Privacy Amendment (Private Sector) Bill 2000

 

1998-1999-2000

 

 

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

 

 

THE SENATE

 

 

Privacy Amendment (Private Sector) Bill 2000

 

 

Schedule of the amendments made by the Senate

 

 

 

 

 

(1)     Opp (1) [Sheet 2032]

          Clause 2, page 1 (lines 17 to 22), omit subclause (1), substitute:

             (1)  Subject to this section, this Act commences on 1 July 2001.

(2)     Opp (2) [Sheet 2032]

          Clause 3, page 2 (line 20), at the end of paragraph (b), add:

                     ; and (iv)  provides individuals with mechanisms by which they can obtain appropriate redress for interferences with privacy; and

                             (v)  provides the Privacy Commissioner with the means to monitor and prevent the systematic abuse of privacy by organisations.

(3)     Dem (1) [Sheet 2044]

          Schedule 1, page 6 (after line 5), after item 11, insert:

11A  Subsection 6(1)

Insert:

DNA sample includes:

                     (a)  a human tissue sample from which DNA is intended to be extracted; or

                     (b)  DNA extracted from such a tissue sample and other molecules (such as ribonucleic acids and polypeptides) from which DNA may be derived;

but does not include a tissue sample that is taken:

                     (c)  as a biopsy or an autopsy specimen, or as a clinical specimen solely for the purpose of conducting an immediate clinical or diagnostic test that is not a DNA test; or

                     (d)  as a blood sample solely for the purpose of storage and distribution by a blood bank.

(4)     Opp (3) [Sheet 2032] (As amended by Dem (1) [Sheet 2045])

          Schedule 1, item 12, page 6 (lines 6 to 26), omit the item, substitute:

12  Subsection 6(1)

Insert:

employee record, in relation to an employee, means a record of personal information relating to the employment of the employee other than an exempt employee record. Examples of personal information relating to the employment of the employee are health information about the employee (including genetic information or information about DNA samples) and personal information about all or any of the following:

                     (a)  the terms and conditions of employment of the employee;

                     (b)  the employee’s personal and emergency contact details;

                     (c)  the employee’s salary or wages;

                     (d)  the employee’s membership of a professional or trade association;

                     (e)  the employee’s trade union membership;

                      (f)  the employee’s recreation, long service, sick, personal, maternity, paternity or other leave;

                     (g)  the employee’s taxation, banking or superannuation affairs.

(5)     Opp (4) [Sheet 2032]

          Schedule 1, page 7 (after line 22), after item 13, insert:

13A  Subsection 6(1)

Insert:

exempt employee record, in relation to an employee, means a record of personal information relating to the employment of the employee and relating to all or any of the following:

                     (a)  the engagement, training, disciplining or resignation of the employee;

                     (b)  the termination of the employment of the employee; or

                     (c)  the employee’s performance or conduct.

(6)     Dem (2) [Sheet 2044]

          Schedule 1, page 7 (after line 22), after item 13, insert:

13A  Subsection 6(1)

Insert:

family member, in relation to a person, means another person who is related by blood to that person.

(7)     Dem (3) [Sheet 2044]

          Schedule 1, page 7 (after line 25), after item 14, insert:

14A  Subsection 6(1)

Insert:

genetic information, in relation to a person or a family member of that person, means:

                     (a)  information from a DNA sample about genotype; or

                     (b)  information from mutation analysis; or

                     (c)  information about nucleotide and polypeptide sequences; or

                     (d)  information about genes or gene products.

(8)     Dem (4) [Sheet 2044]

          Schedule 1, item 16, page 8 (line 13), at the end of the definition of health information, add:

; and, except where the contrary intention appears, includes genetic information.

(9)     Opp (6) [Sheet 2032]

          Schedule 1, page 9 (after line 15), after item 22, insert:

22AA  Subsection 6(1) (definition of personal information)

Repeal the definition of personal information, substitute:

personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual:

                     (a)  whose identity is apparent from the information or opinion; or

                     (b)  who can be identified, directly or indirectly, by reference to the information or opinion.

(10)   Opp (7) [Sheet 2032]

          Schedule 1, page 11 (after line 29), after item 33, insert:

33A  Subsection 6(1)

Insert:

tenancy information means information or an opinion about an individual collected in connection with the provision of residential accommodation to the individual that is also personal information.

(11)   Opp (8) [Sheet 2032]

          Schedule 1, item 36, page 14 (line 20), omit “In this Act”, substitute “Subject to subsections (1A) and (1B), in this Act”.

(12)   Opp (9) [Sheet 2032]

          Schedule 1, item 36, page 15 (after line 6), after subsection (1), insert:

          (1A)  Notwithstanding subsection (1), a small business operator is deemed to be an organisation with respect to its actions and practices in relation to:

                     (a)  an employee record it holds; and

                     (b)  tenancy information it holds.

          (1B)  Notwithstanding subsection (1), a small business operator is deemed to be an organisation if it accepts online payment for goods or services.

(13)   Opp (10) [Sheet 2032]

          Schedule 1, item 36, page 18 (lines 3 and 4), omit paragraph (c), substitute:

                     (c)  discloses personal information about another individual to anyone else other than:

                              (i)  with the consent of the other individual; or

                             (ii)  as required or authorised by or under legislation.

(14)   Opp (11) [Sheet 2032]

          Schedule 1, item 36, page 18 (lines 23 to 29), omit subsection (7).

(15)   Opp (12) [Sheet 2032]

          Schedule 1, item 36, page 21 (lines 11 to 13), omit the note.

(16)   Opp (13) [Sheet 2032]

          Schedule 1, item 36, page 21 (lines 21 to 23), omit subsection (4), substitute:

             (4)  A small business operator may not revoke a choice to be treated as an organisation.

(17)   Opp (14) [Sheet 2032]

          Schedule 1, item 42, page 24 (line 30), omit “Employee records”, substitute “Exempt employee records”.

(18)   Opp (15) [Sheet 2032]

          Schedule 1, item 42, page 25 (line 3), omit “employee record”, substitute “exempt employee record”.

(19)   Opp (16) [Sheet 2032]

          Schedule 1, item 42, page 27 (after line 22), at the end of section 7C, add:

             (7)  Nothing in this section permits a political representative, a contractor or a subcontractor to sell or disclose personal information collected or held by the political representative, contractor or subcontractor to any entity that does not have the benefit of this exemption.

(20)   Opp (17) [Sheet 2032]

          Schedule 1, item 52, page 31 (line 25), at the end of subsection 13B(1), add:

                   ; provided that:

                     (c)  such collection or disclosure would not exceed the reasonable expectations of the community; and

                     (d)  the organisation which initially collected the information has complied with National Privacy Principle 1.

(21)   Opp (18) [Sheet 2032]

          Schedule 1, item 54, page 35 (lines 16 to 18), omit subsection (3), substitute:

             (3)  National Privacy Principles 2, 6 and 11 apply in relation to personal information held by an organisation regardless of whether the organisation holds the personal information as a result of collection occurring before or after the commencement of this section, provided that, in respect of personal information collected before the commencement of this section, an organisation is not required to comply with those Principles where such compliance would place an unreasonable administrative burden on the organisation or cause the organisation unreasonable expense.

(22)   Opp (19) [Sheet 2032]

          Schedule 1, item 58, page 39 (line 34), at the end of subsection (3), add:

                     ; and (m)  the code requires the adjudicator to maintain a summary of each complaint resolved with or without a determination, finding, declaration, order or direction identifying the nature of the complaint, the code provisions applied in resolving it, the nature of the settlement, and any issues of law which were raised in the complaint; and

                     (n)  the code requires the adjudicator to provide a copy of these summaries to the Commissioner at least annually.

(23)   Opp (20) [Sheet 2032]

          Schedule 1, item 58, page 42 (after line 18), at the end of the item, add:

18BH  Review of operation of approved privacy codes

             (1)  The Commissioner may, if in his or her view the circumstances so warrant:

                     (a)  following receipt of a report referred to in 18BB(3)(i); or

                     (b)  following receipt of the summaries referred to in 18BB(3)(n); or

                     (c)  on his or her own motion;

                   conduct a review of the operation of an approved privacy code.

             (2)  The circumstances under subsection (1) may include:

                     (a)  the number, nature and outcome of complaints made to an adjudicator; and

                     (b)  the code provisions applied in resolving complaints; and

                     (c)  information received by the Commissioner that indicates that obligations under the code may not have been met by an organisation bound by the code.

             (3)  In undertaking a review under this subsection, the Commissioner may do all or any of the following:

                     (a)  review the complaints process;

                     (b)  inspect the records of the adjudicator;

                     (c)  review the results of complaints;

                     (d)  interview the adjudicator.

(24)   Opp (21) [Sheet 2032]

          Schedule 1, item 58, page 42 (after line 18), at the end of the item, add:

18BI  Review of decisions under an approved privacy code

                   A person who is aggrieved by a decision made by an adjudicator under an approved privacy code may apply to the Commissioner for a review of the decision.

(25)   Opp (22) [Sheet 2032]

          Schedule 1, item 58, page 42 (after line 18), at the end of the item, add:

18BJ  Powers of the Commissioner in respect of applications for review

                   On an application for a review under section 18BI, the Commissioner may:

                     (a)  make a determination setting aside a decision under the privacy code, or a part of a decision, with effect from the date of the determination; or

                     (b)  exercise all the powers conferred on the Commissioner to investigate complaints made directly to the Commissioner; or

                     (c)  make a fresh determination in accordance with section 52.

(26)   Opp (23) [Sheet 2032]

          Schedule 1, item 59, page 42 (after line 32), at the end of the item, add:

                   (ad)  to review the operation of privacy codes under section 18BH;

                    (ae)  to review decisions that an adjudicator may make under an approved privacy code under section 18BI, to set aside those decisions and to make fresh determinations.

(27)   Opp (24) [Sheet 2032]

          Schedule 1, item 99, page 56 (after line 24), at the end of the item, add:

55C  Privacy Commissioner may issue breach notice

             (1)  The Commissioner may issue a breach notice to an organisation which, in the opinion of the Commissioner, has not complied with a determination issued under section 52.

             (2)  Before issuing a breach notice, the Commissioner must provide the organisation with an opportunity to be heard.

             (3)  The breach notice must specify:

                     (a)  the nature of the breach; and

                     (b)  the steps which the organisation must take to rectify the breach; and

                     (c)  a reasonable period (of not more than 12 months) in which the organisation must rectify the breach.

(28)   Opp (25) [Sheet 2032]

          Schedule 1, item 99, page 56 (after line 24), at the end of the item, add:

55D  Imposition and recovery of penalty

             (1)  Where an organisation to which a breach notice has been issued fails to comply with the breach notice within the time specified in the breach notice, a penalty may be imposed by the Federal Court.

             (2)  The maximum penalty that may be imposed under subsection (1) for a failure to comply with a breach notice is $50,000.

             (3)  A penalty under this section may be sued for and recovered by:

                     (a)  the Commissioner; or

                     (b)  a person who is affected by the serious privacy breach.

             (4)  A proceeding under this section must be commenced not later than 6 years after the commission of the breach.

(29)   Opp (26) [Sheet 2032]

          Schedule 1, item 139, page 75 (line 11), after “individual,”, insert “other than health information,”.

(30)   Opp (27) [Sheet 2032]

          Schedule 1, item 139, page 75 (lines 14 to 18), omit paragraphs (a) and (b), substitute:

                     (a)  providing access would pose a serious and imminent threat to the life or health of any individual; or

(31)   Opp (28) [Sheet 2032]

          Schedule 1, item 139, page 76 (after line 14), after subclause 6.1, insert:

         6.1A  Subject to subclauses 6.1B and 6.1C, if an organisation holds health information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:

                     (a)  the provision of the information would constitute a significant risk to the life or health of:

                              (i)  the individual; or

                             (ii)  any other person; or

                     (b)  the provision of the information would contravene:

                              (i)  a law of the Commonwealth or of a State or Territory;

                             (ii)  an order of a court of competent jurisdiction; or

                     (c)  the information consists of or includes material or information concerning an individual given in confidence to the person who was responsible for receiving or recording the information, by a person other than:

                              (i)  the individual;

                             (ii)  a guardian of the individual; or

                            (iii)  a health service provider in the course of, or otherwise in relation to, the provider’s treatment of the individual,

and, in addition, health information may not be disclosed if:

                     (d)  the individual notifies the person responsible for the information to the effect that the individual does not wish the information to be disclosed and the person responsible for the information marks the information or record accordingly; or

                     (e)  the individual:

                              (i)  becomes a legally incompetent person; or

                             (ii)  dies.

          6.1B  Health information about an individual that contains factual matter is subject to the provisions of subclause 6.1A regardless of when the information was collected.

          6.1C  Health information about an individual that contains matters of opinion is subject to the provisions of subclause 6.1A if the information was collected on or after the date of the commencement of this Act.

(32)   Dem (8) [Sheet 2044]

          Schedule 1, item 139, page 80 (after line 25), after subclause 10.4, insert:

     (10.4A)  Without limiting subclause 10.4, an organisation must take all practicable and reasonable steps to permanently de-identify genetic information before disclosing it, having regard to the need for privacy protection of genetic information in relation to an individual to take into account the privacy of that individual’s family members.

     (10.4B)  Nothing in this clause prevents an organisation from disclosing genetic information with the consent of the subject.

(33)   Opp (29) [Sheet 2032]

          Schedule 1, item 139, page 80 (after line 29), at the end of the item, add:

11  Special protection for children

          11.1  An organisation which:

                     (a)  operates a commercial service which is directed at children; or

                     (b)  operates a commercial service directed at a general audience but for which there is a reasonable expectation that personal information will be collected from children;

                     must:

                     (c)  provide parents with notice of the information collection practices of the organisation;

                     (d)  obtain parental consent before collecting, using or disclosing personal information about a child, which consent may be revoked by a parent at any time;

                     (e)  obtain new consent from parents when the information collection practices of the organisation change in a material way;

                      (f)  allow parents to access and correct personal information collected from their children;

                     (g)  delete information collected from children at the request of parents;

                     (h)  not require a child to provide more information than is reasonably necessary to participate in the service offered by the organisation; and

                      (i)  ensure that personal information collected from children is maintained with confidentiality, security and integrity.

          11.2  In this clause:

child means a person aged 13 or under.

(34)   Opp (30) [Sheet 2032]

          Schedule 2, before item 1, page 81 (line 4), omit “Administrative Decisions (Judicial Review) Act 1977”.

(35)   Opp (31) [Sheet 2032]

          Schedule 2, items 1 and 2, page 81 (lines 5 to 11), omit the items.

 

 

 

 

 

 

HARRY EVANS

Clerk of the Senate

 

 

The Senate

30 November 2000