Victorian Bills Victorian Bills[Index] [Search] [Download] [Related Items] [Help]
This is a Bill, not an Act. For current law, see the Acts databases.
PARLIAMENT OF VICTORIA
Information Privacy Act 2000
Act No.
TABLE OF PROVISIONS
Clause Page
PART 1--PRELIMINARY 1
1. Purposes 1
2. Commencement 2
3. Definitions 2
4. Interpretative provisions 8
5. Objects of Act 9
6. Relationship of this Act to other laws 9
7. Nature of rights created by this Act 9
8. Act binds the Crown 10
PART 2--APPLICATION OF THIS ACT 11
Division 1--Public Sector Organisations 11
9. Application of Act 11
Division 2--Exemptions 13
10. Courts, tribunals, etc. 13
11. Publicly-available information 13
12. Freedom of Information Act 1982 14
13. Law enforcement 15
PART 3--INFORMATION PRIVACY 16
14. Information Privacy Principles 16
15. Application of IPPs 16
16. Organisations to comply with IPPs 16
17. Effect of outsourcing 18
PART 4--CODES OF PRACTICE 20
18. Codes of practice 20
19. Process for approval of code of practice or code variation 21
20. Organisations bound by code of practice 23
21. Effect of approved code 24
22. Codes of practice register 25
23. Revocation of approval 25
i
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Clause Page
24. Effect of revocation of approval or variation or expiry of
approved code 26
PART 5--COMPLAINTS 28
Division 1--Making a Complaint 28
25. Complaints 28
26. Complaint referred to Privacy Commissioner 29
27. Complaints by minors and people with an impairment 30
Division 2--Procedure after a Complaint is Made 31
28. Privacy Commissioner must notify respondent 31
29. Circumstances in which Privacy Commissioner may decline to
entertain complaint 31
30. Privacy Commissioner may dismiss stale complaint 33
31. Minister may refer a complaint direct to Tribunal 34
32. What happens if conciliation is inappropriate? 34
Division 3--Conciliation of Complaints 35
33. Conciliation process 35
34. Power to obtain information and documents 35
35. Conciliation agreements 37
36. Evidence of conciliation is inadmissible 38
37. What happens if conciliation fails? 38
Division 4--Interim orders 39
38. Tribunal may make interim orders before hearing 39
Division 5--Jurisdiction of the Tribunal 40
39. When may the Tribunal hear a complaint? 40
40. Who are the parties to a proceeding? 40
41. Time limits for certain complaints 41
42. Inspection of exempt documents by Tribunal 41
43. What may the Tribunal decide? 42
PART 6--ENFORCEMENT OF INFORMATION PRIVACY
PRINCIPLES 46
44. Compliance notice 46
45. Power to obtain information and documents 47
46. Power to examine witnesses 48
47. Protection against self-incrimination 48
48. Offence not to comply with compliance notice 49
49. Application for review 49
PART 7--PRIVACY COMMISSIONER 51
ii
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Clause Page
50. Privacy Commissioner 51
51. Remuneration and allowances 51
52. Terms and conditions of appointment 51
53. Vacancy, resignation 52
54. Suspension of Privacy Commissioner 52
55. Acting appointment 53
56. Validity of acts and decisions 53
57. Staff 54
58. Functions 54
59. Powers 57
60. Privacy Commissioner to have regard to certain matters 58
61. Delegation 58
62. Annual reports 58
63. Other reports 58
PART 8--GENERAL 60
64. Capacity to consent or make a request or exercise right of access 60
65. Failure to attend etc. before Privacy Commissioner 62
66. Protection from liability 63
67. Secrecy 64
68. Employees and agents 66
69. Charges for access 66
70. Offences by organisations or bodies 66
71. Prosecutions 67
72. Supreme Court--limitation of jurisdiction 67
73. Regulations 67
PART 9--AMENDMENT OF CERTAIN ACTS 68
74. Amendment of Parliamentary Committees Act 1968 68
75. Amendment of Magistrates' Court Act 1989 68
76. Amendment of Public Sector Management and Employment
Act 1998 68
77. Amendment of Victorian Civil and Administrative Tribunal
Act 1998 68
78. New section 15A inserted in Ombudsman Act 1973 70
79. New section 20B inserted in Ombudsman Act 1973 70
80. Amendment of Information Privacy Act 2000 70
__________________
SCHEDULES 71
SCHEDULE 1--The information privacy principles 71
iii
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Clause Page
SCHEDULE 2--Health information 80
NOTES 82
INDEX 83
iv
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
PARLIAMENT OF VICTORIA
Initiated in Assembly 24 May 2000
A BILL
to establish a regime for the responsible collection and handling of
personal information in the Victorian public sector, to amend the
Parliamentary Committees Act 1968, the Ombudsman Act 1973
and certain other Acts and for other purposes.
Information Privacy Act 2000
The Parliament of Victoria enacts as follows:
PART 1--PRELIMINARY
1. Purposes1
The main purposes of this Act are--
(a) to establish a regime for the responsible
5 collection and handling of personal
information in the Victorian public sector;
1
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 2
Act No.
(b) to provide individuals with rights of access
to information about them held by
organisations, including information held by
contracted service providers;
5 (c) to provide individuals with the right to
require an organisation to correct
information about them held by the
organisation, including information held by
contracted service providers;
10 (d) to provide remedies for interferences with
the information privacy of an individual;
(e) to provide for the appointment of a Privacy
Commissioner.
2. Commencement
15 (1) Subject to sub-section (2), this Act comes into
operation on a day or days to be proclaimed.
(2) If a provision referred to in sub-section (1) (except
section 80) does not come into operation before
1 September 2001, it comes into operation on that
20 day.
3. Definitions
In this Act--
"applicable code of practice", in relation to an
organisation, means an approved code of
25 practice by which the organisation is bound;
"approved code of practice" means a code of
practice approved under Part 4 as varied and
in operation for the time being;
"body" means body (whether incorporated or
30 not);
"child" means a person under the age of 18 years;
"code administrator", in relation to a code of
practice, means an independent code
2
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 3
Act No.
administrator appointed in accordance with
the code to whom complaints may be made
in accordance with the code alleging a
contravention of the code;
5 "Commonwealth-regulated organisation"
means an agency within the meaning of the
Privacy Act 1988 of the Commonwealth and
to which that Act applies;
"consent" means express consent or implied
10 consent;
"correct", in relation to personal information,
means alter that information by way of
amendment, deletion or addition;
"Council" has the same meaning as in the Local
15 Government Act 1989;
"disability" has the same meaning as in the
Disability Services Act 1991;
"enactment" means an Act or a Commonwealth
Act or an instrument of a legislative
20 character made under an Act or a
Commonwealth Act;
"Federal Privacy Commissioner" means the
Privacy Commissioner appointed under the
Privacy Act 1988 of the Commonwealth;
25 "generally available publication" means a
publication (whether in paper or electronic
form) that is generally available to members
of the public and includes information held
on a public register;
30 "illness" means a physical, mental or emotional
illness, and includes a suspected illness;
"individual" means a natural person;
3
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 3
Act No.
"Information Privacy Principle" means any of
the Information Privacy Principles set out in
Schedule 1;
"insolvent under administration" means--
5 (a) a person who is an undischarged
bankrupt; or
(b) a person for whom a debt agreement
has been made under Part IX of the
Bankruptcy Act 1966 of the
10 Commonwealth (or the corresponding
provisions of the law of another
jurisdiction) if the debt agreement has
not ended or has not been terminated;
or
15 (c) a person who has executed a deed of
arrangement under Part X of the
Bankruptcy Act 1966 of the
Commonwealth (or the corresponding
provisions of the law of another
20 jurisdiction) if the terms of the deed
have not been fully complied with; or
(d) a person whose creditors have accepted
a composition under Part X of the
Bankruptcy Act 1966 of the
25 Commonwealth (or the corresponding
provisions of the law of another
jurisdiction) if a final payment has not
been made under that composition;
"IPP" means Information Privacy Principle;
30 "law enforcement agency" means--
(a) the police force of Victoria or of any
other State or of the Northern Territory;
or
(b) the Australian Federal Police; or
4
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 3
Act No.
(c) the National Crime Authority; or
(d) the Commissioner appointed under
section 8A of the Corrections Act
1986; or
5 (e) the Business Licensing Authority
established under Part 2 of the
Business Licensing Authority Act
1998; or
(f) a commission established by a law of
10 Victoria or the Commonwealth or of
any other State or a Territory with the
function of investigating matters
relating to criminal activity generally or
of a specified class or classes; or
15 (g) an agency responsible for the
performance of functions or activities
directed to--
(i) the prevention, detection,
investigation, prosecution or
20 punishment of criminal offences
or breaches of a law imposing a
penalty or sanction for a breach;
or
(ii) the management of property
25 seized or restrained under laws
relating to the confiscation of the
proceeds of crime or the
enforcement of such laws, or of
orders made under such laws; or
30 (h) an agency responsible for the execution
or implementation of an order or
decision made by a court or tribunal,
including an agency that--
(i) executes warrants; or
5
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 3
Act No.
(ii) provides correctional services,
including a contractor within the
meaning of the Corrections Act
1986, or a sub-contractor of that
5 contractor, but only in relation to
a function or duty or the exercise
of a power conferred on it by or
under that Act; or
(iii) makes decisions relating to the
10 release of persons from custody;
or
(i) an agency responsible for the protection
of the public revenue under a law
administered by it;
15 "officer", in relation to a body corporate, has the
meaning given by section 82A of the
Corporations Law of Victoria;
"organisation" means a person or body that is an
organisation to which this Act applies by
20 force of Division 1 of Part 2;
"parent", in relation to a child, includes--
(a) a step-parent;
(b) an adoptive parent;
(c) a foster parent;
25 (d) a guardian;
(e) a person who has custody or daily care
and control--
of the child;
"personal information" means information or an
30 opinion (including information or an opinion
forming part of a database), whether true or
not, and whether recorded in a material form
or not, about an individual whose identity is
6
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 3
Act No.
apparent, or can reasonably be ascertained,
from the information or opinion, but does not
include information of a kind to which
Schedule 2 applies;
5 "personal privacy" means privacy of personal
information;
"Privacy Commissioner" means Privacy
Commissioner appointed under Part 7;
"public register" means a document held by a
10 public sector agency or a Council and open
to inspection by members of the public
(whether or not on payment of a fee) by
force of a provision made by or under an Act
other than the Freedom of Information Act
15 1982 or the Public Records Act 1973
containing information that--
(a) a person or body was required or
permitted to give to that public sector
agency or Council by force of a
20 provision made by or under an Act; and
(b) would be personal information if the
document were not a generally
available publication;
"public sector agency" means an Agency or
25 public authority within the meaning of the
Public Sector Management and
Employment Act 1998;
"State contract" means a contract between an
organisation and another person or body
30 (whether an organisation for the purposes of
this Act or not) under which services are to
be provided to one (the outsourcing
organisation) by the other (the contracted
service provider) in connection with the
35 performance of functions of the outsourcing
7
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 4
Act No.
organisation, including services that the
outsourcing organisation is to provide to
other persons or bodies;
"third party", in relation to personal
5 information, means a person or body other
than the organisation holding the information
and the individual to whom the information
relates;
"Tribunal" means Victorian Civil and
10 Administrative Tribunal established by the
Victorian Civil and Administrative
Tribunal Act 1998.
4. Interpretative provisions
(1) For the purposes of this Act, an organisation holds
15 personal information if the information is
contained in a document that is in the possession
or under the control of the organisation, whether
alone or jointly with other persons or bodies,
irrespective of where the document is situated,
20 whether in or outside Victoria.
(2) If a provision of this Act refers to an IPP by a
number, the reference is a reference to the IPP
designated by that number.
(3) A reference in this Act to a contracted service
25 provider is a reference to a person or body in the
capacity of contracted service provider and
includes a reference to a subcontractor of the
contracted service provider (or of another such
subcontractor) for the purposes (whether direct or
30 indirect) of the State contract.
(4) Without limiting section 37(a) of the
Interpretation of Legislation Act 1984, a
reference in this Act to an organisation using a
neuter pronoun includes a reference to an
8
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 5
Act No.
organisation that is a natural person, unless the
contrary intention appears.
5. Objects of Act
The objects of this Act are--
5 (a) to balance the public interest in the free flow
of information with the public interest in
protecting the privacy of personal
information in the public sector;
(b) to promote awareness of responsible
10 personal information handling practices in
the public sector;
(c) to promote the responsible and transparent
handling of personal information in the
public sector.
15 6. Relationship of this Act to other laws
(1) If a provision made by or under this Act is
inconsistent with a provision made by or under
any other Act that other provision prevails and the
provision made by or under this Act is (to the
20 extent of the inconsistency) of no force or effect.
(2) Without limiting sub-section (1), nothing in this
Act affects the operation of the Freedom of
Information Act 1982 or any right, privilege,
obligation or liability conferred or imposed under
25 that Act or any exemption arising under that Act.
7. Nature of rights created by this Act
(1) Nothing in this Act--
(a) gives rise to any civil cause of action; or
(b) without limiting paragraph (a), operates to
30 create in any person any legal right
enforceable in a court or tribunal--
9
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 8
Act No.
otherwise than in accordance with the procedures
set out in this Act.
(2) A contravention of this Act does not create any
criminal liability except to the extent expressly
5 provided by this Act.
8. Act binds the Crown
(1) This Act binds the Crown in right of Victoria and,
so far as the legislative power of the Parliament
permits, the Crown in all its other capacities.
10 (2) Nothing in this Act makes the Crown in any of its
capacities liable to be prosecuted for an offence.
_______________
10
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 9
Act No.
PART 2--APPLICATION OF THIS ACT
Division 1--Public Sector Organisations
9. Application of Act
(1) This Act applies to--
5 (a) a Minister;
(b) a Parliamentary Secretary, including the
Parliamentary Secretary of the Cabinet;
(c) a member of the Parliament of Victoria, but
only in relation to personal information
10 given by an organisation to him or her in his
or her capacity as a member of Parliament;
(d) a public sector agency;
(e) a Council;
(f) a body established or appointed for a public
15 purpose by or under an Act;
(g) a body established or appointed for a public
purpose by the Governor in Council, or by a
Minister, otherwise than under an Act;
(h) a person holding an office or position
20 established by or under an Act or to which
he or she was appointed by the Governor in
Council, or by a Minister, otherwise than
under an Act;
(i) a court or tribunal;
25 (j) the police force of Victoria;
(k) a contracted service provider, but only in
relation to its provision of services under a
State contract which contains a provision of
a kind referred to in section 17(2);
11
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 9
Act No.
(l) any other body that is declared, or to the
extent that it is declared, by an Order under
sub-section (2)(a) to be an organisation for
the purposes of this sub-section--
5 excluding any person or body that is a
Commonwealth-regulated organisation or
declared, or to the extent that it is declared, by an
Order under sub-section (2)(b) not to be an
organisation for the purposes of the relevant
10 paragraph of this sub-section.
(2) The Governor in Council may, by Order published
in the Government Gazette--
(a) declare a body to be, either wholly or to the
extent specified in the Order, an organisation
15 for the purposes of sub-section (1); or
(b) declare a body referred to in paragraph (f) or
(g) of sub-section (1), or a person holding an
office or position referred to in paragraph (h)
of sub-section (1), not to be an organisation
20 for the purposes of that paragraph, either
wholly or to the extent specified in the
Order.
(3) The Minister may only recommend to the
Governor in Council the making of an Order
25 under sub-section (2)(b) in respect of a body or
person if satisfied that the collection, holding,
management, use, disclosure and transfer by that
body or person of personal information is more
appropriately governed by another scheme
30 (whether contained in an enactment or given
legislative force by an enactment) which would
apply if that person or body were not an
organisation for the purposes of the relevant
paragraph of sub-section (1), either wholly or to
35 the extent specified in the Order.
12
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 10
Act No.
(4) A person or body to which this Act applies by
force of sub-section (1) is an organisation for the
purposes of this Act, either wholly or to the
relevant extent.
5 (5) This section is subject to Division 2.
Division 2--Exemptions
10. Courts, tribunals, etc.
Nothing in this Act or in any IPP applies in
respect of the collection, holding, management,
10 use, disclosure or transfer of personal
information--
(a) in relation to its or his or her judicial or
quasi-judicial functions, by--
(i) a court or tribunal; or
15 (ii) the holder of a judicial or quasi-judicial
office or other office pertaining to a
court or tribunal in his or her capacity
as the holder of that office; or
(b) in relation to those matters which relate to
20 the judicial or quasi-judicial functions of the
court or tribunal, by--
(i) a registry or other office of a court or
tribunal; or
(ii) the staff of such a registry or other
25 office in their capacity as members of
that staff.
11. Publicly-available information
(1) Nothing in this Act or in any IPP applies to a
document containing personal information, or to
30 the personal information contained in a document,
that is--
(a) a generally available publication; or
13
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 12
Act No.
(b) kept in a library, art gallery or museum for
the purposes of reference, study or
exhibition; or
(c) a public record under the control of the
5 Keeper of Public Records that is available
for public inspection in accordance with the
Public Records Act 1973; or
(d) archives within the meaning of the Copyright
Act 1968 of the Commonwealth.
10 (2) Sub-section (1) does not take away from
section 16(4) which imposes duties on a public
sector agency or a Council in administering a
public register.
12. Freedom of Information Act 1982
15 Nothing in IPP 6 or any applicable code of
practice modifying the application of IPP 6 or
prescribing how IPP 6 is to be applied or
complied with applies to--
(a) a document containing personal information,
20 or to the personal information contained in a
document, that is--
(i) a document of an agency within the
meaning of the Freedom of
Information Act 1982; or
25 (ii) an official document of a Minister
within the meaning of that Act--
and access can only be granted to that
document or information, and that
information can only be corrected, in
30 accordance with the procedures set out in,
and in the form required or permitted by, that
Act; or
14
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 13
Act No.
(b) a document containing personal information,
or to the personal information contained in a
document, to which access would not be
granted under the Freedom of Information
5 Act 1982 because of section 6 of that Act.
13. Law enforcement
It is not necessary for a law enforcement agency
to comply with IPP 1.3 to 1.5, 2.1, 6.1 to 6.8, 7.1
to 7.4, 9.1 or 10.1 if it believes on reasonable
10 grounds that the non-compliance is necessary--
(a) for the purposes of one or more of its, or any
other law enforcement agency's, law
enforcement functions or activities; or
(b) for the enforcement of laws relating to the
15 confiscation of the proceeds of crime; or
(c) in connection with the conduct of
proceedings commenced, or about to be
commenced, in any court or tribunal; or
(d) in the case of the police force of Victoria, for
20 the purposes of its community policing
functions.
_______________
15
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 14
Act No.
PART 3--INFORMATION PRIVACY
14. Information Privacy Principles
(1) The Information Privacy Principles are set out in
Schedule 1.
5 (2) Nothing in any Information Privacy Principle
affects the operation or extent of any exemption
arising under Division 2 of Part 2 and those
Principles must be construed accordingly.
(3) For the purposes of this Act, an act done or
10 practice engaged in by an organisation is an
interference with the privacy of an individual if,
and only if, the act or practice is contrary to, or
inconsistent with an Information Privacy Principle
or an applicable code of practice.
15 15. Application of IPPs
(1) IPP 1 and IPP 10 apply only in relation to
information collected on or after the
commencement of this section.
(2) The remaining Information Privacy Principles
20 apply in relation to all personal information,
whether collected by the organisation before or
after the commencement of this section.
16. Organisations to comply with IPPs
(1) On and from the first anniversary of the
25 commencement of section 15, an organisation
must not do an act, or engage in a practice, that
contravenes an Information Privacy Principle in
respect of personal information collected, held,
managed, used, disclosed or transferred by it.
30 (2) Sub-section (1) does not apply to the doing of an
act, or the engaging in of a practice, by an
organisation that, but for this sub-section, would
16
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 16
Act No.
constitute a contravention of an Information
Privacy Principle, if--
(a) the doing of the act or the engaging in of the
practice is necessary for the performance of
5 a contract to which the organisation is a
party entered into by the organisation before
26 May 2000; and
(b) the act is done or the practice is engaged in
before the second anniversary of the
10 commencement of section 15 or the end of
any extension of that period granted in
relation to that contract under sub-section
(3).
(3) On the application of an organisation before the
15 second anniversary of the commencement of
section 15 or before the expiry of any extension of
that period granted under this sub-section, the
Privacy Commissioner may grant an extension of
that period in relation to a specified contract if he
20 or she is of the opinion that the organisation is
doing its best--
(a) to comply with the IPPs consistent with its
obligations under the contract; and
(b) to seek to have the contract re-negotiated to
25 enable the organisation to comply fully with
the IPPs.
(4) A public sector agency or a Council must, in
administering a public register, so far as is
reasonably practicable not do an act or engage in a
30 practice that would contravene an Information
Privacy Principle in respect of information
collected, held, managed, used, disclosed or
transferred by it in connection with the
administration of the public register if that
35 information were personal information.
17
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 17
Act No.
17. Effect of outsourcing
(1) Subject to this section, the status or effect for the
purposes of this Act of an act or practice is not
affected by the existence or operation of a State
5 contract.
(2) A State contract may provide for the contracted
service provider to be bound by the Information
Privacy Principles and any applicable code of
practice with respect to any act done, or practice
10 engaged in, by the contracted service provider for
the purposes of the State contract in the same way
and to the same extent as the outsourcing
organisation would have been bound by them in
respect of that act or practice had it been directly
15 done or engaged in by the outsourcing
organisation.
(3) If a provision of a kind referred to in sub-section
(2) is in force under a State contract, the
Information Privacy Principles and any applicable
20 code of practice apply to an act done, or practice
engaged in, by the contracted service provider in
the same way and to the same extent as they
would have applied to the outsourcing
organisation in respect of that act or practice had
25 it been directly done or engaged in by the
outsourcing organisation.
(4) An act or practice that is an interference with the
privacy of an individual done or engaged in by a
contracted service provider for the purposes of the
30 State contract must, for the purposes of this Act
and any applicable code of practice, be taken to
have been done or engaged in by the outsourcing
organisation as well as the contracted service
provider unless--
35 (a) the outsourcing organisation establishes that
a provision of a kind referred to in sub-
18
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 17
Act No.
section (2) was in force under the State
contract at the relevant time in relation to the
act or practice; and
(b) the IPP or applicable code of practice to
5 which the act or practice is contrary, or with
which it is inconsistent, is capable of being
enforced against the contracted service
provider in accordance with the procedures
set out in this Act.
10 (5) Section 68(1) does not apply to an act done or
practice engaged in by a contracted service
provider acting within the scope of a State
contract.
_______________
15
19
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 18
Act No.
PART 4--CODES OF PRACTICE
18. Codes of practice
(1) An organisation can discharge its duty to comply
with an Information Privacy Principle in respect
5 of personal information collected, held, managed,
used, disclosed or transferred by it by complying
with a code of practice approved under this Part
and binding on the organisation.
(2) A code of practice may--
10 (a) modify the application of any one or more of
the Information Privacy Principles by
prescribing standards, whether or not in
substitution for any Information Privacy
Principle, that are at least as stringent as the
15 standards prescribed by the Information
Privacy Principle; or
(b) prescribe how any one or more of the
Information Privacy Principles are to be
applied, or are to be complied with.
20 (3) A code of practice may apply in relation to any
one or more of the following--
(a) any specified information or class of
information;
(b) any specified organisation or class of
25 organisation;
(c) any specified activity or class of activity;
(d) any specified industry, profession or calling
or class of industry, profession or calling.
(4) A code of practice may also--
30 (a) impose controls on an organisation that
matches data for the purpose of producing or
20
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 19
Act No.
verifying information about an identifiable
individual; or
(b) in relation to charging--
(i) set guidelines to be followed in
5 determining charges; or
(ii) prescribe circumstances in which no
charge may be imposed; or
(c) prescribe--
(i) procedures for dealing with complaints
10 alleging a contravention of the code,
including the appointment of an
independent code administrator to
whom complaints may be made; or
(ii) remedies available where a complaint is
15 substantiated; or
(d) provide for the review of the code by the
Privacy Commissioner; or
(e) provide for the expiry of the code.
(5) Sub-section (1) applies also to a public sector
20 agency or a Council in seeking to discharge its
duty to comply, so far as is reasonably practicable,
with an Information Privacy Principle in relation
to a public register as imposed by section 16(4)
and this Part has effect accordingly.
25 19. Process for approval of code of practice or code
variation
(1) An organisation may seek approval of a code of
practice, or of a variation of an approved code of
practice, by submitting the code or variation to the
30 Privacy Commissioner.
(2) The Governor in Council, on the recommendation
of the Minister acting on the advice received from
the Privacy Commissioner under sub-section (3),
21
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 19
Act No.
may by notice published in the Government
Gazette approve a code of practice or a variation
of an approved code of practice.
(3) The Privacy Commissioner may advise the
5 Minister to recommend to the Governor in
Council that a code of practice, or a variation of
an approved code of practice, be approved if in his
or her opinion--
(a) the code or variation is consistent with the
10 objects of this Act in relation to the personal
information to which the code applies; and
(b) the code of practice prescribes standards that
are at least as stringent as the standards
prescribed by the Information Privacy
15 Principles; and
(c) the code specifies the organisations bound
(either wholly or to a limited extent) by the
code or a way of determining the
organisations that are, or will be, bound
20 (either wholly or to a limited extent) by the
code; and
(d) only organisations that consent to be bound
by the code are, or will be, bound by the
code.
25 (4) Before deciding whether or not to advise the
Minister to recommend approval of a code of
practice or of a variation of an approved code of
practice, the Privacy Commissioner--
(a) may consult any person or body that the
30 Privacy Commissioner considers it
appropriate to consult; and
(b) must have regard to the extent to which
members of the public have been given an
opportunity to comment on the code or
35 variation.
22
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 20
Act No.
(5) A code of practice or variation comes into
operation at the beginning of--
(a) the day on which the notice of approval
under sub-section (2) is published in the
5 Government Gazette; or
(b) such later day as is expressed in that notice
as the day on which the code or variation
comes into operation.
20. Organisations bound by code of practice
10 (1) An approved code of practice binds--
(a) any organisation--
(i) that sought approval of it; or
(ii) that consents to be bound by the
approved code; and
15 (b) any organisation that, by notice in writing
given to the Privacy Commissioner, states
that it intends to be bound by the approved
code of practice as it is then in operation and
that is capable of applying to the
20 organisation.
(2) A notice under sub-section (1)(b) may indicate an
intention that the organisation be bound by the
approved code of practice--
(a) generally; or
25 (b) only in respect of specified information or a
specified class of information collected,
held, used or disclosed by it; or
(c) only in respect of any specified activity or
class of activity.
30 (3) A notice under sub-section (1)(b) has no effect
unless the Privacy Commissioner approves it.
23
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 21
Act No.
(4) The Privacy Commissioner may approve a notice
under sub-section (1)(b) if satisfied that the
approved code of practice is capable of applying
to the organisation to the extent set out in the
5 notice.
(5) An organisation is bound by an approved code of
practice--
(a) in the case of an organisation referred to in
sub-section (1)(a), on and from the coming
10 into operation of the code; and
(b) in the case of an organisation referred to in
sub-section (1)(b), on and from the date
expressed in the notice under that sub-
section as the date on and from which the
15 organisation will be bound by the code or the
date on which the organisation is notified of
the Privacy Commissioner's approval of the
notice, whichever is the later.
(6) An organisation bound by an approved code of
20 practice may, by notice in writing given to the
Privacy Commissioner, state that it intends to
cease to be bound by that code.
(7) An organisation ceases to be bound by an
approved code of practice on and from the date of
25 the notice under sub-section (6) or such later date
as is expressed in that notice as the date on and
from which the organisation will cease to be
bound by the code.
21. Effect of approved code
30 If an approved code of practice is in operation and
binding on an organisation, an act done, or
practice engaged in, by the organisation that
contravenes the code, even though that act or
practice would not otherwise contravene any
35 Information Privacy Principle, is, for the purposes
24
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 22
Act No.
of this Act, deemed to be a contravention of an
Information Privacy Principle and may be dealt
with as provided by that code and this Act.
22. Codes of practice register
5 (1) The Privacy Commissioner must cause a register
of all approved codes of practice to be established
and maintained and for that purpose may
determine the form of the register.
(2) A person may during business hours--
10 (a) inspect the register and any documents that
form part of it; or
(b) on the payment of any fee required by the
regulations, obtain a copy of any entry in, or
document forming part of, the register.
15 23. Revocation of approval
(1) The Governor in Council, on the recommendation
of the Minister acting on advice received from the
Privacy Commissioner under sub-section (3), may
by notice published in the Government Gazette
20 revoke the approval of a code of practice or of a
variation of an approved code of practice.
(2) The Privacy Commissioner may act under sub-
section (1) on his or her own initiative or on an
application for revocation made to him or her by
25 an individual or organisation.
(3) The Privacy Commissioner may advise the
Minister to recommend to the Governor in
Council that a code of practice, or a variation of
an approved code of practice, be revoked.
30 (4) Before deciding whether or not to advise the
Minister to recommend revocation of the approval
of a code of practice or of a variation of an
approved code of practice, the Privacy
Commissioner--
25
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 24
Act No.
(a) must consult the organisation that sought
approval of the code or variation and may
consult any other person or body that the
Privacy Commissioner considers it
5 appropriate to consult; and
(b) must have regard to the extent to which
members of the public have been given an
opportunity to comment on the proposed
revocation.
10 (5) An approved code of practice or approved
variation ceases to be in operation at the
beginning of--
(a) the day on which the notice of revocation
under sub-section (1) is published in the
15 Government Gazette; or
(b) such later day as is expressed in that notice
as the day on which the code or variation
ceases to be in operation.
24. Effect of revocation of approval or variation or expiry
20 of approved code
(1) The revocation of the approval of a code of
practice or of a variation of an approved code of
practice, or the expiry of an approved code of
practice, or the ceasing of an organisation to be
25 bound by a code of practice, does not--
(a) revive anything not in force or existing at the
time at which the revocation, expiry or
cessation becomes operative; or
(b) affect the previous operation of the code or
30 anything duly done or suffered under, or in
relation to, the code; or
(c) affect any right, privilege, obligation or
liability acquired, accrued or incurred under,
or in relation to, the code; or
26
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 24
Act No.
(d) affect any penalty incurred in respect of any
contravention of the code or in respect of any
offence against section 48(1) committed in
relation to a compliance notice issued
5 because of any contravention of the code; or
(e) affect any investigation, legal proceeding or
remedy in respect of any such right,
privilege, obligation, liability or penalty as is
mentioned in paragraphs (c) and (d)--
10 and any such investigation, legal proceeding or
remedy may be instituted, continued or enforced
and any such penalty may be imposed as if the
code or variation had not been revoked or the
code had not expired or the organisation had not
15 ceased to be bound by the code.
(2) Subject to sub-section (1), if a variation of an
approved code of practice is revoked, the code
takes effect without that variation as from the
beginning of the day on which the variation ceases
20 to be in operation in all respects as if the variation
had not been made.
(3) Nothing in this section prevents the application to
an organisation of an IPP (without any
modification) on and from the day on which an
25 applicable code of practice, that modified the
application of that IPP, ceases to be in operation.
_______________
27
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 25
Act No.
PART 5--COMPLAINTS
Division 1--Making a Complaint
25. Complaints
(1) An individual in respect of whom personal
5 information is, or has at any time been, held by an
organisation may complain to the Privacy
Commissioner about an act or practice that may
be an interference with the privacy of the
individual.
10 (2) A complaint may be made under sub-section (1)
if--
(a) there is no applicable code of practice in
relation to the holding of the information by
the organisation; or
15 (b) there is an applicable code of practice in
relation to the holding of the information by
the organisation but that code does not
provide for the appointment of a code
administrator to whom complaints may be
20 made; or
(c) there is an applicable code of practice in
relation to the holding of the information by
the organisation that provides for the
appointment of a code administrator and not
25 less than 45 days before complaining under
sub-section (1) the individual complained to
the code administrator in accordance with
the procedures set out in that code but has
received no response or a response that the
30 individual considers to be inadequate.
(3) In the case of an act or practice that may be an
interference with the privacy of 2 or more
individuals, any one of those individuals may
28
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 26
Act No.
make a complaint under sub-section (1) on behalf
of all of the individuals with their consent.
(4) A complaint must be in writing and lodged with
the Privacy Commissioner by hand, facsimile or
5 other electronic transmission or post.
(5) It is the duty of employees in the office of the
Privacy Commissioner to provide appropriate
assistance to an individual who wishes to make a
complaint and requires assistance to formulate the
10 complaint.
(6) The complaint must specify the respondent to the
complaint.
(7) If the organisation represents the Crown, the State
shall be the respondent.
15 (8) If the organisation does not represent the Crown
and--
(a) is a legal person, the organisation shall be
the respondent; or
(b) is an unincorporated body, the members of
20 the committee of management of the
organisation shall be the respondents.
(9) A failure to comply with sub-section (6) does not
render the complaint, or any step taken in relation
to it, a nullity.
25 26. Complaint referred to Privacy Commissioner
The Privacy Commissioner may treat a complaint
referred to him or her by the Ombudsman under
section 15A of the Ombudsman Act 1973 as if it
were a complaint made under section 25(1).
29
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 27
Act No.
27. Complaints by minors and people with an impairment
(1) A complaint may be made--
(a) by a child; or
(b) on behalf of a child by--
5 (i) a parent of the child; or
(ii) any other individual chosen by the
child or by a parent of the child; or
(iii) any other individual who, in the
opinion of the Privacy Commissioner,
10 has a sufficient interest in the subject-
matter of the complaint.
(2) A child who is capable of understanding the
general nature and effect of choosing an
individual to make a complaint on his or her
15 behalf may do so even if he or she is otherwise
incapable of exercising powers.
(3) If an individual is unable to complain because of
impairment, a complaint may be made on behalf
of that individual by--
20 (a) another individual authorised by that
individual to complain on his or her behalf;
or
(b) if that individual is unable to authorise
another individual, any other individual on
25 his or her behalf who, in the opinion of the
Privacy Commissioner, has a sufficient
interest in the subject-matter of the
complaint.
(4) In this section, "impairment" has the same
30 meaning as in the Equal Opportunity Act 1995.
30
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 28
Act No.
Division 2--Procedure after a Complaint is Made
28. Privacy Commissioner must notify respondent
The Privacy Commissioner must notify the
respondent in writing of the complaint as soon as
5 practicable after receiving it.
29. Circumstances in which Privacy Commissioner may
decline to entertain complaint
(1) The Privacy Commissioner may decline to
entertain a complaint made under section 25(1) by
10 notifying the complainant and the respondent in
writing to that effect within 90 days after the day
on which the complaint was lodged if the Privacy
Commissioner considers that--
(a) the act or practice about which the complaint
15 has been made is not an interference with the
privacy of an individual; or
(b) the act or practice is subject to an applicable
code of practice and all appropriate
mechanisms for seeking redress available
20 under that code have not been exhausted; or
(c) although a complaint has been made to the
Privacy Commissioner about the act or
practice, the complainant has not complained
to the respondent; or
25 (d) the complaint to the Privacy Commissioner
was made more than 45 days after the
complainant became aware of the act or
practice; or
(e) the complaint is frivolous, vexatious,
30 misconceived or lacking in substance; or
(f) the act or practice is the subject of an
application under another enactment and the
31
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 29
Act No.
subject matter of the complaint has been, or
is being, dealt with adequately under that
enactment; or
(g) the act or practice could be made the subject
5 of an application under another enactment
for a more appropriate remedy; or
(h) the complainant has complained to the
respondent about the act or practice and
either--
10 (i) the respondent has dealt, or is dealing,
adequately with the complaint; or
(ii) the respondent has not yet had an
adequate opportunity to deal with the
complaint; or
15 (i) the complaint was made under section 27, on
behalf of a child or a person with an
impairment, by an individual who has an
insufficient interest in the subject matter of
the complaint.
20 (2) A notice under sub-section (1) must state that the
complainant, by notice in writing given to the
Privacy Commissioner, may require the Privacy
Commissioner to refer the complaint to the
Tribunal for hearing under Division 5.
25 (3) If the act or practice could be made the subject of
an application under--
(a) the Privacy Act 1988 of the Commonwealth;
or
(b) the Ombudsman Act 1973--
30 the Privacy Commissioner may refer the
complaint to the Federal Privacy Commissioner or
the Ombudsman, as the case may be, and notify
the complainant and the respondent in writing of
the referral.
32
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 30
Act No.
(4) Before declining to entertain a complaint, the
Privacy Commissioner may, by notice in writing,
invite any person--
(a) to attend before the Privacy Commissioner,
5 or an employee in the office of the Privacy
Commissioner, for the purpose of discussing
the subject matter of the complaint; or
(b) to produce any documents specified in the
notice.
10 (5) Within 60 days after receiving the Privacy
Commissioner's notice declining to entertain a
complaint, the complainant, by notice in writing
given to the Privacy Commissioner, may require
him or her to refer the complaint to the Tribunal
15 for hearing under Division 5.
(6) The Privacy Commissioner must comply with a
notice under sub-section (5).
(7) If the complainant does not notify the Privacy
Commissioner under sub-section (5), the Privacy
20 Commissioner may dismiss the complaint.
(8) As soon as possible after a dismissal under sub-
section (7), the Privacy Commissioner must, by
written notice, notify the complainant and the
respondent of the dismissal.
25 (9) A complainant may take no further action under
this Act in relation to the subject matter of a
complaint dismissed under this section.
30. Privacy Commissioner may dismiss stale complaint
(1) The Privacy Commissioner may dismiss a
30 complaint if he or she has had no substantive
response from the complainant in the period of
90 days following a request by the Privacy
Commissioner for a response in relation to the
complaint.
33
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 31
Act No.
(2) As soon as possible after a dismissal under sub-
section (1), the Privacy Commissioner must, by
notice in writing, notify the complainant and the
respondent of the dismissal.
5 (3) A complainant may take no further action under
this Act in relation to the subject matter of a
complaint dismissed under this section.
31. Minister may refer a complaint direct to Tribunal
(1) If the Minister considers that the subject matter of
10 a complaint raises an issue of important public
policy, the Minister may refer the complaint
directly to the Tribunal for hearing under
Division 5, whether or not the Privacy
Commissioner has considered it or the complaint
15 is in the process of being conciliated.
(2) The Minister is not a party to a proceeding on a
complaint referred to the Tribunal under sub-
section (1) unless joined by the Tribunal.
32. What happens if conciliation is inappropriate?
20 (1) If the Privacy Commissioner does not consider it
reasonably possible that a complaint may be
conciliated successfully under Division 3, he or
she must notify the complainant and the
respondent in writing.
25 (2) A notice under sub-section (1) must state that the
complainant, by notice in writing given to the
Privacy Commissioner, may require the Privacy
Commissioner to refer the complaint to the
Tribunal for hearing under Division 5.
30 (3) Within 60 days after receiving the Privacy
Commissioner's notice under sub-section (1), the
complainant, by notice in writing given to the
Privacy Commissioner, may require him or her to
refer the complaint to the Tribunal for hearing
35 under Division 5.
34
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 33
34
Act No.
(4) The Privacy Commissioner must comply with a
notice under sub-section (3).
(5) If the complainant does not notify the Privacy
Commissioner under sub-section (3), the Privacy
5 Commissioner may dismiss the complaint.
(6) As soon as possible after a dismissal under sub-
section (5), the Privacy Commissioner must, by
written notice, notify the complainant and the
respondent of the dismissal.
10 (7) A complainant may take no further action under
this Act in relation to the subject matter of a
complaint dismissed under this section.
Division 3--Conciliation of Complaints
33. Conciliation process
15 (1) If the Privacy Commissioner considers it
reasonably possible that a complaint may be
conciliated successfully, he or she must make all
reasonable endeavours to conciliate the complaint.
(2) Sub-section (1) does not apply to a complaint--
20 (a) that the Privacy Commissioner has declined
to entertain under section 29 or dismissed
under section 30; or
(b) that the Minister has referred to the Tribunal
under section 31.
25 (3) The Privacy Commissioner may require a party to
attend a conciliation either personally or by a
representative who has authority to settle the
matter on behalf of the party.
34. Power to obtain information and documents
35
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Act No.
(1) If the Privacy Commissioner has reason to believe
that a person has information or a document
relevant to a conciliation under this Division, the
Privacy Commissioner may give to the person a
5 written notice requiring the person--
(a) to give the information to the Privacy
Commissioner in writing signed by the
person or, in the case of a body corporate, by
an officer of the body corporate; or
10 (b) to produce the document to the Privacy
Commissioner.
(2) If the Privacy Commissioner has reason to believe
that a person has information relevant to a
conciliation under this Division, the Privacy
15 Commissioner may give to the person a written
notice requiring the person to attend before the
Privacy Commissioner at a time and place
specified in the notice to answer questions
relevant to the complaint.
20 (3) The Privacy Commissioner is not entitled to
require an agency within the meaning of the
Freedom of Information Act 1982 or a Minister
to give any information if the Secretary to the
Department of Premier and Cabinet furnishes to
25 the Privacy Commissioner a certificate certifying
that the giving of that information (including in
answer to a question) would involve the
disclosure of information which, if included in a
document of the agency or an official document of
30 the Minister, would cause the document to be an
exempt document of a kind referred to in section
28(1) of the Freedom of Information Act 1982.
(4) The Privacy Commissioner may not conduct an
35 investigation in respect of a certificate under sub-
section (3) or question whether the information is
36
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 35
Act No.
of a kind referred to in section 28(1) of the
Freedom of Information Act 1982 or a decision
to sign such a certificate.
35. Conciliation agreements
5 (1) If, following conciliation, the parties to the
complaint reach agreement with respect to the
subject matter of the complaint--
(a) at the request of any party made within
30 days after agreement is reached, a written
10 record of the conciliation agreement is to be
prepared by the parties or the Privacy
Commissioner; and
(b) the record must be signed by or on behalf of
each party and certified by the Privacy
15 Commissioner; and
(c) the Privacy Commissioner must give each
party a copy of the signed and certified
record.
(2) Any party, after notifying in writing the other
20 party, may lodge a copy of the signed and
certified record with the Tribunal for registration.
(3) Subject to sub-section (4), the Tribunal must
register the record and give a certified copy of the
registered record to each party.
25 (4) If the Tribunal, constituted by a presidential
member, considers that it may not be practicable
to enforce, or to supervise compliance with, a
conciliation agreement, the Tribunal may refuse to
register the record of the agreement.
30 (5) On registration, the record must be taken to be an
order of the Tribunal in accordance with its terms
and may be enforced accordingly.
37
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 36
Act No.
(6) The refusal of the Tribunal to register the record
of a conciliation agreement does not affect the
validity of the agreement.
36. Evidence of conciliation is inadmissible
5 Evidence of anything said or done in the course of
a conciliation is not admissible in proceedings
before the Tribunal or any other legal proceedings
relating to the subject matter of the complaint,
unless all parties to the conciliation otherwise
10 agree.
37. What happens if conciliation fails?
(1) If the Privacy Commissioner has attempted
unsuccessfully to conciliate a complaint, he or she
must notify the complainant and the respondent in
15 writing.
(2) A notice under sub-section (1) must state that the
complainant, by notice in writing given to the
Privacy Commissioner, may require the Privacy
Commissioner to refer the complaint to the
20 Tribunal for hearing under Division 5.
(3) Within 60 days after receiving the Privacy
Commissioner's notice under sub-section (1), the
complainant, by notice in writing given to the
Privacy Commissioner, may require the Privacy
25 Commissioner to refer the complaint to the
Tribunal for hearing under Division 5.
(4) The Privacy Commissioner must comply with a
notice under sub-section (3).
(5) If the complainant does not notify the Privacy
30 Commissioner under sub-section (3), the Privacy
Commissioner may dismiss the complaint.
(6) As soon as possible after a dismissal under sub-
section (5), the Privacy Commissioner must, by
written notice, notify the complainant and the
35 respondent of the dismissal.
38
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 38
Act No.
(7) A complainant may take no further action under
this Act in relation to the subject matter of a
complaint dismissed under this section.
Division 4--Interim orders
5 38. Tribunal may make interim orders before hearing
(1) A complainant or a respondent or the Privacy
Commissioner may apply to the Tribunal for an
interim order to prevent any party to the complaint
from acting in a manner prejudicial to
10 negotiations or conciliation or to any decision or
order the Tribunal might subsequently make.
(2) An application may be made under sub-section (1)
at any time before the complaint is referred to the
Tribunal.
15 (3) In making an interim order, the Tribunal must
have regard to--
(a) whether or not the complainant has
established a prima facie case with respect to
the complaint; and
20 (b) any possible detriment or advantage to the
public interest in making the order; and
(c) any possible detriment to the complainant's
or the respondent's case if the order is not
made.
25 (4) An interim order applies for the period, not
exceeding 28 days, specified in it and may be
extended from time to time by the Tribunal.
(5) The party against whom the interim order is
sought is a party to the proceeding on an
30 application under sub-section (1).
(6) In making an interim order, the Tribunal--
39
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 39
40
Act No.
(a) may require any undertaking as to costs or
damages that it considers appropriate; and
(b) may make provision for the lifting of the
order if specified conditions are met.
5 (7) The Tribunal may assess any costs or damages
referred to in sub-section (6)(a).
(8) Nothing in this section affects or takes away from
the Tribunal's power under section 123 of the
Victorian Civil and Administrative Tribunal
10 Act 1998 to make orders of an interim nature in a
proceeding in the Tribunal in respect of a
complaint.
Division 5--Jurisdiction of the Tribunal
39. When may the Tribunal hear a complaint?
15 (1) The Tribunal may hear a complaint--
(a) referred to it by the Privacy Commissioner
under section 29, 32 or 37;
(b) referred to it by the Minister under
section 31.
20 (2) The Tribunal also has the jurisdiction conferred
by section 38.
(3) Where a certificate has been given in respect of a
document under section 34(3) or 45(3), the
powers of the Tribunal do not extend to reviewing
25 the decision to give the certificate and shall be
limited to determining whether a document has
been properly classified as an exempt document of
a kind referred to in section 28(1) of the Freedom
of Information Act 1982.
30 40. Who are the parties to a proceeding?
40
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Act No.
(1) The complainant and the respondent are parties to
a proceeding in respect of a complaint referred to
in section 39(1).
(2) The Privacy Commissioner is not a party to a
5 proceeding in respect of a complaint referred to in
section 39(1)(a) unless joined by the Tribunal.
41. Time limits for certain complaints
(1) The Tribunal must commence hearing a complaint
within 30 days after its referral to the Tribunal if
10 the complaint was referred to it by the Minister
under section 31.
(2) The Tribunal, constituted by a presidential
member, may extend the period of 30 days under
sub-section (1) by one further period of not more
15 than 30 days.
42. Inspection of exempt documents by Tribunal
(1) Subject to sub-section (2) and to any order made
by the Tribunal under section 51(2) of the
Victorian Civil and Administrative Tribunal
20 Act 1998, the Tribunal must do all things
necessary to ensure that--
(a) any document produced to the Tribunal in
proceedings under this Act that is claimed to
be an exempt document of a kind referred to
25 in section 28(1) of the Freedom of
Information Act 1982, or the contents of
that document, is not disclosed to any person
other than--
(i) a member of the Tribunal as constituted
30 for the proceedings; or
(ii) a member of the staff of the Tribunal in
the course of the performance of his or
her duties as a member of that staff; and
41
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 43
Act No.
(b) the document is returned to the respondent at
the conclusion of the proceedings.
(2) The Tribunal may make such orders as it thinks
necessary having regard to the nature of the
5 proceedings.
(3) If the applicant is represented by a qualified legal
practitioner, orders under sub-section (2) may
include an order that the contents of a document
produced to the Tribunal that is claimed to be an
10 exempt document be disclosed to that legal
practitioner.
(4) In making an order under sub-section (2), the
Tribunal must be guided by the principle that the
contents of a document that is claimed to be an
15 exempt document should not normally be
disclosed except in accordance with an order of
the Tribunal under section 51(2) of the Victorian
Civil and Administrative Tribunal Act 1998.
(5) If a complaint under section 39 relates to a
20 document or part of a document in relation to
which disclosure has been refused on the grounds
specified in section 28 of the Freedom of
Information Act 1982, the Tribunal may, if it
regards it as appropriate to do so, announce its
25 findings in terms which neither confirm nor deny
the existence of the document in question.
43. What may the Tribunal decide?
(1) After hearing the evidence and representations
that the parties to a complaint desire to adduce or
30 make, the Tribunal may--
(a) find the complaint or any part of it proven
and make any one or more of the following
orders--
(i) an order restraining the respondent, or
35 the organisation of which the
42
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 43
Act No.
respondents are members of the
committee of management, from
repeating or continuing any act or
practice the subject of the complaint
5 which the Tribunal has found to
constitute an interference with the
privacy of an individual;
(ii) an order that the respondent perform or
carry out any reasonable act or course
10 of conduct to redress any loss or
damage suffered by the complainant,
including injury to the complainant's
feelings or humiliation suffered by the
complainant, by reason of the act or
15 practice the subject of the complaint;
(iii) an order that the complainant is entitled
to a specified amount, not exceeding
$100 000, by way of compensation for
any loss or damage suffered by the
20 complainant, including injury to the
complainant's feelings or humiliation
suffered by the complainant, by reason
of the act or practice the subject of the
complaint;
25 (iv) if the act or practice the subject of the
complaint is subject to an approved
code of practice, an order that the code
administrator take specified steps in the
matter, which may include using
30 conciliation or mediation, securing an
apology or undertaking as to future
conduct from the respondent or the
payment of compensation, not
exceeding $100 000, by the respondent;
35 or
43
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 43
Act No.
(b) find the complaint or any part of it proven
but decline to take any further action in the
matter; or
(c) find the complaint or any part of it not
5 proven and make an order that the complaint
or part be dismissed; or
(d) in any case, make an order that the
complainant is entitled to a specified amount
to reimburse the complainant for expenses
10 reasonably incurred by the complainant in
connection with the making of the complaint
and the proceedings held in respect of it
under this Act.
(2) In an order under sub-paragraph (i) or (ii) of
15 paragraph (a) of sub-section (1) arising out of a
breach of IPP 6.5 or 6.6, the Tribunal may include
an order that--
(a) an organisation or respondent make an
appropriate correction to the personal
20 information; or
(b) an organisation or respondent attach to the
record of personal information a statement
provided by the complainant of a correction
sought by the complainant.
25 (3) If an order of the Tribunal relates to a public
register, the Privacy Commissioner must, as soon
as practicable after its making, report the order to
the Minister responsible for the public sector
agency or Council that administers that public
30 register.
(4) The Privacy Commissioner may include in a
report under sub-section (3) recommendations in
relation to any matter that concerns the need for,
or the desirability of, legislative or administrative
35 action in the interests of personal privacy.
44
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Act No.
_______________
45
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 44
Act No.
PART 6--ENFORCEMENT OF INFORMATION PRIVACY
PRINCIPLES
44. Compliance notice
(1) The Privacy Commissioner may serve a
5 compliance notice on an organisation, if it appears
to him or her that--
(a) the organisation has done an act or engaged
in a practice in contravention of an
Information Privacy Principle, including an
10 act or practice that is in contravention of an
applicable code of practice; and
(b) the act or practice--
(i) constitutes a serious or flagrant
contravention; or
15 (ii) is of a kind that has been done or
engaged in by the organisation on at
least 5 separate occasions within the
previous 2 years.
(2) A compliance notice requires the organisation to
20 take specified action within a specified period for
the purpose of ensuring compliance with the
Information Privacy Principle or applicable code
of practice.
(3) If the Privacy Commissioner is satisfied, on the
25 application of an organisation on which a
compliance notice is served, that it is not
reasonably possible to take the action specified in
the notice within the period specified in the
notice, the Privacy Commissioner may extend the
30 period specified in the notice on the giving to him
or her by the organisation of an undertaking to
take the specified action within the extended
period.
46
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 45
Act No.
(4) The Privacy Commissioner may only extend a
period under sub-section (3) if an application for
the extension is made before the period specified
in the notice expires.
5 (5) The Privacy Commissioner may act under sub-
section (1) on his or her own initiative or on an
application by an individual who was a
complainant under Part 5.
(6) In deciding whether or not to serve a compliance
10 notice, the Privacy Commissioner may have
regard to the extent to which the organisation has
complied with a decision of the Tribunal under
Division 5 of Part 5.
45. Power to obtain information and documents
15 (1) If the Privacy Commissioner has reason to believe
that a person has information or a document
relevant to a decision to serve a compliance notice
under section 44(1), the Privacy Commissioner
may give to the person a written notice requiring
20 the person--
(a) to give the information to the Privacy
Commissioner in writing signed by the
person or, in the case of a body corporate, by
an officer of the body corporate; or
25 (b) to produce the document to the Privacy
Commissioner.
(2) If the Privacy Commissioner has reason to believe
that a person has information relevant to a
decision to serve a compliance notice under
30 section 44(1), the Privacy Commissioner may give
to the person a written notice requiring the person
to attend before the Privacy Commissioner at a
time and place specified in the notice to answer
questions relevant to the decision.
47
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 46
Act No.
(3) The Privacy Commissioner is not entitled to
require an agency within the meaning of the
Freedom of Information Act 1982 or a Minister
to give any information if the Secretary to the
5 Department of Premier and Cabinet furnishes to
the Privacy Commissioner a certificate certifying
that the giving of that information (including in
answer to a question) would involve the
disclosure of information which, if included in a
10 document of the agency or an official document of
the Minister, would cause the document to be an
exempt document of a kind referred to in section
28(1) of the Freedom of Information Act 1982.
(4) The Privacy Commissioner may not conduct an
15 investigation in respect of a certificate under sub-
section (3) or question whether the information is
of a kind referred to in section 28(1) of the
Freedom of Information Act 1982 or a decision
to sign such a certificate.
20 46. Power to examine witnesses
(1) The Privacy Commissioner may administer an
oath or affirmation to a person required under
section 45(2) to attend before the Privacy
Commissioner and may examine the person on
25 oath or affirmation.
(2) The oath or affirmation to be taken or made by a
person for the purposes of this section is an oath
or affirmation that the answers the person will
give will be true.
30 47. Protection against self-incrimination
(1) It is a reasonable excuse for a natural person to
refuse or fail to give information or answer a
question or to produce a document when required
to do so under this Part if giving the information
35 or answering the question or producing the
document might tend to incriminate the person.
48
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 48
49
Act No.
(2) This section does not limit section 45(3).
48. Offence not to comply with compliance notice
(1) An organisation must comply with a compliance
notice served on it under section 44(1) that is in
5 effect.
Penalty: In the case of a body corporate,
3000 penalty units;
In any other case, 600 penalty units.
(2) A compliance notice served under section 44(1)
10 does not take effect--
(a) until the expiry of the period specified in the
notice; or
(b) until the expiry of any extended period fixed
under section 44(3); or
15 (c) until the expiry of the period within which an
application for review of the decision to
serve the notice may be made to the Tribunal
under section 49(1); or
(d) if an application is made under section 49(1)
20 for review of the decision to serve the notice,
unless and until the review has been
determined in favour of the Privacy
Commissioner--
whichever is the later.
25 (3) An offence against sub-section (1) is an indictable
offence.
49. Application for review
(1) An individual or organisation whose interests are
affected by a decision of the Privacy
49
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Act No.
Commissioner under section 44(1) to serve a
compliance notice may apply to the Tribunal for
review of the decision.
(2) An application for review must be made within
5 28 days after the later of--
(a) the day on which the decision is made; or
(b) if, under the Victorian Civil and
Administrative Tribunal Act 1998, the
individual or organisation requests a
10 statement of reasons for the decision, the day
on which the statement of reasons is given to
the individual or organisation or the
individual or organisation is informed under
section 46(5) of that Act that a statement of
15 reasons will not be given.
(3) The Privacy Commissioner is a party to a
proceeding on a review under this section.
_______________
50
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 50
Act No.
PART 7--PRIVACY COMMISSIONER
50. Privacy Commissioner
(1) There shall be a Privacy Commissioner who shall
be appointed by the Governor in Council.
5 (2) The Privacy Commissioner shall not be a member
of the Parliament of Victoria or of the
Commonwealth or of any other State or a
Territory.
51. Remuneration and allowances
10 The Privacy Commissioner is entitled to be paid
the remuneration and allowances that are
determined by the Governor in Council.
52. Terms and conditions of appointment
(1) Subject to this Part, the Privacy Commissioner
15 holds office for the period, not exceeding 7 years,
that is specified in the instrument of appointment
but is eligible for re-appointment.
(2) Subject to this Part, the Privacy Commissioner
holds office on the terms and conditions
20 determined by the Governor in Council.
(3) The Privacy Commissioner is entitled to leave of
absence as determined by the Governor in
Council.
(4) The Privacy Commissioner must not engage,
25 directly or indirectly, in paid employment outside
the duties of Privacy Commissioner.
(5) The Public Sector Management and
Employment Act 1998 does not apply to the
Privacy Commissioner in respect of the office of
30 Privacy Commissioner, except as provided in
section 16 of that Act.
51
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 53
Act No.
53. Vacancy, resignation
(1) The Privacy Commissioner ceases to hold office if
he or she--
(a) becomes an insolvent under administration;
5 or
(b) is convicted of an indictable offence or an
offence which, if committed in Victoria,
would be an indictable offence; or
(c) nominates for election for either House of
10 the Parliament of Victoria or of the
Commonwealth or of any other State or a
Territory.
(2) The Privacy Commissioner may resign by notice
in writing delivered to the Governor in Council.
15 54. Suspension of Privacy Commissioner
(1) The Governor in Council may suspend the Privacy
Commissioner from office.
(2) The Minister must cause to be laid before each
House of Parliament a full statement of the
20 grounds of suspension within 7 sitting days of that
House after the suspension.
(3) The Privacy Commissioner must be removed from
office by the Governor in Council if each House
of Parliament within 20 sitting days after the day
25 when the statement is laid before it declares by
resolution that the Privacy Commissioner ought to
be removed from office.
(4) The Governor in Council must remove the
suspension and restore the Privacy Commissioner
30 to office unless each House makes a declaration of
the kind specified in sub-section (3) within the
time specified in that sub-section.
52
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 55
Act No.
55. Acting appointment
(1) The Governor in Council may appoint a person to
act in the office of Privacy Commissioner--
(a) during a vacancy in that office; or
5 (b) during a period or all periods when the
person holding that office is absent from
duty or is, for any reason, unable to perform
the duties of the office.
(2) An appointment under sub-section (1) is for the
10 period, not exceeding 6 months, that is specified
in the instrument of appointment.
(3) A person is not eligible to be appointed under sub-
section (1) if the person is a member of the
Parliament of Victoria or of the Commonwealth or
15 of any other State or a Territory.
(4) The Governor in Council may at any time remove
the acting Privacy Commissioner from office.
(5) While a person is acting in the office of the
Privacy Commissioner in accordance with this
20 section, the person--
(a) has, and may exercise, all the powers and
must perform all the duties of that office
under this Act; and
(b) is entitled to be paid the remuneration and
25 allowances that the Privacy Commissioner
would have been entitled to for performing
those duties.
56. Validity of acts and decisions
An act or decision of the Privacy Commissioner
30 or acting Privacy Commissioner is not invalid
only because--
(a) of a defect or irregularity in or in connection
with his or her appointment; or
53
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 57
Act No.
(b) in the case of an acting Privacy
Commissioner, that the occasion for so
acting had not arisen or had ceased.
57. Staff
5 (1) There may be employed under Part 3 of the
Public Sector Management and Employment
Act 1998 any employees that are necessary for the
purposes of this Act.
(2) The Privacy Commissioner may engage as many
10 consultants as are required for the exercise of his
or her functions.
58. Functions
The functions of the Privacy Commissioner are--
(a) to promote an understanding and acceptance
15 of the Information Privacy Principles and of
the objects of those Principles;
(b) in accordance with Part 4, to consider at the
request of an organisation whether to advise
the Minister to recommend to the Governor
20 in Council the approval of a code of practice
(or of a variation of an approved code of
practice) in relation to that organisation;
(c) in accordance with Part 4, to consider at the
request of an individual or organisation, or
25 on his or her own initiative, whether to
advise the Minister to recommend to the
Governor in Council the revocation of the
approval of a code of practice or of a
variation of an approved code of practice;
30 (d) to issue guidelines in relation to the
development of codes of practice and
variations of a kind referred to in
paragraph (b);
54
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 58
Act No.
(e) to issue guidelines on procedures to be
adopted, consistent with the procedures
under the Freedom of Information Act
1982, where--
5 (i) the organisation holding the personal
information is an agency within the
meaning of that Act or a Minister; and
(ii) the personal information is contained in
a document of the agency, or an official
10 document of a Minister, within the
meaning of that Act;
(f) to publish model terms capable of being
adopted by an organisation in a contract or
arrangement with a recipient of personal
15 information being transferred by the
organisation outside Victoria;
(g) to examine the practice of an organisation
with respect to personal information
maintained by that organisation for the
20 purpose of ascertaining whether or not the
information is maintained according to the
Information Privacy Principles or any
applicable code of practice;
(h) subject to this Act, to receive complaints
25 about an act or practice of an organisation--
(i) that may contravene an Information
Privacy Principle; or
(ii) that may interfere with the privacy of
an individual or may otherwise have an
30 adverse effect on the privacy of an
individual--
and, if the Privacy Commissioner considers
it appropriate to do so, to endeavour, by
conciliation, to effect a settlement of the
35 matters that gave rise to the complaint;
55
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 58
Act No.
(i) to issue compliance notices under Part 6 and
to carry out an investigation for this purpose;
(j) to conduct or commission audits of records
of personal information maintained by an
5 organisation for the purpose of ascertaining
whether the records are maintained
according to the Information Privacy
Principles or any applicable code of practice;
(k) to monitor and report on the adequacy of
10 equipment and user safeguards;
(l) to examine and assess any proposed
legislation that would require or authorise
acts or practices of an organisation that may,
in the absence of the legislation, be
15 interferences with the privacy of an
individual or that may otherwise have an
adverse effect on the privacy of an
individual, and to report to the Minister the
results of the examination and assessment;
20 (m) to undertake research into, and to monitor
developments in, data processing and
computer technology (including data
matching and data linkage) to ensure that
any adverse effects of such developments on
25 personal privacy are minimised, and to
report to the Minister the results of the
research and monitoring;
(n) to make reports and recommendations to the
Minister, or the Minister responsible for a
30 public sector agency or a Council
administering a public register, in relation to
any matter that concerns the need for, or the
desirability of, legislative or administrative
action in the interests of personal privacy;
35 (o) for the purpose of promoting the protection
of personal privacy, to undertake educational
56
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 58
59
Act No.
programs on the Privacy Commissioner's
own behalf or in co-operation with other
persons or bodies whose functions concern
the protection of personal privacy;
5 (p) to make public statements in relation to any
matter affecting personal privacy or the
privacy of any class of individual;
(q) to receive and invite representations from
members of the public on any matter
10 affecting personal privacy;
(r) to consult and co-operate with other persons
and bodies concerned with personal privacy;
(s) to provide advice (with or without a request)
to any individual or organisation on any
15 matter relevant to the operation of this Act;
(t) to examine and assess (with or without a
request) the impact on personal privacy of
any act or practice, or proposed act or
practice, of an organisation;
20 (u) to make suggestions to any individual or
organisation in relation to any matter that
concerns the need for, or the desirability of,
action by that individual or organisation in
the interests of personal privacy;
25 (v) to gather information that, in the opinion of
the Privacy Commissioner, will assist the
Privacy Commissioner in carrying out his or
her functions under this Act;
(w) to review any approved code of practice,
30 whether or not expressly authorised to do so
by the code.
59. Powers
57
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Act No.
The Privacy Commissioner has power to do all
things that are necessary or convenient to be done
for or in connection with the performance of his or
her functions.
5 60. Privacy Commissioner to have regard to certain
matters
The Privacy Commissioner must have regard to
the objects of this Act in the performance of his or
her functions and the exercise of his or her powers
10 under this Act.
61. Delegation
(1) The Privacy Commissioner may, by instrument,
delegate to an employee referred to in
section 57(1) any of his or her powers under this
15 Act other than this power of delegation.
(2) The Privacy Commissioner may, by instrument,
delegate to any person any of his or her powers
under Division 3 of Part 5.
62. Annual reports
20 The Privacy Commissioner must each year
include the following information in the report of
operations of the office under Part 7 of the
Financial Management Act 1994--
(a) the number of audits of records of personal
25 information conducted under section 58(j)
during the preceding financial year; and
(b) the organisations in respect of which those
audits were conducted.
63. Other reports
30 (1) In addition to the report of operations under Part 7
of the Financial Management Act 1994, the
Privacy Commissioner may report to the Minister
on any act or practice that the Privacy
Commissioner considers to be an interference
58
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 63
Act No.
with the privacy of an individual, whether or not a
complaint has been made under section 25(1).
(2) The Minister may cause a copy of a report
referred to in sub-section (1) to be laid before
5 each House of the Parliament.
(3) The Privacy Commissioner may from time to
time, in the public interest, publish reports and
recommendations relating generally to the Privacy
Commissioner's functions under this Act or to any
10 matter investigated by the Privacy Commissioner,
whether or not the matters to be dealt with in any
such report have been the subject of a report to the
Minister.
_______________
15
59
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 64
Act No.
PART 8--GENERAL
64. Capacity to consent or make a request or exercise
right of access
(1) If an IPP or an applicable code of practice
5 requires the consent of an individual to the
collection, use or disclosure of personal
information or to the transfer of personal
information to someone who is outside Victoria,
the power to give that consent may be exercised
10 on behalf of an individual who is incapable of
giving consent by an authorised representative of
that individual, if the consent is reasonably
necessary for the lawful performance of functions
or duties or exercise of powers in respect of the
15 individual by the authorised representative.
(2) If an IPP or an applicable code of practice
empowers an individual to request access to, or
the correction of, personal information or confers
on an individual a right of access to personal
20 information, the power to make that request, or
the right of access, may be exercised--
(a) by the individual personally, except if the
individual is a child who is incapable of
making the request; and
25 (b) by an authorised representative of the
individual if--
(i) the individual is incapable of making
the request or exercising the right of
access; and
30 (ii) the personal information to be accessed
is reasonably necessary for the lawful
performance of functions or duties or
exercise of powers in respect of the
60
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 64
Act No.
individual by the authorised
representative.
(3) For the purposes of sub-sections (1) and (2), an
individual is incapable of giving consent, making
5 the request or exercising the right of access if he
or she is incapable by reason of age, injury,
disease, senility, illness, disability, physical
impairment or mental disorder of--
(a) understanding the general nature and effect
10 of giving the consent, making the request or
exercising the right of access (as the case
requires); or
(b) communicating the consent or refusal of
consent, making the request or personally
15 exercising the right of access (as the case
requires)--
despite the provision of reasonable assistance by
another individual.
(4) An authorised representative of an individual must
20 not give consent or request access to, or the
correction of, personal information if the
authorised representative knows or believes that
the consent or request does not accord with the
wishes expressed, and not changed or withdrawn,
25 by the individual before he or she became
incapable of giving consent or requesting access
and any purported consent given or request made
in those circumstances is void.
(5) An organisation may refuse a request by an
30 authorised representative of an individual for
access to the personal information of the
individual if the organisation reasonably believes
that access by the authorised representative may
endanger the individual.
61
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 65
Act No.
(6) In this section, "authorised representative", in
relation to an individual, means a person who is--
(a) a guardian of the individual; or
(b) an attorney for the individual under an
5 enduring power of attorney; or
(c) an agent for the individual within the
meaning of the Medical Treatment Act
1988; or
(d) an administrator or a person responsible
10 within the meaning of the Guardianship
and Administration Act 1986; or
(e) a parent of an individual, if the individual is
a child; or
(f) otherwise empowered under law to perform
15 any functions or duties or exercise powers as
an agent of or in the best interests of the
individual--
except to the extent that acting as an authorised
representative of the individual is inconsistent
20 with an order made by a court or tribunal.
65. Failure to attend etc. before Privacy Commissioner
A person must not, without reasonable excuse--
(a) refuse or fail--
(i) to attend before the Privacy
25 Commissioner; or
(ii) to be sworn or make an affirmation; or
(iii) to give information; or
(iv) to answer a question or produce a
document--
30 when so required by the Privacy
Commissioner under this Act; or
62
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 66
Act No.
(b) wilfully obstruct, hinder or resist the Privacy
Commissioner or an employee in the office
of the Privacy Commissioner or a delegate of
the Privacy Commissioner in--
5 (i) performing, or attempting to perform, a
function or duty under this Act; or
(ii) exercising, or attempting to exercise, a
power under this Act; or
(c) furnish information or make a statement to
10 the Privacy Commissioner knowing that it is
false or misleading in a material particular.
Penalty: 60 penalty units.
66. Protection from liability
(1) A person who lodges a complaint under
15 section 25(1) is not personally liable for any loss,
damage or injury suffered by another person by
reason only of the lodging of the complaint.
(2) A person who produces a document, or gives any
information or evidence, to the Privacy
20 Commissioner under this Act is not personally
liable for any loss, damage or injury suffered by
another person by reason only of that production
or giving.
(3) Sub-section (4) applies where--
25 (a) a person has been provided by an
organisation with access to personal
information; and
(b) the access was required by IPP 6 or an
applicable code of practice or the
30 organisation, or an employee or agent of the
organisation acting within the scope of his or
her actual or apparent authority, believed in
good faith that the access was required by
IPP 6 or an applicable code of practice.
63
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 67
Act No.
(4) The provision of access to personal information in
the circumstances referred to in sub-section (3)--
(a) is not to be regarded as making the
organisation, or any employee or agent of the
5 organisation, liable for defamation or breach
of confidence or guilty of a criminal offence
by reason only of the provision of access; or
(b) is not to be regarded as making any person
who provided the personal information to the
10 organisation liable for defamation or breach
of confidence in respect of any publication
involved in, or resulting from, the provision
of access by reason only of the provision of
access; or
15 (c) must not be taken for the purpose of the law
relating to defamation or breach of
confidence to constitute an authorisation or
approval of the publication of the
information by the person who is provided
20 with access to it.
(5) An organisation is not in breach of the
Information Privacy Principles or an applicable
code of practice by reason only of--
(a) collecting, using, disclosing or transferring
25 personal information; or
(b) providing access to personal information; or
(c) correcting personal information--
of an individual in response to a consent or
request by an authorised representative whose
30 consent or request is void by virtue of section
64(4).
67. Secrecy
(1) A person who is, or has been, the Privacy
Commissioner, an acting Privacy Commissioner, a
64
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 67
Act No.
delegate of the Privacy Commissioner, an
employee in the office of the Privacy
Commissioner or a consultant engaged by the
Privacy Commissioner must not, directly or
5 indirectly, make a record of, disclose or
communicate to any person any information
relating to the affairs of any individual or
organisation acquired in the performance of
functions or duties or the exercise of powers under
10 this Act, unless--
(a) it is necessary to do so for the purposes of, or
in connection with, the performance of a
function or duty or the exercise of a power
under this Act; or
15 (b) the individual or organisation to whom the
information relates gives written consent to
the making of the record, disclosure or
communication.
Penalty: 60 penalty units.
20 (2) Without limiting sub-section (1), the Privacy
Commissioner must not disclose or communicate
to any person, other than a person employed in the
office of the Privacy Commissioner, any
information given to the Privacy Commissioner
25 pursuant to a requirement made under Division 3
of Part 5 or Part 6 (including information
contained in a document required to be produced
to the Privacy Commissioner) unless he or she
has--
30 (a) notified the person from whom the
information was obtained of the proposal to
disclose or communicate that information;
and
(b) given that person a reasonable opportunity to
35 object to the disclosure or communication.
65
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 68
Act No.
68. Employees and agents
(1) Any act done or practice engaged in on behalf of
an organisation by an employee or agent of the
organisation acting within the scope of his or her
5 actual or apparent authority is to be taken, for the
purposes of this Act including a prosecution for an
offence against this Act, to have been done or
engaged in by the organisation and not by the
employee or agent unless the organisation
10 establishes that it took reasonable precautions and
exercised due diligence to avoid the act being
done or the practice being engaged in by its
employee or agent.
(2) If, for the purpose of investigating a complaint or
15 a proceeding for an offence against this Act, it is
necessary to establish the state of mind of an
organisation in relation to a particular act or
practice, it is sufficient to show--
(a) that the act was done or practice engaged in
20 by an employee or agent of the organisation
acting within the scope of his or her actual or
apparent authority; and
(b) that the employee or agent had that state of
mind.
25 69. Charges for access
An organisation may charge an individual the
prescribed fee for providing access to personal
information under this Act.
70. Offences by organisations or bodies
30 If this Act provides that an organisation or body is
guilty of an offence, that reference to an
organisation or body must, if the organisation or
body is unincorporated, be read as a reference to
66
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 71
Act No.
each member of the committee of management of
the organisation or body.
71. Prosecutions
(1) A proceeding for an offence against this Act may
5 only be brought by--
(a) a member of the police force; or
(b) the Privacy Commissioner; or
(c) a person authorised to do so, either generally
or in a particular case, by the Privacy
10 Commissioner.
(2) In a proceeding for an offence against this Act it
must be presumed, in the absence of evidence to
the contrary, that the person bringing the
proceeding was authorised to bring it.
15 72. Supreme Court--limitation of jurisdiction
It is the intention of section 7 to alter or vary
section 85 of the Constitution Act 1975.
73. Regulations
(1) The Governor in Council may make regulations
20 for or with respect to any matter or thing required
or permitted by this Act to be prescribed or
necessary to be prescribed to give effect to this
Act.
(2) Without limiting sub-section (1), the Governor in
25 Council may make regulations prescribing fees for
providing access to personal information under
this Act.
_______________
67
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 74
Act No.
PART 9--AMENDMENT OF CERTAIN ACTS
74. Amendment of Parliamentary Committees Act 1968
In section 4D(a) of the Parliamentary
Committees Act 1968, after sub-paragraph (iii)
5 insert--
"(iiia) unduly requires or authorises acts or
practices that may have an adverse effect on
personal privacy within the meaning of the
Information Privacy Act 2000; or".
10 75. Amendment of Magistrates' Court Act 1989
In Schedule 4 to the Magistrates' Court Act
1989, after item 38 insert--
"39. Non-compliance with compliance notice
Offences under section 48(1) of the
15 Information Privacy Act 2000.".
76. Amendment of Public Sector Management and
Employment Act 1998
In section 16(1) of the Public Sector
Management and Employment Act 1998, after
20 paragraph (h) insert--
"(i) the Privacy Commissioner in relation to the
office of the Privacy Commissioner.".
77. Amendment of Victorian Civil and Administrative
Tribunal Act 1998
25 In Schedule 1 to the Victorian Civil and
Administrative Tribunal Act 1998, after Part 11
insert--
30
68
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 77
Act No.
"PART 11A--INFORMATION PRIVACY ACT
2000
40A. Intervention by Privacy Commissioner
The Privacy Commissioner may intervene at
5 any time in a proceeding under the
Information Privacy Act 2000.
40B. Notification in other proceedings
(1) If an application is made under section 38
(interim order) or a referral under section 31
10 (Minister's referral) of the Information
Privacy Act 2000, the principal registrar
must notify the Privacy Commissioner.
(2) Sub-clause (1) does not apply in the case of
an application by the Privacy Commissioner
15 under section 38 of the Information Privacy
Act 2000.
40C. Privacy Commissioner may apply for
interim injunction
The Privacy Commissioner may apply for an
20 order granting an interim injunction under
section 123 in a proceeding under the
Information Privacy Act 2000 whether or
not he or she is a party to that proceeding.
40D. Compulsory conference
25 The presiding member at a compulsory
conference in a proceeding under the
Information Privacy Act 2000 may refer
any matter to the Privacy Commissioner for
investigation, negotiation or conciliation.
30 40E. Settlement offers
Sections 112 to 115 do not apply to a
proceeding under the Information Privacy
Act 2000.".
69
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
s. 78
Act No.
78. New section 15A inserted in Ombudsman Act 1973
In the Ombudsman Act 1973, after section 15
insert--
"15A. Referral of complaint
5 If the complaint could be made the subject of
an application under the Information
Privacy Act 2000, the Ombudsman may
refer the complaint to the Privacy
Commissioner and notify the complainant
10 and the respondent in writing of the
referral.".
79. New section 20B inserted in Ombudsman Act 1973
In the Ombudsman Act 1973, after section 20A
insert--
15 "20B. Communication of information to the
Privacy Commissioner
The Ombudsman or the Acting Ombudsman
may communicate to the Privacy
Commissioner appointed under the
20 Information Privacy Act 2000 any
information obtained or received in the
course or as a result of the exercise of the
functions of the Ombudsman under this Act,
being information relevant to the
25 performance of functions or duties by the
Privacy Commissioner.".
80. Amendment of Information Privacy Act 2000
In section 3 of the Information Privacy Act
2000, in the definition of "Commonwealth-
30 regulated organisation" after "agency" insert
", or an organisation, ".
__________________
70
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 1
Act No.
SCHEDULES
SCHEDULE 1
THE INFORMATION PRIVACY PRINCIPLES
In these Principles--
5 "unique identifier" means an identifier (usually a number)
assigned by an organisation to an individual uniquely to
identify that individual for the purposes of the operations of
the organisation but does not include an identifier that
consists only of the individual's name;
10 "sensitive information" means information or an opinion about
an individual's--
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
15 (iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual preferences or practices; or
20 (ix) criminal record--
that is also personal information;
1. Principle 1--Collection
1.1 An organisation must not collect personal information
unless the information is necessary for one or more of its
25 functions or activities.
1.2 An organisation must collect personal information only by
lawful and fair means and not in an unreasonably intrusive
way.
1.3 At or before the time (or, if that is not practicable, as soon as
30 practicable after) an organisation collects personal
information about an individual from the individual, the
71
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 1
Act No.
organisation must take reasonable steps to ensure that the
individual is aware of--
(a) the identity of the organisation and how to contact it;
and
5 (b) the fact that he or she is able to gain access to the
information; and
(c) the purposes for which the information is collected;
and
(d) to whom (or the types of individuals or organisations
10 to which) the organisation usually discloses
information of that kind; and
(e) any law that requires the particular information to be
collected; and
(f) the main consequences (if any) for the individual if all
15 or part of the information is not provided.
1.4 If it is reasonable and practicable to do so, an organisation
must collect personal information about an individual only
from that individual.
1.5 If an organisation collects personal information about an
20 individual from someone else, it must take reasonable steps
to ensure that the individual is or has been made aware of
the matters listed in IPP 1.3 except to the extent that making
the individual aware of the matters would pose a serious
threat to the life or health of any individual.
25 2. Principle 2--Use and Disclosure
2.1 An organisation must not use or disclose personal
information about an individual for a purpose (the
secondary purpose) other than the primary purpose of
collection unless--
30 (a) both of the following apply--
(i) the secondary purpose is related to the primary
purpose of collection and, if the personal
information is sensitive information, directly
related to the primary purpose of collection;
35 (ii) the individual would reasonably expect the
organisation to use or disclose the information
for the secondary purpose; or
(b) the individual has consented to the use or disclosure;
or
72
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 1
Act No.
(c) if the use or disclosure is necessary for research, or
the compilation or analysis of statistics, in the public
interest, other than for publication in a form that
identifies any particular individual--
5 (i) it is impracticable for the organisation to seek
the individual's consent before the use or
disclosure; and
(ii) in the case of disclosure--the organisation
reasonably believes that the recipient of the
10 information will not disclose the information;
or
(d) the organisation reasonably believes that the use or
disclosure is necessary to lessen or prevent--
(i) a serious and imminent threat to an individual's
15 life, health, safety or welfare; or
(ii) a serious threat to public health, public safety,
or public welfare; or
(e) the organisation has reason to suspect that unlawful
activity has been, is being or may be engaged in, and
20 uses or discloses the personal information as a
necessary part of its investigation of the matter or in
reporting its concerns to relevant persons or
authorities; or
(f) the use or disclosure is required or authorised by or
25 under law; or
(g) the organisation reasonably believes that the use or
disclosure is reasonably necessary for one or more of
the following by or on behalf of a law enforcement
agency--
30 (i) the prevention, detection, investigation,
prosecution or punishment of criminal offences
or breaches of a law imposing a penalty or
sanction;
(ii) the enforcement of laws relating to the
35 confiscation of the proceeds of crime;
(iii) the protection of the public revenue;
(iv) the prevention, detection, investigation or
remedying of seriously improper conduct;
73
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 1
Act No.
(v) the preparation for, or conduct of, proceedings
before any court or tribunal, or implementation
of the orders of a court or tribunal; or
(h) the Australian Security Intelligence Organization
5 (ASIO) or the Australian Secret Intelligence Service
(ASIS), in connection with its functions, has
requested the organisation to disclose the personal
information and--
(i) the disclosure is made to an officer or employee
10 of ASIO or ASIS (as the case requires)
authorised in writing by the Director-General
of ASIO or ASIS (as the case requires) to
receive the disclosure; and
(ii) an officer or employee of ASIO or ASIS (as the
15 case requires) authorised in writing by the
Director-General of ASIO or ASIS (as the case
requires) for the purposes of this paragraph has
certified that the disclosure would be connected
with the performance by ASIO or ASIS (as the
20 case requires) of its functions.
2.2 If an organisation uses or discloses personal information
under paragraph 2.1(g), it must make a written note of the
use or disclosure.
3. Principle 3--Data Quality
25 3.1 An organisation must take reasonable steps to make sure
that the personal information it collects, uses or discloses is
accurate, complete and up to date.
4. Principle 4--Data Security
4.1 An organisation must take reasonable steps to protect the
30 personal information it holds from misuse and loss and from
unauthorised access, modification or disclosure.
4.2 An organisation must take reasonable steps to destroy or
permanently de-identify personal information if it is no
longer needed for any purpose.
35 5. Principle 5--Openness
5.1 An organisation must set out in a document clearly
expressed policies on its management of personal
information. The organisation must make the document
available to anyone who asks for it.
74
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 1
Act No.
5.2 On request by a person, an organisation must take
reasonable steps to let the person know, generally, what sort
of personal information it holds, for what purposes, and how
it collects, holds, uses and discloses that information.
5 6. Principle 6--Access and Correction
6.1 If an organisation holds personal information about an
individual, it must provide the individual with access to the
information on request by the individual, except to the
extent that--
10 (a) providing access would pose a serious and imminent
threat to the life or health of any individual; or
(b) providing access would have an unreasonable impact
on the privacy of other individuals; or
(c) the request for access is frivolous or vexatious; or
15 (d) the information relates to existing legal proceedings
between the organisation and the individual, and the
information would not be accessible by the process of
discovery or subpoena in those proceedings; or
(e) providing access would reveal the intentions of the
20 organisation in relation to negotiations with the
individual in such a way as to prejudice those
negotiations; or
(f) providing access would be unlawful; or
(g) denying access is required or authorised by or under
25 law; or
(h) providing access would be likely to prejudice an
investigation of possible unlawful activity; or
(i) providing access would be likely to prejudice--
(i) the prevention, detection, investigation,
30 prosecution or punishment of criminal offences
or breaches of a law imposing a penalty or
sanction; or
(ii) the enforcement of laws relating to the
confiscation of the proceeds of crime; or
35 (iii) the protection of public revenue; or
(iv) the prevention, detection, investigation or
remedying of seriously improper conduct; or
75
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 1
Act No.
(v) the preparation for, or conduct of, proceedings
before any court or tribunal, or implementation
of its orders--
by or on behalf of a law enforcement agency; or
5 (j) ASIO, ASIS or a law enforcement agency performing
a lawful security function asks the organisation not to
provide access to the information on the basis that
providing access would be likely to cause damage to
the security of Australia.
10 6.2 However, where providing access would reveal evaluative
information generated within the organisation in connection
with a commercially sensitive decision-making process, the
organisation may give the individual an explanation for the
commercially sensitive decision rather than direct access to
15 the information.
6.3 If the organisation is not required to provide the individual
with access to the information because of one or more of
paragraphs 6.1(a) to (j) (inclusive), the organisation must, if
reasonable, consider whether the use of mutually agreed
20 intermediaries would allow sufficient access to meet the
needs of both parties.
6.4 If an organisation charges for providing access to personal
information, the organisation--
(a) must advise an individual who requests access to
25 personal information that the organisation will
provide access on the payment of the prescribed fee;
and
(b) may refuse access to the personal information until
the fee is paid.
30 6.5 If an organisation holds personal information about an
individual and the individual is able to establish that the
information is not accurate, complete and up to date, the
organisation must take reasonable steps to correct the
information so that it is accurate, complete and up to date.
35 6.6 If the individual and the organisation disagree about
whether the information is accurate, complete and up to
date, and the individual asks the organisation to associate
with the information a statement claiming that the
information is not accurate, complete or up to date, the
40 organisation must take reasonable steps to do so.
76
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 1
Act No.
6.7 An organisation must provide reasons for denial of access or
a refusal to correct personal information.
6.8 If an individual requests access to, or the correction of,
personal information held by an organisation, the
5 organisation must--
(a) provide access, or reasons for the denial of access; or
(b) correct the personal information, or provide reasons
for the refusal to correct the personal information; or
(c) provide reasons for the delay in responding to the
10 request for access to or for the correction of personal
information--
as soon as practicable, but no later than 45 days after
receiving the request.
7. Principle 7--Unique Identifiers
15 7.1 An organisation must not assign unique identifiers to
individuals unless the assignment of unique identifiers is
necessary to enable the organisation to carry out any of its
functions efficiently.
7.2 An organisation must not adopt as its own unique identifier
20 of an individual a unique identifier of the individual that has
been assigned by another organisation unless--
(a) it is necessary to enable the organisation to carry out
any of its functions efficiently; or
(b) it has obtained the consent of the individual to the use
25 of the unique identifier; or
(c) it is an outsourcing organisation adopting the unique
identifier created by a contracted service provider in
the performance of its obligations to the organisation
under a State contract.
30 7.3 An organisation must not use or disclose a unique identifier
assigned to an individual by another organisation unless--
(a) the use or disclosure is necessary for the organisation
to fulfil its obligations to the other organisation; or
(b) one or more of paragraphs 2.1(d) to 2.1(g) applies to
35 the use or disclosure; or
(c) it has obtained the consent of the individual to the use
or disclosure.
77
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 1
Act No.
7.4 An organisation must not require an individual to provide a
unique identifier in order to obtain a service unless the
provision of the unique identifier is required or authorised
by law or the provision is in connection with the purpose (or
5 a directly related purpose) for which the unique identifier
was assigned.
8. Principle 8--Anonymity
8.1 Wherever it is lawful and practicable, individuals must have
the option of not identifying themselves when entering
10 transactions with an organisation.
9. Principle 9--Transborder Data Flows
9.1 An organisation may transfer personal information about an
individual to someone (other than the organisation or the
individual) who is outside Victoria only if--
15 (a) the organisation reasonably believes that the recipient
of the information is subject to a law, binding scheme
or contract which effectively upholds principles for
fair handling of the information that are substantially
similar to the Information Privacy Principles; or
20 (b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a
contract between the individual and the organisation,
or for the implementation of pre-contractual measures
taken in response to the individual's request; or
25 (d) the transfer is necessary for the conclusion or
performance of a contract concluded in the interest of
the individual between the organisation and a third
party; or
(e) all of the following apply--
30 (i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the
individual to that transfer;
(iii) if it were practicable to obtain that consent, the
individual would be likely to give it; or
35 (f) the organisation has taken reasonable steps to ensure
that the information which it has transferred will not
be held, used or disclosed by the recipient of the
information inconsistently with the Information
Privacy Principles.
78
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 1
Act No.
10. Principle 10--Sensitive Information
10.1 An organisation must not collect sensitive information about
an individual unless--
(a) the individual has consented; or
5 (b) the collection is required under law; or
(c) the collection is necessary to prevent or lessen a
serious and imminent threat to the life or health of any
individual, where the individual whom the
information concerns--
10 (i) is physically or legally incapable of giving
consent to the collection; or
(ii) physically cannot communicate consent to the
collection; or
(d) the collection is necessary for the establishment,
15 exercise or defence of a legal or equitable claim.
10.2 Despite IPP 10.1, an organisation may collect sensitive
information about an individual if--
(a) the collection--
(i) is necessary for research, or the compilation or
20 analysis of statistics, relevant to government
funded targeted welfare or educational services;
or
(ii) is of information relating to an individual's
racial or ethnic origin and is collected for the
25 purpose of providing government funded
targeted welfare or educational services; and
(b) there is no reasonably practicable alternative to
collecting the information for that purpose; and
(c) it is impracticable for the organisation to seek the
30 individual's consent to the collection.
79
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 2
Act No.
SCHEDULE 2
HEALTH INFORMATION
1. Health Information
This Schedule applies to--
5 (a) information or an opinion about--
(i) the physical, mental or psychological health of
an individual; or
(ii) a disability (at any time) of an individual; or
(iii) an individual's expressed wishes about the
10 future provision of health services to him or
her; or
(iv) a health service provided, or to be provided, to
an individual--
that is also personal information; or
15 (b) other personal information collected to provide, or in
providing, a health service; or
(c) other personal information about an individual
collected in connection with the donation, or intended
donation, by the individual of his or her body parts,
20 organs or body substances--
but does not include personal information, or a class of
personal information or personal information contained in a
class of documents, that is prescribed not to be information
of a kind to which this Schedule applies.
25 2. Definitions
For the purposes of this Schedule--
"health service" means--
(a) an activity performed in relation to an
individual that is intended or claimed
30 (expressly or otherwise) by the individual or
the person performing it--
(i) to assess, record, maintain or improve the
individual's health; or
80
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Sch. 2
Act No.
(ii) to diagnose the individual's illness or
disability; or
(iii) to treat the individual's illness or
disability or suspected illness or
5 disability; or
(b) a disability, palliative care or aged care service;
or
(c) the dispensing on prescription of a drug or
medicinal preparation by a pharmacist--
10 but does not include a health service or a class of
health service, that is prescribed as an exempt health
service;
"individual" means a natural person in respect of whom
health information is, or has at any time been, held by
15 an organisation.
81
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Notes
Act No.
NOTES
1
The index attached to this Act does not form part of this Act and is
provided for convenience of reference only.
By Authority. Government Printer for the State of Victoria.
82
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Index
Act No.
INDEX
Subject Section
Act
amendments to other Acts 74ญ79
application 9
commencement 2
Crown bound by 8
interpretative provisions 4
nature of rights created by 7
objects 5
other laws prevail if inconsistency 6
purposes 1
Codes of practice
approval 19, 21
description and scope 18
cessation of operation 20, 23, 24
commencement of operation 19, 20
contravention of 44, 48
expiry 24
organisations bound by 20
register 22
revocation of approval 23, 24
variations 19, 24
Complaints
by minors or people with impairment 27
Commissioner's power to decline to entertain 29
conciliation 33ญ37
dismissal of 29, 30, 32, 37
inappropriateness of conciliation 32
interim orders 38
jurisdiction of Tribunal regarding 39ญ43
making of 25
notification of respondents 28
procedure for dealing with 28ญ32
referral to Ombudsman 29
referral to Privacy Commissioner 26
referral to Tribunal 29, 31, 32, 37
stale complaints 30
time limits 41
44
Compliance notices
non-compliance with 48
review of decision to serve 49
Conciliation
agreements 35
failure 37
inadmissability of evidence 36
inappropriateness 32
obtaining relevant information and documents 34
process 33
83
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Notes
Act No.
Subject Section
registration of record with Tribunal 35
Contracted service providers
bound by IPPs and codes of practice 17
interpretation of references to 4
Courts
exemption from provisions of Act 10
Definitions
applicable code of practice 3
approved code of practice 3
body 3
child 3
code administrator 3
Commonwealth-regulated organisation 3
consent 3
correct 3
Council 3
disability 3
enactment 3
Federal Privacy Commissioner 3
generally available publication 3
health service Sch. 2
illness 3
individual 3, Sch. 2
Information Privacy Principle 3
insolvent under administration 3
IPP 3
law enforcement agency 3
officer 3
organisation 3
parent 3
personal information 3
personal privacy 3
Privacy Commissioner 3
public register 3
public sector agency 3
sensitive information Sch. 1
State contract 3
third party 3
Tribunal 3
unique identifier Sch. 1
10ญ13
Exemptions
Fees
for access to personal information 69
for inspecting codes of practice register 22
Freedom of Information Act 1982
exempt documents under s. 28(1) 34, 39, 42, 45
personal information in documents regulated by 12
operation not affected by this Act 6
84
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Notes
Act No.
Subject Section
Sch. 2
Health information
Identification numbers See Unique identifiers
Impairment See People with an impairment
Information See Health information
Personal information
Publicly available information
14ญ17, Sch. 1
Information privacy principles
breach of IPP 6.5 or 6.6 43
contraventions 44, 48
interpretation of references to 4
See also Complaints
Judicial officers
exemptions from provisions of Act 10
Law enforcement agencies
exemptions from compliance with certain IPPs 13, Sch. 1
Liability
of organisations for acts of agents, employees 68
protection from 66
Minors
access to personal information by 64
complaints by 27
Notices
compliance notices 44, 48
Offences
by organisations or bodies 70
failure to attend before Privacy Commissioner 65
non-compliance with compliance notices 48
prosecutions 71
Ombudsman
referral of complaints by Privacy Commissioner to 29
referral of complaints to Privacy Commissioner by 26
43
Orders
interim orders 38
Outsourcing See Contract service providers
People with an impairment
capacity to give consent or exercise right of access 64
complaints by 27
Personal information
access to 64
consent to collection, use, disclosure, transfer 64
fees for access to 69, Sch. 1
12
regulated by Freedom of Information Act 1982
health information Sch. 2
interpretative provisions 4
information privacy principles Sch. 1
powers of authorised representatives 64
sensitive information Sch. 1
Privacy Commissioner
acting appointment 55
annual reports 62
appointment 50
85
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Notes
Act No.
Subject Section
as party to proceedings for review 49
delegation 61
duty to have regard to objects of Act 60
functions 58
powers in general 59
powers regarding
codes of practice 19, 20, 23
complaints 25ญ26, 28ญ30, 32
compliance notices 44
conciliation 33ญ35, 37
examination of witnesses 46
obtaining information and documents 45
removal from office 54
remuneration and allowances 51
reports 62ญ63
secrecy provisions 67
staff 57
suspension 54
terms and conditions of appointment 52
vacancy and resignation 53
validity of acts and decisions 56
71
Prosecutions
Public records
exemptions from provisions of Act 11
Public registers
administration of 16, 18, 43
Public sector organisations
application of Act to 9
bound by codes of practice 20
compliance with IPPs 16
interpretative provisions 4
liability for acts of agents and employees 68
offences by 70
use of unique identifiers Sch. 1
Publicly available information
exemptions from provisions of Act 11
73
Regulations
67
Secrecy
Self-incrimination
protection against 47
Supreme Court
limitation of jurisdiction 72
Tribunals
exemptions from provisions of Act 10
Sch. 1
Unique identifiers
Victorian Civil and Administrative Tribunal
findings and decisions 43
power to inspect exempt documents 42
interim orders 38
jurisdiction for hearing a complaint 39
86
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
Information Privacy Act 2000
Notes
Act No.
Subject Section
orders 43
parties to a proceeding 40
referral of complaints to 31, 32, 37, 39
registration of conciliation agreements 35
review of decision to serve compliance notices 49
time limits for hearing complaints 41
ญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญญ
87
541042B.I1-29/5/2000 BILL LA CIRCULATION 29/5/2000
[Index] [Search] [Download] [Related Items] [Help]