PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) ACT 2012 (NO. 197, 2012) - SCHEDULE 4 Other amendments of the Privacy Act 1988


1  After section 2

Insert:

2A   Objects of this Act

                   The objects of this Act are:

                     (a)  to promote the protection of the privacy of individuals; and

                     (b)  to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities; and

                     (c)  to provide the basis for nationally consistent regulation of privacy and the handling of personal information; and

                     (d)  to promote responsible and transparent handling of personal information by entities; and

                     (e)  to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected; and

                      (f)  to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected; and

                     (g)  to provide a means for individuals to complain about an alleged interference with their privacy; and

                     (h)  to implement Australia's international obligation in relation to privacy.

2  Subsections 5B(1) and (1A)

Repeal the subsections, substitute:

Agencies

             (1)  This Act, a registered APP code and the registered CR code extend to an act done, or practice engaged in, outside Australia and the external Territories by an agency.

Note:          The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).

Organisations and small business operators

          (1A)  This Act, a registered APP code and the registered CR code extend to an act done, or practice engaged in, outside Australia and the external Territories by an organisation, or small business operator, that has an Australian link.

Note:          The act or practice overseas will not breach an Australian Privacy Principle or a registered APP code if the act or practice is required by an applicable foreign law (see sections 6A and 6B).

3  Subsection 5B(2) (heading)

Repeal the heading, substitute:

Australian link

4  Subsection 5B(2)

Omit "The organisation must be", substitute "An organisation or small business operator has an Australian link if the organisation or operator is".

5  Subsection 5B(3) (heading)

Repeal the heading.

6  Subsection 5B(3)

Omit "All of the following conditions must be met", substitute "An organisation or small business operator also has an Australian link if all of the following apply".

7  Paragraphs 5B(3)(a), (b) and (c)

After "organisation", insert "or operator".

8  Subsection 5B(4)

After "subsection (1)", insert "or (1A)".

9  Subsection 6(1)

Insert:

"advice related functions" has the meaning given by subsection 28B(1).

10  Subsection 6(1)

Insert:

"Australian link" has the meaning given by subsections 5B(2) and (3).

11  Subsection 6(1) (all the definitions of breach)

Repeal the definitions, substitute:

"breach" :

                     (a)  in relation to an Australian Privacy Principle, has the meaning given by section 6A; and

                     (b)  in relation to a registered APP code, has the meaning given by section 6B; and

                     (c) in relation to the registered CR code, has the meaning given by section 6BA.

12  Subsection 6(1)

Insert:

"civil penalty order" has the meaning given by subsection 80W(4).

13  Subsection 6(1)

Insert:

"civil penalty provision" has the meaning given by section 80U.

14  Subsection 6(1) (definition of code complaint)

Omit "the complainant", substitute "an individual".

15  Subsection 6(1)

Insert:

"committee of management" of an unincorporated association means a body (however described) that governs, manages or conducts the affairs of the association.

16  Subsection 6(1) (definition of credit reporting complaint)

Omit "the complainant", substitute "an individual".

17  Subsection 6(1)

Insert:

"Defence Department" means the Department of State that deals with defence and that is administered by the Minister administering section 1 of the Defence Act 1903.

18  Subsection 6(1) (definition of file number complaint)

Omit "the complainant", substitute "an individual".

19  Subsection 6(1) (paragraph (a) of the definition of file number complaint)

Omit "guideline", substitute "rule".

20  Subsection 6(1)

Insert:

"guidance related functions" has the meaning given by subsection 28(1).

21  Subsection 6(1) (definition of individual concerned)

Repeal the definition.

22  Subsection 6(1)

Insert:

"interference with the privacy of an individual" has the meaning given by sections 13 to 13F.

23  Subsection 6(1)

Insert:

"monitoring related functions" has the meaning given by subsections 28A(1) and (2).

24  Subsection 6(1)

Insert:

"offence against this Act" includes an offence against section 6 of the Crimes Act 1914, or section 11.1, 11.2, 11.2A, 11.4 or 11.5 of the Criminal Code, that relates to an offence against this Act.

25  Subsection 6(1)

Insert:

"recognised external dispute resolution scheme" means an external dispute resolution scheme recognised under section 35A.

26  Subsection 6(1) (definition of tax file number information)

Omit "(including information forming part of a database)".

27  Subsection 6(3)

Omit "guideline" (wherever occurring), substitute "rule".

28  Subsection 6(6)

Omit "Department of Defence", substitute "Defence Department".

29  Paragraphs 7(1)(ca) and (g) and (1A)(c)

Omit "Department of Defence", substitute "Defence Department".

30  Subsection 7(2)

Omit "under section 27", substitute "in relation to the principles and such a code".

31  Paragraph 7(2)(b)

Omit "Department of Defence", substitute "Defence Department".

32  Subsection 7(3A)

Repeal the subsection.

33  Subsection 7(4)

Omit "paragraphs 27(1)(b), (c), (d), (e), (g), (k) and (m)", substitute "section 28, of paragraphs 28A(2)(a) to (e)".

34  Section 12B (heading)

Repeal the heading, substitute:

12B   Severability--additional effect of this Act

35  Subsections 12B(1) and (2)

Repeal the subsections, substitute:

             (1)  Without limiting its effect apart from this section, this Act has effect in relation to the following (the regulated entities) as provided by this section:

                     (a)  an agency;

                     (b)  an organisation;

                     (c)  a small business operator;

                     (d)  a body politic.

Note:          Subsection 27(4) applies in relation to an investigation of an act or practice referred to in subsection 29(1) of the Healthcare Identifiers Act 2010.

             (2)  This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to an operation to give effect to the following:

                     (a)  the International Covenant on Civil and Political Rights done at New York on 16 December 1966 ([1980] ATS 23), and in particular Articles 17 and 24(1) of the Covenant;

                     (b)  Article 16 of the Convention on the Rights of the Child done at New York on 20 November 1989 ([1991] ATS 4).

Note:          In 2012, the text of the Covenant and Convention in the Australian Treaty Series was accessible through the Australian Treaties Library on the AustLII website (www.austlii.edu.au).

36  Subsection 12B(3)

Omit "to organisations", substitute "to regulated entities".

37  Subsection 12B(3)

Omit "subsection 5B(1)", substitute "section 5B".

38  Subsection 12B(3)

Omit "by organisations".

39  Subsections 12B(4) and (5)

Omit "organisations" (wherever occurring), substitute "regulated entities".

40  After subsection 12B(5)

Insert:

          (5A)  This Act also has the effect it would have if its operation in relation to regulated entities were expressly confined to acts or practices engaged in by regulated entities in the course of:

                     (a)  banking (other than State banking not extending beyond the limits of the State concerned); or

                     (b)  insurance (other than State insurance not extending beyond the limits of the State concerned).

41  Subsections 12B(6) to (8)

Omit "organisations" (wherever occurring), substitute "regulated entities".

42  Sections 13 and 13A

Repeal the sections, substitute:

13   Interferences with privacy

APP entities

             (1)  An act or practice of an APP entity is an interference with the privacy of an individual if:

                     (a)  the act or practice breaches an Australian Privacy Principle in relation to personal information about the individual; or

                     (b)  the act or practice breaches a registered APP code that binds the entity in relation to personal information about the individual.

Credit reporting

             (2)  An act or practice of an entity is an interference with the privacy of an individual if:

                     (a)  the act or practice breaches a provision of Part IIIA in relation to personal information about the individual; or

                     (b)  the act or practice breaches the registered CR code in relation to personal information about the individual and the code binds the entity.

Contracted service providers

             (3)  An act or practice of an organisation is an interference with the privacy of an individual if:

                     (a)  the act or practice relates to personal information about the individual; and

                     (b)  the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and

                     (c)  the act or practice does not breach:

                              (i)  an Australian Privacy Principle; or

                             (ii)  a registered APP code that binds the organisation;

                            in relation to the personal information because of a provision of the contract that is inconsistent with the principle or code; and

                     (d)  the act is done, or the practice is engaged in, in a manner contrary to, or inconsistent with, that provision.

Note:          See subsections 6A(2) and 6B(2) for when an act or practice does not breach an Australian Privacy Principle or a registered APP code.

Tax file numbers

             (4)  An act or practice is an interference with the privacy of an individual if:

                     (a)  it is an act or practice of a file number recipient and the act or practice breaches a rule issued under section 17 in relation to tax file number information that relates to the individual; or

                     (b)  the act or practice involves an unauthorised requirement or request for disclosure of the tax file number of the individual.

Other interferences with privacy

             (5)  An act or practice is an interference with the privacy of an individual if the act or practice:

                     (a)  constitutes a breach of Part 2 of the Data-matching Program (Assistance and Tax) Act 1990 or the rules issued under section 12 of that Act; or

                     (b)  constitutes a breach of the rules issued under section 135AA of the National Health Act 1953.

Note:          Other Acts may provide that an act or practice is an interference with the privacy of an individual. For example, see the Healthcare Identifiers Act 2010, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the Personal Property Securities Act 2009.

43  Subsection 13B(1)

Omit "paragraphs 13A(1)(a) and (b)", substitute "subsection 13(1)".

44  Subsection 13B(1)

Omit "of an individual", substitute " of an individual ".

45  Subsection 13B(2)

Repeal the subsection, substitute:

Relationship with subsection 13(3)

             (2)  Subsection (1) does not prevent an act or practice of an organisation from being an interference with the privacy of an individual under subsection 13(3).

46  Subsection 13C(1)

Omit "of the individual", substitute " of the individual ".

47  Subsection 13C(2)

Repeal the subsection, substitute:

Effect of subsection (1)

             (2)  Subsection (1) has effect despite subsections 13(1) and (3).

48  Subsection 13D(1)

Omit "of an individual", substitute " of an individual ".

49  Subsection 13D(2)

Repeal the subsection, substitute:

Effect of subsection (1)

             (2)  Subsection (1) has effect despite subsections 13(1) and (3).

50  Sections 13E and 13F

Repeal the sections, substitute:

13E   Effect of sections 13B, 13C and 13D

                   Sections 13B, 13C and 13D do not prevent an act or practice of an organisation from being an interference with the privacy of an individual under subsection 13(2), (4) or (5).

13F   Act or practice not covered by section 13 is not an interference with privacy

                   An act or practice that is not covered by section 13 is not an interference with the privacy of an individual.

13G   Serious and repeated interferences with privacy

                   An entity contravenes this subsection if:

                     (a)  the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or

                     (b)  the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.

 Civil penalty:         2,000 penalty units.

51  Section 17

Repeal the section, substitute:

17   Rules relating to tax file number information

                   The Commissioner must, by legislative instrument, issue rules concerning the collection, storage, use and security of tax file number information.

52  Section 18 (heading)

Repeal the heading, substitute:

18   File number recipients to comply with rules

53  Section 18

Omit "guideline", substitute "rule".

54  Sections 27 to 29

Repeal the sections, substitute:

27   Functions of the Commissioner

             (1)  The Commissioner has the following functions:

                     (a)  the functions that are conferred on the Commissioner by or under:

                              (i)  this Act; or

                             (ii)  any other law of the Commonwealth;

                     (b)  the guidance related functions;

                     (c)  the monitoring related functions;

                     (d)  the advice related functions;

                     (e)  to do anything incidental or conducive to the performance of any of the above functions.

             (2)  The Commissioner has power to do all things necessary or convenient to be done for, or in connection with, the performance of the Commissioner's functions.

             (3)  Without limiting subsection (2), the Commissioner may establish a panel of persons with expertise in relation to a particular matter to assist the Commissioner in performing any of the Commissioner's functions.

             (4)  Section 38 of the Healthcare Identifiers Act 2010, rather than section 12B of this Act, applies in relation to an investigation of an act or practice referred to in subsection 29(1) of that Act in the same way as it applies to Parts 3 and 4 of that Act.

Note:          Section 38 of the Healthcare Identifiers Act 2010 deals with the additional effect of Parts 3 and 4 of that Act.

28   Guidance related functions of the Commissioner

             (1)  The following are the guidance related functions of the Commissioner:

                     (a)  making guidelines for the avoidance of acts or practices that may or might be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals;

                     (b)  making, by legislative instrument, guidelines for the purposes of paragraph (d) of Australian Privacy Principle 6.3;

                     (c)  promoting an understanding and acceptance of:

                              (i)  the Australian Privacy Principles and the objects of those principles; and

                             (ii)  a registered APP code; and

                            (iii)  the provisions of Part IIIA and the objects of those provisions; and

                            (iv)  the registered CR code;

                     (d)  undertaking educational programs for the purposes of promoting the protection of individual privacy.

             (2)  The Commissioner may publish the guidelines referred to in paragraphs (1)(a) and (b) in such manner as the Commissioner considers appropriate.

             (3)  The educational programs referred to in paragraph (1)(d) may be undertaken by:

                     (a)  the Commissioner; or

                     (b)  a person or authority acting on behalf of the Commissioner.

             (4)  Guidelines made under paragraph (1)(a) are not a legislative instrument.

28A   Monitoring related functions of the Commissioner

Credit reporting and tax file number information

             (1)  The following are the monitoring related functions of the Commissioner:

                     (a)  monitoring the security and accuracy of information held by an entity that is information to which Part IIIA applies;

                     (b)  examining the records of entities to ensure that the entities:

                              (i)  are not using information to which Part IIIA applies for unauthorised purposes; and

                             (ii)  are taking adequate measures to prevent the unlawful disclosure of such information;

                     (c)  examining the records of the Commissioner of Taxation to ensure that the Commissioner:

                              (i)  is not using tax file number information for purposes beyond his or her powers; and

                             (ii)  is taking adequate measures to prevent the unlawful disclosure of the tax file number information that he or she holds;

                     (d)  evaluating compliance with the rules issued under section 17;

                     (e)  monitoring the security and accuracy of tax file number information kept by file number recipients.

Other matters

             (2)  The following are also the monitoring related functions of the Commissioner:

                     (a)  examining a proposed enactment that would require or authorise acts or practices of an entity that might otherwise be interferences with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals;

                     (b)  examining a proposal for data matching or linkage that may involve an interference with the privacy of individuals, or which may otherwise have any adverse effects on the privacy of individuals;

                     (c)  ensuring that any adverse effects of the proposed enactment or the proposal on the privacy of individuals are minimised;

                     (d)  undertaking research into, and monitoring developments in, data processing and technology (including data matching and linkage) to ensure that any adverse effects of such developments on the privacy of individuals are minimised;

                     (e)  reporting to the Minister the results of that research and monitoring;

                      (f)  monitoring and reporting on the adequacy of equipment and user safeguards.

             (3)  The functions referred to in paragraphs (2)(a) and (b) may be performed by the Commissioner:

                     (a)  on request by a Minister or Norfolk Island Minister; or

                     (b)  on the Commissioner's own initiative.

             (4)  If the reporting referred to in paragraph (2)(e) or (f) is done in writing, the instrument is not a legislative instrument.

28B   Advice related functions of the Commissioner

             (1)  The following are the advice related functions of the Commissioner:

                     (a)  providing advice to a Minister, Norfolk Island Minister or entity about any matter relevant to the operation of this Act;

                     (b)  informing the Minister of action that needs to be taken by an agency in order to comply with the Australian Privacy Principles;

                     (c)  providing reports and recommendations to the Minister in relation to any matter concerning the need for, or the desirability of, legislative or administrative action in the interests of the privacy of individuals;

                     (d)  providing advice to file number recipients about:

                              (i)  their obligations under the Taxation Administration Act 1953 in relation to the confidentiality of tax file number information; or

                             (ii)  any matter relevant to the operation of this Act.

             (2)  The functions referred to in paragraphs (1)(a), (c) and (d) may be performed by the Commissioner on request or on the Commissioner's own initiative.

             (3)  The Commissioner may perform the function referred to in paragraph (1)(b) whenever the Commissioner thinks it is necessary to do so.

             (4)  If the Minister is informed under paragraph (1)(b) in writing, or the report referred to in paragraph (1)(c) is provided in writing, the instrument is not a legislative instrument.

29   Commissioner must have due regard to the objects of the Act

                   The Commissioner must have due regard to the objects of this Act in performing the Commissioner's functions, and exercising the Commissioner's powers, conferred by this Act.

Note:          The objects of this Act are set out in section 2A.

55  Subparagraph 30(1)(b)(ii)

Repeal the subparagraph, substitute:

                             (ii)  does not consider that it is reasonably possible that the matter that gave rise to the investigation can be conciliated successfully or has attempted to conciliate the matter without success.

56  Subsection 30(3)

Omit "under paragraph 27(1)(a), 28(1)(b) or (c) or 28A(1)(b)".

57  Subsection 30(3)

After "credit provider" (first occurring), insert "that is an interference with the privacy of an individual under subsection 13(1), (2) or (4)".

58  Subsection 30(6)

Repeal the subsection.

59  Subsection 31(1)

Omit "paragraph 27(1)(b)", substitute "paragraph 28A(2)(a)".

60  Subsection 31(2)

Omit "agency or organisation", substitute "entity".

61  Section 32 (heading)

Repeal the heading, substitute:

32   Commissioner may report to the Minister if the Commissioner has monitored certain activities etc.

62  Subsection 32(1)

Repeal the subsection, substitute:

             (1)  If the Commissioner has:

                     (a)  monitored an activity in the performance of a function under paragraph 28(1)(d), 28A(1)(a), (b), (d) or (e) or (2)(b), (c) or (d) or 28B(1)(b) or (c); or

                     (b)  conducted an assessment under section 33C;

the Commissioner may report to the Minister about the activity or assessment, and must do so if so directed by the Minister.

63  Subsection 32(2)

After "activity", insert "or assessment".

64  After section 33B

Insert:

Division 3A -- Assessments by, or at the direction of, the Commissioner

33C   Commissioner may conduct an assessment relating to the Australian Privacy Principles etc.

             (1)  The Commissioner may conduct an assessment of the following matters:

                     (a)  whether personal information held by an APP entity is being maintained and handled in accordance with the following:

                              (i)  the Australian Privacy Principles;

                             (ii)  a registered APP code that binds the entity;

                     (b)  whether information held by an entity is being maintained and handled in accordance with the following to the extent that they apply to the information:

                              (i)  the provisions of Part IIIA;

                             (ii)  the registered CR code if it binds the entity;

                     (c)  whether tax file number information held by a file number recipient is being maintained and handled in accordance with any relevant rules issued under section 17;

                     (d)  whether the data matching program (within the meaning of the Data-matching Program (Assistance and Tax) Act 1990) of an agency complies with Part 2 of that Act and the rules issued under section 12 of that Act;

                     (e)  whether information to which section 135AA of the National Health Act 1953 applies is being maintained and handled in accordance with the rules issued under that section.

             (2)  The Commissioner may conduct the assessment in such manner as the Commissioner considers fit.

33D   Commissioner may direct an agency to give a privacy impact assessment

             (1)  If:

                     (a)  an agency proposes to engage in an activity or function involving the handling of personal information about individuals; and

                     (b)  the Commissioner considers that the activity or function might have a significant impact on the privacy of individuals;

the Commissioner may, in writing, direct the agency to give the Commissioner, within a specified period, a privacy impact assessment about the activity or function.

             (2)  A direction under subsection (1) is not a legislative instrument.

Privacy impact assessment

             (3)  A privacy impact assessment is a written assessment of an activity or function that:

                     (a)  identifies the impact that the activity or function might have on the privacy of individuals; and

                     (b)  sets out recommendations for managing, minimising or eliminating that impact.

             (4)  Subsection (3) does not limit the matters that the privacy impact assessment may deal with.

             (5)  A privacy impact assessment is not a legislative instrument.

Failure to comply with a direction

             (6)  If an agency does not comply with a direction under subsection (1), the Commissioner must advise both of the following of the failure:

                     (a)  the Minister;

                     (b)  if another Minister is responsible for the agency--that other Minister.

Review

             (7)  Before the fifth anniversary of the commencement of this section, the Minister must cause a review to be undertaken of whether this section should apply in relation to organisations.

Division 3B -- Enforceable undertakings

33E   Commissioner may accept undertakings

             (1)  The Commissioner may accept any of the following undertakings:

                     (a)  a written undertaking given by an entity that the entity will, in order to comply with this Act, take specified action;

                     (b)  a written undertaking given by an entity that the entity will, in order to comply with this Act, refrain from taking specified action;

                     (c)  a written undertaking given by an entity that the entity will take specified action directed towards ensuring that the entity does not do an act, or engage in a practice, in the future that interferes with the privacy of an individual.

             (2)  The undertaking must be expressed to be an undertaking under this section.

             (3)  The entity may withdraw or vary the undertaking at any time, but only with the consent of the Commissioner.

             (4)  The Commissioner may, by written notice given to the entity, cancel the undertaking.

             (5)  The Commissioner may publish the undertaking on the Commissioner's website.

33F   Enforcement of undertakings

             (1)  If:

                     (a)  an entity gives an undertaking under section 33E; and

                     (b)  the undertaking has not been withdrawn or cancelled; and

                     (c)  the Commissioner considers that the entity has breached the undertaking;

the Commissioner may apply to the Federal Court or Federal Magistrates Court for an order under subsection (2).

             (2)  If the court is satisfied that the entity has breached the undertaking, the court may make any or all of the following orders:

                     (a)  an order directing the entity to comply with the undertaking;

                     (b)  any order that the court considers appropriate directing the person to compensate any other person who has suffered loss or damage as a result of the breach;

                     (c)  any other order that the court considers appropriate.

65  Subsections 34(1) and (2)

Omit "functions referred to in section 27", substitute "Commissioner's functions".

66  At the end of Part IV

Add:

35A   Commissioner may recognise external dispute resolution schemes

             (1)  The Commissioner may, by written notice, recognise an external dispute resolution scheme:

                     (a)  for an entity or a class of entities; or

                     (b)  for a specified purpose.

             (2)  In considering whether to recognise an external dispute resolution scheme, the Commissioner must take the following matters into account:

                     (a)  the accessibility of the scheme;

                     (b)  the independence of the scheme;

                     (c)  the fairness of the scheme;

                     (d)  the accountability of the scheme;

                     (e)  the efficiency of the scheme;

                      (f)  the effectiveness of the scheme;

                     (g)  any other matter the Commissioner considers relevant.

             (3)  The Commissioner may:

                     (a)  specify a period for which the recognition of an external dispute resolution scheme is in force; and

                     (b)  make the recognition of an external dispute resolution scheme subject to specified conditions, including conditions relating to the conduct of an independent review of the operation of the scheme; and

                     (c)  vary or revoke:

                              (i)  the recognition of an external dispute resolution scheme; or

                             (ii)  the period for which the recognition is in force; or

                            (iii)  a condition to which the recognition is subject.

             (4)  A notice under subsection (1) is not a legislative instrument.

67  Part V (heading)

Repeal the heading, substitute:

Part V -- Investigations etc.

68  Before Division 1 of Part V

Insert:

Division 1A -- Introduction

36A   Guide to this Part

In general, this Part deals with complaints and investigations about acts or practices that may be an interference with the privacy of an individual.

An individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of the individual. If a complaint is made, the Commissioner is required to investigate the act or practice except in certain circumstances.

The Commissioner may also, on his or her own initiative, investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1.

The Commissioner has a range of powers relating to the conduct of investigations including powers:

               (a)     to conciliate complaints; and

              (b)     to make preliminary inquiries of any person; and

               (c)     to require a person to give information or documents, or to attend a compulsory conference; and

              (d)     to transfer matters to an alternative complaint body in certain circumstances.

After an investigation, the Commissioner may make a determination in relation to the investigation. An entity to which a determination relates must comply with certain declarations included in the determination. Court proceedings may be commenced to enforce a determination.

69  Subsection 36(7) (note)

Omit "Section 70A contains", substitute "Sections 98A to 98C contain".

70  Subsection 36(8)

Omit "one of paragraphs 13(b) to (d) (inclusive)", substitute "subsection 13(2), (4) or (5)".

71  Subsection 36(8)

After "person", insert "or entity".

72  Subsection 38(1)

Omit "or accepted under subsection 40(1B)".

73  Paragraph 38(1)(a)

After "person", insert "or entity".

74  Subsection 38(2)

Omit "or accepted under subsection 40(1B)".

75  Subsection 38B(2)

Omit all the words after "representative", substitute:

                   complaint:

                     (a)  if the complaint was lodged without the consent of the member--at any time; or

                     (b)  otherwise--at any time before the Commissioner begins to hold an inquiry into the complaint.

76  Add at the end of subsection 38B(2)

Add:

Note:          If a class member withdraws from a representative complaint that relates to a matter, the former member may make a complaint under section 36 that relates to the matter.

77  Subsections 40(1B) and (1C)

Repeal the subsections, substitute:

          (1B)  Subsection (1A) does not apply if the complaint is about an act or practice that may breach:

                     (a)  section 20R, 20T, 21T or 21V (which are about access to, and correction of, credit reporting information etc.); or

                     (b)  a provision of the registered CR code that relates to that section.

78  Subsection 40(2)

After "Commissioner may", insert ", on the Commissioner's own initiative,".

79  Paragraph 40(2)(a)

After "individual", insert "or a breach of Australian Privacy Principle 1".

80  Section 40A

Repeal the section, substitute:

40A   Conciliation of complaints

             (1)  If:

                     (a)  a complaint about an act or practice is made under section 36; and

                     (b)  the Commissioner considers it is reasonably possible that the complaint may be conciliated successfully;

the Commissioner must make a reasonable attempt to conciliate the complaint.

             (2)  Subsection (1) does not apply if the Commissioner has decided under section 41 or 50 not to investigate, or not to investigate further, the act or practice.

             (3)  If the Commissioner is satisfied that there is no reasonable likelihood that the complaint will be resolved by conciliation, the Commissioner must, in writing, notify the complainant and respondent of that matter.

             (4)  If a notification is given under subsection (3), the Commissioner may decide not to investigate, or not to investigate further, the act or practice.

             (5)  Evidence of anything said or done in the course of the conciliation is not admissible in any hearing before the Commissioner, or in any legal proceedings, relating to the complaint or the act or practice unless:

                     (a)  the complainant and respondent otherwise agree; or

                     (b)  the thing was said or done in furtherance of the commission of a fraud or an offence, or the commission of an act that renders a person liable to a civil penalty.

81  Section 41 (heading)

Repeal the heading, substitute:

41   Commissioner may or must decide not to investigate etc. in certain circumstances

82  Subsection 41(1)

Omit ", or which the Commissioner has accepted under subsection 40(1B),".

83  At the end of paragraphs 41(1)(a) and (c)

Add "or".

84  Paragraph 41(1)(d)

Omit "or lacking in substance;", substitute ", lacking in substance or not made in good faith; or".

85  After paragraph 41(1)(d)

Insert:

                   (da)  an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances; or

                   (db)  the complainant has not responded, within the period specified by the Commissioner, to a request for information in relation to the complaint; or

                   (dc)  the act or practice is being dealt with by a recognised external dispute resolution scheme; or

                   (dd)  the act or practice would be more effectively or appropriately dealt with by a recognised external dispute resolution scheme; or

86  After subsection 41(1)

Insert:

          (1A)  The Commissioner must not investigate, or investigate further, an act or practice about which a complaint has been made under section 36 if the Commissioner is satisfied that the complainant has withdrawn the complaint.

87  Subsections 41(2) and (3)

Omit ", or accepted by the Commissioner under subsection 40(1B),".

88  Section 42

Before "Where", insert "(1)".

89  Section 42

Omit "or the Commissioner accepts a complaint under subsection 40(1B),".

90  Section 42

Omit "respondent", substitute "respondent or any other person".

91  At the end of section 42

Add:

             (2)  The Commissioner may make inquiries of any person for the purpose of determining whether to investigate an act or practice under subsection 40(2).

92  After subsection 43(1)

Insert:

       (1AA)  Before commencing an investigation of an act or practice of a person or entity under subsection 40(2), the Commissioner must inform the person or entity that the act or practice is to be investigated.

93  Subsection 43(2)

Omit "in private but otherwise".

94  Subsections 43(4), (5) and (6)

Repeal the subsections, substitute:

             (4)  The Commissioner may make a determination under section 52 in relation to an investigation under this Division without holding a hearing, if:

                     (a)  it appears to the Commissioner that the matter to which the investigation relates can be adequately determined in the absence of:

                              (i)  in the case of an investigation under subsection 40(1)--the complainant and respondent; or

                             (ii)  otherwise--the person or entity that engaged in the act or practice that is being investigated; and

                     (b)  the Commissioner is satisfied that there are no unusual circumstances that would warrant the Commissioner holding a hearing; and

                     (c)  an application for a hearing has not been made under section 43A.

95  Subsection 43(7)

Omit "afford the complainant or respondent an opportunity to appear before the Commissioner and to make submissions under subsection (5)", substitute "hold a hearing".

96  Subsection 43(8A)

Omit "an approved privacy code or the National Privacy Principles", substitute "the Australian Privacy Principles or a registered APP code".

97  After section 43

Insert:

43A   Interested party may request a hearing

             (1)  An interested party in relation to an investigation under this Division may, in writing, request that the Commissioner hold a hearing before the Commissioner makes a determination under section 52 in relation to the investigation.

             (2)  If an interested party makes a request under subsection (1), the Commissioner must:

                     (a)  notify any other interested party of the request; and

                     (b)  give all interested parties a reasonable opportunity to make a submission about the request; and

                     (c)  decide whether or not to hold a hearing.

             (3)  In this section:

"interested party" in relation to an investigation means:

                     (a)  in the case of an investigation under subsection 40(1)--the complainant or respondent; or

                     (b)  otherwise--the person or entity that engaged in the act or practice that is being investigated.

98  Subsection 44(4)

Omit "sections 69 and", substitute "section".

99  Subsection 46(1)

Omit "(except an NPP complaint or a code complaint accepted under subsection 40(1B))".

100  Subsection 50(1)

Insert:

"alternative complaint body" means:

                     (a)  the Australian Human Rights Commission; or

                     (b)  the Ombudsman; or

                     (c)  the Postal Industry Ombudsman; or

                     (d)  the Overseas Students Ombudsman; or

                     (e)  the Public Service Commissioner; or

                      (f)  the Norfolk Island Public Service Board; or

                     (g)  a recognised external dispute resolution scheme.

101  At the end of paragraph 50(2)(a)

Add:

                             (v)  to a recognised external dispute resolution scheme; or

102  Subsection 50(2)

Omit "Australian Human Rights Commission, the Ombudsman, the Postal Industry Ombudsman, the Overseas Students Ombudsman or the Public Service Commissioner, as the case may be", substitute "alternative complaint body".

103  Paragraphs 50(2)(c) and (e)

Omit "Australian Human Rights Commission, the Ombudsman, the Postal Industry Ombudsman, the Overseas Students Ombudsman or the Public Service Commissioner", substitute "alternative complaint body".

104  At the end of paragraph 50(3)(a)

Add:

                             (v)  to the recognised external dispute resolution scheme; or

105  Subsection 50A(2) (note 2)

Repeal the note, substitute:

Note 2:       The Commissioner may determine under section 53B that the determination applies in relation to an agency if the organisation has not complied with the determination.

106  Subparagraph 52(1)(b)(i)

Omit "should" (wherever occurring), substitute "must".

107  After subparagraph 52(1)(b)(i)

Insert:

                            (ia)  a declaration that the respondent must take specified steps within a specified period to ensure that such conduct is not repeated or continued;

108  Subparagraph 52(1)(b)(ii)

Omit "should", substitute "must".

109  Subsection 52(1A)

Repeal the subsection, substitute:

          (1A)  After investigating an act or practice of a person or entity under subsection 40(2), the Commissioner may make a determination that includes one or more of the following:

                     (a)  a declaration that:

                              (i)  the act or practice is an interference with the privacy of one or more individuals; and

                             (ii)  the person or entity must not repeat or continue the act or practice;

                     (b)  a declaration that the person or entity must take specified steps within a specified period to ensure that the act or practice is not repeated or continued;

                     (c)  a declaration that the person or entity must perform any reasonable act or course of conduct to redress any loss or damage suffered by one or more of those individuals;

                     (d)  a declaration that one or more of those individuals are entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice;

                     (e)  a declaration that it would be inappropriate for any further action to be taken in the matter.

       (1AA)  The steps specified by the Commissioner under subparagraph (1)(b)(ia) or paragraph (1A)(b) must be reasonable and appropriate.

       (1AB)  The loss or damage referred to in paragraph (1)(b) or subsection (1A) includes:

                     (a)  injury to the feelings of the complainant or individual; and

                     (b)  humiliation suffered by the complainant or individual.

110  Subsection 52(1B)

After "subsection (1)", insert "or (1A)".

111  Subsections 52(3A) and (3B)

Repeal the subsections, substitute:

          (3A)  A determination under paragraph (1)(b) or subsection (1A) may include any order that the Commissioner considers necessary or appropriate.

112  Subsection 53A(1)

Omit "to which a contracted service provider for a Commonwealth contract is the respondent", substitute "that applies in relation to a contracted service provider for a Commonwealth contract".

113  Section 53B (heading)

Repeal the heading, substitute:

53B   Substituting an agency for a contracted service provider

114  Paragraph 53B(1)(a)

Repeal the paragraph, substitute:

                     (a)  a determination under section 52 applies in relation to a contracted service provider for a Commonwealth contract; and

115  After subparagraph 53B(1)(b)(i)

Insert:

                            (ia)  a declaration under paragraph 52(1A)(d) that one or more individuals are entitled to a specified amount by way of the compensation; or

116  Paragraph 53B(1)(c)

Omit "respondent", substitute "provider".

117  Paragraph 53B(1)(d)

After "complainant", insert "or individuals".

118  Paragraph 53B(1)(d)

Omit "subparagraph (b)(i) or (b)(ii)", substitute "paragraph (b)".

119  Subsection 53B(2)

After "writing that", insert "the determination under section 52 instead applies in relation to".

120  Subsection 53B(2)

Omit "is the respondent to the determination under section 52".

121  Subsection 53B(2) (at the end of the note)

Add "or individuals".

122  Subsection 54(1)

Omit "respondent to the determination is", substitute "determination applies in relation to".

123  Section 55

Repeal the section, substitute:

55   Obligations of organisations and small business operators

                   If the determination applies in relation to an organisation or small business operator, the organisation or operator:

                     (a)  must not repeat or continue conduct that is covered by a declaration included in the determination under sub-subparagraph 52(1)(b)(i)(B) or paragraph 52(1A)(a); and

                     (b)  must take the steps that are specified in a declaration included in the determination under subparagraph 52(1)(b)(ia) or paragraph 52(1A)(b) within the specified period; and

                     (c)  must perform the act or course of conduct that is covered by a declaration included in the determination under subparagraph 52(1)(b)(ii) or paragraph 52(1A)(c).

124  Subsection 55A(1)

Omit "Any of the", substitute "The".

125  Paragraphs 55A(1)(a) to (c)

Repeal the paragraphs, substitute:

                     (a)  if the determination was made under subsection 52(1)--the complainant;

                     (b)  the Commissioner.

126  Subsection 55A(2)

Omit "respondent", substitute "person or entity in relation to which the determination applies".

127  Subsection 55A(2)

Omit "the complainant", substitute "an individual".

128  Subsection 55A(5)

Omit "respondent", substitute "person or entity in relation to which the determination applies".

129  Subsection 55A(5)

Omit "the complainant", substitute "an individual".

130  Paragraph 55A(6)(c)

Omit "appearance", substitute "hearing".

131  Paragraph 55A(6)(c)

Omit "under subsection 43(5)".

132  Subsection 55A(7A)

Omit "matters that paragraph 29(a) requires the Commissioner to have due regard to", substitute "objects of this Act".

133  Paragraphs 55B(1)(a) and (b) and (3)(a) and (b)

Repeal the paragraphs, substitute:

                     (a)  a specified APP entity had breached an Australian Privacy Principle; or

                     (b)  a specified APP entity had breached a registered APP code that binds the entity.

134  Subsection 57(1)

Omit "has an agency, or the principal executive of an agency, as the respondent", substitute "that applies in relation to an agency or the principal executive of an agency".

135  Section 58

Repeal the section, substitute:

58   Obligations of agencies

                   If this Division applies to a determination and the determination applies in relation to an agency, the agency:

                     (a)  must not repeat or continue conduct that is covered by a declaration included in the determination under subparagraph 52(1)(b)(i) or paragraph 52(1A)(a); and

                     (b)  must take the steps that are specified in a declaration included in the determination under subparagraph 52(1)(b)(ia) or paragraph 52(1A)(b) within the specified period; and

                     (c)  must perform the act or course of conduct that is covered by a declaration included in the determination under subparagraph 52(1)(b)(ii) or paragraph 52(1A)(c).

136  Section 59

Omit "the principal executive of an agency is the respondent to a determination to which this Division applies", substitute "this Division applies to a determination and the determination applies in relation to the principal executive of an agency".

137  Paragraph 59(b)

After "subparagraph 52(1)(b)(i)", insert "or paragraph 52(1A)(a)".

138  After paragraph 59(b)

Insert:

                   (ba)  that the steps specified in a declaration included in the determination under subparagraph 52(1)(b)(ia) or paragraph 52(1A)(b) are taken within the specified period; and

139  At the end of paragraph 59(c)

Add "or paragraph 52(1A)(c)".

140  Subsection 60(1)

After "subparagraph 52(1)(b)(iii)", insert ", paragraph 52(1A)(d)".

141  Subsection 60(1)

After "complainant", insert "or individual".

142  Subsection 60(2)

Omit "respondent is", substitute "determination applies in relation to".

143  Subsection 60(2)

After "complainant" (wherever occurring), insert "or individual".

144  Section 61

Repeal the section.

145  Subsection 62(3)

Repeal the subsection, substitute:

             (3)  The application may be made by:

                     (a)  if the determination was made under subsection 52(1)--the complainant; or

                     (b)  the Commissioner.

146  Subsection 62(4)

Omit "respondent", substitute "agency or principal executive".

147  Paragraph 62(5)(a)

Omit "section 61", substitute "section 96".

148  At the end of section 62

Add:

             (6)  In this section:

"complainant", in relation to a representative complaint, means a class member.

149  Subsection 63(2A)

Omit "NPP", substitute "APP".

150  Paragraphs 67(aa) and (ab)

Repeal the paragraphs.

151  Sections 69 and 70A

Repeal the sections.

152  Subsection 72(1)

Repeal the subsection.

153  Subsection 72(2) (heading)

Repeal the heading, substitute:

Determinations about an APP entity's acts and practices

154  Paragraph 72(2)(a)

Repeal the paragraph, substitute:

                     (a)  an act or practice of an APP entity breaches, or may breach:

                              (i)  an Australian Privacy Principle; or

                             (ii)  a registered APP code that binds the entity; but

155  Paragraph 72(2)(b)

Omit "organisation", substitute "entity".

156  Paragraph 72(2)(b)

Omit "Principle", substitute "principle".

157  Subsection 72(2)

Omit "make a written", substitute ", by legislative instrument, make a".

158  Subsection 72(3)

Omit "organisation is taken not to contravene section 16A if the organisation", substitute "APP entity is taken not to contravene section 15 or 26A if the entity".

159  Subsection 72(4)

Omit "make a written", substitute ", by legislative instrument, make a".

160  Subsection 72(4)

Omit "organisation is taken to contravene section 16A", substitute "APP entity is taken to contravene section 15 or 26A".

161  Subsection 72(4)

Omit "organisation does", substitute "APP entity does".

162  Subsection 72(4)

Omit "organisation or any other organisation", substitute "entity or any other APP entity".

163  Section 73 (heading)

Repeal the heading, substitute:

73   Application by APP entity

164  Subsection 73(1)

Omit "An agency or organisation", substitute "An APP entity".

165  Subsection 73(1)

Omit "the agency or organisation", substitute "the entity".

166  After subsection 73(1)

Insert:

          (1A)  If:

                     (a)  an application is made under subsection (1); and

                     (b)  the Commissioner is satisfied that the application is frivolous, vexatious, misconceived, lacking in substance or not made in good faith;

the Commissioner may, in writing, dismiss the application.

167  Section 74 (heading)

Repeal the heading, substitute:

74   Publication of application etc.

168  Subsection 74(1)

Omit all the words after "notice", substitute:

                   of:

                     (a)  the receipt by the Commissioner of an application; and

                     (b)  if the Commissioner dismisses an application under subsection 73(1A)--the dismissal of the application.

169  At the end of subsection 75(1)

Add "unless the Commissioner dismisses the application under subsection 73(1A)".

170  Subsection 79(3)

Repeal the subsection.

171  Section 80

Repeal the section.

172  Paragraph 80A(1)(a)

Omit "agency or organisation", substitute "APP entity".

173  Subparagraphs 80A(1)(a)(i) and (ii)

Repeal the subparagraphs, substitute:

                              (i)  an Australian Privacy Principle; or

                             (ii)  a registered APP code that binds the entity; and

174  Paragraph 80A(1)(b)

Omit "agency or organisation", substitute "entity".

175  Paragraph 80A(1)(b)

Omit "Principle", substitute "principle".

176  Subsection 80A(2)

Omit "make a written temporary public interest", substitute ", by legislative instrument, make a".

177  Paragraph 80A(2)(a)

Omit "agency or organisation", substitute "APP entity".

178  Subsection 80A(3)

Repeal the subsection, substitute:

             (3)  The Commissioner must specify in the determination a period of up to 12 months during which the determination is in force (subject to subsection 80D(2)).

179  Subsections 80B(1) and (2)

Repeal the subsections, substitute:

APP entity covered by a determination

             (1)  If an act or practice of an APP entity is the subject of a temporary public interest determination, the entity is taken not to breach section 15 or 26A if the entity does the act, or engages in the practice, while the determination is in force.

180  Subsection 80B(3)

Omit "make a written", substitute ", by legislative instrument, make a".

181  Subsection 80B(3)

Omit "organisation is taken to contravene section 16A", substitute "APP entity is taken to contravene section 15 or 26A".

182  Subsection 80B(3)

Omit "organisation does", substitute "APP entity does".

183  Subsection 80B(3)

Omit "organisation or another organisation", substitute "entity or another APP entity".

184  Section 80C

Repeal the section.

185  Paragraph 80D(2)(a)

Omit "subsection 72(1) or (2) (as appropriate)", substitute "subsection 72(2)".

186  Paragraph 80P(1)(a)

Omit "concerned".

187  Subsections 80P(4) and (5)

Repeal the subsections, substitute:

             (4)  An entity does not breach an Australian Privacy Principle, or a registered APP code that binds the entity, in respect of a collection, use or disclosure of personal information authorised by subsection (1).

188  Paragraphs 80Q(2)(a) and (b)

Repeal the paragraphs, substitute:

                     (a)  if the first person is an APP entity--a disclosure permitted under an Australian Privacy Principle or a registered APP code that binds the person;

189  After Part VIA

Insert:

Part VIB -- Civil penalty orders

Division 1 -- Civil penalty provisions

80U   Civil penalty provisions

                   A subsection of this Act (or a section of this Act that is not divided into subsections) is a civil penalty provision if the words "civil penalty" and one or more amounts in penalty units are set out at the foot of the subsection (or section).

80V   Ancillary contravention of civil penalty provisions

             (1)  An entity must not:

                     (a)  attempt to contravene a civil penalty provision; or

                     (b)  aid, abet, counsel or procure a contravention of a civil penalty provision; or

                     (c)  induce (by threats, promises or otherwise) a contravention of a civil penalty provision; or

                     (d)  be in any way, directly or indirectly, knowingly concerned in, or party to, a contravention of a civil penalty provision; or

                     (e)  conspire with others to effect a contravention of a civil penalty provision.

             (2)  An entity that contravenes subsection (1) in relation to a civil penalty provision is taken to have contravened the provision.

Division 2 -- Obtaining a civil penalty order

80W   Civil penalty orders

Application for order

             (1)  The Commissioner may apply to the Federal Court or Federal Magistrates Court for an order that an entity, that is alleged to have contravened a civil penalty provision, pay the Commonwealth a pecuniary penalty.

             (2)  The Commissioner must make the application within 6 years of the alleged contravention.

Court may order entity to pay pecuniary penalty

             (3)  If the court is satisfied that the entity has contravened the civil penalty provision, the court may order the entity to pay to the Commonwealth such pecuniary penalty for the contravention as the court determines to be appropriate.

Note:          Subsection (5) sets out the maximum penalty that the court may order the entity to pay.

             (4)  An order under subsection (3) is a civil penalty order.

Determining pecuniary penalty

             (5)  The pecuniary penalty must not be more than:

                     (a)  if the entity is a body corporate--5 times the amount of the pecuniary penalty specified for the civil penalty provision; or

                     (b)  otherwise--the amount of the pecuniary penalty specified for the civil penalty provision.

             (6)  In determining the pecuniary penalty, the court must take into account all relevant matters, including:

                     (a)  the nature and extent of the contravention; and

                     (b)  the nature and extent of any loss or damage suffered because of the contravention; and

                     (c)  the circumstances in which the contravention took place; and

                     (d)  whether the entity has previously been found by a court in proceedings under this Act to have engaged in any similar conduct.

80X   Civil enforcement of penalty

             (1)  A pecuniary penalty is a debt payable to the Commonwealth.

             (2)  The Commonwealth may enforce a civil penalty order as if it were an order made in civil proceedings against the entity to recover a debt due by the entity. The debt arising from the order is taken to be a judgement debt.

80Y   Conduct contravening more than one civil penalty provision

             (1)  If conduct constitutes a contravention of 2 or more civil penalty provisions, proceedings may be instituted under this Division against an entity in relation to the contravention of any one or more of those provisions.

             (2)  However, the entity is not liable to more than one pecuniary penalty under this Division in relation to the same conduct.

80Z   Multiple contraventions

             (1)  The Federal Court or Federal Magistrates Court may make a single civil penalty order against an entity for multiple contraventions of a civil penalty provision if:

                     (a)  proceedings for the contraventions are founded on the same facts; or

                     (b)  the contraventions form, or are part of, a series of contraventions of the same or a similar character.

             (2)  However, the pecuniary penalty must not exceed the sum of the maximum pecuniary penalties that could be ordered if a separate civil penalty order were made for each of the contraventions.

Note:          In determining the pecuniary penalty, the court must take into account all relevant matters including the matters mentioned in subsection 80W(6).

80ZA   Proceedings may be heard together

                   The Federal Court or Federal Magistrates Court may direct that 2 or more proceedings for civil penalty orders are to be heard together.

80ZB   Civil evidence and procedure rules for civil penalty orders

                   The Federal Court or Federal Magistrates Court must apply the rules of evidence and procedure for civil matters when hearing proceedings for a civil penalty order.

80ZC   Contravening a civil penalty provision is not an offence

                   A contravention of a civil penalty provision is not an offence.

Division 3 -- Civil proceedings and criminal proceedings

80ZD   Civil proceedings after criminal proceedings

                   The Federal Court or Federal Magistrates Court must not make a civil penalty order against an entity for a contravention of a civil penalty provision if the entity has been convicted of an offence constituted by conduct that is the same, or substantially the same, as the conduct constituting the contravention.

80ZE   Criminal proceedings during civil proceedings

             (1)  Proceedings for a civil penalty order against an entity for a contravention of a civil penalty provision are stayed if:

                     (a)  criminal proceedings are commenced or have already been commenced against the entity for an offence; and

                     (b)  the offence is constituted by conduct that is the same, or substantially the same, as the conduct alleged to constitute the contravention.

             (2)  The proceedings for the civil penalty order may be resumed if the entity is not convicted of the offence. Otherwise:

                     (a)  the proceedings are dismissed; and

                     (b)  costs must not be awarded in relation to the proceedings.

80ZF   Criminal proceedings after civil proceedings

                   Criminal proceedings may be commenced against an entity for conduct that is the same, or substantially the same, as conduct that would constitute a contravention of a civil penalty provision regardless of whether a civil penalty order has been made against the entity in relation to the contravention.

80ZG   Evidence given in proceedings for civil penalty order not admissible in criminal proceedings

             (1)  Evidence of information given, or evidence of production of documents, by an individual is not admissible in criminal proceedings against the individual if:

                     (a)  the individual previously gave the evidence or produced the documents in proceedings for a civil penalty order against the individual for an alleged contravention of a civil penalty provision (whether or not the order was made); and

                     (b)  the conduct alleged to constitute the offence is the same, or substantially the same, as the conduct alleged to constitute the contravention.

             (2)  However, subsection (1) does not apply to criminal proceedings in relation to the falsity of the evidence given by the individual in the proceedings for the civil penalty order.

190  After paragraph 82(2)(a)

Insert:

                    (aa)  the Privacy Commissioner (within the meaning of the Australian Information Commissioner Act 2010); and

191  Paragraph 82(2)(b)

Omit "6 other", substitute "8 other".

192  Subsection 82(3)

After "Commissioner", insert "and Privacy Commissioner (within the meaning of that Act)".

193  Paragraph 82(7)(a)

Repeal the paragraph, substitute:

                     (a)  at least one must be a person who has had at least 5 years' experience at a high level in industry or commerce; and

                    (aa)  at least one must be a person who has had at least 5 years' experience at a high level in public administration, or the service of a government or an authority of a government; and

                   (ab)  at least one must be a person who has had extensive experience in health privacy; and

194  Paragraph 82(7)(b)

Omit "shall", substitute "must".

195  At the end of paragraph 82(7)(b)

Add "and".

196  Paragraph 82(7)(c)

Repeal the paragraph, substitute:

                     (c)  at least one must be a person who has had extensive experience in information and communication technologies; and

197  Paragraphs 82(7)(d) and (e)

Omit "shall", substitute "must".

198  Paragraph 83(b)

Omit "guidelines", substitute "rules or guidelines".

199  Subsections 95(5), 95A(7) and 95AA(3)

Repeal the subsections.

200  After section 95C

Insert:

96   Review by the Administrative Appeals Tribunal

             (1)  An application may be made to the Administrative Appeals Tribunal for review of the following decisions of the Commissioner:

                     (a)  a decision under subsection 26H(1) not to register an APP code developed by an APP code developer;

                     (b)  a decision under subsection 26S(1) not to register a CR code developed by a CR code developer;

                     (c)  a decision under subsection 52(1) or (1A) to make a determination;

                     (d)  a decision under subsection 73(1A) to dismiss an application;

                     (e)  a decision under section 95 to refuse to approve the issue of guidelines;

                      (f)  a decision under subsection 95A(2) or (4) or 95AA(2) to refuse to approve guidelines;

                     (g)  a decision under subsection 95A(6) to revoke an approval of guidelines.

             (2)  An application under paragraph (1)(a) may only be made by the APP code developer that developed the APP code.

             (3)  An application under paragraph (1)(b) may only be made by the CR code developer that developed the CR code.

201  After section 98

Insert:

98A   Treatment of partnerships

             (1)  If, apart from this subsection, this Act would impose an obligation on a partnership, the obligation is imposed instead on each partner but may be discharged by any of the partners.

             (2)  If, apart from this subsection, an offence against this Act would be committed by a partnership, the offence is taken to have been committed by each partner.

             (3)  If, apart from this subsection, a partnership would contravene a civil penalty provision, the contravention is taken to have been committed by each partner.

             (4)  A partner does not commit an offence against this Act because of subsection (2), or contravene a civil penalty provision because of subsection (3), if the partner:

                     (a)  does not know of the circumstances that constitute the contravention of the provision concerned; or

                     (b)  knows of those circumstances but takes all reasonable steps to correct the contravention as soon as possible after the partner becomes aware of those circumstances.

Note:          In criminal proceedings, a defendant bears an evidential burden in relation to the matters in subsection (4) (see subsection 13.3(3) of the Criminal Code).

98B   Treatment of unincorporated associations

             (1)  If, apart from this subsection, this Act would impose an obligation on an unincorporated association, the obligation is imposed instead on each member of the association's committee of management but may be discharged by any of the members.

             (2)  If, apart from this subsection, an offence against this Act would be committed by an unincorporated association, the offence is taken to have been committed by each member of the association's committee of management.

             (3)  If, apart from this subsection, an unincorporated association would contravene a civil penalty provision, the contravention is taken to have been committed by each member of the association's committee of management.

             (4)  A member of an unincorporated association's committee of management does not commit an offence against this Act because of subsection (2), or contravene a civil penalty provision because of subsection (3), if the member:

                     (a)  does not know of the circumstances that constitute the contravention of the provision concerned; or

                     (b)  knows of those circumstances but takes all reasonable steps to correct the contravention as soon as possible after the member becomes aware of those circumstances.

Note:          In criminal proceedings, a defendant bears an evidential burden in relation to the matters in subsection (4) (see subsection 13.3(3) of the Criminal Code).

98C   Treatment of trusts

             (1)  If, apart from this subsection, this Act would impose an obligation on a trust, the obligation is imposed instead on each trustee of the trust but may be discharged by any of the trustees.

             (2)  If, apart from this subsection, an offence against this Act would be committed by a trust, the offence is taken to have been committed by each trustee of the trust.

             (3)  If, apart from this subsection, a trust would contravene a civil penalty provision, the contravention is taken to have been committed by each trustee of the trust.

             (4)  A trustee of a trust does not commit an offence against this Act because of subsection (2), or contravene a civil penalty provision because of subsection (3), if the trustee:

                     (a)  does not know of the circumstances that constitute the contravention of the provision concerned; or

                     (b)  knows of those circumstances but takes all reasonable steps to correct the contravention as soon as possible after the trustee becomes aware of those circumstances.

Note:          In criminal proceedings, a defendant bears an evidential burden in relation to the matters in subsection (4) (see subsection 13.3(3) of the Criminal Code).

202  Subsection 99A(1)

After "this Act", insert "or for a civil penalty order".

203  Subsection 99A(2)

After "this Act", insert "or proceedings for a civil penalty order".

204  Subsection 99A(3)

After "this Act", insert "or for a civil penalty order".

205  Subsection 99A(4)

After "this Act", insert "or proceedings for a civil penalty order".

206  Subsection 99A(9)

Repeal the subsection.