PRIVACY ACT 1988 - SECT 100 Regulations

  (1)   The Governor-General may make regulations, not inconsistent with this Act, prescribing matters:

  (a)   required or permitted by this Act to be prescribed; or

  (b)   necessary or convenient to be prescribed for carrying out or giving effect to this Act.

  (2)   Before the Governor-General makes regulations for the purposes of Australian Privacy Principle 9.3 prescribing a government related identifier, an organisation or a class of organisations, and circumstances, the Minister must be satisfied that:

  (a)   the relevant agency or State or Territory authority or, if the relevant agency or State or Territory authority has a principal executive, the principal executive:

  (i)   has agreed that the adoption, use or disclosure of the identifier by the organisation, or the class of organisations, in the circumstances is appropriate; and

  (ii)   has consulted the Commissioner about that adoption, use or disclosure; and

  (b)   the adoption, use or disclosure of the identifier by the organisation, or the class of organisations, in the circumstances can only be for the benefit of the individual to whom the identifier relates.

  (3)   Subsection (2) does not apply to the making of regulations for the purposes of Australian Privacy Principle 9.3 that relate to the use or disclosure of a government related identifier by an organisation, or a class of organisations, in particular circumstances if:

  (a)   the identifier is a kind commonly used in the processing of pay, or deductions from pay, of Commonwealth officers, or a class of Commonwealth officers; and

  (b)   the circumstances of the use or disclosure of the identifier relate to the provision by:

  (i)   the organisation; or

  (ii)   the class of organisations;

    of superannuation services (including the management, processing, allocation and transfer of superannuation contributions) for the benefit of Commonwealth officers or the class of Commonwealth officers; and

  (c)   before the regulations are made, the Minister consults the Commissioner about the proposed regulations.

In general, this Part deals with the privacy of information relating to credit reporting.

Divisions 2 and 3 contain rules that apply to credit reporting bodies and credit providers in relation to their handling of information relating to credit reporting.

Division 4 contains rules that apply to affected information recipients in relation to their handling of their regulated information.

Division 5 deals with complaints to credit reporting bodies or credit providers about acts or practices that may be a breach of certain provisions of this Part or the registered CR code.

Division 6 deals with entities that obtain credit reporting information or credit eligibility information by false pretence, or when they are not authorised to do so under this Part.

Division 7 provides for compensation orders, and other orders, to be made by the Federal Court or Federal Circuit and Family Court of Australia (Division 2).

  (a)   credit reporting information;

  (b)   CP derived information;

  (c)   credit reporting information that is de-identified;

  (d)   a pre-screening assessment.

  (a)   credit information;

  (b)   credit eligibility information;

  (c)   CRB derived information.

This Division sets out rules that apply to affected information recipients in relation to their handling of their regulated information.

If an affected information recipient is an APP entity, the rules apply in relation to the regulated information of the recipient in addition to, or instead of, any relevant Australian Privacy Principles.

This Division deals with complaints about credit reporting bodies or credit providers.

Individuals may complain to credit reporting bodies or credit providers about acts or practices that may be a breach of certain provisions of this Part or the registered CR code.

If a complaint is made, the respondent for the complaint must investigate the complaint and make a decision about the complaint.

This Part deals with privacy codes.

Division 2 deals with codes of practice about information privacy, called APP codes. APP code developers or the Commissioner may develop APP codes, which:

  (a)   must set out how one or more of the Australian Privacy Principles are to be applied or complied with; and

  (b)   may impose additional requirements to those imposed by the Australian Privacy Principles; and

  (c)   may deal with other specified matters.

If the Commissioner includes an APP code on the Codes Register, an APP entity bound by the code must not breach it. A breach of a registered APP code is an interference with the privacy of an individual.

Division 3 deals with a code of practice about credit reporting, called a CR code. CR code developers or the Commissioner may develop a CR code, which:

  (a)   must set out how one or more of the provisions of Part IIIA are to be applied or complied with; and

  (b)   must deal with matters required or permitted by Part IIIA to be provided for by the registered CR code; and

  (c)   may deal with other specified matters.

If the Commissioner includes a CR code on the Codes Register, an entity bound by the code must not breach it. A breach of the registered CR code is an interference with the privacy of an individual.

Division 4 deals with the Codes Register, guidelines relating to codes and the review of the operation of registered codes.

  This Part sets up a scheme for notification of eligible data breaches.

  An eligible data breach happens if:

  (a)   there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and

  (b)   the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.

  An entity must give a notification if:

  (a)   it has reasonable grounds to believe that an eligible data breach has happened; or

  (b)   it is directed to do so by the Commissioner.

  The Commissioner may obtain information or documents in relation to actual or suspected eligible data breaches.

In general, this Part deals with complaints and investigations about acts or practices that may be an interference with the privacy of an individual.

An individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of the individual. If a complaint is made, the Commissioner is required to investigate the act or practice except in certain circumstances.

The Commissioner may also, on his or her own initiative, investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1.

The Commissioner has a range of powers relating to the conduct of investigations including powers:

  (a)   to conciliate complaints; and

  (b)   to make preliminary inquiries of any person; and

  (c)   to require a person to give information or documents, or to attend a compulsory conference; and

  (d)   to transfer matters to an alternative complaint body in certain circumstances.