PRIVACY AND DATA PROTECTION ACT 2014 - SECT 78 Compliance notice

PRIVACY AND DATA PROTECTION ACT 2014 - SECT 78

S. 78(1) amended by No. 20/2017 s. 106(6)(a).

    (1)     The Information Commissioner may serve a compliance notice on an organisation, if it appears to the Information Commissioner that—

        (a)     the organisation has done an act or engaged in a practice in contravention of an Information Privacy Principle (including an act or practice that is in contravention of an applicable code of practice) or an approved information usage arrangement; and

        (b)     the act or practice—

              (i)     constitutes a serious or flagrant contravention; or

              (ii)     is of a kind that has been done or engaged in by the organisation on at least 5 separate occasions within the previous 2 years.

    (2)     A compliance notice requires the organisation to take specified action within a specified period for the purpose of ensuring compliance with the Information Privacy Principle, applicable code of practice or approved information usage arrangement.

S. 78(3) amended by No. 20/2017 s. 106(6)(a).

    (3)     If the Information Commissioner is satisfied, on the application of an organisation on which a compliance notice is served, that it is not reasonably possible to take the action specified in the notice within the period specified in the notice, the Information Commissioner may extend the period specified in the notice on the organisation giving the Information Commissioner an undertaking to take the specified action within the extended period.

S. 78(4) amended by No. 20/2017 s. 106(6)(a).

    (4)     The Information Commissioner may only extend a period under subsection (3) if an application for the extension is made before the period specified in the notice expires.

S. 78(5) amended by No. 20/2017 s. 106(6).

    (5)     The Information Commissioner may act under subsection (1) on the Information Commissioner's own initiative or on an application by an individual who was a complainant under Division 8.

S. 78(6) amended by No. 20/2017 s. 106(6)(a).

    (6)     In deciding whether or not to serve a compliance notice, the Information Commissioner may have regard to the extent to which the organisation has complied with a decision of VCAT under Subdivision 5 of Division 8.

S. 78(7) inserted by No. 11/2021 s. 165.

    (7)     A compliance notice must be served in accordance with section 83C.

S. 79 substituted by No. 20/2017 s. 86.