Stott Despoja: privacy amendment bill

Contents

1  Short title

2  Commencement

3  Schedule

Schedule 1—Amendment of the Privacy Act 1988

 



A Bill for an Act to amend the Privacy Act 1988 to extend the application of the Act to the private sector, expand the number and coverage of the Information Privacy Principles, and for related purposes

The Parliament of Australia enacts:

1   Short title

                   This Act may be cited as the Privacy Amendment Act 1997.

2   Commencement

                   This Act commences on the day on which it receives the Royal Assent.

3   Schedule

                   Each Act that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.



 

   

1  After section 5A

Insert:

5B   Extension of Act to private sector

             (1)  For the purpose of giving effect to Australia’s obligations under the International Covenant on Civil and Political Rights, particularly Article 17 of that Covenant, this Act applies to all persons (including unincorporated bodies) who are not agencies apart from this section as if they were agencies.

             (2)  This Act also applies to each corporation that is not an agency apart from this section as if it were an agency.

             (3)  This Act also applies to each trading corporation and financial corporation that is not an agency apart from this section as if it were an agency while doing things for the purposes of its trading activities or financial activities.

5C   Act not to extend to certain matters

                   This Act does not extend to an act or practice done:

                     (a)  for personal or family reasons; or

                     (b)  for the purposes of household affairs; or

                     (c)  for journalistic, literary or artistic purposes.

2  Section 6

Insert:

Code of Practice means a code of practice issued by the Commissioner under section 18BA.

3  Section 6

Insert:

unique identifier means an identifier that:

                     (a)  is assigned to an individual by an agency for the purposes of the operations of the agency; and

                     (b)  uniquely identifies the individual in relation to the agency otherwise than by using the individual’s name.

4  Section 14 (paragraph 1(a) of Principle 1)

After “the collector”, insert “and that purpose is made known at or before the time of collection”.

5  Section 14 (at the end of Principle 1)

Add:

             ; and (c)  the collection is done in a way that the person about whom the information is collected is informed about his or her rights about the collection at the time of collection.

6  Section 14 (at the end of paragraph (1) of Principle 10)

Add:

                ; or (f)  the use is authorised by a Code of Practice.

7  Section 14 (at the end of paragraph (1) of Principle 11)

Add:

                ; or (f)  the disclosure is authorised by a Code of Practice.

8  At the end of section 14

Add:

Principle 12

Justifiable purpose

                   A collector or record-keeper will not use or implement systems or practices for collecting or retaining personal information if doing so would produce a danger to privacy that outweighs the reasonable need to use or implement the systems or practices.

Principle 13

Limit on retention of personal information

                   Personal information must not be kept longer than is reasonably necessary for its lawful use. It must then be destroyed or made anonymous.

Principle 14

No disadvantage

                   A collector must not, as a condition of the supply of goods or services, require an individual to consent to the collection, use or disclosure of information concerning the individual beyond that reasonably required by the collector for its lawful purposes.

Principle 15

Anonymity

                   Each individual should be given the option of not identifying himself or herself when entering into a transaction unless the nature of the transaction makes identification necessary. Collectors should design their systems to facilitate this choice.

Principle 16

Unique identifiers

             (1)  A collector or record-keeper must not:

                     (a)  assign a unique identifier to an individual unless the assignment of the identifier is necessary to enable the collector or record-keeper to carry out its lawful functions; or

                     (b)  require an individual to disclose a unique identifier assigned to the individual unless the disclosure is for one of the purposes for which the unique identifier was assigned.

             (2)  If a unique identifier is assigned to an individual for a particular purpose, a collector or record-keeper must not use the unique identifier for another purpose unless it is expressly authorised to do so by the law.

9  At the end of section 15

Add:

             (3)  Information Privacy Principles 12 and 13 apply to information contained in a record in the possession or under the control of an agency, whether the information was collected before, or is collected after, the commencement of the Privacy Amendment Act 1997.

10  Section 16

Omit “that breaches an Information Privacy Principle”, substitute:

that:

                     (a)  breaches an Information Privacy Principle; or

                     (b)  if a Code of Practice applies to the act or practice in relation to the agency, breaches the Code of Practice.

11  After Part III

Insert:

18BA   Issue of Codes of Practice

             (1)  The Commissioner may, by notice in the Gazette, issue a Code of Practice.

             (2)  A Code of Practice may be issued on the Commissioner’s own initiative, on the application of a person who represents the interests of a class of agency or an industry, profession or calling, or on the direction of the Minister.

             (3)  A notice under subsection (1) must specify:

                     (a)  the people to whom the Code of Practice applies; and

                     (b)  the places where copies of the Code can be obtained.

18BB   Commencement of Codes of Practice

                   A Code of Practice commences when a resolution approving the code is passed by each House of the Parliament.

18BC   Who Codes of Practice apply to

                   A Code of Practice may apply:

                     (a)  generally or to a specified person or a specified class of people; or

                     (b)  to a specified agency, industry, profession or calling; or

                     (c)  to a specific act or practice.

18BD   What Codes of Practice do

                   A Code of Practice may:

                     (a)  modify the operation of the Information Privacy Principles by:

                              (i)  prescribing standards that are more stringent or less stringent than the standards applicable under the Information Privacy Principles; or

                             (ii)  exempting action (whether generally or by a specified person or class of persons) from one or more Information Privacy Principle; or

                     (b)  prescribe how one or more Information Privacy Principle is to be applied or complied with; or

                     (c)  provide for review of the Code by the Commissioner; or

                     (d)  provide for expiry of the Code.

18BE   Notification of intention to issue Code

             (1)  The Commissioner must not issue a Code of Practice unless:

                     (a)  the Commissioner has given public notice of his or her intention to issue the Code; and

                     (b)  the Commissioner has:

                              (i)  done everything reasonably possible to advise the people who will be affected by the Code of the terms of the Code and the reasons for it; and

                             (ii)  given those persons or their representatives a reasonable opportunity to consider the proposed Code and to make submissions on it.

             (2)  A notice under paragraph (1)(a) must specify:

                     (a)  the places where copies of the proposed Code can be obtained; and

                     (b)  an address where submissions on it may be sent.

             (3)  This section does not stop the Commissioner adopting additional means of publicising a proposed Code of Practice and consulting on it.

12  Subsection 20(1)

Repeal the subsection, substitute:

             (1)  The Commissioner holds office for 7 years, and is not eligible for re-appointment.

13  Paragraph 27(1)(a)

After “Principle”, insert “or otherwise adversely affects an individual’s privacy”.

14  After paragraph 27(1)(m)

Insert:

                   (ma)  to make public statements about privacy;

                   (mb)  to prepare, and to publish in the manner the Commissioner considers appropriate, guidelines for:

                              (i)  deciding what constitutes an adverse effect on an individual’s privacy;

                             (ii)  the issue of a determination under Part VI;

                   (mc)  to provide assistance to agencies in relation to compliance with Information Privacy Principle 12;

15  After section 27

Insert:

27A   Functions of Commissioner in relation to Codes of Practice

                   The Commissioner has the following additional functions:

                     (a)  to issue Codes of Practice;

                     (b)  to investigate an act or practice of an agency that may breach a Code of Practice that applies to an agency;

                     (c)  to investigate systems or practices referred to in Information Privacy Principle 12;

                     (d)  to monitor compliance with Codes of Practice;

                     (e)  to investigate systems and practices for compliance with Codes of Practice.

16  Subsection 32(1)

After “or (r),”, insert “27A(c),”.

17  Section 37 (after table item 5)

Insert:

 

5A    Non-government unincorporated body    The chairman, president or other person principally responsible for the body’s operations

18  After section 96

Insert:

96A   Nomination of individual as being responsible for privacy matters

                   An agency must, if requested in writing to do so by the Commissioner, nominate an individual who is employed in or by the agency as being the person who is responsible for the agency’s compliance with this Act.

19  Application

The amendment made by item 12 applies to appointments made after the commencement of this Act.