(2) To the extent (if any) that an organisation is not bound by an approved privacy code, the organisation must not do an act, or engage in a practice, that breaches a National Privacy Principle.
(3) This section, approved privacy codes and the National Privacy Principles have effect in addition to sections 18 and 18A and Part IIIA, and do not derogate from them.
(4) To avoid doubt, an act done, or practice engaged in, by an organisation without breaching an approved privacy code or the National Privacy Principles is not authorised by law (or by this Act) for the purposes of Part IIIA merely because it does not breach the code or the Principles.
Note: If an act or practice is otherwise authorised by law, exceptions to the prohibitions in the National Privacy Principles and Part IIIA may mean that the act or practice does not breach the Principles or certain provisions of that Part.
(2) This Act (except Divisions 4 and 5 of Part III and Part IIIA) applies to personal information that has been collected by an organisation only if the information is held by the organisation in a record.
(1A) National Privacy Principle 2 applies only in relation to personal information collected after the commencement of this section.
(2) National Privacy Principles 3 (so far as it relates to personal information used or disclosed), 4, 5, 7 and 9 apply in relation to personal information held by an organisation regardless of whether the organisation holds the personal information as a result of collection occurring before or after the commencement of this section.
(3) National Privacy Principle 6 applies in relation to personal information collected after the commencement of this section. That Principle also applies to personal information collected by an organisation before that commencement and used or disclosed by the organisation after that commencement, except to the extent that compliance by the organisation with the Principle in relation to the information would:
(a) place an unreasonable administrative burden on the organisation; or
(b) cause the organisation unreasonable expense.
(4) National Privacy Principle 8 applies only to transactions entered into after the commencement of this section.
(2) National Privacy Principles 1, 3 (so far as it relates to collection of personal information) and 10 apply only in relation to the collection of personal information by the organisation after the delayed application period.
(3) National Privacy Principles 3 (so far as it relates to personal information used or disclosed), 4, 5, 7 and 9 apply in relation to the organisation only after the delayed application period. Those Principles then apply in relation to personal information held by the organisation as a result of collection occurring before, during or after that period.
(4) National Privacy Principles 2 and 6 apply only in relation to personal information collected by the organisation after the delayed application period.
(5) National Privacy Principle 8 applies only to transactions entered into with the organisation after the delayed application period.
(6) In this section:
delayed application period, for an organisation, means the period:
(a) starting at the later of the following times:
(i) the start of the day when this section commences;
(ii) when the organisation became an organisation; and
(b) ending at the earlier of the following times:
(i) immediately before the first anniversary of the day when this section commences;
(ii) when the organisation carries on either a business that is not a small business or a business that involves the provision of health services.
(a) the collection, holding, use, disclosure or transfer of personal information by an individual; or
(b) personal information held by an individual;
only for the purposes of, or in connection with, his or her personal, family or household affairs.
(a) for the purpose of meeting (directly or indirectly) an obligation under a Commonwealth contract; and
(b) by an organisation that is a contracted service provider for the contract.
Note: An organisation may be a contracted service provider for a Commonwealth contract whether or not the organisation is a party to the contract.
(2) An organisation that is a contracted service provider for the contract must not use or disclose the personal information for direct marketing, unless the use or disclosure is necessary to meet (directly or indirectly) an obligation under the contract.
(3) Subsection (2) has effect despite:
(a) an approved privacy code (if any) binding the organisation in relation to the personal information; and
(b) the National Privacy Principles.