Privacy Amendment (Enhancing Privacy Protection) Act 2012 (197 of 2012)

Schedule 1   Australian Privacy Principles

Privacy Act 1988

82   Divisions 2 and 3 of Part III

Repeal the Divisions, substitute:

Division 2 - Australian Privacy Principles

14 Australian Privacy Principles

(1) The Australian Privacy Principles are set out in the clauses of Schedule 1.

(2) A reference in any Act to an Australian Privacy Principle by a number is a reference to the Australian Privacy Principle with that number.

15 APP entities must comply with Australian Privacy Principles

An APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle.

16 Personal, family or household affairs

Nothing in the Australian Privacy Principles applies to:

(a) the collection, holding, use or disclosure of personal information by an individual; or

(b) personal information held by an individual;

only for the purposes of, or in connection with, his or her personal, family or household affairs.

16A Permitted general situations in relation to the collection, use or disclosure of personal information

(1) A permitted general situation exists in relation to the collection, use or disclosure by an APP entity of personal information about an individual, or of a government related identifier of an individual, if:

(a) the entity is an entity of a kind specified in an item in column 1 of the table; and

(b) the item in column 2 of the table applies to the information or identifier; and

(c) such conditions as are specified in the item in column 3 of the table are satisfied.

Permitted general situations

| Item | Column 1: Kind of entity | Column 2: Item applies to | Column 3: Condition(s) |
|---|---|---|---|
| 1 | APP entity | (a) personal information; or (b) a government related identifier. | (a) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and (b) the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. |
| 2 | APP entity | (a) personal information; or (b) a government related identifier. | (a) the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in; and (b) the entity reasonably believes that the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter. |
| 3 | APP entity | Personal information | (a) the entity reasonably believes that the collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing; and (b) the collection, use or disclosure complies with the rules made under subsection (2). |
| 4 | APP entity | Personal information | The collection, use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim. |
| 5 | APP entity | Personal information | The collection, use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process. |
| 6 | Agency | Personal information | The entity reasonably believes that the collection, use or disclosure is necessary for the entity’s diplomatic or consular functions or activities. |
| 7 | Defence Force | Personal information | The entity reasonably believes that the collection, use or disclosure is necessary for any of the following occurring outside Australia and the external Territories: (a) war or warlike operations; (b) peacekeeping or peace enforcement; (c) civil aid, humanitarian assistance, medical or civil emergency or disaster relief. |

(2) The Commissioner may, by legislative instrument, make rules relating to the collection, use or disclosure of personal information that apply for the purposes of item 3 of the table in subsection (1).

16B Permitted health situations in relation to the collection, use or disclosure of health information

Collection - provision of a health service

(1) A permitted health situation exists in relation to the collection by an organisation of health information about an individual if:

(a) the information is necessary to provide a health service to the individual; and

(b) either:

(i) the collection is required or authorised by or under an Australian law (other than this Act); or

(ii) the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

Collection - research etc.

(2) A permitted health situation exists in relation to the collection by an organisation of health information about an individual if:

(a) the collection is necessary for any of the following purposes:

(i) research relevant to public health or public safety;

(ii) the compilation or analysis of statistics relevant to public health or public safety;

(iii) the management, funding or monitoring of a health service; and

(b) that purpose cannot be served by the collection of information about the individual that is de-identified information; and

(c) it is impracticable for the organisation to obtain the individual’s consent to the collection; and

(d) any of the following apply:

(i) the collection is required by or under an Australian law (other than this Act);

(ii) the information is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation;

(iii) the information is collected in accordance with guidelines approved under section 95A for the purposes of this subparagraph.

Use or disclosure - research etc.

(3) A permitted health situation exists in relation to the use or disclosure by an organisation of health information about an individual if:

(a) the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety; and

(b) it is impracticable for the organisation to obtain the individual’s consent to the use or disclosure; and

(c) the use or disclosure is conducted in accordance with guidelines approved under section 95A for the purposes of this paragraph; and

(d) in the case of disclosure - the organisation reasonably believes that the recipient of the information will not disclose the information, or personal information derived from that information.

Use or disclosure - genetic information

(4) A permitted health situation exists in relation to the use or disclosure by an organisation of genetic information about an individual (the first individual) if:

(a) the organisation has obtained the information in the course of providing a health service to the first individual; and

(b) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the first individual; and

(c) the use or disclosure is conducted in accordance with guidelines approved under section 95AA; and

(d) in the case of disclosure - the recipient of the information is a genetic relative of the first individual.

Disclosure - responsible person for an individual

(5) A permitted health situation exists in relation to the disclosure by an organisation of health information about an individual if:

(a) the organisation provides a health service to the individual; and

(b) the recipient of the information is a responsible person for the individual; and

(c) the individual:

(i) is physically or legally incapable of giving consent to the disclosure; or

(ii) physically cannot communicate consent to the disclosure; and

(d) another individual (the carer) providing the health service for the organisation is satisfied that either:

(i) the disclosure is necessary to provide appropriate care or treatment of the individual; or

(ii) the disclosure is made for compassionate reasons; and

(e) the disclosure is not contrary to any wish:

(i) expressed by the individual before the individual became unable to give or communicate consent; and

(ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and

(f) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (d).

16C Acts and practices of overseas recipients of personal information

(1) This section applies if:

(a) an APP entity discloses personal information about an individual to an overseas recipient; and

(b) Australian Privacy Principle 8.1 applies to the disclosure of the information; and

(c) the Australian Privacy Principles do not apply, under this Act, to an act done, or a practice engaged in, by the overseas recipient in relation to the information; and

(d) the overseas recipient does an act, or engages in a practice, in relation to the information that would be a breach of the Australian Privacy Principles (other than Australian Privacy Principle 1) if those Australian Privacy Principles so applied to that act or practice.

(2) The act done, or the practice engaged in, by the overseas recipient is taken, for the purposes of this Act:

(a) to have been done, or engaged in, by the APP entity; and

(b) to be a breach of those Australian Privacy Principles by the APP entity.