(1) The NDLFRS hosting agreement is a written agreement that:
(a) is between the Department (representing the Commonwealth) and each authority that:
(i) is an authority of a State or Territory; and
(ii) meets the requirement in subsection (2); and
(iii) supplies or proposes to supply identification information to the Department for inclusion in a database in the NDLFRS; and
(b) deals with the NDLFRS and the collection, use and disclosure of identification information in a database in the NDLFRS; and
(c) meets the requirements in subsections (3), (4) and (5).
State and Territory parties must be subject to privacy obligations
(2) Each authority of a State or Territory that is party to the agreement must:
(a) be subject to a privacy law that:
(i) is a law of the State or Territory; and
(ii) is prescribed by the rules for the purposes of this subparagraph; or
(b) be one of the following to which the Privacy Act 1988 applies (with or without modifications) as if it were an organisation:
(i) a State or Territory authority (as defined in that Act);
(ii) an instrumentality of a State or Territory; or
(c) agree in the agreement to comply with the Australian Privacy Principles, with any modifications of subclauses 7.8 and 12.2 of those principles (about laws of the Commonwealth) specified in the agreement, as if the party were an APP entity.
Note: The Department, which is the other party to the agreement, is subject to the Privacy Act 1988.
Requirements on each State or Territory party
(3) The agreement must provide for each party that is an authority of a State or Territory:
(a) to take reasonable steps to inform each individual whose identification information is, or is to be, included in a database in the NDLFRS of that inclusion; and
(b) to provide each individual whose identification information is included in a database in the NDLFRS with means of:
(i) finding out what that information is; and
(ii) having any errors in that information corrected in the database; and
(c) to inform each such individual and the Department of any data breaches that:
(i) involve identification information that relates to the individual and the NDLFRS; and
(ii) are reasonably likely to result in serious harm to the individual; and
(d) to provide means for dealing with complaints by individuals relating to the NDLFRS and identification information that relates to them that is included in a database in the NDLFRS; and
(e) to report annually to the Department on the party's compliance with the agreement.
Requirements on the Department
(4) The agreement must provide for the Department:
(a) to maintain the security of identification information included in a database in the NDLFRS, including by encrypting the information; and
(b) to inform the other parties to the agreement of any data breaches involving that information and the NDLFRS; and
(c) to inform the Information Commissioner of any data breaches that:
(i) involve that information and the NDLFRS; and
(ii) are reasonably likely to result in serious harm to an individual to whom that information relates.
Note: For paragraph (4)(a), see also paragraph 25(a).
Requirement relating to compliance
(5) The agreement must provide for suspension or termination of the ability of a party to the agreement to request identity verification services involving the NDLFRS if the party does not comply with the agreement.
Timing and nature of agreement
(6) To avoid doubt:
(a) an agreement may be the NDLFRS hosting agreement whether it was made before, on or after the commencement of this section; and
(b) paragraph (1)(c) and subsections (3), (4) and (5) do not limit the matters the agreement may deal with.