Commonwealth Consolidated Acts Commonwealth Consolidated Acts
1 Subsection 6(1)
Insert:
"APP code" has the meaning given by section 26C .
2 Subsection 6(1)
Insert:
"APP code developer" means:
(a) an APP entity; or
(b) a group of APP entities; or
(c) a body or association representing one or more APP entities.
3 Subsection 6(1) (definition of approved privacy code )
Repeal the definition.
4 Subsection 6(1) (definition of code complaint )
Omit "an approved privacy code", substitute "a registered APP code".
5 Subsection 6(1) (definition of Code of Conduct )
Repeal the definition.
6 Subsection 6(1)
Insert:
"Codes Register" has the meaning given by subsection 26U (1).
7 Subsection 6(1)
Insert:
"CR code" has the meaning given by section 26N .
8 Subsection 6(1)
Insert:
"CR code developer" means:
(a) an entity that is subject to Part IIIA; or
(b) a group of entities that are subject to Part IIIA; or
(c) a body or association representing one or more entities that are subject to Part IIIA.
9 Subsection 6(1) (definition of credit provider )
After "III,", insert "IIIB,".
10 Subsection 6(1) ( paragraph ( a) of the definition of credit reporting complaint )
Omit "the Code of Conduct", substitute "the registered CR code".
11 Subsection 6(1) (definition of credit reporting infringement )
Repeal the definition.
12 Subsection 6(1) (definition of privacy code )
Repeal the definition.
13 Subsection 6(1)
Insert:
"registered APP code" has the meaning given by section 26B .
14 Subsection 6(1)
Insert:
"registered CR code" has the meaning given by section 26M .
15 Subsection 6(3A)
Repeal the subsection.
16 At the end of subsection 6(7)
Add:
; or (g) being both an APP complaint and a code complaint.
17 Section 6B (heading)
Repeal the heading, substitute:
6B Breach of a registered APP code
18 Subsections 6B(1), (2), (3) and (4)
Omit "an approved privacy code", substitute "a registered APP code".
19 After section 6B
Insert:
6BA Breach of the registered CR code
For the purposes of this Act, an act or practice breaches the registered CR code if, and only if, it is contrary to, or inconsistent with, the code.
20 Subsection 7(2)
Omit "an approved privacy code", substitute "a registered APP code".
21 Subsection 7B(2) (note)
Omit "or a binding approved privacy code", substitute ", or a registered APP code that binds the organisation,".
22 Subsection 13B(1) (note)
Omit "or a binding approved privacy code", substitute "and a registered APP code that binds them".
23 Subsection 13B(1) ( paragraph ( b) of the note)
Omit "or a corresponding provision in a binding approved privacy code".
24 Subsection 13B(1A) (note)
Omit "a binding approved privacy code", substitute "a registered APP code that binds the body".
25 Subsection 13C(1) (note)
Omit "or a binding approved privacy code", substitute "and a registered APP code that binds them".
26 Subsection 13C(1) (note)
Omit "or a corresponding provision in a binding approved privacy code".
27 Division 5 of Part III
Repeal the Division.
28 Part IIIAA
Repeal the Part.
29 Before Part IV
Insert:
This Part deals with privacy codes.
Division 2 deals with codes of practice about information privacy, called APP codes. APP code developers or the Commissioner may develop APP codes, which:
(a) must set out how one or more of the Australian Privacy Principles are to be applied or complied with; and
(b) may impose additional requirements to those imposed by the Australian Privacy Principles; and
(c) may deal with other specified matters.
If the Commissioner includes an APP code on the Codes Register, an APP entity bound by the code must not breach it. A breach of a registered APP code is an interference with the privacy of an individual.
Division 3 deals with a code of practice about credit reporting, called a CR code. CR code developers or the Commissioner may develop a CR code, which:
(a) must set out how one or more of the provisions of Part IIIA are to be applied or complied with; and
(b) must deal with matters required or permitted by Part IIIA to be provided for by the registered CR code; and
(c) may deal with other specified matters.
If the Commissioner includes a CR code on the Codes Register, an entity bound by the code must not breach it. A breach of the registered CR code is an interference with the privacy of an individual.
Division 4 deals with the Codes Register, guidelines relating to codes and the review of the operation of registered codes.
Division 2 -- Registered APP codes
Subdivision A -- Compliance with registered APP codes etc.
26A APP entities to comply with binding registered APP codes
An APP entity must not do an act, or engage in a practice, that breaches a registered APP code that binds the entity.
26B What is a registered APP code
(1) A registered APP code is an APP code:
(a) that is included on the Codes Register; and
(b) that is in force.
(2) A registered APP code is a legislative instrument.
(3) Despite subsection 12(2) of the Legislative Instruments Act 2003 , a registered APP code may be expressed to take effect before the date it is registered under that Act.
Note: An APP code cannot come into force before it is included on the Codes Register: see paragraph 26C (2)(c).
(1) An APP code is a written code of practice about information privacy.
(2) An APP code must:
(a) set out how one or more of the Australian Privacy Principles are to be applied or complied with; and
(b) specify the APP entities that are bound by the code, or a way of determining the APP entities that are bound by the code; and
(c) set out the period during which the code is in force (which must not start before the day the code is registered under section 26H ).
(3) An APP code may do one or more of the following:
(a) impose additional requirements to those imposed by one or more of the Australian Privacy Principles, so long as the additional requirements are not contrary to, or inconsistent with, those principles;
(b) cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3);
(c) deal with the internal handling of complaints;
(d) provide for the reporting to the Commissioner about complaints;
(e) deal with any other relevant matters.
(4) An APP code may be expressed to apply to any one or more of the following:
(a) all personal information or a specified type of personal information;
(b) a specified activity, or a specified class of activities, of an APP entity;
(c) a specified industry sector or profession, or a specified class of industry sectors or professions;
(d) APP entities that use technology of a specified kind.
(5) An APP code is not a legislative instrument.
26D Extension of Act to exempt acts or practices covered by registered APP codes
If a registered APP code covers an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3), this Act applies in relation to the code as if that act or practice were not exempt.
Subdivision B -- Development and registration of APP codes
26E Development of APP codes by APP code developers
Own initiative
(1) An APP code developer may develop an APP code.
At the Commissioner's request
(2) The Commissioner may, in writing, request an APP code developer to develop an APP code, and apply to the Commissioner for the code to be registered, if the Commissioner is satisfied it is in the public interest for the code to be developed.
(3) The request must:
(a) specify the period within which the request must be complied with; and
(b) set out the effect of section 26A .
(4) The period:
(a) must run for at least 120 days from the date the request is made; and
(b) may be extended by the Commissioner.
(5) The request may:
(a) specify one or more matters that the APP code must deal with; and
(b) specify the APP entities, or a class of APP entities, that should be bound by the code.
(6) Despite paragraph ( 5)(a), the Commissioner must not require an APP code to cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3). However, the APP code that is developed by the APP code developer may cover such an act or practice.
(7) The Commissioner must make a copy of the request publicly available as soon as practicable after the request is made.
26F Application for registration of APP codes
(1) If an APP code developer develops an APP code, the developer may apply to the Commissioner for registration of the code.
(2) Before making the application, the APP code developer must:
(a) make a draft of the APP code publicly available; and
(b) invite the public to make submissions to the developer about the draft within a specified period (which must run for at least 28 days); and
(c) give consideration to any submissions made within the specified period.
(3) The application must:
(a) be made in the form and manner specified by the Commissioner; and
(b) be accompanied by such information as is specified by the Commissioner.
(4) The APP code developer may vary the APP code at any time before the Commissioner registers the code, but only with the consent of the Commissioner.
26G Development of APP codes by the Commissioner
(1) This section applies if the Commissioner made a request under subsection 26E (2) and either:
(a) the request has not been complied with; or
(b) the request has been complied with but the Commissioner has decided not to register, under section 26H , the APP code that was developed as requested.
(2) The Commissioner may develop an APP code if the Commissioner is satisfied that it is in public interest to develop the code. However, despite subsection 26C (3)(b), the APP code must not cover an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).
(3) Before registering the APP code under section 26H , the Commissioner must:
(a) make a draft of the code publicly available; and
(b) invite the public to make submissions to the Commissioner about the draft within a specified period (which must run for at least 28 days); and
(c) give consideration to any submissions made within the specified period.
26H Commissioner may register APP codes
(1) If:
(a) an application for registration of an APP code is made under section 26F ; or
(b) the Commissioner develops an APP code under section 26G ;
the Commissioner may register the code by including it on the Codes Register.
(2) In deciding whether to register the APP code, the Commissioner may:
(a) consult any person the Commissioner considers appropriate; and
(b) consider the matters specified in any relevant guidelines made under section 26V .
(3) If the Commissioner decides not to register an APP code developed by an APP code developer, the Commissioner must give written notice of the decision to the developer, including reasons for the decision.
Subdivision C -- Variation and removal of registered APP codes
26J Variation of registered APP codes
(1) The Commissioner may, in writing, approve a variation of a registered APP code:
(a) on his or her own initiative; or
(b) on application by an APP entity that is bound by the code; or
(c) on application by a body or association representing one or more APP entities that are bound by the code.
(2) An application under paragraph ( 1)(b) or (c) must:
(a) be made in the form and manner specified by the Commissioner; and
(b) be accompanied by such information as is specified by the Commissioner.
(3) If the Commissioner varies a registered APP code on his or her own initiative, then, despite subsection 26C (3)(b), the variation must not deal with an act or practice that is exempt within the meaning of subsection 7B(1), (2) or (3).
(4) Before deciding whether to approve a variation, the Commissioner must:
(a) make a draft of the variation publicly available; and
(b) consult any person the Commissioner considers appropriate about the variation; and
(c) consider the extent to which members of the public have been given an opportunity to comment on the variation.
(5) In deciding whether to approve a variation, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V .
(6) If the Commissioner approves a variation of a registered APP code (the original code ), the Commissioner must:
(a) remove the original code from the Codes Register; and
(b) register the APP code, as varied, by including it on the Register.
(7) If the Commissioner approves a variation, the variation comes into effect on the day specified in the approval, which must not be before the day on which the APP code, as varied, is included on the Codes Register.
(8) An approval is not a legislative instrument.
Note: The APP code, as varied, is a legislative instrument once it is included on the Codes Register: see section 26B .
26K Removal of registered APP codes
(1) The Commissioner may remove a registered APP code from the Codes Register:
(a) on his or her own initiative; or
(b) on application by an APP entity that is bound by the code; or
(c) on application by a body or association representing one or more APP entities that are bound by the code.
(2) An application under paragraph ( 1)(b) or (c) must:
(a) be made in the form and manner specified by the Commissioner; and
(b) be accompanied by such information as is specified by the Commissioner.
(3) Before deciding whether to remove the registered APP code, the Commissioner must:
(a) consult any person the Commissioner considers appropriate about the proposed removal; and
(b) consider the extent to which members of the public have been given an opportunity to comment on the proposed removal.
(4) In deciding whether to remove the registered APP code, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V .
Division 3 -- Registered CR code
Subdivision A -- Compliance with the registered CR code
26L Entities to comply with the registered CR code if bound by the code
If an entity is bound by the registered CR code, the entity must not do an act, or engage in a practice, that breaches the code.
Note: There must always be one, and only one, registered CR code at all times after this Part commences: see subsection 26S (4).
26M What is the registered CR code
(1) The registered CR code is the CR code that is included on the Codes Register.
(2) The registered CR code is a legislative instrument.
(3) Despite subsection 12(2) of the Legislative Instruments Act 2003 , the registered CR code may be expressed to take effect before the date it is registered under that Act.
(1) A CR code is a written code of practice about credit reporting.
(2) A CR code must:
(a) set out how one or more of the provisions of Part IIIA are to be applied or complied with; and
(b) make provision for, or in relation to, matters required or permitted by Part IIIA to be provided for by the registered CR code; and
(c) bind all credit reporting bodies; and
(d) specify the credit providers that are bound by the code, or a way of determining which credit providers are bound; and
(e) specify any other entities subject to Part IIIA that are bound by the code, or a way of determining which of those entities are bound.
(3) A CR code may do one or more of the following:
(a) impose additional requirements to those imposed by Part IIIA, so long as the additional requirements are not contrary to, or inconsistent with, that Part;
(b) deal with the internal handling of complaints;
(c) provide for the reporting to the Commissioner about complaints;
(d) deal with any other relevant matters.
(4) A CR code may be expressed to apply differently in relation to:
(a) classes of entities that are subject to Part IIIA; and
(b) specified classes of credit information, credit reporting information or credit eligibility information; and
(c) specified classes of activities of entities that are subject to Part IIIA.
(5) A CR code is not a legislative instrument.
Subdivision B -- Development and registration of CR code
26P Development of CR code by CR code developers
(1) The Commissioner may, in writing, request a CR code developer to develop a CR code and apply to the Commissioner for the code to be registered.
(2) The request must:
(a) specify the period within which the request must be complied with; and
(b) set out the effect of section 26L .
(3) The period:
(a) must run for at least 120 days from the date the request is made; and
(b) may be extended by the Commissioner.
(4) The request may:
(a) specify one or more matters that the CR code must deal with; and
(b) specify the credit providers, or a class of credit providers, that should be bound by the code; and
(c) specify the other entities, or a class of other entities, subject to Part IIIA that should be bound by the code.
(5) The Commissioner must make a copy of the request publicly available as soon as practicable after the request is made.
26Q Application for registration of CR code
(1) If a CR code developer develops a CR code, the developer may apply to the Commissioner for registration of the code.
(2) Before making the application, the CR code developer must:
(a) make a draft of the CR code publicly available; and
(b) invite the public to make submissions to the developer about the draft within a specified period (which must run for at least 28 days); and
(c) give consideration to any submissions made within the specified period.
(3) The application must:
(a) be made in the form and manner specified by the Commissioner; and
(b) be accompanied by such information as is specified by the Commissioner.
(4) The CR code developer may vary the CR code at any time before the Commissioner registers the code, but only with the consent of the Commissioner.
26R Development of CR code by the Commissioner
(1) The Commissioner may develop a CR code if the Commissioner made a request under section 26P and either:
(a) the request has not been complied with; or
(b) the request has been complied with but the Commissioner has decided not to register, under section 26S , the CR code that was developed as requested.
(2) Before registering the CR code under section 26S , the Commissioner must:
(a) make a draft of the code publicly available; and
(b) invite the public to make submissions to the Commissioner about the draft within a specified period (which must run for at least 28 days); and
(c) give consideration to any submissions made within the specified period.
26S Commissioner may register CR code
(1) If:
(a) an application for registration of a CR code is made under section 26Q ; or
(b) the Commissioner develops a CR code under section 26R ;
the Commissioner may register the code by including it on the Codes Register.
(2) In deciding whether to register the CR code, the Commissioner may:
(a) consult any person the Commissioner considers appropriate; and
(b) consider the matters specified in any guidelines made under section 26V .
(3) If the Commissioner decides not to register a CR code developed by a CR code developer, the Commissioner must give written notice of the decision to the developer, including reasons for the decision.
(4) The Commissioner must ensure that there is one, and only one, registered CR code at all times after this Part commences.
Subdivision C -- Variation of the registered CR code
26T Variation of the registered CR code
(1) The Commissioner may, in writing, approve a variation of the registered CR code:
(a) on his or her own initiative; or
(b) on application by an entity that is bound by the code; or
(c) on application by a body or association representing one or more of the entities that are bound by the code.
(2) An application under paragraph ( 1)(b) or (c) must:
(a) be made in the form and manner specified by the Commissioner; and
(b) be accompanied by such information as is specified by the Commissioner.
(3) Before deciding whether to approve a variation, the Commissioner must:
(a) make a draft of the variation publicly available; and
(b) consult any person the Commissioner considers appropriate about the variation; and
(c) consider the extent to which members of the public have been given an opportunity to comment on the variation.
(4) In deciding whether to approve a variation, the Commissioner may consider the matters specified in any relevant guidelines made under section 26V .
(5) If the Commissioner approves a variation of the registered CR code (the original code ), the Commissioner must:
(a) remove the original code from the Codes Register; and
(b) register the CR code, as varied, by including it on the Register.
(6) If the Commissioner approves a variation, the variation comes into effect on the day specified in the approval, which must not be before the day on which the CR code, as varied, is included on the Codes Register.
(7) An approval is not a legislative instrument.
Note: The CR code, as varied, is a legislative instrument once it is included on the Codes Register: see section 26M .
(1) The Commissioner must keep a register (the Codes Register ) which includes:
(a) the APP codes the Commissioner has decided to register under section 26H ; and
(b) the APP codes the Commissioner must register under section 26J ; and
(c) the CR code the Commissioner has decided to register under section 26S ; and
(d) the CR code the Commissioner must register under section 26T .
(2) Despite subsection ( 1), the Commissioner is not required to include on the Codes Register:
(a) an APP code removed from the Register under section 26J or 26K ; or
(b) the CR code removed from the Register under section 26T .
(3) The Commissioner must make the Codes Register available on the Commissioner's website.
(4) The Commissioner may charge fees for providing copies of, or extracts from, the Codes Register.
26V Guidelines relating to codes
(1) The Commissioner may make written guidelines:
(a) to assist APP code developers to develop APP codes; or
(b) to assist APP entities bound by registered APP codes to apply or comply with the codes; or
(c) to assist CR code developers to develop a CR code; or
(d) to assist entities bound by the registered CR code to apply or comply with the code.
(2) The Commissioner may make written guidelines about matters the Commissioner may consider in deciding whether:
(a) to register an APP code or a CR code; or
(b) to approve a variation of a registered APP code or the registered CR code; or
(c) to remove a registered APP code from the Codes Register.
(3) The Commissioner may publish any such guidelines on the Commissioner's website.
(4) Guidelines are not a legislative instrument.
26W Review of operation of registered codes
(1) The Commissioner may review the operation of a registered APP code.
Note: The review may inform a decision by the Commissioner to approve a variation of a registered APP code or to remove a registered APP code from the Codes Register.
(2) The Commissioner may review the operation of the registered CR code.
Note: The review may inform a decision by the Commissioner to approve a variation of the registered CR code.
30 Subsection 36(1)
Omit "Subject to subsection ( 1A), an", substitute "An".
31 Subsections 36(1A), (1B) and (1C)
Repeal the subsections.
32 Subsections 54(1A), 55A(7) and 55B(2)
Repeal the subsections.
33 Subsection 55B(3)
Omit "or (2)".
34 Subsection 55B(3)
Omit "or adjudicator".
35 Subsection 55B(4)
Omit "or (2)".
36 Subsection 64(1)
Omit "(1)".
37 Subsection 64(2)
Repeal the subsection.
38 Section 95C
Omit "an approved privacy code", substitute "a registered APP code".