum, organisation A would be required to tell the individual that it usually discloses the information to organisation B (this is required under NPP 1.3(d)). Before organisation B could collect the information, it would need to be satisfied that the individual was aware of the other matters listed in NPP 1.3 as they pertain to organisation B. If organisation A has given these details to the individual, then organisation B does not have to do any notifying itself. If organisation A has not notified the individual of the matters listed in NPP 1.3 as they relate to organisation B, then organisation B will need to notify the individual of these matters (where relevant) itself. The aim of NPP 1.5 is to ensure that the individual knows what happens to his or her personal information. It does not, however, require organisation B to contact the individual where to do so would pose a threat to the life or health of any individual.

Principle 2 - use and disclosure

339. NPP 2 sets out the general rule that personal information must only be used or disclosed for the primary purpose for which it was collected. Use and disclosure for a purpose other than the primary purpose (a secondary purpose) is only allowed in the circumstances listed in NPP 2. In establishing whether use or disclosure for a secondary purpose is permitted under this principle, it would be appropriate to refer back to the purposes identified under NPP 1.3 or 1.5.

340. Determining the primary purpose of collection should always be possible. Where the information is collected directly from the individual, the context in which the information is provided by the individual to the organisation will be of assistance in establishing the primary purpose of collection. When an individual provides (and an organisation collects) personal information, the individual and the organisation almost always do so for a particular purpose - to buy/sell a particular product or to receive a service, for example. This is the primary purpose of collection, even if the organisation has some additional purposes in mind. Where the information is not collected from the individual, the organisation usually uses the information soon after it collects it and this is a guide to the primary purpose of collection. For example, if an insurance company consults an insurance reference service in the course of considering an applicant, it seems clear that the primary purpose of collection is to decide whether or not to insure the individual.

341. NPP 2.1(a) allows information to be used or disclosed for a secondary purpose where the secondary purpose is related to the primary purpose of collection (although where the information is sensitive information it must be directly related to the primary purpose of collection) and the individual would reasonably expect the organisation to use or disclose the information for that secondary purpose. To be "related", the secondary purpose must be something that arises in the context of the primary purpose. For example, a business that collects personal information about its clients may use that information to notify its clients of its change of business address.

342. Where the information sought to be used or disclosed for a secondary purpose is "sensitive information", the secondary purpose for use or disclosure must be directly related to the primary purpose for collection. The sensitivities associated with the use or disclosure of sensitive information mean that a stronger connection should be demonstrated between the primary purpose for collection and the secondary purpose. The application of the "directly related" test in this context is recognised as a matter that can appropriately be clarified in guidelines issued by the Privacy Commissioner.

343. The 'reasonable expectations' test would be applied from the point of view of the person in the street, that is, an organisation should be able to use or disclose personal information in ways in which a person with no special knowledge of the industry or activity involved, would expect. For example, if a person has several different types of contact with one bank, he or she could expect the information about themselves to be shared within that bank. If the banking group also ran a health insurance business, the individual would not expect their health claims record to be matched with banking information.

344. NPP 2.1(b) allows information to be used or disclosed for a secondary purpose where the individual has consented to use/disclosure for that secondary purpose. Consent to the use or disclosure may be express or implied. Implied consent would be acceptable in some circumstances. Implied consent could legitimately be inferred from the individual's failure to object to a proposed use or disclosure (that is, a failure to opt out), provided that the option to opt out was clearly and prominently presented and easy to take up. If the consequences for the individual of the use or disclosure were serious, however, the organisation would have to be able to demonstrate clearly that the individual could have been expected to understand what was going to happen to his or her information. In such circumstances it would generally be more appropriate to seek express consent.

345. NPP 2.1(c) describes the circumstances in which an organisation may use personal information (provided it is not sensitive information) for the secondary purpose of direct marketing. NPP 2.1(c) allows personal information to be used for the secondary purpose of direct marketing where it is impracticable to get the individual's consent before using the information; the organisation gives the individual an opportunity to opt out of further direct marketing communications (at no charge); and the individual has not already asked the organisation not to send direct marketing material to the individual.

346. This sub-principle allows personal information, other than sensitive information, to be used in order to establish initial contact with an individual, provided that the individual is given the chance to opt out of any further approaches. The exclusion of sensitive information from this sub-principle recognises that the 'opt out' mechanism is not a sufficient protection in relation to this type of information. It would allow sensitive information to be used to establish contact with an individual, in the absence of consent, for purposes that may be entirely unrelated to the primary purpose of collection of the sensitive information. The exclusion of sensitive information will not prevent direct marketing organisations from using sensitive information about an individual in reliance on, for example, NPP 2.1(b) (that is, with the individual's consent) or NPP 2.1(a). The application of this sub-principle in the health context will be detailed in guidelines issued by the Privacy Commissioner.

347. NPP 2.1(c)(iv) requires an organisation to draw to the individual's attention his or her opportunity to opt out of further direct marketing communications, in each direct marketing communication to the individual. This sub-paragraph is intended to ensure that an individual is made aware that he or she may ask the organisation to stop sending direct marketing material to him or her at any stage in the transaction with the organisation.

348. NPP 2.1(c)(v) requires an organisation to provide its business address and telephone number to an individual in any written direct marketing communication to the individual. NPP 2.1(c)(v) also requires an organisation to provide electronic contact details (for example, a facsimile number or electronic mail address) at which the organisation can be contacted directly, where direct marketing communications are sent to an individual by electronic means. These paragraphs are intended to ensure that businesses provide consumers with information that allows identification of the business involved in a particular transaction as well as prompt, easy and effective communication with the business. It is expected that relevant statutory registration or licence numbers, including, for example, the Australian Business Number and/or the Australian Company Number would be displayed on any written direct marketing communications with an individual.

349. NPP 2.1(d) allows an organisation to use or disclose health information for a secondary purpose where the use or disclosure is necessary for research, or the compilation or analysis of statistics relevant to public health or public safety, provided that: it is impracticable for the organisation to obtain the individual's consent before using or disclosing the information; and the use or disclosure is conducted in accordance with guidelines issued by the Privacy Commissioner under clause 95A; and in the case of disclosure, the organisation reasonably believes that the recipient of the information will not disclose the health information or personal information derived from the health information.

350. In considering whether the use or disclosure of health information is "necessary" the organisation must consider whether the use or disclosure of de-identified information would, in the circumstances, suffice. (This is consistent with the requirement in NPP 10.4 to take reasonable steps to permanently de-identify health information before disclosing it, where the primary purpose of collection is relevant to research into public health and safety issues etc.) Where the use or disclosure of de-identified information would be sufficient, then organisations must not rely on NPP 2.1(d) to justify the use or disclosure of health information for a purpose other than the primary purpose of collection. In considering whether the use or disclosure is necessary for the compilation or analysis of statistics relevant to public health or public safety, "relevant" means that the research is about public health or public safety, or the compilation or analysis of statistics is in relation to public health or public safety.

351. Paragraph 2.1(d)(i) requires it to be impracticable for the organisation to seek the individual's consent before the use or disclosure. "Impracticability" must be something more than the incurring of some expense or effort in seeking an individual's consent to the use or disclosure. For example, an organisation may be unable to locate the present whereabouts of the individual for the purpose of seeking their consent, despite making reasonable efforts to contact that individual.

352. Paragraph 2.1(d)(ii) requires the use or disclosure to be conducted in accordance with guidelines approved by the Privacy Commissioner under clause 95A. Clause 95A does not prescribe the content of any guidelines that may be subject to the Privacy Commissioner's approval. These guidelines may, for example, require different standards to be met, depending on whether the use or disclosure is for the purposes of research or the compilation or analysis of statistics. The guidelines may also require that certain uses and disclosures in reliance on NPP 2.4 be subject to some form of ethics committee approval.

353. If there are no guidelines approved by the Privacy Commissioner for the purpose of this paragraph, this exemption will not operate. An organisation will not be able to rely on this exemption merely because it meets the conditions set out in paragraphs (i) and (iii).

354. Paragraph 2.1(d)(iii) requires an organisation to reasonably believe that the recipient of the health information will not disclose the health information, or personal information derived from the health information. An organisation's belief that the recipient will not disclose the health information will not be "reasonable" if it is merely assumed.

355. NPP 2.1(e) allows information to be used or disclosed for a secondary purpose where the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual's life, health or safety; or a serious threat to public health or safety.

356. The sub-principle is aimed at two types of emergency situations. First, it permits the use or disclosure of personal information where the organisation reasonably believes it is necessary to lessen or prevent a serious and imminent threat to an individual's life, health or safety. The threat may be to the individual with whom the organisation is dealing, or another individual. The use or disclosure of personal information in response to non-imminent threats to individuals may be dealt with by consent or in reliance on other relevant sub-principles in NPP 2. Secondly, this sub-principle allows use or disclosure where an organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to public health or public safety. There is no requirement that the threat be imminent because a threat to public health or safety, for example, a possible outbreak of infectious disease, may be serious enough to warrant disclosures of personal information but may not be imminent in terms of time. It may be clear that, unless addressed, the threat will do serious harm to public health or safety but unclear when that harm will actually occur.

357. NPP 2.1(f) allows information to be used or disclosed for a secondary purpose where the organisation reasonably suspects that unlawful activity has been, is, or may be engaged in, and the organisation uses or discloses the information as part of its investigation into the unlawful activity, or in reporting its concerns to relevant people or authorities. The sub-principle explicitly acknowledges that one of an organisation's legitimate functions is to investigate, and report on, suspected unlawful activity relating to its operations.

358. NPP 2.1(g) allows information to be used or disclosed for a secondary purpose where the use or disclosure is required or authorised by or under law. The sub-principle is intended to cover situations where a law unambiguously requires or authorises the use or disclosure of personal information. There could be situations where the law requires some actions which, of necessity, involve particular uses or disclosures, but this sort of implied requirement would be conservatively interpreted. The reference to "authorised" encompasses circumstances where the law permits, but does not require, use or disclosure.

359. NPP 2.1(h) allows information to be used or disclosed for a secondary purpose where the organisation reasonably believes that the use or disclosure is reasonably necessary to enable an enforcement body (as defined in subsection 6(1)) to perform one of its functions mentioned in paragraphs (i) to (v). This sub-principle recognises that law enforcement includes matters broader than traditional policing of the criminal law, such as confiscation of assets derived from criminal activity, investigation of corruption, serious abuse of power, serious dereliction of duty or other seriously reprehensible behaviour, and breaches of laws imposing a penalty or a sanction. The term "imposing a penalty or a sanction" includes a law allowing the Government to refuse a benefit or impose other non-criminal consequences for failure to comply with a legal obligation, such as a refusal to grant a visa or licence, revocation of a visa or licence or imposing civil penalties under Customs legislation.

360. Note 1 provides that the NPPs are not intended to deter lawful cooperation with enforcement bodies. Note 2 makes clear, first, that sub-clause 2.1 does not override any existing legal obligations (for example, the duty of confidentiality between health service provider and patient) not to disclose personal information and, secondly, that an organisation is always entitled not to disclose personal information in the absence of a legal obligation to do so. For example, NPP 2.1(h) would not prevent a medical practitioner refusing to disclose health information to an enforcement body if he or she were concerned about his or her obligation of confidentiality and the body would then need to seek a court order. Note 3 indicates that any use or disclosure outside Australia must comply with NPP 9.

361. NPP 2.2 requires an organisation to make a written note of the use or disclosure, if it uses or discloses information under paragraph 2.1(h). The requirement to make a note would not apply where there is a specific statutory provision prohibiting the making of such a record.

362. NPP 2.3 clarifies the way NPP 2.1 (as it relates to the use of personal information) works where information has been shared between bodies corporate that are related to each other. An organisation that has collected the information from a related body corporate must use that personal information in accordance with NPP 2.1 (or code equivalent). The object of NPP 2.3 is to assist bodies corporate to identify the "primary purpose" of collection so that they are able to establish how they may "use" particular personal information that they have collected from a related body corporate. The sub-principle identifies the "primary purpose" of collection as being the original purpose for which the personal information was provided to/collected by the first point of contact with the group. The fact that the information is shared with other related bodies corporate does not change the "primary purpose" of collection - the purpose is effectively transferred with the information.

363. NPP 2.4 is intended to permit disclosure of an individual's health information in a number of circumstances where disclosure would not be permitted under NPP 2.1(e). NPP 2.4 is not intended to operate in a manner that interferes with any existing law governing who may make decisions regarding the health care or medical treatment of a legally incompetent or incapacitated individual. The disclosure of health information under NPP 2.4 to a person who is responsible for an individual does not represent an entitlement for that person to make decisions regarding the health care or medical treatment of the individual.

364. A key limitation on the scope of this sub-principle is that the disclosure can only be made to a person who is responsible for the individual as defined in NPP 2.5. However, a hierarchy does not exist between those categories of person that fall within the definition. That is, the sub-principle permits disclosure to any person listed in NPP 2.5, provided that it is not contrary to any wish expressed by the individual before they became unable to give or communicate consent.

365. An individual may be physically or legally incapable of giving consent because of their mental or psychological state, or their age. An individual may be legally incapable of giving consent regardless of whether a court or competent tribunal has made a formal determination as to their capacity. Equally, while minors are subject to a presumption of legal incapacity, it is intended that the capacity of a particular minor to give consent be determined on a case by case basis.

366. Another primary limitation on the scope of the sub-principle is that the disclosure can only be made by an organisation that provides a "health service" as defined in Item 17 of the Bill. Paragraphs (a) to (d) set out the conditions that are to be satisfied before an organisation that provides a "health service" can rely on NPP 2.4 to authorise their disclosure of health information.

367. NPP 2.5 lists, for the purposes of sub-clause 2.4, persons that may be taken to be persons responsible for an individual. These include a parent, child or sibling of an individual or spouse or de facto spouse or a relative who is a member of the individual's household. It also lists guardians, persons exercising an enduring power of attorney for the individual or a person who has an intimate personal relationship with the individual (for example, a girlfriend, boyfriend or partner in a homosexual relationship with the individual). The person may also be a person nominated by the individual to be contacted in case of emergency (for example, on a next of kin card). The terms "child", "parent", "relative" and "sibling" are defined in NPP 2.6.

Principle 3 - Data quality

368. NPP 3 provides that an organisation must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date. This principle requires an organisation to take reasonable steps to ensure that personal information is accurate, complete and up to date at the time the organisation collects the information, at the time the organisation uses the information and at the time the organisation discloses the information.

Principle 4 - Data security

369. NPP 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure. 'Reasonable steps' in this context would include following any guidelines prepared by the Privacy Commissioner in relation to limiting physical means of access to personal information, protecting records containing personal information from destruction, physical security measures for safe-keeping of paper and electronic records containing personal information, etc.

370. NPP 4.2 provides that an organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose. The reference to "needed for any purpose" includes needed for the purpose of meeting a legal requirement to retain the personal information. De-identification requires the removal of any information by which an individual may be identified.

Principle 5 - Openness

371. NPP 5.1 requires that an organisation prepare a policy statement on its practices relating to the management of personal information. In most circumstances, a general policy statement will suffice stating that it abides by the NPPs or an approved privacy code.

372. NPP 5.2 requires an organisation to provide, to any person who asks, general information about the sort of personal information it holds and how it handles that information. (The obligation to provide a particular individual with access to the information an organisation holds about him or her is covered under NPP 6.)

Principle 6 - Access and correction

373. As a general rule, an organisation is required to provide an individual with access to personal information held about that individual on request.

374. NPP 6.1 lists the circumstances in which access to the information will be denied. There is an obligation to provide access to personal information, except to the extent that:

a. other than in the case of health information, it would pose serious and imminent threat to the life or health of any individual;

b. in respect of health information, it would pose serious threat to the life or health of any individual;

c. it would have an unreasonable impact upon the privacy of others (that is, an individual should usually be able to gain access to personal information about him or herself but not to personal information about others). Access to a document containing personal information about people other than the individual requesting access need not be denied altogether. In such a case, another person's personal information may be deleted from the document before the document is released to the individual who made the request;

d. the request is frivolous or vexatious. An organisation should not be obliged to provide access to personal information where, for example, the individual uses access requests as a means of pursuing some unrelated grievance against the organisation, or makes repeated requests for access to the same information. In order to prevent abuse of this provision, 'frivolous' and 'vexatious' would be narrowly interpreted - a request for access may be legitimate even if it is irritating to the organisation.

e. legal dispute resolution proceedings are under way or anticipated and discovery would not grant access to the information. This paragraph does not seek to interfere with the existing procedures for discovery in legal proceedings.

f. it would prejudicially reveal an organisation's intentions in relation to negotiations with the individual. An example of this may be where an organisation is currently negotiating with an individual about the purchase of an object and is seeking independent valuations.

g. providing access would be unlawful. This is intended to cover circumstances where providing access to personal information would ground an action for breach of confidence. This would cover, for example, legal professional privilege.

h. denying access is required or authorised by or under law (that is, State, Territory or Commonwealth law);

i. unlawful activity is being investigated, and providing access would be likely to prejudice the investigations into that activity. Organisations have a right and a responsibility to protect themselves against fraud or other unlawful activity. The access principle would not require the organisation to provide access to records which could prejudice such an investigation.

j. access would prejudice activities being carried on by an enforcement body;

k. an enforcement body asks an organisation not to provide access because access would be likely to cause damage to the security of Australia. While it is usually preferable that a person be informed of any use or disclosure of their personal information, there will be occasions when that information will itself prejudice an investigation or a security function. The purpose of NPP 6.1(j) and (k) is to ensure that where such information will prejudice an investigation or a security function, then the information will not be passed on.

375. NPP 6.2 provides that an organisation has no obligation to provide direct access to evaluative information generated within the organisation in connection with a commercially sensitive decision making process. The organisation may, instead, give the individual an explanation for the commercially sensitive decision.

376. NPP 6.3 is relevant where access would not otherwise be granted (because access is denied under one of the paragraphs in NPP 6.1). Where access would otherwise be denied, NPP 6.3 requires an organisation to consider whether an alternative form of access (through an intermediary) would meet the needs of both parties. The sub-principle is not intended to provide a mechanism to reduce access if access would otherwise be required. There will be some cases - investigations of fraud or theft for example - where no form of access is appropriate. In other cases it should be considered as an alternative to complete denial of access. For example, in the health context, an intermediary could usefully explain the contents of the health record to the individual as an alternative to denying access to the health information altogether.

377. NPP 6.4 provides that charges for access must not be excessive and must not apply to mere lodgement of a request for access. This provision aims to prevent organisations from using excessive charging to discourage individuals from making requests for access. It is reasonable that organisations should be able to charge for providing access to personal information, where complying with a request for access imposes substantial costs on the organisation. In determining what to charge, an organisation should consider reasonable administrative costs (the cost of photocopying, for example). An organisation is not entitled to charge an individual for the lodgement of a request for access.

378. NPP 6.5 requires that an organisation take reasonable steps to correct information about an individual where that information is not accurate, up-to-date and complete. 'Reasonable steps' has been included so that, if information is shown to be of poor quality but is inaccessible and will never be used, the organisation would not be obliged to expend resources to no purpose. If an individual and the organisation are unable to agree about whether the information is accurate, up-to-date and complete, the organisation must, at the request of the individual (by virtue of NPP 6.6), take reasonable steps to associate with the information a statement that it is not accurate, up-to-date and complete.

379. NPP 6.7 requires an organisation to provide reasons for denying access or a refusal to correct personal information. The organisation should endeavour to tell the individual which exception under 6.1 it is relying upon to refuse access. However, this would not be required where such a disclosure would prejudice an investigation against fraud or other unlawful activity.

Principle 7 - Identifiers

380. NPP 7.1 prevents an organisation from adopting an identifier assigned by an agency or a contracted service provider as its own identifier of an individual. For example, it prevents an organisation from acquiring a particular government assigned identifier from all the individuals with which it deals and using that identifier to organise personal information it holds and match it with other personal information organised by reference to the same identifier. NPP 7.1A provides some flexibility by recognising that there may be situations where it is appropriate for certain organisations to adopt certain identifiers in certain circumstances. These organisations, identifiers and circumstances may be prescribed. The prerequisites that must be satisfied before prescription can occur were outlined in Item 138A.

381. NPP 7.2 places limitations on when an organisation may use or disclose a government identifier. An organisation must not use or disclose an identifier assigned by an agency or a contracted service provider unless such use or disclosure is necessary for the organisation to fulfil its obligations to the agency that assigned the identifier to the individual; one or more of NPPs 2.1(e) to (h) (inclusive) apply to the use or disclosure or the use or disclosure is by a prescribed organisation of a prescribed identifier in prescribed circumstances as outlined in Item 138A.

382. NPP 7.2 would enable contracted service providers to use or disclose an identifier if they need to for the performance of a Commonwealth contract. Similarly, organisations that receive funding from an agency could use or disclose the identifier if they need to for performing the functions for which they have received that funding. This principle would not prevent certain organisations from collecting and recording an identifier assigned by an agency for identity verification where authorised under the Financial Transaction Reports Act 1988 (Cth) and Regulation 4 of the Financial Transaction Reports Regulations (that is, the 100 point identity requirements). The purpose of the principle is to prevent the gradual adoption of government identity numbers as de facto universal identity numbers.

383. NPP 7.3 defines 'identifier'. While not limited to letters and numbers, an identity will often contain either, or both. Examples of identifiers include Medicare numbers and pension numbers. The definition specifically says that a name is not an identifier. An ABN, intended to be a unique business identifier, may, where assigned to a sole trader, also identify an individual. The restrictions on using identifiers assigned by agencies are not intended to apply within the context of the ABN scheme. For this reason an ABN is specifically excluded from the definition of 'identifier'.

Principle 8 - Anonymity

384. Anonymity is an important dimension of privacy. In some circumstances, it will not be practicable to do business anonymously. In others, there will be legal obligations that require identification of the individual. Unless there is a good practical or legal reason to require identification, organisations should give people the option to operate anonymously. This principle is not intended to facilitate illegal activity.

Principle 9 - Transborder data flows

385. This principle prevents an organisation from disclosing personal information to a recipient located in a foreign country that is not subject to a comparable information privacy scheme (except with the individual's consent). The principle is based on the restrictions on international transfers of personal information set out in the European Union Directive 95/46. The limited circumstances in which personal information may be transferred to a recipient in a foreign country are listed in paragraphs 9(a) to (f). The principle does not prevent transfers of personal information outside Australia by an organisation to another part of the same organisation, or to the individual concerned.

386. Where personal information is transferred out of Australia by an organisation to another part of the same organisation, clause 5B will apply. Clause 5B provides for the Act to operate extra-territorially in some circumstances.

Principle 10 - Sensitive information

387. NPP 10 places restrictions on the collection of sensitive information. Sensitive information is defined in section 6(1) to include health information and personal information that also contains information or an opinion about sensitive subjects, such as an individual's political opinions, religious beliefs or sexual preferences or practices. The collection of health information is specifically dealt with in NPP 10, as it is a subset of sensitive information that involves unique issues.

388. NPP 10.1 describes the circumstances in which sensitive information may be collected. NPP 10.2 and NPP 10.3 set out additional circumstances in which an organisation may collect health information. NPP 10.4 requires an organisation to take reasonable steps to de-identify health information collected in accordance with NPP 10.3, before disclosing it.

389. Under NPP 10.1 an organisation must not collect sensitive information unless: the individual has consented; the collection is required or authorised by or under law; the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual and the individual is physically or legally incapable of giving their consent or physically cannot communicate consent; the information is collected in the course of the activities of a non-profit organisation; or the collection is necessary for the establishment, exercise or defence of a legal or equitable claim. NPP 10.5 defines non-profit organisation as a non-profit organisation that has only racial, ethnic, political, religious, philosophical, professional, trade, or trade union aims.

390. Express consent from the individual to collect sensitive information about them would also allow the organisation to obtain consent for all legitimate uses or disclosures of that information. For example, a person who identifies themselves to an organisation as having a particular religious affiliation so that he or she may be treated in a culturally appropriate manner could be asked to consent to the organisation retaining that information for future dealings.

391. An individual who is legally incapable of giving consent to the collection of sensitive information concerning themselves for the purposes of NPP 10.1(c)(i) may be subject to a legal incapacity because of their mental or psychological state, or their age. An individual may be legally incapable of giving consent regardless of whether a court or competent tribunal has made a formal determination as to their capacity. Equally, while minors are subject to a presumption of legal incapacity, it is intended that the capacity of a particular minor to give consent be determined on a case by case basis.

392. In addition to the permitted collection of sensitive information in NPP 10.1, NPP 10.2 sets out a situation in which health information can be collected about an individual. That is, where the information is necessary to provide a health service to the individual and the information is collected as required by law or in accordance with relevant rules dealing with obligations of professional confidentiality.

393. Under NPP 10.3 an organisation may also collect health information about an individual for the purpose of research or the compilation of statistics relevant to public health or safety or for the management, funding or monitoring of a health service provided the safeguards included in NPP 10.3 (b), (c) and (d) are satisfied. These safeguards require that the collection of the health information is the only means to satisfy the purpose of the research, obtaining the individual's consent is impracticable and that the information is collected as required by law, in accordance with relevant rules dealing with obligations of professional confidentiality or in accordance with guidelines issued by the Privacy Commissioner. NPP 10.3 recognises the need to enable research to be carried out while at the same time ensuring that appropriate protection is in place for individuals' health information.

394. If health information is collected by an organisation in accordance with NPP 10.3, NPP 10.4 requires the organisation to take reasonable steps to permanently de-identify the information before it is disclosed. For example, if health information is collected to be used in research on a particular disease, the information collected should be modified so that the identities of the subjects of the research are not reasonably apparent in the publication or other disclosure of the results of that research. Information collected pursuant to NPP 10.3 is also subject to the general rules about data security contained in NPP 4.

Schedule 2 - amendment of other acts

Administrative Decisions (Judicial Review) Act 1977

Item 1. Subsection 3(1) (after paragraph (c) of the definition of enactment)

395. Item 1 inserts a new paragraph (ca) in the definition of "enactment" in section 3(1) of the Act. The addition of new paragraph (ca) means that decisions made by adjudicators under an approved privacy code are decisions made under an enactment and therefore judicially reviewable under the Act.

Item 2. Subsection 3(1) (definition of enactment)

396. Item 2 omits "or (c)" and inserts "(c) or (ca)".

Customs Act 1901

Item 3. After section 273GAA

397. Item 3 inserts new clause 273GAB into the Customs Act 1901 ("the Customs Act").

398. New paragraph 273GAB(1)(a) authorises people to give to officers of Customs information (even if the information is personal information) relating to the actual or proposed travel of persons or goods on the way (directly or indirectly) to Australia. Personal information has the same meaning as in the Privacy Act 1988.

399. Similarly, new paragraph 273GAB(1)(b) authorises people to give that type of information to officers of Customs relating to the actual or proposed travel of persons or goods from Australia.

400. The Note to clause 273GAB makes it clear that the Australian Customs Service ("Customs") is obliged to handle any personal information received in accordance with section 16 of the Customs Administration Act 1985 (which regulates the recording and disclosure of information by Customs) and, more generally, in accordance with the Privacy Act 1988. This obligation also applies to the officer who received the information.

401. New sub-clause 273GAB(1) is needed because the National Privacy Principles only authorise the disclosure of personal information for a secondary purpose in certain circumstances (Principle 2.1 refers).

402. The National Privacy Principles allow the disclosure of personal information where that disclosure is required or specially authorised by law (paragraph 2.1(f) refers). New clause 273GAB authorises, in accordance with paragraph 2.1(f), the disclosure of personal information relating to the travel of persons and goods to or from Australia.

403. New paragraph 273GAB(2)(a) provides that section 273GAB does not require anyone to disclose information to an officer. The information intended to be covered by section 273GAB would be given voluntarily to Customs.

404. New paragraph 273GAB(2)(b) provides that section 273GAB does not affect a requirement of or under another provision of the Customs Act for a person to disclose information to an officer. That disclosure can be by answering a question, by providing a document or by other means. There are other provisions in the Customs Act which require people to answer questions or produce documents. Those documents may contain personal information. New paragraph 273GAB(2)(b) makes it clear that section 273GAB does not affect those requirements.

Telecommunications Act 1997

405. Part 6 of the Telecommunications Act 1997 sets out arrangements for industry codes and industry standards as part of a predominantly self-regulatory framework for the telecommunications industry. The arrangements involve sections of the telecommunications industry developing codes and registering them with the Australian Communications Authority (ACA). The ACA has a reserve power to make an industry standard if there are no industry codes or if an industry code is deficient.

406. Paragraph 113(3)(f) of the Telecommunications Act provides that one of the matters that may be dealt with by industry codes and industry standards is privacy and, in particular:

a. the protection of personal information; and
b. the intrusive use of telecommunications by carriers or service providers; and
c. the monitoring or recording of communications; and
d. calling number display; and
e. the provision of directory products and services.

407. Where an industry code deals with a matter set out in paragraph 113(3)(f), the ACA needs to be satisfied that the Privacy Commissioner has been consulted about the development of the code (paragraph 117(1)(j)). Before determining, varying or revoking an industry standard, the ACA must consult the Privacy Commissioner (section 134).

408. The aim of the amendments to Part 6 of the Telecommunications Act is to recognise and promote the pre-eminence of the Privacy Act and the role of the Privacy Commissioner within the telecommunications environment without diminishing the integrity of the current telecommunications self-regulatory regime. The retention of Part 6 of the Telecommunications Act, as modified by the amendments made by this Bill, is necessary for several reasons:

a. The provisions in Part 6 allow the ACA to request the development of an industry code dealing with privacy. No such power exists for the Privacy Commissioner. With the operation of the default National Privacy Principles (NPPs) it is unlikely that the ACA will exercise such a power but it is useful to retain this power as it is not possible to foresee all eventualities. This power may also provide a useful goad to industry to act under the Privacy Act.
b. The ACA has also indicated that it believes a number of primarily technical industry codes, which would ordinarily be registered with the ACA, may contain provisions that address one or more of the NPPs, but which do not address all the NPPs. It is important to allow codes which would be more appropriately registered with the ACA to contain provisions which deal with privacy at a very specific, technical level. This is especially important as the Privacy Commissioner cannot register codes unless they address all of the NPPs.
c. The industry should still be allowed to develop codes that address privacy matters that are not covered by the NPPs and the amended Privacy Act.

Item 4. At the end of Division 3 of Part 6

409. Item 4 inserts a new clause 116A into the Telecommunications Act 1997. New clause 116A provides that nothing in an industry code registered under Part 6 of that Act or an industry standard determined under Part 6 of that Act replaces or diminishes any obligations imposed by the Privacy Act 1988 or an approved privacy code as defined in that Act.

Item 5. Paragraph 117(1)(j)

410. Item 5 amends paragraph 117(1)(j). Section 117 of the Telecommunications Act provides for the ACA to register certain codes developed by a relevant section of the telecommunications industry. Paragraph 117(1)(j) requires the ACA to be satisfied that the Privacy Commissioner has been consulted about the development of a code relating to privacy and, in particular, the matters specified in paragraph 113(3)(f). The aim of the amendments to paragraph 117(1)(j) is to make it clear that, where the code deals with a matter on privacy and certain privacy matters in particular, as set out in paragraph 113(3)(f), the ACA must be satisfied that the Privacy Commissioner has been consulted about the development of the code by the body or association that represents a section of the telecommunications industry before submitting the code to the ACA for registration.

Item 6. At the end of subsection 117(1)

411. Item 6 inserts a new paragraph 117(1)(k). Paragraph 117(1)(k) provides that, before registering a code, the ACA must consult the Privacy Commissioner and believe that the Commissioner is satisfied with the code, if the code deals directly or indirectly with the NPPs, or other provisions of the Privacy Act 1988 related to those Principles, or a relevant binding approved privacy code, or provisions of the Privacy Act 1988 related to the approved privacy code.

Item 7. At the end of subsection 117(4)

412. Item 7 inserts a note at the end of subsection 117(4) referring to proposed clause 122A, which will allow the ACA to remove an industry code from the Register. Once removed, the code will cease to be registered.

Item 8. At the end of subsection 118(1)

413. Item 8 inserts a note at the end of subsection 118(1). Section 118 performs the function of being a formal trigger for the development of an industry code. The failure to develop the code which has been requested provides a ground for the ACA to develop an industry standard (section 123). Section 118 provides that if the ACA is satisfied that a body or association represents a particular section of the telecommunications industry, it may request them to develop a code that would apply to participants of the section and deals with one or more specified matters. The note at the end of subsection 118(1) explains that the ACA will be able to request the body or association that represents a section of the telecommunications industry to develop a replacement code for one that the Privacy Commissioner has found to be inconsistent with the National Privacy Principles or a relevant approved privacy code.

Item 9. After subsection 118(4)

414. Item 9 inserts a new sub-clause 118(4A). The sub-clause provides that, before requesting a body or association to make an industry code, the ACA must consult the Privacy Commissioner if the ACA believes the code to be developed may include elements which deal directly or indirectly with the NPPs, or other provisions of the Privacy Act 1988 related to those Principles, or a relevant binding approved privacy code, or provisions of the Privacy Act 1988 related to the approved privacy code.

Item 10. At the end of subsection 120(1)

415. Item 10 amends subsection 120(1). Currently, section 120 provides that changes to an industry code are to be achieved by replacement of the code. Section 120 does not currently allow an industry code to be deregistered. The amendment to subsection 120(1) addresses this shortcoming by providing that if the ACA intends to change an industry code, the ACA is not prevented from removing the code or part of the code from the Register, if it does not wish to replace the code.

416. This amendment is desirable for two main reasons. First, conflicts may arise between privacy codes developed under the amended Privacy Act, or the proposed default regime under that Act, and codes developed under the Telecommunications Act. The proposed amendment enables the ACA to deregister an industry code or part of an industry code that contains provisions setting privacy standards less than equivalent to the NPPs. Second, it is desirable that the ACA should be able to deregister an industry code or part of an industry code for reasons that do not relate to privacy. The ACA should, for example, be able to deregister the whole or part of a code that has become redundant or where the subject matter of the code is more appropriately dealt with by legislation or by a regulator other than the ACA.

Item 11. After subsection 121(1)

417. Item 11 inserts new sub-clause 121(1A). The intention underlying Part 6 of the Telecommunications Act is that compliance with industry codes is to be voluntary or as determined by the industry section subject to the code. It is envisaged, however, that where a code is effective and being complied with by a majority of participants to whom it applies, it may be appropriate to direct non-compliant persons to comply with the code. In this context, section 121 allows the ACA to direct the person to comply with a code. This provides a back-up to self-regulation by allowing a person who refuses to comply with otherwise successful self-regulatory arrangements to be directed to comply with a code; in effect, compliance with the code becomes mandatory for that person. New subsection 121(1A) provides that the ACA will be required to consult the Privacy Commissioner before it gives a direction to a person to comply with an industry code that it believes the person has contravened, and the ACA is satisfied that the contravention relates directly or indirectly to the NPPs or an approved privacy code.

Item 12. At the end of section 122

418. Item 12 amends section 122 by inserting new sub-clause 122(3). Section 122 currently provides that if an industry participant contravenes an industry code, the ACA may issue a formal warning to the industry participant. This enables the ACA to formally indicate its concerns about a contravention of a code to a person. Such a warning may be a precursor to making a compliance direction under section 121. However, in the case of a serious, flagrant or recurring breach, the ACA may decide to give a direction under section 121 without giving a prior formal warning. Sub-clause 122(3) provides that, before the ACA issues a warning to a person about the contravention of an industry code, the ACA must consult the Privacy Commissioner if the code relates directly or indirectly to a matter dealt with by the NPPs or an approved privacy code.

Item 13. At the end of Division 4 of Part 6

419. Item 13 inserts a new clause 122A. Clause 122A will give the ACA a broad power to deregister an industry code or part of a code where the ACA considers it appropriate to do so. If a code is removed from the Register, the code will cease to be registered. If part of a code is removed, the registered code will become the code minus the part. This provision will facilitate alteration of current codes with aspects setting privacy standards less than equivalent to the NPPs. The provision will also give the ACA the power to deregister a code or part of a code for reasons that do not relate to privacy. Possible situations include a redundant code or part of a code, or where the subject matter of the code is more appropriately dealt with by legislation or by a regulator other than the ACA.

Item 14. At the end of subsection 130(1)

420. Item 14 inserts a note at the end of subsection 130(1). Section 130 currently allows the ACA to vary an industry standard if it is satisfied that it is necessary or convenient to do so in order to provide appropriate community safeguards or otherwise adequately regulate participants in a particular section of the telecommunications industry. The note explains that the ACA will be able to vary an industry standard that is inconsistent with the NPPs or an approved privacy code, following advice from the Privacy Commissioner, if the ACA believes it is necessary or convenient to make the variation.

Item 15. Subsection 134(1)

421. Item 15 amends subsection 134(1). Section 134 currently provides that if an industry standard deals with privacy issues, the ACA must consult the Privacy Commissioner before determining, varying or revoking the standard. The purpose of the amendments to subsection 134(1) is to clarify that section 134 applies to industry standards that deal with privacy matters and certain matters in particular, as set out in paragraph 113(3)(f), including a matter dealt with by the NPPs, or other provisions of the Privacy Act 1988 related to those Principles, or a relevant binding approved privacy code, or provisions of the Privacy Act 1988 related to the approved privacy code.

Item 16. After subsection 136(1)

422. Item 16 amends section 136 by inserting a new sub-clause 136(1A). Section 136 currently provides for the establishment and maintenance by the ACA of a Register of industry codes and standards, requests under section 118, notices under section 119 and directions under section 121. Sub-clause 136(1A) provides that the ACA is not required to include in the Register of industry codes and standards a code or part of a code that the ACA removed from the Register under proposed clause 122A dealing with the de-registration of industry codes and provisions of industry codes.

Item 17. At the end of Division 4 of Part 13

423. Item 17 inserts a new clause 303A at the end of Division 4 of Part 13. Part 13 of the Telecommunications Act provides for the protection of communications by means of secrecy provisions which create offences for the use or disclosure of certain information by carriers, carriage service providers, emergency call persons and their respective associates. The disclosure or use of protected information is authorised in limited circumstances (for example, disclosure or use for purposes required by or under a law). An authorised recipient of protected information may only disclose or use the information for an authorised purpose. Division 4 of Part 13 creates offences for secondary or later disclosure or use of information or documents that have been disclosed or used under certain exceptions provided under Division 3 of Part 13. Exceptions to these secondary offences are contained in various provisions of Division 3. The main purpose of the amendments to Part 13 is to ensure its effective operation with the amended Privacy Act and to allow legal proceedings or administrative action to be taken under both the Telecommunications Act and the amended Privacy Act.

424. The effect of clause 303A is that a provision in Division 4 is not to be read down in the light of another provision in that Division or by references in that Division to provisions of Division 3 which also authorise the disclosure of information in specified circumstances.

Item 18. After Division 4 of Part 13

425. Item 18 inserts a new Division 4A titled "Relationship with the Privacy Act 1988". The new Division contains new clauses 303B and 303C.

426. Divisions 2 and 4 of Part 13 currently provide for primary and secondary disclosure/use offences. Section 280 of the Telecommunications Act (in Division 3 of Part 13) provides that Division 2 does not prohibit a disclosure or use of information or document if, amongst other things, the disclosure or use is required or authorised by or under law. Section 297 (in Division 4 of Part 13) prohibits secondary or later disclosure or use of information or documents disclosed as required or authorised by or under law unless the later disclosure or use is required or authorised by or under law.

427. Clause 303B will make it clear that a disclosure or use of information by a person permitted under Divisions 3 and 4 is a disclosure or use authorised by law for the purposes of the Privacy Act 1988 or an approved privacy code.

428. Sub-clauses 303C(1) and (2) provide that the taking of criminal proceedings under Division 2 or 4 of Part 13 for the unauthorised disclosure or use of information or a document (whatever the outcome of those proceedings) does not preclude civil proceedings or administrative action being taken in relation to the disclosure or use under the Privacy Act 1988 or an approved privacy code.

429. Sub-clause 303C(3) provides that proposed clause 303C does not affect the operation of section 49 of the Privacy Act. Section 40 of the Privacy Act allows the Privacy Commissioner to investigate certain acts or practices that may be an interference with the privacy of an individual. Section 49 of the Privacy Act provides that an investigation under section 40 is to cease in certain circumstances if certain tax file number or credit reporting offences may have been committed.

Item 19. Sub-clause 15(2) of Schedule 2

430. Item 19 amends sub-clause 15(2) of Schedule 2. Part 5 of Schedule 2 provides that a carriage service provider who supplies a standard telephone service must provide itemised billing for each of its customers of such a service. Clause 15 of Schedule 2 allows the ACA to determine that specified details must be shown in an itemised bill provided by a carriage service provider to a customer. In making such a determination, the ACA is required to have regard to the Information Privacy Principles set out in section 14 of the Privacy Act 1988. The amendment to sub-clause 15(2) provides that, in making a determination specifying details that must not be shown in an itemised bill, the ACA must have regard to the NPPs, in addition to the Information Privacy Principles, in the Privacy Act 1988.

Telecommunications (Consumer Protection and Service Standards) Act 1999

Item 20. After subparagraph 147(2)(l)(i)

431. Item 20 amends subparagraph 147(2)(l) by inserting new sub-subparagraphs (ia) and (ib). Section 147 requires the ACA to make a written determination imposing requirements on telecommunications carriers, carriage service providers and emergency call persons. In making such a determination, the ACA is required to have regard to the objective that the determination should be consistent with Principle 11 of the Information Privacy Principles (dealing with limits on disclosure of personal information) set out in section 14 of the Privacy Act 1988 and codes registered, and standards determined, under Part 6 of the Telecommunications Act 1997 (see paragraph 147(2)(l)). New sub-subparagraphs 147(2)(l)(ia) and (ib) provide that, when making a determination on the provision of emergency call services under section 147, the ACA must have regard to National Privacy Principle 2 (dealing with use and disclosure) and any relevant binding approved privacy code, in addition to having regard to Principle 11 of the Information Privacy Principles and telecommunications industry codes and standards.

Schedule 3 - disclosure to intelligence bodies

Australian Security Intelligence Organisation Act 1979

Item 1. Section 93A

432. Item 1 repeals section 93A of the Australian Security Intelligence Organisation Act 1979.

Item 2. Saving

433. Item 2 saves the application of section 93A to those acts or practices engaged in before the repeal of section 93A.

Privacy Act 1988

Item 3. After Subsection 7(1)

434. Item 3 inserts a new sub-clause 7(1A) in section 7. Sub-clause 7(1A) provides for the disclosure of personal information to ASIO and ASIS, without infringing the Privacy Act. This item is based on the repealed section 93A of the ASIO Act which exempted disclosures of personal information to ASIO from the Privacy Act in relation to the public sector. This item extends that exemption to disclosures to ASIS and in addition provides that disclosures of personal information to both ASIO and ASIS are exempt in relation to the private sector provisions of the Privacy Act.

Item 4. Application

435. Item 4 confirms that acts or practices occurring before and after the commencement of the amendment to section 7 are covered by the amendment.

