[Previous] [Next] [Up] [Title]

Division 1--Interferences with privacy


13 Interferences with privacy

For the purposes of this Act, an act or practice is an interference with the privacy of an individual if the act or practice:

(a) in the case of an act or practice engaged in by an agency (whether or not the agency is also a file number recipient, credit reporting agency or credit provider)--breaches an Information Privacy Principle in relation to personal information that relates to the individual;

(b) in the case of an act or practice engaged in by a file number recipient (whether or not the file number recipient is also an agency, organisation, credit reporting agency or credit provider)--breaches a guideline under section 17 in relation to tax file number information that relates to the individual;

(ba) constitutes a breach of Part 2 of the Data-matching Program (Assistance and Tax) Act 1990 or the guidelines in force under that Act;

(bb) constitutes a breach of the guidelines in force under section 135AA of the National Health Act 1953;

(c) involves an unauthorised requirement or request for disclosure of the tax file number of the individual; or

(d) in the case of an act or practice engaged in by a credit reporting agency or credit provider (whether or not the credit reporting agency or credit provider is also an agency, organisation or file number recipient)--constitutes a credit reporting infringement in relation to personal information that relates to the individual.

13A Interferences with privacy by organisations

General rule

(1) For the purposes of this Act, an act or practice of an organisation is an interference with the privacy of an individual if:

(a) the act or practice breaches an approved privacy code that binds the organisation in relation to personal information that relates to the individual; or

(b) both of the following apply:

(i) the act or practice breaches a National Privacy Principle in relation to personal information that relates to the individual;

(ii) the organisation is not bound by an approved privacy code in relation to the personal information; or

(c) all of the following apply:

(i) the act or practice relates to personal information that relates to the individual;

(ii) the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract);

(iii) because of a provision of the contract that is inconsistent with an approved privacy code or a National Privacy Principle that applies to the organisation in relation to the personal information, the act or practice does not breach the code or Principle (see subsections 6A(2) and 6B(2));

(iv) the act is done, or the practice is engaged in, in a manner contrary to, or inconsistent with, that provision; or

(d) the act or practice involves the organisation in a contravention of section 16F (which limits direct marketing using information collected under a Commonwealth contract) involving personal information that relates to the individual.

Note: Sections 13B, 13C and 13D contain exceptions to this rule.

Rule applies even if other rules also apply

(2) It does not matter whether the organisation is also a credit reporting agency, a credit provider or a file number recipient.

13B Related bodies corporate

Acts or practices that are not interferences with privacy

(1) Despite paragraphs 13A(1)(a) and (b), each of the following acts or practices of an organisation that is a body corporate is not an interference with the privacy of an individual:

(a) the collection of personal information (other than sensitive information) about the individual by the body corporate from a related body corporate;

(b) the disclosure of personal information (other than sensitive information) about the individual by the body corporate to a related body corporate.

Note: Subsection (1) lets related bodies corporate share personal information. However, in using or holding the information, they must comply with the National Privacy Principles or a binding approved privacy code. For example, there is an interference with privacy if:

(a) a body corporate uses personal information it has collected from a related body corporate; and

(b) the use breaches National Privacy Principle 2 (noting that the collecting body's primary purpose of collection will be taken to be the same as that of the related body) or a corresponding provision in a binding approved privacy code.

(1A) However, paragraph (1)(a) does not apply to the collection by a body corporate of personal information (other than sensitive information) from:

(a) a related body corporate that is not an organisation; or

(b) a related body corporate whose disclosure of the information to the body corporate is an exempt act or exempt practice for the purposes of paragraph 7(1)(ee); or

(c) a related body corporate whose disclosure of the information to the body corporate is not an interference with privacy because of section 13D.

Note: The effect of subsection (1A) is that a body corporate's failure to comply with the National Privacy Principles, or a binding approved privacy code, in collecting personal information about an individual from a related body corporate covered by that subsection is an interference with the privacy of the individual.

Relationship with paragraphs 13A(1)(c) and (d)

(2) Subsection (1) does not prevent an act or practice of an organisation from being an interference with the privacy of an individual under paragraph 13A(1)(c) or (d).

13C Change in partnership because of change in partners

Acts or practices that are not interferences with privacy

(1) If:

(a) an organisation (the new partnership) that is a partnership forms at the same time as, or immediately after, the dissolution of another partnership (the old partnership); and

(b) at least one person who was a partner in the old partnership is a partner in the new partnership; and

(c) the new partnership carries on a business that is the same as, or similar to, a business carried on by the old partnership; and

(d) the new partnership holds, immediately after its formation, personal information about an individual that the old partnership held immediately before its dissolution;

neither the disclosure (if any) by the old partnership, nor the collection (if any) by the new partnership, of the information that was necessary for the new partnership to hold the information immediately after its formation constitutes an interference with the privacy of the individual.

Note: Subsection (1) lets personal information be passed on from an old to a new partnership. However, in using or holding the information, they must comply with the National Privacy Principles or a binding approved privacy code. For example, the new partnership's use of personal information collected from the old partnership may constitute an interference with privacy if it breaches National Privacy Principle 2 or a corresponding provision in a binding approved privacy code.

Effect despite section 13A

(2) Subsection (1) has effect despite section 13A.

13D Overseas act required by foreign law

Acts or practices that are not interferences with privacy

(1) An act or practice of an organisation done or engaged in outside Australia and an external Territory is not an interference with the privacy of an individual if the act or practice is required by an applicable law of a foreign country.

Effect despite section 13A

(2) Subsection (1) has effect despite section 13A.

13E Effect on section 13 of sections 13B, 13C and 13D

Sections 13B, 13C and 13D do not prevent an act or practice of an organisation from being an interference with the privacy of an individual under section 13.

13F Act or practice not covered by section 13 or section 13A is not an interference with privacy

An act or practice that is not covered by section 13 or section 13A is not an interference with the privacy of an individual.


[Previous] [Next] [Up] [Title]