

1 Subsection 7B(1) (note)
Omit “Note”, substitute “Note 1”.
2 At the end of subsection 7B(1)
Add:
Note 2: This subsection is affected by subsection 16CA(1).
3 Subsection 7B(2) (note)
Omit “Note”, substitute “Note 1”.
4 At the end of subsection 7B(2)
Add:
Note 2: This subsection is affected by subsection 16CA(1).
5 After Division 2 of Part III
Insert:
Division 3 — Re-identification of de-identified personal information
16CA Application of this Division in relation to certain acts
Acts that are not exempt for the purposes of paragraph 7(1)(ee)
(1) For the purposes of this Division and any provision of this Act that has effect in relation to a provision of this Division:
(a) an act done by an organisation that is an individual is not, despite subsection 7B(1), exempt for the purposes of paragraph 7(1)(ee) if the act is a contravention of subsection 16D(1) or 16E(1) or 16F(3), (4) or (10); and
(b) an act done by an organisation referred to in paragraphs 7B(2)(a) and (b) is not, despite subsection 7B(2), exempt for the purposes of paragraph 7(1)(ee) if the act is a contravention of subsection 16D(1) or 16E(1) or 16F(3), (4) or (10).
Acts done by entities employed by, or in the service of, a State or Territory authority other than in course of employment or service
(2) To avoid doubt, this Division applies in relation to an act done by an entity that is employed by, or engaged to provide services to, a State or Territory authority, if the act is done other than in the performance of the entity’s duties of employment or in accordance with the entity’s contract for services.
16D De-identified personal information must not be re-identified
(1) An entity contravenes this subsection if:
(a) information has been published by, or on behalf of, an agency (the responsible agency) in a generally available publication; and
(b) the information was published on the basis that it was de-identified personal information; and
(c) on or after 29 September 2016, the entity does an act with the intention of achieving the result that the information is no longer de-identified; and
(d) the act has the result that the information is no longer de-identified.
Note 1: The ancillary offence provisions in Part 2.4 of the Criminal Code apply in relation to the offence created by subsection (6) of this section. See sections 11.1 (attempt), 11.2 (aiding, abetting, counselling or procuring), 11.4 (incitement) and 11.5 (conspiracy) of the Criminal Code.
Note 2: Section 80V of this Act (which deals with ancillary contravention of a civil penalty provision) applies in relation to subsection (7) of this section.
(2) Subsection (1) does not apply if:
(a) the entity is an agency; and
(b) either:
(i) the act was done in connection with the performance of the agency’s functions or activities; or
(ii) the agency was required or authorised to do the act by or under an Australian law or a court/tribunal order.
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matter in subsection (2) (see subsection 13.3(3) of the Criminal Code).
(3) Subsection (1) does not apply if:
(a) the entity is a contracted service provider for a Commonwealth contract to provide services to the responsible agency; and
(b) the act was done for the purposes of meeting (directly or indirectly) an obligation under the contract.
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matter in subsection (3) (see subsection 13.3(3) of the Criminal Code).
(4) Subsection (1) does not apply if:
(a) the entity has entered into an agreement with the responsible agency to perform functions or activities on behalf of the agency; and
(b) the act was done in accordance with the agreement.
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matter in subsection (4) (see subsection 13.3(3) of the Criminal Code).
(5) Subsection (1) does not apply if:
(a) the entity is an exempt entity for the purposes of this section in accordance with a determination in force under section 16G; and
(b) the act was done for a purpose specified in that determination in relation to the entity and in compliance with any conditions specified in the determination that apply in relation to the entity.
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matter in subsection (5) (see subsection 13.3(3) of the Criminal Code).
Offence
(6) An entity commits an offence if the entity contravenes subsection (1).
Penalty: Imprisonment for 2 years or 120 penalty units.
Civil penalty
(7) An entity is liable to a civil penalty if the entity contravenes subsection (1).
Civil penalty: 600 penalty units.
16E Re-identified personal information must not be disclosed
(1) An entity contravenes this subsection if:
(a) information has been published by, or on behalf of, an agency (the responsible agency) in a generally available publication; and
(b) the information was published on the basis that it was de-identified personal information; and
(c) on or after 29 September 2016, the entity does an act that has the result that the information is no longer de-identified; and
(d) the entity is aware that the information is no longer de-identified; and
(e) on or after 29 September 2016, the entity discloses the information to a person or entity other than the responsible agency.
Note 1: The ancillary offence provisions in Part 2.4 of the Criminal Code apply in relation to the offence created by subsection (7) of this section. See sections 11.1 (attempt), 11.2 (aiding, abetting, counselling or procuring), 11.4 (incitement) and 11.5 (conspiracy) of the Criminal Code.
Note 2: Section 80V of this Act (which deals with ancillary contravention of a civil penalty provision) applies in relation to subsection (8) of this section.
(2) Paragraph (1)(c) applies regardless of whether the entity intended the act to have the result that the information is no longer de-identified.
(3) Subsection (1) does not apply if:
(a) the entity is an agency; and
(b) either:
(i) the information was disclosed in connection with the performance of the agency’s functions or activities; or
(ii) the agency was required or authorised to disclose the information by or under an Australian law or a court/tribunal order.
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matter in subsection (3) (see subsection 13.3(3) of the Criminal Code).
(4) Subsection (1) does not apply if:
(a) the entity is a contracted service provider for a Commonwealth contract to provide services to the responsible agency; and
(b) the information was disclosed for the purposes of meeting (directly or indirectly) an obligation under the contract.
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matter in subsection (4) (see subsection 13.3(3) of the Criminal Code).
(5) Subsection (1) does not apply if:
(a) the entity has entered into an agreement with the responsible agency to perform functions or activities on behalf of the agency; and
(b) the information was disclosed in accordance with the agreement.
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matter in subsection (5) (see subsection 13.3(3) of the Criminal Code).
(6) Subsection (1) does not apply if:
(a) the entity is an exempt entity for the purposes of this section in accordance with a determination in force under section 16G; and
(b) the information was disclosed for a purpose specified in that determination in relation to the entity and in compliance with any conditions specified in the determination that apply in relation to the entity.
Note: In criminal proceedings, a defendant bears an evidential burden in relation to the matter in subsection (6) (see subsection 13.3(3) of the Criminal Code).
Offence
(7) An entity commits an offence if the entity contravenes subsection (1).
Penalty: Imprisonment for 2 years or 120 penalty units.
Civil penalty
(8) An entity is liable to a civil penalty if the entity contravenes subsection (1).
Civil penalty: 600 penalty units.
16F Entity must notify responsible agency if de-identified personal information is re-identified
(1) This section applies if:
(a) information has been published by, or on behalf of, an agency (the responsible agency) in a generally available publication; and
(b) the information was published on the basis that it was de-identified personal information; and
(c) on or after 29 September 2016, an entity does an act that has the result that the information is no longer de-identified; and
(d) the entity becomes aware that the information is no longer de-identified.
(2) Paragraph (1)(c) applies regardless of:
(a) whether the entity intended to do the act; or
(b) whether the entity intended the act to have the result that the information is no longer de-identified.
Civil penalties
(3) As soon as practicable after becoming aware that the information is no longer de-identified, the entity must notify the responsible agency, in writing, of that fact.
Civil penalty: 200 penalty units.
(4) The entity must not use the information, or disclose the information to a person or entity other than the responsible agency, after becoming aware that the information is no longer de-identified.
Civil penalty: 200 penalty units.
(5) Subsections (3) and (4) do not apply if:
(a) the entity is an agency; and
(b) either:
(i) the act was done in connection with the performance of the agency’s functions or activities; or
(ii) the agency was required or authorised to do the act by or under an Australian law or a court/tribunal order.
(6) Subsections (3) and (4) do not apply if:
(a) the entity is a contracted service provider for a Commonwealth contract to provide services to the responsible agency; and
(b) the act was done for the purposes of meeting (directly or indirectly) an obligation under the contract.
(7) Subsections (3) and (4) do not apply if:
(a) the entity has entered into an agreement with the responsible agency to perform functions or activities on behalf of the agency; and
(b) the act was done in accordance with the agreement.
(8) Subsections (3) and (4) do not apply if:
(a) the entity is an exempt entity for the purposes of this section in accordance with a determination in force under section 16G; and
(b) the act was done for a purpose specified in that determination in relation to the entity and in compliance with any conditions specified in the determination that apply in relation to the entity.
Responsible agency may give entity directions etc.
(9) If the entity notifies the responsible agency that the information is no longer de-identified:
(a) the agency may give the entity written directions for dealing with the information; and
(b) the agency must, as soon as practicable after being notified, give the Commissioner a written notice explaining what has occurred in relation to the information.
Civil penalty
(10) An entity that is given a direction under paragraph (9)(a) must comply with the direction.
Civil penalty: 200 penalty units.
16G Minister may determine that entity is an exempt entity for certain purposes
(1) The Minister may determine that an entity, or an entity included in a class of entities, is an exempt entity for the purposes of one or more of sections 16D, 16E and 16F in relation to one or more purposes specified in the determination, if the Minister is satisfied it is in the public interest to do so.
Note: For variation and revocation of a determination made under subsection (1), see subsection 33(3) of the Acts Interpretation Act 1901.
(2) A determination made under subsection (1) may specify any of the following purposes:
(a) research involving cryptology;
(b) research involving information security;
(c) research involving data analysis;
(d) any other purpose that the Minister considers appropriate.
(3) A determination under subsection (1) may be made subject to any conditions specified in the determination.
(4) Before making a determination under subsection (1), the Minister must consult the Commissioner.
(5) A determination made under subsection (1) is a legislative instrument, but section 42 (disallowance) of the Legislation Act 2003 does not apply to the determination.
6 At the end of subsection 33C(1)
Add:
; (f) whether the methods used by agencies for de-identifying personal information are effective to protect individuals from being identifiable or reasonably identifiable.
7 Section 36A
Omit:
The Commissioner may also, on his or her own initiative, investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1.
substitute:
The Commissioner may also, on his or her own initiative:
(a) investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1; or
(b) investigate an act that may contravene a provision of Division 3 of Part III (which relates to re-identifying personal information that has been de-identified).
8 Section 36A
Omit “range powers”, substitute “range of powers”.
9 Section 36A
Omit:
After an investigation, the Commissioner may make a determination in relation to the investigation. An entity to which a determination relates must comply with certain declarations included in the determination. Court proceedings may be commenced to enforce a determination.
substitute:
After an investigation, the Commissioner may make a determination in relation to the investigation. An entity to which a determination made under section 52 relates must comply with certain declarations included in the determination. Court proceedings may be commenced to enforce a determination made under section 52.
10 After subsection 40(2)
Insert:
(2A) The Commissioner may, on the Commissioner’s own initiative, investigate an act that may contravene subsection 16D(1) or 16E(1) or 16F(3), (4) or (10) if:
(a) the Commissioner has received a notice under paragraph 16F(9)(b); or
(b) the Commissioner becomes aware that an entity may have contravened subsection 16D(1) or 16E(1) or 16F(3), (4) or (10).
11 At the end of subsection 42(2)
Add “or (2A)”.
12 Subsection 43(1AA)
After “subsection 40(2)”, insert “or (2A)”.
13 Subsection 43A(1)
After “this Division”, insert “(other than under subsection 40(2A))”.
14 Subsection 49(1)
After “verification offence”, insert “, a re-identification offence”.
15 At the end of paragraph 49(1)(a)
Add “and”.
16 After paragraph 49(1)(b)
Insert:
(ba) in the case of an investigation under subsection 40(2A) of an act that may constitute an offence against subsection 16D(6) or 16E(7)—give a copy of all information relating to the investigation held by the Commissioner to the Commissioner of Police or the Director of Public Prosecutions, as the case may be; and
17 Subsection 49(4)
Insert:
re-identification offence means:
(a) an offence against subsection 16D(6) or 16E(7); or
(b) an offence against section 6 of the Crimes Act 1914, or section 11.1, 11.2, 11.4 or 11.5 of the Criminal Code, being an offence that relates to an offence referred to in paragraph (a) of this definition.
18 Section 52 (heading)
Repeal the heading, substitute:
19 After section 53
Insert:
(1) After investigating an act of an entity under subsection 40(2A), the Commissioner may determine, in writing, that it would be inappropriate for any further action to be taken in relation to the matter.
(2) If the Commissioner makes a determination under subsection (1), the Commissioner must notify the entity, in writing, that no further action is to be taken in relation to the matter.
20 Application of amendments
Paragraphs 16D(1)(a), 16E(1)(a) and 16F(1)(a) of the Privacy Act 1988, as inserted by this Part, apply in relation to information that was published by, or on behalf of, an agency before or after the commencement of this item.
21 Transitional—obligations of entities in relation to information that was re-identified on or after 29 September 2016 and before commencement
(1) This item applies if:
(a) subsection 16F(1) of the Privacy Act 1988 (the Act), as inserted by this Part, applies in relation to information and an entity; and
(b) the entity had become aware, before the commencement of this item, that the information was no longer de-identified.
(2) Subsection 16F(3) of the Act, as inserted by this Part, applies in relation to the entity as if that subsection required the entity to notify the responsible agency, in writing, as soon as practicable after the commencement of this item, that the information is no longer de-identified.
(3) Subsection 16F(4) of the Act, as inserted by this Part, applies in relation to the entity after the commencement of this item.
Australian Information Commissioner Act 2010
22 Paragraph 25(l)
After “section 52”, insert “or 53AA”.