Commonwealth Consolidated Acts


COMPETITION AND CONSUMER ACT 2010 - SECT 56ET

Investigating breaches of the privacy safeguards etc.

Breaches to which this section applies

  (1)   This section applies to a breach (a privacy safeguard breach) of any of the following:

  (a)   one or more of the privacy safeguards;

  (b)   the consumer data rules to the extent that those rules relate:

  (i)   to one or more of the privacy safeguards; or

  (ii)   to the privacy or confidentiality of CDR data;

  (c)   section 26WH, 26WK or 26WL or subsection 26WR(10) of the Privacy Act 1988, as they apply because of section 56ES of this Act;

in relation to the CDR data of:

  (d)   a CDR consumer who is an individual; or

  (e)   a small business (within the meaning of the Privacy Act 1988) carried on by a CDR consumer for the CDR data.

  (2)   This section also applies to a breach of section   56ED (privacy safeguard 1).

Object

  (3)   The object of this section is for Part   V of the Privacy Act 1988 to apply to an act or practice:

  (a)   of a CDR participant, designated gateway, accredited person or action service provider for a type of CDR action; and

  (b)   that may be:

  (i)   a privacy safeguard breach relating to CDR data covered by subsection   (1); or

  (ii)   a breach of section   56ED (privacy safeguard 1);

in a corresponding way to the way that Part applies to an act or practice of an organisation, person or entity that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle   1.

Note:   That Part is about investigations of interferences with privacy etc.

Extended application of Part   V of the Privacy Act 1988

  (4)   Part V of the Privacy Act 1988, and any other provision of that Act that relates to that Part, also apply in relation to:

  (a)   a CDR participant for CDR data; or

  (b)   a designated gateway for CDR data; or

  (c)   an accredited person who may become an accredited data recipient of CDR data; or

  (d)   an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules;

as if the substitutions in the following table, and the modifications in subsection   (5), were made.

 

Substitutions to be made

| Item | Subject to subsection (6), for a reference in Part V to ... | ... substitute a reference to ... |
| --- | --- | --- |
| 1 | interference with the privacy of an individual | a privacy safeguard breach relating to the CDR data of: (a) a CDR consumer who is an individual; or (b) a small business (within the meaning of the Privacy Act 1988) carried on by a CDR consumer for the CDR data. |
| 2 | Australian Privacy Principle 1 | section 56ED (privacy safeguard 1) of this Act. |
| 3 | individual | a person who: (a) is a CDR consumer for the CDR data to which the privacy safeguard breach (or possible privacy safeguard breach) relates; and (b) is an individual, or is carrying on a small business (within the meaning of the Privacy Act 1988) to which the CDR data relates. |
| 4 | recognised external dispute resolution scheme | an external dispute resolution scheme for which an instrument is in force under subsection 56DA(1) of this Act. |
| 5 | occupied by an agency, an organisation, a file number recipient, a credit reporting body or a credit provider | occupied by (or on behalf of): (a) a CDR participant for CDR data; or (b) a designated gateway for CDR data; or (c) an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules. |

Note 1:   When CDR data and the other terms in the last column of the table appear in this notional version of Part   V, they have the same meanings as in this Act.

Note 2:   Table item   5 relates to subsection   68(1) of that Act.

  (5)   For the purposes of subsection   (4), assume that:

  (a)   subsection   5B(4) of the Privacy Act 1988 were not enacted; and

  (b)   section   36 of that Act also stated that:

  (i)   in the case of a complaint about an act or practice of a CDR participant--the CDR participant is the respondent; or

  (ii)   in the case of a complaint about an act or practice of a designated gateway--the designated gateway is the respondent; or

  (iii)   in the case of a complaint about an act or practice of an accredited person who may become an accredited data recipient of CDR data--the accredited person is the respondent; or

  (iv)   in the case of a complaint about an act or practice of an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules--the action service provider is the respondent; and

  (c)   subsections 36(6) to (8), section 37, subsections 40(1B), 43(1A), (8), (8A) and (9) and 48(2), section 50A, sub-subparagraph 52(1)(b)(i)(A) and sections 53A and 53B of that Act were not enacted; and

  (d)   the paragraphs in each of subsections   55B(1) and (3) of that Act were replaced by:

  (i)   a paragraph that states that an act or practice of a specified CDR participant for CDR data has breached a privacy safeguard; and

  (ii)   a paragraph that states that an act or practice of a specified designated gateway for CDR data has breached a privacy safeguard; and

  (iii)   a paragraph that states that an act or practice of an accredited person who may become an accredited data recipient of CDR data has breached a privacy safeguard; and

  (iv)   a paragraph that states that an act or practice of an action service provider for a type of CDR action, who has been or may be disclosed CDR data under the consumer data rules, has breached a privacy safeguard; and

  (e)   Division   4 of Part   V, and subsection   63(2A), of that Act were not enacted.

  (6)   For the purposes of item 3 of the table in subsection (4), disregard the reference to individual in the heading to section 39 of the Privacy Act 1988.


