APP entities
(1) An act or practice of an APP entity is an interference with the privacy of an individual if:
(a) the act or practice breaches an Australian Privacy Principle in relation to personal information about the individual; or
(b) the act or practice breaches a registered APP code that binds the entity in relation to personal information about the individual.
Credit reporting
(2) An act or practice of an entity is an interference with the privacy of an individual if:
(a) the act or practice breaches a provision of Part IIIA in relation to personal information about the individual; or
(b) the act or practice breaches the registered CR code in relation to personal information about the individual and the code binds the entity.
(3) An act or practice of an organisation is an interference with the privacy of an individual if:
(a) the act or practice relates to personal information about the individual; and
(b) the organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract); and
(c) the act or practice does not breach:
(i) an Australian Privacy Principle; or
(ii) a registered APP code that binds the organisation;
in relation to the personal information because of a provision of the contract that is inconsistent with the principle or code; and
(d) the act is done, or the practice is engaged in, in a manner contrary to, or inconsistent with, that provision.
Note: See subsections 6A(2) and 6B(2) for when an act or practice does not breach an Australian Privacy Principle or a registered APP code.
(4) An act or practice is an interference with the privacy of an individual if:
(a) it is an act or practice of a file number recipient and the act or practice breaches a rule issued under section 17 in relation to tax file number information that relates to the individual; or
(b) the act or practice involves an unauthorised requirement or request for disclosure of the tax file number of the individual.
Notification of eligible data breaches etc.
(4A) If an entity (within the meaning of Part IIIC) contravenes subsection 26WH(2), 26WK(2), 26WL(3) or 26WR(10), the contravention is taken to be an act that is an interference with the privacy of an individual .
Other interferences with privacy
(5) An act or practice is an interference with the privacy of an individual if the act or practice:
(a) constitutes a breach of Part 2 of the Data - matching Program (Assistance and Tax) Act 1990 or the rules issued under section 12 of that Act; or
(b) constitutes a breach of the rules issued under section 135AA of the National Health Act 1953 .
Note: Other Acts may provide that an act or practice is an interference with the privacy of an individual. For example, see the Healthcare Identifiers Act 2010 , the Anti - Money Laundering and Counter - Terrorism Financing Act 2006 and the Personal Property Securities Act 2009 .