Privacy Amendment (Enhancing Privacy Protection) Act 2012 (197 of 2012)

Schedule 3   Privacy codes

Privacy Act 1988

29   Before Part IV

Insert:

Part IIIB - Privacy codes

Division 1 - Introduction

26 Guide to this Part

This Part deals with privacy codes.

Division 2 deals with codes of practice about information privacy, called APP codes. APP code developers or the Commissioner may develop APP codes, which:

(a) must set out how one or more of the Australian Privacy Principles are to be applied or complied with; and

(b) may impose additional requirements to those imposed by the Australian Privacy Principles; and

(c) may deal with other specified matters.

If the Commissioner includes an APP code on the Codes Register, an APP entity bound by the code must not breach it. A breach of a registered APP code is an interference with the privacy of an individual.

Division 3 deals with a code of practice about credit reporting, called a CR code. CR code developers or the Commissioner may develop a CR code, which:

(a) must set out how one or more of the provisions of Part IIIA are to be applied or complied with; and

(b) must deal with matters required or permitted by Part IIIA to be provided for by the registered CR code; and

(c) may deal with other specified matters.

If the Commissioner includes a CR code on the Codes Register, an entity bound by the code must not breach it. A breach of the registered CR code is an interference with the privacy of an individual.

Division 4 deals with the Codes Register, guidelines relating to codes and the review of the operation of registered codes.

Division 2 - Registered APP codes

Subdivision A - Compliance with registered APP codes etc.

26A APP entities to comply with binding registered APP codes

An APP entity must not do an act, or engage in a practice, that breaches a registered APP code that binds the entity.

26B What is a registered APP code

(1) A registered APP code is an APP code:

(a) that is included on the Codes Register; and

(b) that is in force.

(2) A registered APP code is a legislative instrument.

(3) Despite subsection 12(2) of the Legislative Instruments Act 2003, a registered APP code may be expressed to take effect before the date it is registered under that Act.

Note: An APP code cannot come into force before it is included on the Codes Register: see paragraph 26C(2)(c).

26C What is an APP code

(1) An APP code is a written code of practice about information privacy.

(2) An APP code must:

(a) set out how one or more of the Australian Privacy Principles are to be applied or complied with; and

(b) specify the APP entities that are bound by the code, or a way of determining the APP entities that are bound by the code; and

(c) set out the period during which the code is in force (which must not start before the day the code is registered under section 26H).

(3) An APP code may do one or more of the following:

(a) impose additional requirements to those imposed by one or more of the Australian Privacy Principles, so long as the additional requirements are not contrary to, or inconsistent with, those principles;

(b) cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3);

(c) deal with the internal handling of complaints;

(d) provide for the reporting to the Commissioner about complaints;

(e) deal with any other relevant matters.

(4) An APP code may be expressed to apply to any one or more of the following:

(a) all personal information or a specified type of personal information;

(b) a specified activity, or a specified class of activities, of an APP entity;

(c) a specified industry sector or profession, or a specified class of industry sectors or professions;

(d) APP entities that use technology of a specified kind.

(5) An APP code is not a legislative instrument.

26D Extension of Act to exempt acts or practices covered by registered APP codes

If a registered APP code covers an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3), this Act applies in relation to the code as if that act or practice were not exempt.

Subdivision B - Development and registration of APP codes

26E Development of APP codes by APP code developers

Own initiative

(1) An APP code developer may develop an APP code.

At the Commissioner’s request

(2) The Commissioner may, in writing, request an APP code developer to develop an APP code, and apply to the Commissioner for the code to be registered, if the Commissioner is satisfied it is in the public interest for the code to be developed.

(3) The request must:

(a) specify the period within which the request must be complied with; and

(b) set out the effect of section 26A.

(4) The period:

(a) must run for at least 120 days from the date the request is made; and

(b) may be extended by the Commissioner.

(5) The request may:

(a) specify one or more matters that the APP code must deal with; and

(b) specify the APP entities, or a class of APP entities, that should be bound by the code.

(6) Despite paragraph (5)(a), the Commissioner must not require an APP code to cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3). However, the APP code that is developed by the APP code developer may cover such an act or practice.

(7) The Commissioner must make a copy of the request publicly available as soon as practicable after the request is made.

26F Application for registration of APP codes

(1) If an APP code developer develops an APP code, the developer may apply to the Commissioner for registration of the code.

(2) Before making the application, the APP code developer must:

(a) make a draft of the APP code publicly available; and

(b) invite the public to make submissions to the developer about the draft within a specified period (which must run for at least 28 days); and

(c) give consideration to any submissions made within the specified period.

(3) The application must:

(a) be made in the form and manner specified by the Commissioner; and

(b) be accompanied by such information as is specified by the Commissioner.

(4) The APP code developer may vary the APP code at any time before the Commissioner registers the code, but only with the consent of the Commissioner.

26G Development of APP codes by the Commissioner

(1) This section applies if the Commissioner made a request under subsection 26E(2) and either:

(a) the request has not been complied with; or

(b) the request has been complied with but the Commissioner has decided not to register, under section 26H, the APP code that was developed as requested.

(2) The Commissioner may develop an APP code if the Commissioner is satisfied that it is in the public interest to develop the code. However, despite subsection 26C(3)(b), the APP code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).

(3) Before registering the APP code under section 26H, the Commissioner must:

(a) make a draft of the code publicly available; and

(b) invite the public to make submissions to the Commissioner about the draft within a specified period (which must run for at least 28 days); and

(c) give consideration to any submissions made within the specified period.

26H Commissioner may register APP codes

(1) If:

(a) an application for registration of an APP code is made under section 26F; or

(b) the Commissioner develops an APP code under section 26G;

the Commissioner may register the code by including it on the Codes Register.

(2) In deciding whether to register the APP code, the Commissioner may:

(a) consult any person the Commissioner considers appropriate; and

(b) consider the matters specified in any relevant guidelines made under section 26V.

(3) If the Commissioner decides not to register an APP code developed by an APP code developer, the Commissioner must give written notice of the decision to the developer, including reasons for the decision.

Subdivision C - Variation and removal of registered APP codes

26J Variation of registered APP codes

(1) The Commissioner may, in writing, approve a variation of a registered APP code:

(a) on his or her own initiative; or

(b) on application by an APP entity that is bound by the code; or

(c) on application by a body or association representing one or more APP entities that are bound by the code.

(2) An application under paragraph (1)(b) or (c) must:

(a) be made in the form and manner specified by the Commissioner; and

(b) be accompanied by such information as is specified by the Commissioner.

(3) If the Commissioner varies a registered APP code on his or her own initiative, then, despite subsection 26C(3)(b), the variation must not deal with an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).

(4) Before deciding whether to approve a variation, the Commissioner must:

(a) make a draft of the variation publicly available; and

(b) consult any person the Commissioner considers appropriate about the variation; and

(c) consider the extent to which members of the public have been given an opportunity to comment on the variation.

(5) In deciding whether to approve a variation, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.

(6) If the Commissioner approves a variation of a registered APP code (the original code), the Commissioner must:

(a) remove the original code from the Codes Register; and

(b) register the APP code, as varied, by including it on the Register.

(7) If the Commissioner approves a variation, the variation comes into effect on the day specified in the approval, which must not be before the day on which the APP code, as varied, is included on the Codes Register.

(8) An approval is not a legislative instrument.

Note: The APP code, as varied, is a legislative instrument once it is included on the Codes Register: see section 26B.

26K Removal of registered APP codes

(1) The Commissioner may remove a registered APP code from the Codes Register:

(a) on his or her own initiative; or

(b) on application by an APP entity that is bound by the code; or

(c) on application by a body or association representing one or more APP entities that are bound by the code.

(2) An application under paragraph (1)(b) or (c) must:

(a) be made in the form and manner specified by the Commissioner; and

(b) be accompanied by such information as is specified by the Commissioner.

(3) Before deciding whether to remove the registered APP code, the Commissioner must:

(a) consult any person the Commissioner considers appropriate about the proposed removal; and

(b) consider the extent to which members of the public have been given an opportunity to comment on the proposed removal.

(4) In deciding whether to remove the registered APP code, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.

Division 3 - Registered CR code

Subdivision A - Compliance with the registered CR code

26L Entities to comply with the registered CR code if bound by the code

If an entity is bound by the registered CR code, the entity must not do an act, or engage in a practice, that breaches the code.

Note: There must always be one, and only one, registered CR code at all times after this Part commences: see subsection 26S(4).

26M What is the registered CR code

(1) The registered CR code is the CR code that is included on the Codes Register.

(2) The registered CR code is a legislative instrument.

(3) Despite subsection 12(2) of the Legislative Instruments Act 2003, the registered CR code may be expressed to take effect before the date it is registered under that Act.

26N What is a CR code

(1) A CR code is a written code of practice about credit reporting.

(2) A CR code must:

(a) set out how one or more of the provisions of Part IIIA are to be applied or complied with; and

(b) make provision for, or in relation to, matters required or permitted by Part IIIA to be provided for by the registered CR code; and

(c) bind all credit reporting bodies; and

(d) specify the credit providers that are bound by the code, or a way of determining which credit providers are bound; and

(e) specify any other entities subject to Part IIIA that are bound by the code, or a way of determining which of those entities are bound.

(3) A CR code may do one or more of the following:

(a) impose additional requirements to those imposed by Part IIIA, so long as the additional requirements are not contrary to, or inconsistent with, that Part;

(b) deal with the internal handling of complaints;

(c) provide for the reporting to the Commissioner about complaints;

(d) deal with any other relevant matters.

(4) A CR code may be expressed to apply differently in relation to:

(a) classes of entities that are subject to Part IIIA; and

(b) specified classes of credit information, credit reporting information or credit eligibility information; and

(c) specified classes of activities of entities that are subject to Part IIIA.

(5) A CR code is not a legislative instrument.

Subdivision B - Development and registration of CR code

26P Development of CR code by CR code developers

(1) The Commissioner may, in writing, request a CR code developer to develop a CR code and apply to the Commissioner for the code to be registered.

(2) The request must:

(a) specify the period within which the request must be complied with; and

(b) set out the effect of section 26L.

(3) The period:

(a) must run for at least 120 days from the date the request is made; and

(b) may be extended by the Commissioner.

(4) The request may:

(a) specify one or more matters that the CR code must deal with; and

(b) specify the credit providers, or a class of credit providers, that should be bound by the code; and

(c) specify the other entities, or a class of other entities, subject to Part IIIA that should be bound by the code.

(5) The Commissioner must make a copy of the request publicly available as soon as practicable after the request is made.

26Q Application for registration of CR code

(1) If a CR code developer develops a CR code, the developer may apply to the Commissioner for registration of the code.

(2) Before making the application, the CR code developer must:

(a) make a draft of the CR code publicly available; and

(b) invite the public to make submissions to the developer about the draft within a specified period (which must run for at least 28 days); and

(c) give consideration to any submissions made within the specified period.

(3) The application must:

(a) be made in the form and manner specified by the Commissioner; and

(b) be accompanied by such information as is specified by the Commissioner.

(4) The CR code developer may vary the CR code at any time before the Commissioner registers the code, but only with the consent of the Commissioner.

26R Development of CR code by the Commissioner

(1) The Commissioner may develop a CR code if the Commissioner made a request under section 26P and either:

(a) the request has not been complied with; or

(b) the request has been complied with but the Commissioner has decided not to register, under section 26S, the CR code that was developed as requested.

(2) Before registering the CR code under section 26S, the Commissioner must:

(a) make a draft of the code publicly available; and

(b) invite the public to make submissions to the Commissioner about the draft within a specified period (which must run for at least 28 days); and

(c) give consideration to any submissions made within the specified period.

26S Commissioner may register CR code

(1) If:

(a) an application for registration of a CR code is made under section 26Q; or

(b) the Commissioner develops a CR code under section 26R;

the Commissioner may register the code by including it on the Codes Register.

(2) In deciding whether to register the CR code, the Commissioner may:

(a) consult any person the Commissioner considers appropriate; and

(b) consider the matters specified in any guidelines made under section 26V.

(3) If the Commissioner decides not to register a CR code developed by a CR code developer, the Commissioner must give written notice of the decision to the developer, including reasons for the decision.

(4) The Commissioner must ensure that there is one, and only one, registered CR code at all times after this Part commences.

Subdivision C - Variation of the registered CR code

26T Variation of the registered CR code

(1) The Commissioner may, in writing, approve a variation of the registered CR code:

(a) on his or her own initiative; or

(b) on application by an entity that is bound by the code; or

(c) on application by a body or association representing one or more of the entities that are bound by the code.

(2) An application under paragraph (1)(b) or (c) must:

(a) be made in the form and manner specified by the Commissioner; and

(b) be accompanied by such information as is specified by the Commissioner.

(3) Before deciding whether to approve a variation, the Commissioner must:

(a) make a draft of the variation publicly available; and

(b) consult any person the Commissioner considers appropriate about the variation; and

(c) consider the extent to which members of the public have been given an opportunity to comment on the variation.

(4) In deciding whether to approve a variation, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V.

(5) If the Commissioner approves a variation of the registered CR code (the original code), the Commissioner must:

(a) remove the original code from the Codes Register; and

(b) register the CR code, as varied, by including it on the Register.

(6) If the Commissioner approves a variation, the variation comes into effect on the day specified in the approval, which must not be before the day on which the CR code, as varied, is included on the Codes Register.

(7) An approval is not a legislative instrument.

Note: The CR code, as varied, is a legislative instrument once it is included on the Codes Register: see section 26M.

Division 4 - General matters

26U Codes Register

(1) The Commissioner must keep a register (the Codes Register) which includes:

(a) the APP codes the Commissioner has decided to register under section 26H; and

(b) the APP codes the Commissioner must register under section 26J; and

(c) the CR code the Commissioner has decided to register under section 26S; and

(d) the CR code the Commissioner must register under section 26T.

(2) Despite subsection (1), the Commissioner is not required to include on the Codes Register:

(a) an APP code removed from the Register under section 26J or 26K; or

(b) the CR code removed from the Register under section 26T.

(3) The Commissioner must make the Codes Register available on the Commissioner’s website.

(4) The Commissioner may charge fees for providing copies of, or extracts from, the Codes Register.

26V Guidelines relating to codes

(1) The Commissioner may make written guidelines:

(a) to assist APP code developers to develop APP codes; or

(b) to assist APP entities bound by registered APP codes to apply or comply with the codes; or

(c) to assist CR code developers to develop a CR code; or

(d) to assist entities bound by the registered CR code to apply or comply with the code.

(2) The Commissioner may make written guidelines about matters the Commissioner may consider in deciding whether:

(a) to register an APP code or a CR code; or

(b) to approve a variation of a registered APP code or the registered CR code; or

(c) to remove a registered APP code from the Codes Register.

(3) The Commissioner may publish any such guidelines on the Commissioner’s website.

(4) Guidelines are not a legislative instrument.

26W Review of operation of registered codes

(1) The Commissioner may review the operation of a registered APP code.

Note: The review may inform a decision by the Commissioner to approve a variation of a registered APP code or to remove a registered APP code from the Codes Register.

(2) The Commissioner may review the operation of the registered CR code.

Note: The review may inform a decision by the Commissioner to approve a variation of the registered CR code.

