This is a Bill, not an Act. For current law, see the Acts databases.
Western Australia

Privacy and Responsible Information Sharing Bill 2024

Contents

Part 1 -- Preliminary
1. Short title
2. Commencement
3. Objects
4. Terms used
5. References to information privacy principles
6. Public entities
7. Judicial bodies
8. State services contracts and contracted service providers
9. Principal officers
10. Disclosure by public entities and other IPP entities
11. De-identification and re-identification of information
12. Data sets, data analytics work, data linkage and data integration
13. Act binds Crown

Part 2 -- Privacy

Division 1 -- Key concepts and preliminary matters
14. IPP entities
15. Interferences with privacy
16. Automated decision-making processes and related concepts
17. Entities to which privacy obligations do not apply
18. Application of privacy obligations to judicial bodies

Division 2 -- Information privacy principles
19. Information privacy principles
20. IPP entities must comply with information privacy principles
21. Exception: personal, family or household affairs
22. Exception: publicly available information
23. Exception: law enforcement functions
24. Exception: emergency response functions
25. Exception: child protection functions
26. Exception: family violence
27. Exception: IPP entities to which IPP 6 does not apply

Division 3 -- Privacy codes of practice
28. Privacy code of practice
29. IPP entity may prepare and submit privacy code of practice or amendment
30. Commissioner may prepare privacy code of practice or amendment
31. Public consultation on privacy code of practice or amendment
32. Submission and approval of privacy code of practice or amendment
33. Effect of approved privacy code of practice
34. Revocation of approved privacy code of practice
35. Approved privacy code of practice or amendment is disallowable subsidiary legislation
36. Duration of approved privacy code of practice
37. Register of approved privacy codes of practice
38. Commissioner may review approved privacy code of practice

Division 4 -- Requests for access to and correction of personal information
39. Purpose of Division
40. Request for access under IPP 6.1 or approved privacy code of practice
41. Request for correction under IPP 6.5 or approved privacy code of practice
42. IPP entity to provide assistance in making request
43. Protection from liability for providing access to information
44. Certain applications under Freedom of Information Act 1992 taken to be requests under IPP 6 or approved privacy code of practice

Division 5 -- Public interest determinations and temporary public interest determinations

Subdivision 1 -- Public interest determinations
45. Public interest determination
46. Application for public interest determination
47. Procedure to be followed on application for public interest determination
48. Reporting on and review of determination

Subdivision 2 -- Temporary public interest determinations
49. Temporary public interest determination
50. Application for temporary public interest determination
51. Procedure to be followed on application for temporary public interest determination
52. Extension of temporary public interest determination

Subdivision 3 -- General provisions about public interest determinations and temporary public interest determinations
53. Effect of determination
54. Revocation of determination
55. Determination is disallowable subsidiary legislation and statement of reasons required
56. Duration of determination

Division 6 -- Notifiable information breaches

Subdivision 1 -- Preliminary
57. Notifiable information breaches
58. Affected individuals in relation to notifiable information breaches
59. Whether serious harm is likely to result from access, disclosure or loss
60. Notifiable information breach determinations

Subdivision 2 -- Assessment, containment and mitigation
61. Assessment, containment and mitigation

Subdivision 3 -- Notification
62. Notification to Commissioner
63. Notification to affected individuals
64. Exception: notifiable information breach relating to more than 1 IPP entity
65. Exception: law enforcement agencies
66. Exception: inconsistency with secrecy provisions
67. Exception: threat to life, health, safety or welfare
68. Exception: adverse effect on information security
69. Notice to Commissioner if exception relied on
70. Commissioner may grant extension or exemption

Subdivision 4 -- Directions by Commissioner
71. Direction about suspected notifiable information breach
72. Provisions about directions under s. 71

Subdivision 5 -- Policy, register and reporting
73. Public entity must prepare information breach policy
74. Register of notifiable information breaches
75. Annual report to include information about notifiable information breaches

Division 7 -- Personal information in public registers
76. Disclosure of personal information in public registers
77. Removal of personal information affecting individual's safety or wellbeing
78. Interaction with written laws establishing public registers

Division 8 -- Privacy impact assessments
79. Privacy impact assessment relating to high privacy impact function or activity
80. Commissioner may direct privacy impact assessment
81. Guidelines about significant impact on privacy

Division 9 -- Privacy complaints

Subdivision 1 -- Making a privacy complaint
82. Individual may complain about interference with privacy
83. Complaint on behalf of 2 or more individuals
84. Complaint by or on behalf of child
85. Complaint on behalf of individual with disability
86. Matter referred by Ombudsman may be treated as privacy complaint
87. Complaint referred by Health and Disability Complaints Office Director may be treated as privacy complaint

Subdivision 2 -- Procedure after complaint is made
88. Notice of complaint
89. Withdrawal of complaint
90. Commissioner may decline to deal with complaint
91. Commissioner may decline to continue dealing with complaint
92. Commissioner may deal with complaint under Freedom of Information Act 1992
93. Commissioner may refer complaint to other authority

Subdivision 3 -- Parties may resolve complaint
94. Parties may resolve complaint

Subdivision 4 -- Conciliation of complaints
95. Commissioner must attempt to resolve complaint by conciliation
96. Procedure for conciliation
97. Representation in conciliation process
98. Conciliation agreement
99. Notice of complaint that cannot be resolved by conciliation
100. Statements made in conciliation protected

Subdivision 5 -- Dealing with complaint not resolved by conciliation
101. Commissioner may deal with complaint not resolved by conciliation
102. General matters about dealing with complaints
103. Referral of question of law to Supreme Court
104. Determination of complaint
105. Review of determination

Division 10 -- Investigations and enforcement

Subdivision 1 -- Investigations of acts or practices that may be interferences with privacy
106. Commissioner may investigate act or practice that may be interference with privacy
107. Determination following investigation
108. Review of determination
109. Reports

Subdivision 2 -- Monitoring and assessment of compliance
110. Commissioner may monitor or conduct assessment of compliance
111. Reports

Subdivision 3 -- Notices to produce or attend
112. Purposes for exercise of powers
113. Notice to produce or attend
114. Contents of notice to produce or attend
115. Variation or withdrawal of notice to produce or attend
116. Powers of Commissioner in relation to persons attending and documents
117. Failure to comply with notice to produce or attend

Subdivision 4 -- Powers of entry, observation and inspection for notifiable information breach compliance purposes
118. Purposes for exercise of powers
119. Powers of entry, observation and inspection for notifiable information breach compliance purposes
120. Authorised officers
121. Identity cards

Subdivision 5 -- Compliance notices
122. Issue of compliance notice
123. IPP entity must comply with compliance notice
124. Review of decision to issue compliance notice

Subdivision 6 -- Enforcement of orders made by Commissioner
125. Enforcement of orders requiring payment of compensation
126. Enforcement of other orders
127. Deferral of enforcement until review proceedings concluded

Division 11 -- Contracted service providers
128. Purpose of Division
129. State services contract may provide for application of privacy obligations
130. Application of information privacy principles and approved privacy codes of practice to contracted service providers
131. Privacy codes of practice or amendments submitted by contracted service providers
132. Requests for access and correction made to contracted service providers
133. Public interest determinations and temporary public interest determinations applying to contracted service providers
134. Application of notifiable information breach obligations to contracted service providers
135. Directions about suspected notifiable information breaches given to contracted service providers
136. Details of information breaches affecting contracted service providers to be included in register and report
137. Privacy impact assessments by contracted service providers
138. Directions about privacy impact assessments given to contracted service providers
139. Notices relating to privacy complaints or investigations about contracted service providers
140. Enforcement action may be taken against outsourcing entity in some circumstances

Division 12 -- Administration

Subdivision 1 -- Functions under this Act of Information Commissioner and Privacy Deputy Commissioner
141. Functions of Information Commissioner and Privacy Deputy Commissioner under this Act
142. Performance of privacy functions
143. Certain functions cannot be delegated
144. Information Commissioner and Privacy Deputy Commissioner must have regard to objects of Act in performing functions
145. Information Commissioner and Privacy Deputy Commissioner may request IPP entity to provide assistance

Subdivision 2 -- Reporting
146. Matters to be included in annual report to Parliament
147. Special reports to Parliament

Subdivision 3 -- Guidelines, documents and notices
148. Privacy guidelines
149. Making documents publicly available
150. Notices of decisions or determinations

Division 13 -- General
151. Privacy officers of public entities
152. Nature of privacy rights created by this Act
153. Interaction with other laws
154. Exercise of powers relating to consent and access by authorised representative of individual
155. Review of privacy provisions of Act

Part 3 -- Responsible information sharing

Division 1 -- Key concepts and preliminary matters
156. Special information sharing entities and external entities
157. Government information
158. Exempt information
159. Permitted purposes for sharing of information

Division 2 -- Information sharing requests
160. Information sharing request
161. Response to information sharing request
162. No obligation to disclose requested information

Division 3 -- Information sharing directions
163. Responsible Minister for public entity may direct sharing of information
164. Notice of direction must be laid before Houses of Parliament
165. Revocation of direction
166. Requirement to comply with direction
167. Division has effect subject to laws restricting Ministerial direction

Division 4 -- Information sharing agreements

Subdivision 1 -- Entry into and contents of information sharing agreement
168. Information sharing agreement
169. Entering into information sharing agreement
170. Matters to be included in information sharing agreement
171. Other matters to be included in information sharing agreement
172. Information sharing agreement may provide for limited further disclosure
173. Other matters that may be dealt with in information sharing agreement
174. Activities under information sharing agreement may include data analytics work, data integration and data linkage

Subdivision 2 -- Assessments to be conducted before entering into information sharing agreement
175. Assessment of responsible sharing principles
176. Privacy impact assessment
177. Aboriginal information assessment

Subdivision 3 -- Other provisions about information sharing agreements
178. Duration of information sharing agreement
179. Variation of information sharing agreement
180. Withdrawal from and termination of information sharing agreement
181. Enforcement of information sharing agreement
182. Notification of Chief Data Officer
183. Register of information sharing agreements

Division 5 -- Authorisations to share information and related matters
184. Authorisation to disclose information under information sharing agreement
185. Authorisation to collect, hold, manage and use information under information sharing agreement
186. Authorisation to further disclose information disclosed under information sharing agreement in certain circumstances
187. Authorisations override secrecy provisions
188. Protection from liability for authorised information sharing
189. Offences for unauthorised further disclosure or use of information
190. Regulations may prescribe safeguards

Division 6 -- Information breaches involving shared information
191. Shared information breaches
192. Assessment, containment, mitigation and notification to provider
193. Notification to Chief Data Officer
194. Certain shared information breaches to be dealt with as notifiable information breaches
195. Agreements that have ceased to be in force

Division 7 -- Information holdings requests
196. Information holdings request
197. Response to information holdings request

Division 8 -- Administration

Subdivision 1 -- Chief Data Officer
198. Chief Data Officer
199. Chief Data Officer is separate public entity for information sharing purposes
200. Functions of Chief Data Officer
201. Power to issue guidelines
202. Consultation on guidelines
203. Chief Data Officer must have regard to objects of Act

Subdivision 2 -- Privacy and Responsible Information Sharing Advisory Committee
204. Privacy and Responsible Information Sharing Advisory Committee
205. Functions of Privacy and Responsible Information Sharing Advisory Committee
206. Regulations about Privacy and Responsible Information Sharing Advisory Committee

Subdivision 3 -- Delegation and secrecy
207. Delegation by Chief Data Officer
208. Secrecy and authorised disclosure and use of information

Subdivision 4 -- Making documents publicly available
209. Making documents publicly available

Division 9 -- General
210. Information sharing officers of public entities
211. Matters to be included in annual report
212. Interaction with other laws
213. Application of Freedom of Information Act 1992 to shared information
214. Review of information sharing provisions of Act

Part 4 -- Miscellaneous
215. False or misleading information
216. Acts and practices of public entities and other IPP entities
217. States of mind of public entities and other IPP entities
218. Protection from personal liability
219. Giving documents
220. Laying documents before House of Parliament not sitting
221. General provisions about guidelines
222. Regulations

Part 5 -- Transitional provisions
223. Application of information privacy principles
224. Application of approved privacy codes of practice
225. Notifiable information breach may involve personal information collected before commencement day
226. Public register obligations apply to personal information collected before commencement day
227. Privacy impact assessments not required for functions or activities performed before commencement day
228. State services contracts entered into before commencement day
229. Transitional regulations

Part 6 -- Other Acts amended

Division 1 -- Education and Care Services National Law (WA) Act 2012 amended
230. Act amended
231. Section 5 amended

Division 2 -- Freedom of Information Act 1992 amended
232. Act amended
233. Section 23 amended
234. Section 32 amended
235. Section 45 amended
236. Section 67A inserted
  67A. Commissioner may deal with complaint under Privacy and Responsible Information Sharing Act 2024
237. Section 98 replaced
  98. Application on behalf of child or person with disability
  98A. Certain requests under Privacy and Responsible Information Sharing Act 2024 taken to be applications for access or amendment
238. Glossary clause 1 amended
239. Various references to personal information "about" an individual amended

Division 3 -- Government Trading Enterprises Act 2023 amended
240. Act amended
241. Section 86 amended

Division 4 -- Health Practitioner Regulation National Law Application Act 2024 amended
242. Act amended
243. Section 22 amended

Division 5 -- National Health Funding Pool Act 2012 amended
244. Act amended
245. Section 25 amended

Part 7 -- Amendment to this Act linked to commencement of Criminal Law (Mental Impairment) Act 2023
246. Act amended
247. Section 4 amended

Schedule 1 -- Information privacy principles
1. Principle 1: Collection
2. Principle 2: Use and disclosure
3. Principle 3: Information quality
4. Principle 4: Information security
5. Principle 5: Openness and transparency
6. Principle 6: Access and correction
7. Principle 7: Unique identifiers
8. Principle 8: Anonymity
9. Principle 9: Disclosures outside Australia
10. Principle 10: Automated decision-making
11. Principle 11: De-identified information

Schedule 2 -- Responsible sharing principles
1. Principle 1: Activities
2. Principle 2: Recipients
3. Principle 3: Information
4. Principle 4: Settings
5. Principle 5: Outputs

Defined terms

Western Australia

LEGISLATIVE ASSEMBLY

Privacy and Responsible Information Sharing Bill 2024

A Bill for

An Act --
• to provide a framework to protect the privacy of personal information handled by public entities, Ministers, Parliamentary Secretaries and contracted service providers to public entities; and
• to provide a framework to authorise the responsible sharing of information held by public entities; and
• to establish the office of Chief Data Officer; and
• to amend the Freedom of Information Act 1992; and
• to make consequential amendments to other Acts; and
• for related purposes.

The Parliament of Western Australia enacts as follows:

Part 1 -- Preliminary

1. Short title

This is the Privacy and Responsible Information Sharing Act 2024.

2. Commencement

This Act comes into operation as follows --
  (a) Part 1 -- on the day on which this Act receives the Royal Assent;
  (b) Part 7 --
    (i) if the Criminal Law (Mental Impairment) Act 2023 section 156 comes into operation on or before the day on which Part 1 of this Act comes into operation under paragraph (a) -- immediately after Part 1 of this Act comes into operation; or
    (ii) otherwise -- on the day on which the Criminal Law (Mental Impairment) Act 2023 section 156 comes into operation;
  (c) the rest of the Act -- on a day fixed by proclamation, and different days may be fixed for different provisions.

3. Objects

The objects of this Act are as follows --
  (a) to promote responsible and transparent practices for handling personal information by IPP entities;
  (b) to balance the public interest in protecting the privacy of personal information handled by IPP entities with the public interest in the free flow of information;
  (c) to provide a means for individuals to complain about alleged interferences with their privacy;
  (d) to promote responsible information security practices by IPP entities;
  (e) to promote the responsible handling of information held by public entities as a public resource that supports government policy, programs and services;
  (f) to facilitate the responsible collection, use and disclosure for permitted purposes of information held by public entities;
  (g) to remove barriers that unnecessarily impede the responsible sharing of information held by public entities;
  (h) to provide protections in connection with the sharing of information under this Act, including by --
    (i) specifying the purposes for which, and the circumstances in which, information sharing is permitted or required; and
    (ii) ensuring that information shared under this Act is protected from unauthorised use or disclosure.

4. Terms used

In this Act --
Aboriginal community controlled organisation means an organisation described in clause 44 of the "National Agreement on Closing the Gap" between the Coalition of Aboriginal and Torres Strait Islander Peak Organisations, the Commonwealth, the States, the Australian Capital Territory, the Northern Territory and the Australian Local Government Association dated July 2020;
Aboriginal information assessment has the meaning given in section 177(1);
Aboriginal information use plan has the meaning given in section 177(4);
act includes an omission;
affected individual --
  (a) in relation to a notifiable information breach, has the meaning given in section 58; or
  (b) in relation to a determination by the Information Commissioner under section 107, has the meaning given in section 107(1);
approved form means a form approved by the person to whom the form is permitted or required to be given under this Act;
approved privacy code of practice means a privacy code of practice approved by the Governor under section 32(3);
assessed notifiable information breach, in relation to an IPP entity, has the meaning given in section 61(3);
assessed shared information breach, in relation to a recipient under an information sharing agreement, has the meaning given in section 192(4);
Australian Information Commissioner means the person appointed as Australian Information Commissioner under the Australian Information Commissioner Act 2010 (Commonwealth) section 14(1);
authorised officer means a person designated as an authorised officer under section 120(1);
automated decision-making process has the meaning given in section 16(2);
automated system has the meaning given in section 16(1);
care leaver means a person who --
  (a) has reached 18 years of age; and
  (b) qualifies for assistance under the Children and Community Services Act 2004 section 96 for the purposes of Part 4 Division 6 of that Act;
Chief Data Officer means the Chief Data Officer appointed in accordance with section 198;
Chief Data Officer guidelines means guidelines issued under section 201, as in effect from time to time;
child means a person who is under 18 years of age;
child protection functions means functions that relate to --
  (a) the protection and care of children, unborn children and care leavers; or
  (b) promoting the wellbeing of children, unborn children and care leavers, including their --
    (i) care; and
    (ii) physical, emotional, psychological and educational development; and
    (iii) physical, emotional and psychological health; and
    (iv) safety;
collect, in relation to information --
  (a) means to obtain the information from any source or by any means; and
  (b) includes to infer the information from, or generate the information by the use or interpretation of, other information;
community policing functions, of the Police Force of Western Australia, includes the following --
  (a) undertaking missing persons investigations;
  (b) transferring individuals into the care or custody of another entity;
  (c) supporting victims of crime;
  (d) locating next of kin;
  (e) employing diversionary strategies;
  (f) coordinating operational response and dispatch;
  (g) other functions prescribed by the regulations;
compliance notice has the meaning given in section 122(1);
conciliator means a person nominated as a conciliator under section 96(1);
confidential or commercially sensitive information means --
  (a) information that is required to be kept confidential because of a contractual or equitable obligation; or
  (b) any other information the disclosure of which would prejudice any person's legitimate business, professional, commercial or financial interests;
consent means express consent or implied consent;
contracted service provider has the meaning given in section 8(2);
data analytics work has the meaning given in section 12(2);
data integration has the meaning given in section 12(4);
data linkage has the meaning given in section 12(3);
data set has the meaning given in section 12(1);
de-identified information has the meaning given in section 11(2);
de-identify, in relation to personal information, has the meaning given in section 11(1);
derived information has the meaning given in section 170(d)(iv);
disability has the meaning given in the Disability Services Act 1993 section 3;
disclose has a meaning affected by section 10;
electronic means includes --
  (a) an electronic database or document system; and
  (b) any other means by which a document can be given or accessed electronically;
emergency response functions means functions that relate to responding to an emergency, including by combating its effects, providing emergency assistance to persons affected and reducing resulting damage;
exempt information has the meaning given in section 158;
external entity has the meaning given in section 156(2);
family violence has the meaning given in the Restraining Orders Act 1997 section 5A(1);
government information, in relation to a public entity, has the meaning given in section 157;
handle, in relation to information, means to collect, hold, manage, use or disclose the information;
Health and Disability Services Complaints Office Director means the Director as defined in the Health and Disability Services (Complaints) Act 1995 section 3(1);
health information means --
  (a) personal information that relates to --
    (i) the health (at any time) of an individual; or
    (ii) the disability (at any time) of an individual; or
    (iii) an individual's expressed wishes about the future provision of health services to the individual; or
    (iv) a health service provided, or to be provided, to an individual;
  or
  (b) other personal information collected to provide, or in providing, a health service;
health service means any of the following --
  (a) a health service as defined in the Health Services Act 2016 section 7;
  (b) the supply or prescription of a medicine by a person registered under the Health Practitioner Regulation National Law (Western Australia);
  (c) the prescription, supply or administration of a voluntary assisted dying substance under the Voluntary Assisted Dying Act 2019;
  (d) a service or activity, provided in conjunction with a service or activity referred to in paragraph (a), (b) or (c), of a class prescribed by the regulations;
high privacy impact function or activity has the meaning given in section 79(1);
hold, in relation to information, means to have possession or control of the information, whether alone or jointly with others;
holding entity, in relation to an information sharing request, has the meaning given in section 160(3)(b);
information breach means --
  (a) unauthorised access to, or unauthorised disclosure of, information; or
  (b) loss of information;
Information Commissioner means the person appointed as Information Commissioner under the Information Commissioner Act 2024 section 5(2);
information holdings request has the meaning given in section 196(2);
information privacy principle (IPP) means an information privacy principle set out in Schedule 1;
information sharing agreement has the meaning given in section 168(1);
information sharing CEO means the chief executive officer of the information sharing Department;
information sharing Department means the department of the Public Service principally assisting in the administration of Part 3;
information sharing direction has the meaning given in section 163(1);
Information Sharing Minister means the Minister to whom the administration of Part 3 is from time to time committed by the Governor;
information sharing request has the meaning given in section 160(3)(a);
interference with the privacy, of an individual, has the meaning given in section 15;
IPP entity has the meaning given in section 14;
judicial body has the meaning given in section 7;
law enforcement agency means any of the following bodies or persons, including staff under the control of the body or person --
  (a) the Police Force of Western Australia; or
  (b) the Corruption and Crime Commission established under the Corruption, Crime and Misconduct Act 2003 section 8; or
  (c) the Parliamentary Inspector of the Corruption and Crime Commission appointed under the Corruption, Crime and Misconduct Act 2003 section 189; or
  (d) a commission established under a written law or a law of the Commonwealth, another State or a Territory that has the function of investigating criminal activity or a class of criminal activity; or
  (e) the Mentally Impaired Accused Review Board established under the Criminal Law (Mentally Impaired Accused) Act 1996 section 41; or
  (f) the Prisoners Review Board established under the Sentence Administration Act 2003 section 102; or
  (g) the Supervised Release Review Board established under the Young Offenders Act 1994 section 151; or
  (h) the department of the Public Service principally assisting in the administration of the Sentence Administration Act 2003 Part 8; or
  (i) the department of the Public Service principally assisting in the administration of the Police Act 1892; or
    (j) the Director of Public Prosecutions appointed under the Director of Public Prosecutions Act 1991 section 5; or
    (k) the Commissioner of State Revenue appointed in accordance with the Taxation Administration Act 2003 section 6; or
    (l) the sheriff referred to in the Supreme Court Act 1935 section 156; or
    (m) the Australian Crime Commission established by the Australian Crime Commission Act 2002 (Commonwealth) section 7; or
    (n) the Australian Federal Police; or
    (o) the police force of another State or a Territory; or
    (p) a public entity not covered by another paragraph of this definition that is responsible for the performance of functions related to --
        (i) the prevention, detection, investigation, prosecution or punishment of criminal offences or contraventions of a law that are subject to a penalty or sanction; or
        (ii) the management of property seized or restrained under a law relating to the confiscation of proceeds of crime; or
        (iii) the enforcement of a law, or of an order made under a law, relating to the confiscation of proceeds of crime; or
        (iv) the execution or implementation of orders made by a court or tribunal; or
        (v) the protection of public revenue;
    or
    (q) a body, or the holder of an office, prescribed by the regulations;
law enforcement functions, of a law enforcement agency --
    (a) means functions of the law enforcement agency that relate to --
        (i) the prevention, detection, investigation, prosecution or punishment of criminal offences or contraventions of a law that are subject to a penalty or sanction; or
        (ii) the management of property seized or restrained under a law relating to the confiscation of proceeds of crime; or
        (iii) the enforcement of a law, or of an order made under a law, relating to the confiscation of proceeds of crime; or
        (iv) the preparation for or conduct of proceedings in a court or tribunal; or
        (v) the execution or implementation of orders made by a court or tribunal; or
        (vi) the protection of public revenue;
    and
    (b) includes, in the case of the Police Force of Western Australia, community policing functions;
materially assisted, in relation to the making of a decision and an automated system, has the meaning given in section 16(3);
member of Commissioner staff means a member of staff as defined in the Information Commissioner Act 2024 section 3;
notice to produce or attend has the meaning given in section 113(1);
notifiable information breach has the meaning given in section 57;
officer, of a public entity or other IPP entity, includes --
    (a) the principal officer of the entity; and
    (b) a person employed in, by, or for the purposes of, the entity; and
    (c) if the entity is a body (whether incorporated or not) constituted by 2 or more persons -- any of those persons;
outsourcing entity has the meaning given in section 8(1);
Parliamentary Commissioner for Administrative Investigations means the Commissioner as defined in the Parliamentary Commissioner Act 1971 section 4;
Parliamentary Secretary means --
    (a) a Parliamentary Secretary appointed under the Constitution Acts Amendment Act 1899 section 44A(1); or
    (b) the Parliamentary Secretary of the Cabinet;
permitted purpose has the meaning given in section 159(1);
personal information --
    (a) means information or an opinion, whether true or not, and whether recorded in a material form or not, that relates to an individual, whether living or dead, whose identity is apparent or can reasonably be ascertained from the information or opinion; and
    (b) includes information of the following kinds to which paragraph (a) applies --
        (i) a name, date of birth or address;
        (ii) a unique identifier, online identifier or pseudonym;
        (iii) contact information;
        (iv) information that relates to an individual's location;
        (v) technical or behavioural information in relation to an individual's activities, preferences or identity;
        (vi) inferred information that relates to an individual, including predictions in relation to an individual's behaviour or preferences and profiles generated from aggregated information;
        (vii) information that relates to 1 or more features specific to the physical, physiological, genetic, mental, behavioural, economic, cultural or social identity of an individual;
Police Force of Western Australia means the Police Force of Western Australia provided for by the Police Act 1892;
principal officer, in relation to a public entity or other IPP entity, has the meaning given in section 9;
privacy code of practice has the meaning given in section 28(1);
privacy complaint means a complaint under section 82(1);
Privacy Deputy Commissioner means the person appointed as Privacy Deputy Commissioner under the Information Commissioner Act 2024 section 13(2);
privacy functions has the meaning given in section 142(1);
privacy guidelines means guidelines issued under section 148, as in effect from time to time;
privacy impact assessment means --
    (a) an assessment of a function or activity of an IPP entity conducted under section 79 or in compliance with a direction under section 80; or
    (b) an assessment of a relevant activity to be carried out under a proposed information sharing agreement conducted under section 176;
Privacy Minister means the Minister to whom the administration of Part 2 is from time to time committed by the Governor;
proposed provider, in relation to a proposed information sharing agreement, means a public entity that would be a provider under the agreement;
proposed recipient, in relation to a proposed information sharing agreement, means a public entity or external entity that would be a recipient under the agreement;
provider, in relation to an information sharing agreement, has the meaning given in section 168(2);
public entity has the meaning given in section 6;
public interest determination has the meaning given in section 45(1);
public register means a register or other document that --
    (a) is held by a public entity; and
    (b) contains information that a person was required or permitted to give to that public entity under a written law; and
    (c) is published, or available for inspection by members of the public (whether for a fee or charge or not), under a written law (other than as a result of a request for access under this Act or an application for access under the Freedom of Information Act 1992 Part 2);
recipient, in relation to an information sharing agreement, has the meaning given in section 168(3);
re-identify, in relation to de-identified information, has the meaning given in section 11(3);
relevant activity, in relation to an information sharing agreement, has the meaning given in section 168(1)(c);
requesting entity, in relation to an information sharing request, has the meaning given in section 160(3)(c);
respondent, in relation to a privacy complaint, has the meaning given in section 82(2)(b);
responsible Minister means --
    (a) in relation to a public entity that is a department as defined in the Public Sector Management Act 1994 section 3(1) -- the Minister responsible for the administration of the department; or
    (b) in relation to a public entity to which paragraph (a) does not apply --
        (i) for a public entity established or appointed under an enactment -- the Minister to whom the administration of the enactment is from time to time committed by the Governor; or
        (ii) for a public entity that is not established or appointed under an enactment -- the Minister to whom the administration of the public entity is from time to time committed by the Governor;
    or
    (c) in relation to a secrecy provision -- the Minister to whom the administration of the secrecy provision is from time to time committed by the Governor;
responsible sharing principle means a responsible sharing principle set out in Schedule 2;
secrecy provision means a provision of a written law that prohibits or regulates the handling of information;
senior executive officer has the meaning given in the Public Sector Management Act 1994 section 3(1);
senior officer, of a public entity or other IPP entity --
    (a) means an officer of the entity who has managerial responsibility; and
    (b) includes the principal officer of the entity;
sensitive Aboriginal family history information means information, including family history information, that --
    (a) relates to Aboriginal people and their ancestors; and
    (b) was collected in the period from 1898 until 1972 for the purposes of implementing laws, and government policies and practices, applying specifically to Aboriginal people;
sensitive Aboriginal traditional information means information that, according to Aboriginal tradition, should not be disclosed to individuals who are not the knowledge holders of that information;
sensitive personal information means personal information --
    (a) that relates to an individual's --
        (i) racial or ethnic origin; or
        (ii) gender identity, in a case where the individual's gender identity does not correspond with their designated sex at birth; or
        (iii) sexual orientation or practices; or
        (iv) political opinions; or
        (v) membership of a political association; or
        (vi) religious beliefs or affiliations; or
        (vii) philosophical beliefs; or
        (viii) membership of a professional or trade association; or
        (ix) membership of a trade union; or
        (x) criminal record;
    or
    (b) that is health information; or
    (c) that is genetic or genomic information (other than health information); or
    (d) that is biometric information; or
    (e) from which information of a kind referred to in any of paragraphs (a) to (d) can reasonably be inferred;
shared information, in relation to a shared information breach, has the meaning given in section 191(a);
shared information breach has the meaning given in section 191;
significant decision has the meaning given in section 16(4);
special information sharing entity has the meaning given in section 156(1);
State services contract has the meaning given in section 8(1);
temporary public interest determination has the meaning given in section 49(1);
unique identifier --
    (a) means a number or other identifier assigned by an entity to an individual to uniquely identify that individual for the purposes of the operations of the entity; but
    (b) does not include an identifier that consists only of the individual's name;
variation agreement has the meaning given in section 179(1).

5. References to information privacy principles
A reference in this Act to an IPP followed by a designation is a reference to the provision with that designation in Schedule 1.

6. Public entities
(1) A public entity is --
    (a) a department of the Public Service; or
    (b) an entity specified in the Public Sector Management Act 1994 Schedule 2 column 2; or
    (c) the Police Force of Western Australia; or
    (d) a local government, regional local government or regional subsidiary; or
    (e) a body, or the holder of an office, that is established for a public purpose under a written law; or
    (f) a body, or the holder of an office, that is established by the Governor or a Minister; or
    (g) a judicial body; or
    (h) any other body, or the holder of any other office, that is prescribed by the regulations to be a public entity, being --
        (i) a body or office that is established under a written law; or
        (ii) a corporation or association over which control can be exercised by the State, a Minister, a body referred to in paragraph (a), (b), (e) or (f) or subparagraph (i), or the holder of an office referred to in paragraph (f) or subparagraph (i).
(2) Despite subsection (1), each of the following is not a public entity --
    (a) the Governor or the Governor's establishment;
    (b) the Legislative Council or a member or committee of the Legislative Council;
    (c) the Legislative Assembly or a member or committee of the Legislative Assembly;
    (d) a joint committee or standing committee of the Legislative Council and the Legislative Assembly;
    (e) a Royal Commission or member of a Royal Commission;
    (f) a person holding an office established under a written law for the purposes of a body referred to in any of paragraphs (a) to (e).
(3) Except to the extent provided by section 199 and regulations made under subsection (4), a person is not a separate public entity for the purposes of this Act by reason of --
    (a) holding office as a member or other officer of a public entity; or
    (b) holding an office established for the purposes of a public entity.
(4) The regulations may provide that, for the purposes of this Act or specified provisions of this Act --
    (a) a specified body, or the holder of a specified office, is not a separate public entity but is part of a specified public entity; or
    (b) a specified body, or the holder of a specified office, is a separate public entity and is not part of another public entity.

7. Judicial bodies
(1) A judicial body is a court or tribunal established under a written law.
(2) A registry or other office of a judicial body, and the staff of such a registry or other office, are part of the judicial body.
(3) A person holding judicial or quasi-judicial office is not themselves, and is not part of, a judicial body or other public entity.

8.
State services contracts and contracted service providers
(1) A State services contract is a contract between a public entity (the outsourcing entity) and another person (other than a public entity) under which services are provided to the outsourcing entity or to other persons on behalf of the outsourcing entity.
(2) A contracted service provider is --
    (a) a party to a State services contract who provides services to or on behalf of an outsourcing entity under the contract; or
    (b) a person who is a subcontractor (whether direct or indirect) of a person referred to in paragraph (a) for the purposes of the State services contract.
Note for this subsection:
    Part 2 Division 11 provides for how Part 2 and the information privacy principles apply in relation to contracted service providers.

9. Principal officers
(1) The principal officer of a Minister or Parliamentary Secretary is the Minister or Parliamentary Secretary.
(2) The principal officer of a public entity is --
    (a) in relation to a department of the Public Service or an entity specified in the Public Sector Management Act 1994 Schedule 2 column 2 -- the chief executive officer or chief employee of the department or entity; or
    (b) in relation to the Police Force of Western Australia -- the Commissioner of Police; or
    (c) in relation to a local government -- the chief executive officer of the local government; or
    (d) in relation to a regional local government -- the chief executive officer of the regional local government; or
    (e) in relation to a regional subsidiary -- the person who manages the affairs of the regional subsidiary; or
    (f) in relation to any other public entity --
        (i) if the regulations prescribe a person to be the principal officer of the public entity -- that person; or
        (ii) otherwise -- the person determined under subsection (4).
(3) The principal officer of a contracted service provider is --
    (a) if the relevant State services contract designates a person with managerial responsibility in relation to the contracted service provider as the principal officer of the contracted service provider for the purposes of this Act -- that person; or
    (b) otherwise -- the person determined under subsection (4).
(4) For the purposes of subsection (2)(f)(ii) or (3)(b), the person is --
    (a) if the public entity or contracted service provider consists of 1 person (other than a body corporate) -- that person; or
    (b) if the public entity or contracted service provider is a body (whether incorporated or not) constituted by 2 or more persons -- the person entitled to preside at any meeting of the body at which the person is present; or
    (c) otherwise -- the person responsible for managing the affairs of the public entity or contracted service provider.

10. Disclosure by public entities and other IPP entities
A reference in this Act to a public entity or other IPP entity disclosing information --
    (a) includes a reference to the entity making the information publicly available; and
    (b) does not include a reference to the entity disclosing the information to the entity itself or to an officer of the entity.

11. De-identification and re-identification of information
(1) To de-identify personal information means to modify, or apply a process to, the information, with the result that the identity of an individual is not apparent, and cannot reasonably be ascertained, from the information.
(2) Information is de-identified information at a particular time if, at that time --
    (a) the information has been de-identified; and
    (b) the identity of an individual is not apparent, and cannot reasonably be ascertained, from the information.
(3) To re-identify de-identified information means to modify, or apply a process to, the information, with the result that the information again becomes personal information.

12.
Data sets, data analytics work, data linkage and data integration
(1) A data set is an organised collection of information in a form that is capable of being analysed or processed (whether by an individual or an automated system).
(2) Data analytics work --
    (a) is the examination and analysis of information for the purpose of drawing conclusions as a result of that examination and analysis; but
    (b) does not include data linkage or data integration.
(3) Data linkage is a process for --
    (a) detecting instances where separate records (whether within a single data set or different data sets) appear to relate to the same individual, family, place, event or matter; and
    (b) assigning an identifier (a data linkage key) to enable related records to be linked.
(4) Data integration is the combination or collation of information in 2 or more data sets, whether using data linkage keys or by another process.

13. Act binds Crown
This Act binds the Crown in right of Western Australia and, so far as the legislative power of the Parliament permits, the Crown in all its other capacities.

Part 2 -- Privacy

Division 1 -- Key concepts and preliminary matters

14. IPP entities
(1) An IPP entity is --
    (a) a Minister; or
    (b) a Parliamentary Secretary; or
    (c) a public entity; or
    (d) a contracted service provider.
(2) Subsection (1)(a) or (b) applies to a Minister or Parliamentary Secretary only in their capacity as a member of the Executive Government of the State in relation to a matter that is within their responsibilities as a Minister or Parliamentary Secretary and does not apply to that person in their capacity as a member of the Legislative Council or Legislative Assembly.

15.
Interferences with privacy
Each of the following is an interference with the privacy of an individual --
    (a) an act done, or practice engaged in, by an IPP entity in contravention of section 20(1) or 33(1)(a) in relation to personal information or de-identified information that relates to the individual;
    (b) a failure by an IPP entity to comply with section 61 in relation to a suspected notifiable information breach involving personal information that relates to the individual;
    (c) a failure by an IPP entity to comply with section 62 or 63 in relation to an assessed notifiable information breach involving personal information that relates to the individual;
    (d) a failure by an IPP entity to comply with section 72(1) in relation to a direction given in relation to a suspected notifiable information breach involving personal information that relates to the individual;
    (e) a failure by a public entity to comply with section 76 or 77(3) in relation to personal information that relates to the individual;
    (f) a failure by an IPP entity to comply with section 79 or 80(4) in relation to a function or activity involving the handling of personal information that relates to the individual.

16. Automated decision-making processes and related concepts
(1) An automated system is an automated electronic system, including a computer information-processing system or artificial intelligence system.
(2) An automated decision-making process is a process under which --
    (a) a decision is made by an automated system without the involvement of any individual; or
    (b) the making of a decision is materially assisted by an automated system.
(3) The making of a decision is materially assisted by an automated system if --
    (a) the decision is made by a person in reliance on a preliminary decision-making step (including a recommendation, assessment, conclusion or inference) made by an automated system; and
    (b) that preliminary decision-making step has a material bearing on the decision that is made.
(4) A significant decision is a decision that --
    (a) affects an individual's rights, entitlements, interests or liabilities; or
    (b) otherwise has a significant effect on an individual's life circumstances, opportunities, behaviour or wellbeing.
(5) Privacy guidelines may set out matters to be taken into account in determining whether --
    (a) the making of a decision is materially assisted by an automated system; or
    (b) a decision is a significant decision.
(6) An IPP entity must have regard to guidelines referred to in subsection (5) in determining whether IPP 10 applies in relation to a decision-making process of the IPP entity.

17. Entities to which privacy obligations do not apply
The obligations imposed by this Part and the information privacy principles do not apply to --
    (a) the Corruption and Crime Commission established under the Corruption, Crime and Misconduct Act 2003 section 8; or
    (b) the Parliamentary Inspector of the Corruption and Crime Commission appointed under the Corruption, Crime and Misconduct Act 2003 section 189; or
    (c) the Information Commissioner.

18. Application of privacy obligations to judicial bodies
The obligations imposed by this Part and the information privacy principles apply to an IPP entity that is a judicial body only in relation to the handling of information, or information that is held, in relation to matters of an administrative nature.

Division 2 -- Information privacy principles

19. Information privacy principles
The information privacy principles are set out in Schedule 1.

20. IPP entities must comply with information privacy principles
(1) An IPP entity must not do an act, or engage in a practice, that is contrary to, or inconsistent with, an information privacy principle.
(2) Subsection (1) applies subject to --
    (a) sections 21 to 27; and
    (b) if an approved privacy code of practice is in force in relation to the IPP entity -- section 33(1)(b); and
    (c) if a public interest determination or temporary public interest determination is in force in relation to the IPP entity -- section 53; and
    (d) if the IPP entity is a contracted service provider -- section 130.

21. Exception: personal, family or household affairs
The information privacy principles do not apply in relation to the handling of information by an individual, or to information held by an individual, only for the purposes of, or in connection with, the individual's personal, family or household affairs.

22.
Exception: publicly available information
(1) The information privacy principles do not apply to the handling of information contained in a document that is --
    (a) generally available to members of the public (whether for a fee or charge or not); or
    (b) published or available for inspection by members of the public (whether for a fee or charge or not) under a written law, other than as a result of a request for access under this Act or an application for access under the Freedom of Information Act 1992 Part 2; or
    (c) a State archive to which a person has a right to be given access under the State Records Act 2000 Part 6; or
    (d) publicly available library material held by an IPP entity for reference purposes; or
    (e) made or acquired by an art gallery, museum or library and preserved for public reference or exhibition purposes.
(2) The exception in subsection (1) does not apply in relation to the following information privacy principles --
    (a) IPP 6.5 and IPP 6.6;
    (b) IPP 6.7 and IPP 6.8, to the extent that those principles relate to correction of personal information.

23. Exception: law enforcement functions
An IPP entity that is a law enforcement agency is not required to comply with IPP 1.2, IPP 1.4, IPP 1.7, IPP 1.8, IPP 1.9, IPP 1.10, IPP 2, IPP 7, IPP 9 or IPP 11.2 if it believes on reasonable grounds that non-compliance is necessary for the purposes of its, or any other law enforcement agency's, law enforcement functions.

24. Exception: emergency response functions
An IPP entity is not required to comply with IPP 1.2, IPP 1.4, IPP 1.7, IPP 1.8, IPP 1.9, IPP 1.10, IPP 2, IPP 7, IPP 9 or IPP 11.2 if it believes on reasonable grounds that non-compliance is necessary for the purposes of its, or any other entity's, emergency response functions.

25.
Exception: child protection functions
An IPP entity is not required to comply with IPP 1.2, IPP 1.8 or IPP 1.10 if it believes on reasonable grounds that non-compliance is necessary for the purposes of its, or any other entity's, child protection functions.

26. Exception: family violence
An IPP entity is not required to comply with IPP 1.2, IPP 1.8 or IPP 1.10 in relation to the collection of personal information if --
    (a) the information relates to family violence or alleged family violence; and
    (b) the individual to whom the collected information relates is the perpetrator, or alleged perpetrator, of the family violence.

27. Exception: IPP entities to which IPP 6 does not apply
IPP 6 does not apply to --
    (a) an IPP entity that is an agency as defined in the Freedom of Information Act 1992 Glossary clause 1 (whether or not the IPP entity is an exempt agency as defined in that clause); or
    (b) a Parliamentary Secretary.
Notes for this section:
    1. The Freedom of Information Act 1992 provides for --
        (a) access to personal information contained in documents of an agency as defined in clause 1 of the Glossary of that Act (other than an exempt agency as defined in that clause); and
        (b) amendment of personal information contained in documents of an agency as defined in that clause.
    2. Certain contractors and subcontractors in relation to contracts for security, custodial and prison services are agencies as defined in the Freedom of Information Act 1992 Glossary clause 1.

Division 3 -- Privacy codes of practice

28.
Privacy code of practice
(1) A privacy code of practice is a code of practice that does either or both of the following --
    (a) provides for modifications to the application of 1 or more of the information privacy principles by prescribing standards, whether or not in substitution for any information privacy principle, that are at least as stringent as the standards prescribed by the information privacy principles;
    (b) provides for how 1 or more of the information privacy principles are to be applied or complied with.
(2) A privacy code of practice may also provide for any of the following --
    (a) the imposition of requirements relating to the handling of personal information or de-identified information that are in addition to the information privacy principles, so long as those requirements are not inconsistent with the information privacy principles;
    (b) without limiting paragraph (a), the imposition of requirements in relation to the use of personal information for data analytics work, data integration or data linkage;
    (c) procedures to be followed by the IPP entity in dealing with complaints to the IPP entity alleging contraventions of the code;
    (d) the review of the code at specified times;
    (e) the expiry of the code at the end of a specified period.
(3) A privacy code of practice must specify --
    (a) the IPP entities, or classes of IPP entity, to which it applies; or
    (b) a means for determining the IPP entities, or classes of IPP entity, to which it applies.
(4) A privacy code of practice may apply in relation to either or both of the following --
    (a) any specified information or class of information;
    (b) any specified activity or class of activity.

29. IPP entity may prepare and submit privacy code of practice or amendment
(1) An IPP entity may, on its own initiative or on request by the Information Commissioner, prepare and submit to the Commissioner --
    (a) a privacy code of practice; or
    (b) an amendment to an approved privacy code of practice.
(2) In preparing the privacy code of practice or amendment, the IPP entity may undertake any consultation that the IPP entity considers appropriate.

30. Commissioner may prepare privacy code of practice or amendment
(1) If satisfied that it is in the public interest to do so, the Information Commissioner may, on the Commissioner's own initiative, prepare --
    (a) a privacy code of practice; or
    (b) an amendment to an approved privacy code of practice.
(2) In preparing the privacy code of practice or amendment, the Information Commissioner may undertake any consultation that the Commissioner considers appropriate.

31. Public consultation on privacy code of practice or amendment
(1) Before submitting a privacy code of practice or amendment submitted under section 29(1) or prepared under section 30(1) to the Governor under section 32(1), the Information Commissioner must --
    (a) make publicly available for a period of at least 28 days --
        (i) the privacy code of practice or amendment; and
        (ii) a written notice inviting submissions on the privacy code of practice or amendment;
    and
    (b) have regard to any submissions made in relation to the privacy code of practice or amendment in accordance with the notice; and
    (c) make the modifications, if any, the Commissioner considers appropriate to the privacy code of practice or amendment.
(2) The notice referred to in subsection (1)(a)(ii) must --
    (a) invite persons whose interests may be affected by the privacy code of practice or amendment to make submissions; and
    (b) specify the manner in which those submissions must be made; and
    (c) specify the period within which those submissions must be made, which must be a period of at least 28 days beginning on the day on which the documents referred to in subsection (1)(a) are first made publicly available.

32. Submission and approval of privacy code of practice or amendment

(1) After complying with the requirements of section 31 in relation to a privacy code of practice or amendment, the Information Commissioner may submit to the Governor --
    (a) the privacy code of practice or amendment; and
    (b) a recommendation that the Governor approve the privacy code of practice or amendment.
(2) The Information Commissioner must not submit a privacy code of practice or amendment under subsection (1) unless the Commissioner is satisfied of the following in relation to the privacy code of practice or the approved privacy code of practice as it will be amended by the amendment (as the case requires) --
    (a) that it is consistent with the objects of this Act set out in section 3(a) to (d);
    (b) if it prescribes standards as referred to in section 28(1)(a) -- that those standards are at least as stringent as the standards prescribed by the information privacy principles.
(3) The Governor may approve a privacy code of practice, or an amendment to an approved privacy code of practice, submitted and recommended under subsection (1).

33.
Effect of approved privacy code of practice

(1) If an approved privacy code of practice is in force that applies to an IPP entity --
    (a) the IPP entity must not do an act, or engage in a practice, that is contrary to or inconsistent with the approved privacy code of practice; and
    (b) any act done or practice engaged in by the IPP entity in compliance with the approved privacy code of practice is taken to be done or engaged in in compliance with the information privacy principles.
(2) Subsection (1)(a) applies subject to --
    (a) subsections (3) to (6); and
    (b) if a public interest determination or temporary public interest determination is in force in relation to the IPP entity -- section 53; and
    (c) if the IPP entity is a contracted service provider -- section 130.
(3) An approved privacy code of practice does not apply in relation to any handling of information to which the information privacy principles do not apply under sections 21 and 22.
(4) An IPP entity is not required to comply with an approved privacy code of practice to the extent that --
    (a) the code provides for --
        (i) modifications to the application of IPP 1.2, IPP 1.4, IPP 1.7, IPP 1.8, IPP 1.9, IPP 1.10, IPP 2, IPP 7, IPP 9 or IPP 11.2; or
        (ii) how IPP 1.2, IPP 1.4, IPP 1.7, IPP 1.8, IPP 1.9, IPP 1.10, IPP 2, IPP 7, IPP 9 or IPP 11.2 is to be applied or complied with;
    and
    (b) either --
        (i) the IPP entity is a law enforcement agency and believes on reasonable grounds that non-compliance is necessary for the purposes of its, or any other law enforcement agency's, law enforcement functions; or
        (ii) the IPP entity believes on reasonable grounds that non-compliance is necessary for the purposes of its, or any other entity's, emergency response functions.
(5) An IPP entity is not required to comply with an approved privacy code of practice to the extent that --
    (a) the code provides for --
        (i) modifications to the application of IPP 1.2, IPP 1.8 or IPP 1.10; or
        (ii) how IPP 1.2, IPP 1.8 or IPP 1.10 is to be applied or complied with;
    and
    (b) either --
        (i) the IPP entity believes on reasonable grounds that non-compliance is necessary for the purposes of its, or any other entity's, child protection functions; or
        (ii) the non-compliance relates to the collection of personal information that relates to family violence or alleged family violence and the individual to whom the collected information relates is the perpetrator, or alleged perpetrator, of the family violence.
(6) An IPP entity to which IPP 6 does not apply because of section 27 is not required to comply with an approved privacy code of practice to the extent that it provides for modifications to IPP 6 or for how IPP 6 is to be applied or complied with.

34. Revocation of approved privacy code of practice

(1) The Governor may, on the recommendation of the Information Commissioner, revoke an approved privacy code of practice by written instrument.
(2) Before making a recommendation to the Governor to revoke an approved privacy code of practice, the Information Commissioner must --
    (a) make a written notice inviting submissions on the proposed revocation publicly available for a period of at least 28 days; and
    (b) have regard to any submissions made in accordance with the notice.
(3) The notice referred to in subsection (2)(a) must --
    (a) invite persons whose interests may be affected by the revocation of the approved privacy code of practice to make submissions; and
    (b) specify the manner in which those submissions must be made; and
    (c) specify the period within which those submissions must be made, which must be a period of at least 28 days beginning on the day on which the notice is first made publicly available.

35. Approved privacy code of practice or amendment is disallowable subsidiary legislation

(1) An approved privacy code of practice, or an approved amendment to an approved privacy code of practice, is subsidiary legislation for the purposes of the Interpretation Act 1984.
(2) The Interpretation Act 1984 section 42 applies to an approved privacy code of practice, or an approved amendment to an approved privacy code of practice, as if it were regulations.
(3) An instrument revoking an approved privacy code of practice is subsidiary legislation for the purposes of the Interpretation Act 1984, but subsection (2) does not apply to the instrument.

36. Duration of approved privacy code of practice

(1) An approved privacy code of practice comes into operation in accordance with the Interpretation Act 1984 section 41(1)(b).
(2) Subject to the Interpretation Act 1984 section 42, an approved privacy code of practice remains in force until either of the following occurs --
    (a) the period (if any) specified in the approved privacy code of practice under section 28(2)(e) ends;
    (b) the approved privacy code of practice is revoked under section 34(1).

37.
Register of approved privacy codes of practice

(1) The Information Commissioner must establish and maintain a register of approved privacy codes of practice.
(2) The register must include --
    (a) a copy of each approved privacy code of practice that is in force; and
    (b) the following information in relation to each approved privacy code of practice that is in force --
        (i) the IPP entities, or classes of IPP entity, to which the code applies;
        (ii) the day on which the code came into force;
        (iii) if applicable -- the day on which the code will expire;
        (iv) any other information the Information Commissioner considers appropriate.
(3) The Information Commissioner must make the register publicly available.
(4) Without limiting subsection (3), the Information Commissioner must make the register available for public inspection during business hours.

38. Commissioner may review approved privacy code of practice

The Information Commissioner may review an approved privacy code of practice at any time.

Division 4 -- Requests for access to and correction of personal information

39. Purpose of Division

This Division makes provision in relation to requests for access to, and correction of, personal information held by IPP entities to which IPP 6 applies.

Notes for this section:
1. Under section 27, IPP 6 does not apply to an IPP entity that is an agency as defined in the Freedom of Information Act 1992 Glossary clause 1 or a Parliamentary Secretary.
2.
The Freedom of Information Act 1992 provides for --
    (a) access to personal information contained in documents of an agency as defined in clause 1 of the Glossary of that Act (other than an exempt agency as defined in that clause); and
    (b) amendment of personal information contained in documents of an agency as defined in that clause.

40. Request for access under IPP 6.1 or approved privacy code of practice

(1) An individual who wishes to access personal information that relates to the individual held by an IPP entity to which IPP 6 applies may request access to the information under IPP 6.1 or an applicable approved privacy code of practice.
(2) A request for access to personal information under IPP 6.1 or an applicable approved privacy code of practice must --
    (a) be given to the IPP entity in writing; and
    (b) give enough information to enable the personal information to which access is requested to be ascertained; and
    (c) give an address in Australia to which notices under this Act can be sent; and
    (d) give any other information or details prescribed by the regulations; and
    (e) be accompanied by any fee for making the request prescribed by the regulations.

41. Request for correction under IPP 6.5 or approved privacy code of practice

(1) If an individual believes that personal information that relates to the individual held by an IPP entity to which IPP 6 applies is not accurate, complete and up-to-date, the individual may request the correction of the information under IPP 6.5 or an applicable approved privacy code of practice.
(2) A request for correction under IPP 6.5 or an applicable approved privacy code of practice must --
    (a) be given to the IPP entity in writing; and
    (b) give enough information to enable the personal information the subject of the request to be ascertained; and
    (c) give details of the matters in relation to which the individual believes that the personal information is not accurate, complete and up-to-date; and
    (d) give the individual's reasons for holding that belief; and
    (e) give details of the correction that the individual wishes to have made; and
    (f) give an address in Australia to which notices under this Act can be sent; and
    (g) give any other information or details prescribed by the regulations.
(3) For the purposes of subsection (2)(e), the application must state whether the individual wishes the correction to be made --
    (a) by altering information; or
    (b) by striking out or deleting information; or
    (c) by inserting information; or
    (d) by inserting a note in relation to information; or
    (e) in 2 or more of those ways.

42. IPP entity to provide assistance in making request

(1) If the circumstances of an individual require it, an IPP entity must take reasonable steps to help the individual to make to the appropriate IPP entity in accordance with this Act --
    (a) a request for access under IPP 6.1 or an applicable approved privacy code of practice; or
    (b) a request for correction under IPP 6.5 or an applicable approved privacy code of practice.
(2) In particular, if a request for access does not comply with the requirements of section 40(2), or a request for correction does not comply with the requirements of section 41(2), the IPP entity must take reasonable steps to help the individual to change the request so that it complies with those requirements.

43. Protection from liability for providing access to information

If an IPP entity provides an individual with access to information on request by the individual believing in good faith that the provision of access to the information is in compliance with IPP 6 or an applicable approved privacy code of practice --
    (a) no civil or criminal liability is incurred in respect of the provision of access to the information; and
    (b) the provision of access to the information is not to be regarded as a breach of any duty of confidentiality or secrecy imposed by law; and
    (c) the provision of access to the information is not to be regarded as a breach of professional ethics or standards or as unprofessional conduct.

44.
Certain applications under Freedom of Information Act 1992 taken to be requests under IPP 6 or approved privacy code of practice

(1) If an application made by an individual to an IPP entity to which IPP 6 applies purports to be an application under the Freedom of Information Act 1992 for access to a document containing personal information that relates to the individual, and the application meets the requirements of section 12 of that Act --
    (a) the application is taken to be a request for access to personal information that relates to the individual under IPP 6.1 or an applicable approved privacy code of practice (as the case requires) that meets the requirements of section 40; and
    (b) the IPP entity must deal with the application accordingly under this Act.
(2) If an application made by an individual to an IPP entity to which IPP 6 applies purports to be an application under the Freedom of Information Act 1992 for amendment of personal information that relates to the individual contained in a document, and the application meets the requirements of section 46 of that Act --
    (a) the application is taken to be a request for correction of personal information that relates to the individual under IPP 6.5 or an applicable approved privacy code of practice (as the case requires) that meets the requirements of section 41; and
    (b) the IPP entity must deal with the application accordingly under this Act.
(3) If an application made by an individual to an IPP entity to which IPP 6 applies purports to be an application under the Freedom of Information Act 1992 of a kind referred to in subsection (1) or (2), but does not meet the requirements of section 12 or 46 of that Act (as the case requires), the IPP entity
must comply with its obligations under section 42 to help the individual to make a request for access or correction under IPP 6.1 or IPP 6.5 or an applicable approved privacy code of practice.

Division 5 -- Public interest determinations and temporary public interest determinations

Subdivision 1 -- Public interest determinations

45. Public interest determination

(1) The Information Commissioner may, on application by an IPP entity under section 46 and in accordance with the procedure set out in section 47, make a determination (a public interest determination) that the Commissioner is satisfied --
    (a) that a specified act or practice that an IPP entity proposes to do or engage in is inconsistent with either or both of the following --
        (i) a specified information privacy principle;
        (ii) a specified approved privacy code of practice in force in relation to the IPP entity;
    but
    (b) that --
        (i) the public interest in the IPP entity doing the act or engaging in the practice substantially outweighs the public interest in the IPP entity complying with the information privacy principle, or approved privacy code of practice, or both; and
        (ii) the IPP entity should therefore not be required to comply with the information privacy principle, or approved privacy code of practice, or both, either wholly or to the extent specified in the determination.
(2) A public interest determination cannot be made in relation to --
    (a) IPP 4 or IPP 6; or
    (b) an approved privacy code of practice, to the extent that it provides for modifications to IPP 4 or IPP 6 or for how IPP 4 or IPP 6 is to be applied or complied with.
(3) A public interest determination may, but is not required to, provide for the determination to expire at the end of a specified period.

46. Application for public interest determination

(1) An IPP entity may apply to the Information Commissioner for a public interest determination to be made in relation to an act or practice that the IPP entity proposes to do or engage in.
(2) The application must be in the approved form and must specify --
    (a) the act or practice to which the determination would apply; and
    (b) the information privacy principle, or approved privacy code of practice, or both, to which the determination would apply; and
    (c) the reasons for seeking the determination.

47. Procedure to be followed on application for public interest determination

(1) If an IPP entity makes an application for a public interest determination under section 46, the Information Commissioner must --
    (a) make publicly available for a period of at least 28 days a written notice that --
        (i) states that the application has been received; and
        (ii) specifies the IPP entity, the act or practice, and the information privacy principle or approved privacy code of practice, or both, to which the application relates; and
        (iii) invites persons whose interests may be affected by the public interest determination to make submissions in relation to the application; and
        (iv) specifies the manner in which those submissions must be made; and
        (v) specifies the period within which those submissions must be made, which must be a period of at least 28 days beginning on the day on which the notice is first made publicly available;
    and
    (b) have regard to any submissions made in relation to the application in accordance with the notice.
(2) After complying with subsection (1), the Information Commissioner must prepare 1 of the following (the draft determination) --
    (a) a draft of the public interest determination the Commissioner proposes to make on the application;
    (b) a draft determination dismissing the application.
(3) In preparing the draft determination, the Information Commissioner may undertake any consultation that the Commissioner considers appropriate.
(4) The Information Commissioner must --
    (a) give a copy of the draft determination to the IPP entity and each person who made a submission referred to in subsection (1)(b); and
    (b) give the IPP entity and each other person given a copy of the draft determination an opportunity to make submissions in relation to the draft determination, either --
        (i) by attending a conference about the draft determination at a time, and at a place or by a means of audiovisual communication, specified by the Commissioner; or
        (ii) by making written submissions in the manner, and within the period, specified by the Commissioner;
    and
    (c) have regard to any submissions made in relation to the draft determination as referred to in paragraph (b).
(5) After complying with subsection (4), the Information Commissioner may --
    (a) under section 45 make a public interest determination that the Commissioner considers is appropriate in response to the application; or
    (b) make a determination dismissing the application.
(6) If the Information Commissioner makes a public interest determination, or a determination dismissing an application for a public interest determination, the Commissioner --
    (a) must give notice of the determination to the IPP entity; and
    (b) may give notice of the determination to persons who made submissions referred to in subsection (1)(b).

48. Reporting on and review of determination

(1) If a public interest determination does not provide for the determination to expire within 12 months after the day on which
it comes into force, the IPP entity must give the Information Commissioner a report on the public interest determination --
    (a) as soon as practicable after the end of each of the following periods --
        (i) the period of 12 months beginning on the day on which the determination comes into force;
        (ii) each subsequent period of 12 months for which the determination is in force;
    and
    (b) at any other time requested by the Commissioner.
(2) A report under subsection (1) must include the information required by the Information Commissioner.
(3) Within 60 days after the day on which a report under subsection (1) is given to the Information Commissioner, the Commissioner must review the public interest determination and consider whether it should be revoked under section 54(2).

Subdivision 2 -- Temporary public interest determinations

49. Temporary public interest determination

(1) The Information Commissioner may, on application by an IPP entity under section 50 and in accordance with the procedure set out in section 51, make a determination (a temporary public interest determination) that the Commissioner is satisfied --
    (a) that a specified act or practice that an IPP entity proposes to do or engage in is inconsistent with either or both of the following --
        (i) a specified information privacy principle;
        (ii) a specified approved privacy code of practice in force in relation to the IPP entity;
    but
    (b) that --
        (i) the public interest in the IPP entity doing the act or engaging in the practice substantially outweighs the public interest in the IPP entity complying with the information privacy principle, or approved privacy code of practice, or both; and
        (ii) the IPP entity should therefore not be required to comply with the information privacy principle, or approved privacy code of practice, or both, either wholly or to the extent specified in the determination.
(2) A temporary public interest determination cannot be made in relation to --
    (a) IPP 4 or IPP 6; or
    (b) an approved privacy code of practice, to the extent that it provides for modifications to IPP 4 or IPP 6 or for how IPP 4 or IPP 6 is to be applied or complied with.
(3) The Information Commissioner must not make a temporary public interest determination in relation to an act or practice of an IPP entity unless the Commissioner is satisfied that the application for the determination raises issues that require an urgent decision.
(4) A temporary public interest determination must provide for the determination to expire at the end of a specified period of no more than 6 months.

50. Application for temporary public interest determination

(1) An IPP entity may apply to the Information Commissioner for a temporary public interest determination to be made urgently in relation to an act or practice that the IPP entity proposes to do or engage in.
(2) The application must be in the approved form and must specify --
    (a) the act or practice to which the determination would apply; and
    (b) the information privacy principle, or approved privacy code of practice, or both, to which the determination would apply; and
    (c) the reasons for seeking the determination; and
    (d) the reasons for the urgency.

51. Procedure to be followed on application for temporary public interest determination

(1) If an IPP entity makes an application for a temporary public interest determination under section 50, the Information Commissioner must make publicly available a written notice that --
    (a) states that the application has been received; and
    (b) specifies the IPP entity, the act or practice, and the information privacy principle or approved privacy code of practice, or both, to which the application relates.
(2) After complying with subsection (1), the Information Commissioner may --
    (a) under section 49 make a temporary public interest determination that the Commissioner considers is appropriate in response to the application; or
    (b) make a determination dismissing the application.
(3) If the Information Commissioner makes a temporary public interest determination, or a determination dismissing an application for a temporary public interest determination, the Commissioner must give notice of the determination to the IPP entity.

52. Extension of temporary public interest determination

(1) An IPP entity in relation to which a temporary public interest determination is in force may apply to the Information Commissioner in the approved form for an extension of the temporary public interest determination.
(2) If an IPP entity makes an application under subsection (1), the Information Commissioner must make publicly available a written notice that states that an application for an extension of the temporary public interest determination has been received.
(3) After complying with subsection (2), the Information Commissioner may, by written instrument, extend the temporary public interest determination by no more than 6 months.
(4) No more than 1 extension can be granted in relation to a temporary public interest determination under subsection (3).
(5) The Information Commissioner must give written notice of a decision to extend, or refuse to extend, a temporary public interest determination to the IPP entity.

Subdivision 3 -- General provisions about public interest determinations and temporary public interest determinations

53. Effect of determination

(1) This section applies if a public interest determination or temporary public interest determination is in force in relation to an act or practice of an IPP entity and an information privacy principle or approved privacy code of practice.
(2) In doing the act or engaging in the practice, the IPP entity is not required to comply with the information privacy principle or approved privacy code of practice to the extent specified in the determination.

54. Revocation of determination

(1) The Information Commissioner may, by written instrument, revoke a public interest determination or temporary public interest determination on application by the IPP entity to which the determination applies.
(2) The Information Commissioner must, by written instrument, revoke a public interest determination or temporary public interest determination made in relation to an IPP entity if the Commissioner is satisfied that --
    (a) the public interest in the IPP entity doing the act or engaging in the practice no longer substantially outweighs the public interest in the IPP entity complying with the relevant information privacy principle, or approved privacy code of practice, or both; or
    (b) the IPP entity's reasons for seeking the determination set out in the application for the determination under section 46 or 50 are no longer applicable.
(3) Before revoking a public interest determination or temporary public interest determination under subsection (2), the Information Commissioner must --
    (a) give the IPP entity a written notice that --
        (i) states that the Commissioner intends to revoke the determination; and
        (ii) states the reasons for the proposed revocation; and
        (iii) invites the IPP entity to make submissions in relation to the proposed revocation; and
        (iv) specifies the manner in which those submissions must be made; and
        (v) specifies the period within which those submissions must be made;
    and
    (b) have regard to any submissions made by the IPP entity in accordance with the notice.

55.
Determination is disallowable subsidiary legislation and statement of reasons required

(1) The following are subsidiary legislation for the purposes of the Interpretation Act 1984 --
    (a) a public interest determination;
    (b) a temporary public interest determination;
    (c) an instrument (an instrument of extension) extending a temporary public interest determination under section 52(3);
    (d) an instrument revoking a public interest determination or temporary public interest determination under section 54(1) or (2).
(2) When a public interest determination, temporary public interest determination or instrument of extension is published in accordance with the Interpretation Act 1984 section 41(1)(a), a statement of reasons for making the determination or instrument must also be published in accordance with that section.
(3) The Interpretation Act 1984 section 42 applies to a public interest determination as if the determination were regulations.
(4) The Interpretation Act 1984 section 42 applies to a temporary public interest determination or instrument of extension as if --
    (a) the determination or instrument were regulations; and
    (b) the reference in subsection (2) of that section to 14 sitting days were a reference to 7 sitting days; and
    (c) the reference in subsection (3) of that section to 14 days were a reference to 7 days.
(5) When a public interest determination, temporary public interest determination or instrument of extension is laid before a House of Parliament under the Interpretation Act 1984 section 42(1), a statement of reasons for making the determination or instrument must also be laid before the House.
(6) Subsections (2) to (5) do not apply to an instrument revoking a public interest determination or temporary public interest determination under section 54(1) or (2).

56. Duration of determination
(1) A public interest determination or temporary public interest determination comes into force in accordance with the Interpretation Act 1984 section 41(1)(b).
(2) Subject to the Interpretation Act 1984 section 42, a public interest determination remains in force until either of the following occurs --
    (a) the period (if any) specified in the determination under section 45(3) ends;
    (b) the determination is revoked under section 54(1) or (2).
(3) Subject to the Interpretation Act 1984 section 42, a temporary public interest determination remains in force until any of the following occurs --
    (a) the period specified in the determination under section 49(4) or, if the determination has been extended under section 52(3), the period of the extension, ends;
    (b) the determination is revoked under section 54(1) or (2);
    (c) a public interest determination in substantially the same terms as the temporary public interest determination --
        (i) comes into force; or
        (ii) ceases to have effect under the Interpretation Act 1984 section 42(2).

Division 6 -- Notifiable information breaches
Subdivision 1 -- Preliminary

57. Notifiable information breaches
(1) A notifiable information breach occurs if --
    (a) there is unauthorised access to, or unauthorised disclosure of, personal information held by an IPP entity; and
    (b) a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any individual to whom the information relates.
(2) A notifiable information breach also occurs if personal information held by an IPP entity is lost in circumstances in which --
    (a) unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
    (b) if the access or disclosure of the information were to occur, a reasonable person would conclude that it would be likely to result in serious harm to any individual to whom the information relates.
(3) A notifiable information breach also occurs if --
    (a) either --
        (i) there is unauthorised access to, or unauthorised disclosure of, personal information held by an IPP entity; or
        (ii) personal information held by an IPP entity is lost;
    and
    (b) the access, disclosure or loss occurs in circumstances set out in a notifiable information breach determination under section 60.

58. Affected individuals in relation to notifiable information breaches
If personal information that relates to an individual is accessed, disclosed or lost in a notifiable information breach, the individual is an affected individual in relation to the breach.

59. Whether serious harm is likely to result from access, disclosure or loss
For the purposes of determining under section 57(1) or (2) whether a reasonable person would conclude that unauthorised access to, or unauthorised disclosure of, personal information is or would be likely to result in serious harm to any individual to whom the information relates, the following matters must be taken into account --
    (a) the nature of the information;
    (b) the sensitivity of the information;
    (c) whether the information is or was protected by security measures;
    (d) the persons, or the kinds of persons, who have obtained, or could obtain, the information;
    (e) the likelihood that the persons referred to in paragraph (d) --
        (i) have or had the intention of causing harm; or
        (ii) could or did circumvent security measures protecting the information;
    (f) the nature of the harm that has resulted or could result from the access, disclosure or loss;
    (g) any matters set out in privacy guidelines;
    (h) any other relevant matters.

60. Notifiable information breach determinations
(1) The Information Commissioner may, for the purposes of section 57(3)(b), make a determination (a notifiable information breach determination) setting out circumstances in which unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an IPP entity constitutes a notifiable information breach for the purposes of this Act.
(2) Before making a notifiable information breach determination, the Information Commissioner must --
    (a) make publicly available for a period of at least 28 days --
        (i) a draft of the notifiable information breach determination; and
        (ii) a written notice inviting submissions on the draft determination;
    and
    (b) have regard to any submissions made in relation to the draft determination in accordance with the notice; and
    (c) make the modifications, if any, it considers appropriate to the draft determination.
(3) The notice referred to in subsection (2)(a)(ii) must --
    (a) invite persons whose interests may be affected by the notifiable information breach determination to make submissions; and
    (b) specify the manner in which those submissions must be made; and
    (c) specify the period within which those submissions must be made, which must be a period of at least 28 days beginning on the day on which the documents referred to in subsection (2)(a) are first made publicly available.
(4) A notifiable information breach determination is subsidiary legislation for the purposes of the Interpretation Act 1984.
(5) The Interpretation Act 1984 section 42 applies to a notifiable information breach determination as if it were regulations.

Subdivision 2 -- Assessment, containment and mitigation

61. Assessment, containment and mitigation
(1) This section applies if an IPP entity reasonably suspects that a notifiable information breach has occurred in relation to personal information held by the IPP entity.
(2) The IPP entity must --
    (a) immediately take all reasonable steps to contain the suspected notifiable information breach; and
    (b) as soon as reasonably practicable, but in any case within 30 days after the day on which the reasonable suspicion is formed --
        (i) conduct an assessment for the purposes of determining whether a notifiable information breach has occurred or there are reasonable grounds to believe that a notifiable information breach has occurred; and
        (ii) prepare a written report on the assessment;
    and
    (c) take all reasonable steps to mitigate any harm caused by the suspected notifiable information breach.
(3) If the assessment determines that a notifiable information breach has occurred, or that there are reasonable grounds to believe that a notifiable information breach has occurred, the notifiable information breach is an assessed notifiable information breach of the IPP entity.
(4) In conducting and preparing the report on the assessment, the IPP entity must have regard to any privacy guidelines about assessments of suspected notifiable information breaches.
(5) This section has effect subject to --
    (a) any extension of time granted under section 70(1)(a); and
    (b) section 134.

Subdivision 3 -- Notification

62. Notification to Commissioner
(1) An IPP entity must give written notice of an assessed notifiable information breach of the IPP entity to the Information Commissioner.
(2) The notice must be given as soon as practicable after the IPP entity determines that the assessed notifiable information breach has occurred or that there are reasonable grounds to believe that it has occurred.
(3) The notice must be in the approved form and must include the following information --
    (a) the name and contact details of the IPP entity;
    (b) the date on which the notifiable information breach occurred;
    (c) a description of the notifiable information breach;
    (d) how the notifiable information breach occurred;
    (e) whether the notifiable information breach is of a kind referred to in section 57(1), (2) or (3);
    (f) the kind of personal information involved in the notifiable information breach;
    (g) the period of time for which the unauthorised access to, or unauthorised disclosure of, personal information occurred (if applicable);
    (h) a description of the steps taken, or that will be taken, by the IPP entity to contain, and mitigate the harm caused by, the notifiable information breach;
    (i) the steps that it is recommended that affected individuals take in response to the notifiable information breach;
    (j) if personal information held jointly by 2 or more IPP entities is involved in the notifiable information breach -- the name and contact details of each other IPP entity;
    (k) the number, or an estimate of the number, of individuals who are, or are likely to become, affected individuals in relation to the notifiable information breach;
    (l) the number, or an estimate of the number, of individuals that the IPP entity has notified or attempted to notify of the notifiable information breach in accordance with section 63;
    (m) an estimate of the cost to the IPP entity of the notifiable information breach;
    (n) any other information required by the approved form.
(4) If an IPP entity has given a notice under subsection (1) in relation to an assessed notifiable information breach and the IPP entity subsequently becomes aware of any information that materially affects a matter referred to in subsection (3), the IPP entity must give written notice of that information to the Information Commissioner in the approved form.
(5) This section has effect subject to --
    (a) sections 66 and 69; and
    (b) any exemption granted under section 70(1)(b); and
    (c) section 134.

63. Notification to affected individuals
(1) An IPP entity must take all reasonable steps to give written notice of an assessed notifiable information breach of the IPP entity to each affected individual.
(2) A notice under subsection (1) must be given as soon as practicable after the IPP entity determines that the assessed notifiable information breach has occurred or that there are reasonable grounds to believe that it has occurred.
(3) If it is not reasonably practicable for the IPP entity to give notice of an assessed notifiable information breach to every affected individual, the IPP entity must instead make written notice of the assessed notifiable information breach publicly available for a period of at least 12 months.
(4) A notice under subsection (1) or (3) must include --
    (a) the information referred to in section 62(3)(a) to (j); and
    (b) information about how a privacy complaint can be made under Division 9.
(5) This section has effect subject to --
    (a) sections 64 to 69; and
    (b) any exemption granted under section 70(1)(b); and
    (c) section 134.

64. Exception: notifiable information breach relating to more than 1 IPP entity
An IPP entity (the relevant IPP entity) is not required to comply with section 63 in relation to an assessed notifiable information breach if --
    (a) the notifiable information breach involves personal information held jointly by the relevant IPP entity and 1 or more other IPP entities; and
    (b) the relevant IPP entity and each of the other IPP entities have complied with sections 61 and 62 in relation to the notifiable information breach; and
    (c) an IPP entity other than the relevant IPP entity has undertaken to notify affected individuals of the notifiable information breach in accordance with section 63.

65. Exception: law enforcement agencies
An IPP entity is not required to comply with section 63 in relation to an assessed notifiable information breach to the extent that --
    (a) the IPP entity is a law enforcement agency; and
    (b) the IPP entity believes on reasonable grounds that non-compliance with section 63 is necessary for the purposes of its, or any other law enforcement agency's, law enforcement functions.

66. Exception: inconsistency with secrecy provisions
If compliance by an IPP entity with section 62 or 63 in relation to an assessed notifiable information breach would be inconsistent with an applicable secrecy provision (other than a provision of this Act), the IPP entity is not required to comply with that section to the extent of the inconsistency.

67. Exception: threat to life, health, safety or welfare
(1) An IPP entity is not required to comply with section 63 in relation to an assessed notifiable information breach to the extent that the IPP entity believes on reasonable grounds that compliance with that section would result in --
    (a) a serious threat to the life, health, safety or welfare of any individual; or
    (b) a threat to the life, health, safety or welfare of any individual due to family violence.
(2) Privacy guidelines may set out circumstances in which compliance with section 63 by an IPP entity would, or would not, be considered to result in a threat of a kind referred to in subsection (1)(a) or (b).
(3) In determining whether it can rely on the exception in subsection (1), an IPP entity must have regard to any guidelines referred to in subsection (2).

68. Exception: adverse effect on information security
(1) An IPP entity is not required to comply with section 63 in relation to an assessed notifiable information breach if the IPP entity believes on reasonable grounds that compliance with that section would --
    (a) have a material adverse effect on the security of personal information held by the IPP entity; or
    (b) be likely to lead to the occurrence of further information breaches in relation to personal information held by the IPP entity.
(2) Privacy guidelines may set out circumstances in which compliance with section 63 by an IPP entity would, or would not, be considered for the purposes of subsection (1) --
    (a) to have a material adverse effect on the security of personal information held by the IPP entity; or
    (b) to be likely to lead to the occurrence of further information breaches in relation to personal information held by the IPP entity.
(3) In determining whether it can rely on an exception under subsection (1), an IPP entity must have regard to any guidelines referred to in subsection (2).

69. Notice to Commissioner if exception relied on
(1) This section applies if an IPP entity proposes not to comply with section 63, to any extent, in relation to an assessed notifiable information breach in reliance on an exception (the relevant exception) under section 64, 65, 66, 67(1) or 68(1).
(2) A notice (the Commissioner notice) given to the Information Commissioner under section 62 in relation to the assessed notifiable information breach must include the following information (in addition to the information referred to in section 62(3)) --
    (a) that the IPP entity is relying on the relevant exception;
    (b) the extent to which the IPP entity proposes not to comply with section 63 in reliance on the relevant exception;
    (c) if the relevant exception is under section 67(1) or 68(1) -- whether the IPP entity proposes to rely on the relevant exception --
        (i) permanently; or
        (ii) for a specified period; or
        (iii) until the occurrence of a specified event;
    (d) the reasons why the IPP entity considers that it can rely on the relevant exception in the manner stated.
(3) If the IPP entity proposes not to notify any affected individuals of the assessed notifiable information breach in reliance on the relevant exception, the Commissioner notice is not required to include the information referred to in section 62(3)(i).
(4) If the Commissioner notice states that the IPP entity proposes to rely on the relevant exception for a specified period or until the occurrence of a specified event, the IPP entity cannot rely on the relevant exception after the end of that period or the occurrence of that event (as the case requires) unless the IPP entity gives the Information Commissioner a further written notice stating the information referred to in subsection (2)(a) to (d).
(5) An IPP entity that relies on the exception in section 68 must --
    (a) review whether the exception is still applicable at least monthly during the period in which the entity relies on the exception; and
    (b) give the Information Commissioner written notice of the outcome of each review.

70. Commissioner may grant extension or exemption
(1) The Information Commissioner may, by written notice given to an IPP entity, grant the IPP entity --
    (a) an extension of the time within which the IPP entity must comply with section 61(2)(b) in relation to a suspected notifiable information breach; or
    (b) an exemption from the requirement to comply with either or both of sections 62 and 63 in relation to an assessed notifiable information breach, either wholly or to the extent specified in the notice.
(2) The Information Commissioner may grant an extension or exemption under subsection (1) on application by the IPP entity or on the Commissioner's own initiative.
(3) The Information Commissioner must not grant an extension or exemption under subsection (1) unless satisfied that it is reasonable in the circumstances, having regard to the following --
    (a) the public interest;
    (b) any relevant advice given to the Commissioner by a law enforcement agency;
    (c) any other matters the Information Commissioner considers relevant.
(4) An application under subsection (2) must be in the approved form.
(5) An IPP entity may apply to the State Administrative Tribunal for a review of a decision to refuse an application for an extension or exemption under this section.

Subdivision 4 -- Directions by Commissioner

71. Direction about suspected notifiable information breach
(1) This section applies if the Information Commissioner reasonably suspects that a notifiable information breach has occurred in relation to personal information held by an IPP entity (other than a contracted service provider).
    Note for this subsection:
    Section 135 provides for directions to contracted service providers about suspected notifiable information breaches.
(2) The Information Commissioner may give the IPP entity a written direction requiring the IPP entity to --
    (a) comply with section 61 in relation to the suspected notifiable information breach as if the reasonable suspicion referred to in section 61(1) were formed by the IPP entity on the day on which the direction is given; and
    (b) after conducting the assessment -- do whichever of the following is applicable --
        (i) if the assessment determines that a notifiable information breach has occurred or there are reasonable grounds to believe that a notifiable information breach has occurred -- comply with Subdivision 3 in relation to the assessed notifiable information breach;
        (ii) if the assessment determines that an information breach involving personal information held by the IPP entity has occurred, but that there are not reasonable grounds to believe that the information breach is a notifiable information breach -- as soon as practicable give the Commissioner a written notice including the information referred to in section 72(2);
        (iii) if the assessment determines that an information breach involving personal information held by the IPP entity has not occurred -- as soon as practicable give the Commissioner a written notice setting out the reasons for the determination.

72. Provisions about directions under s. 71
(1) An IPP entity given a direction under section 71(2) must comply with the direction.
(2) A notice referred to in section 71(2)(b)(ii) must include the following information --
    (a) a description of the information breach;
    (b) the kind of personal information involved in the information breach;
    (c) the reasons why the assessment determined that there are not reasonable grounds to believe that the information breach is a notifiable information breach;
    (d) recommendations as to the steps that any affected individuals should take in response to the information breach;
    (e) if personal information held jointly by 2 or more IPP entities is involved in the information breach -- the name and contact details of each other IPP entity;
    (f) any other information in relation to the information breach required by the Information Commissioner.
(3) If an IPP entity gives the Information Commissioner a notice referred to in section 71(2)(b)(ii), the Commissioner may, by written notice given to the IPP entity, recommend that the IPP entity notify affected individuals in relation to the information breach as if it were an assessed notifiable information breach.
(4) For the purposes of subsections (2)(d) and (3), the affected individuals in relation to the information breach are determined in accordance with section 58 as if the information breach were a notifiable information breach.
(5) Before giving a direction under section 71(2) or making a recommendation under subsection (3), the Information Commissioner must --
    (a) give the IPP entity an opportunity to make submissions to the Commissioner within a specified period; and
    (b) have regard to --
        (i) any submissions made in accordance with paragraph (a); and
        (ii) any advice given to the Commissioner by a law enforcement agency; and
        (iii) any other matters the Commissioner considers relevant.
Subdivision 5 -- Policy, register and reporting

73. Public entity must prepare information breach policy
(1) A public entity must prepare a policy setting out the procedures to be followed by the public entity in complying with the requirements of Subdivisions 2 and 3.
(2) The public entity must make the policy publicly available.

74. Register of notifiable information breaches
(1) A public entity must establish and maintain a register of notifiable information breaches.
(2) The register must include the following information in relation to each assessed notifiable information breach of the public entity --
    (a) whether the notifiable information breach is of a kind referred to in section 57(1), (2) or (3);
    (b) whether the Information Commissioner was notified of the notifiable information breach under section 62;
    (c) whether affected individuals were notified of the notifiable information breach under section 63 and, if so, the names of the affected individuals notified;
    (d) details of the steps taken by the public entity to contain, and mitigate the harm caused by, the notifiable information breach;
    (e) details of any action taken to prevent future notifiable information breaches of the same kind;
    (f) the estimated cost of the notifiable information breach to the public entity.
(3) If an assessment conducted under section 61 by a public entity in relation to a suspected notifiable information breach determines that there are not reasonable grounds to believe that a notifiable information breach has occurred, the register must include the following --
    (a) whether or not the assessment determined that an information breach involving personal information held by the public entity has occurred;
    (b) if the assessment determined that an information breach involving personal information held by the public entity has occurred --
        (i) whether the information breach involved unauthorised access to, unauthorised disclosure of, or loss of, personal information; and
        (ii) details of any steps taken by the public entity to contain, and mitigate the harm caused by, the information breach; and
        (iii) details of any action taken to prevent future information breaches of the same kind; and
        (iv) the estimated cost of the information breach to the public entity.
(4) The register is not required to be published or otherwise made publicly available.

75. Annual report to include information about notifiable information breaches
(1) A public entity that is required to prepare an annual report under the Financial Management Act 2006 or another written law must include in the report the information referred to in section 74(2)(a) to (f) in relation to each assessed notifiable information breach of the public entity the assessment of which concluded in the relevant year.
(2) Despite subsection (1), the annual report is not required to include the names of affected individuals notified of an assessed notifiable information breach.
(3) Subsection (1) does not apply to an assessed notifiable information breach in relation to which the public entity is not required to comply with section 63 (either wholly or to an extent).
(4) Subsection (1) does not limit any provision of the written law under which the annual report is required.

Division 7 -- Personal information in public registers

76. Disclosure of personal information in public registers
A public entity responsible for administering a public register must not disclose any personal information contained in the register unless the public entity is satisfied that it is to be used for a purpose related to the purpose of the register or the written law under which the register is maintained.
    Note for this section:
    Information contained in a public register is publicly available information to which the information privacy principles do not apply (see section 22).

77. Removal of personal information affecting individual's safety or wellbeing
(1) If personal information that relates to an individual is contained, or proposed to be contained, in a public register, the individual may request the public entity responsible for the administration of the public register to remove the information from, or not to include the information in, the public register.
(2) A request under subsection (1) must be made on the grounds that any individual's safety or wellbeing is or would be substantially affected by the information being made publicly available.
(3) If the public entity is satisfied that the grounds referred to in subsection (2) exist, the public entity must comply with the request unless the public entity is satisfied that the public interest in maintaining public access to the information outweighs any individual interest in the information not being made publicly available.
(4) This section does not prevent personal information removed from, or not included in, a public register under this section from being included in a version of the register that is not made publicly available.

78. Interaction with written laws establishing public registers
If there is a conflict or inconsistency between a provision of this Division and a provision of the written law under which a public register is established or maintained, the provision of this Division prevails.

Division 8 -- Privacy impact assessments

79. Privacy impact assessment relating to high privacy impact function or activity
(1) A function or activity of an IPP entity is a high privacy impact function or activity if the performance of the function or activity --
    (a) involves the handling of personal information; and
    (b) is likely to have a significant impact on the privacy of individuals.
(2) Before an IPP entity first performs a high privacy impact function or activity, or makes a significant change to the way in which personal information is handled as part of a high privacy impact function or activity, the IPP entity must --
    (a) conduct an assessment (a privacy impact assessment) of the function or activity; and
    (b) prepare a written report on the assessment in accordance with subsection (3).
(3) The report on the privacy impact assessment must --
    (a) set out an assessment of the likelihood that the performance of the function or activity will result in an interference with the privacy of any individual; and
    (b) identify the impact that the performance of the function or activity might have on the privacy of individuals; and
    (c) set out recommendations for managing, minimising or eliminating that impact; and
    (d) include any other information the IPP entity considers is relevant.
(4) In complying with the requirements of this section, the IPP entity must have regard to --
    (a) any privacy guidelines referred to in section 81; and
    (b) any other privacy guidelines relating to privacy impact assessments.
(5) On request by the Information Commissioner, the IPP entity must give the Commissioner a copy of the report on the privacy impact assessment.
(6) If the IPP entity is a contracted service provider, this section has effect subject to section 137.

80. Commissioner may direct privacy impact assessment
(1) The Information Commissioner may give an IPP entity a written direction in accordance with subsection (2) if --
    (a) the IPP entity performs, or proposes to perform, a function or activity; and
    (b) the Commissioner considers that the function or activity is a high privacy impact function or activity.
(2) The direction must --
    (a) identify the function or activity to which it relates; and
    (b) require the IPP entity to --
        (i) conduct, and prepare a report on, an assessment (a privacy impact assessment) of the function or activity in accordance with section 79(3) and (4); and
        (ii) give the report to the Information Commissioner within a specified period.
(3) The direction may require specified information (in addition to the information referred to in section 79(3)) to be included in the report on the privacy impact assessment.
(4) An IPP entity must comply with a direction given to the IPP entity under this section.
(5) If the IPP entity is a contracted service provider, this section has effect subject to section 137.

81. Guidelines about significant impact on privacy

Privacy guidelines may set out matters to be taken into account in determining for the purposes of sections 79(1)(b) and 176(1)(a)(i) whether the performance of a function or activity, or a relevant activity under an information sharing agreement, is likely to have a significant impact on the privacy of individuals.

Division 9 -- Privacy complaints

Subdivision 1 -- Making a privacy complaint

82. Individual may complain about interference with privacy

(1) An individual may complain to the Information Commissioner about an act or practice of an IPP entity that may be an interference with the privacy of the individual.
(2) A privacy complaint must --
    (a) be given to the Information Commissioner in writing; and
    (b) state the IPP entity (the respondent) to which the complaint relates; and
    (c) give details of --
        (i) the act or practice to which the complaint relates; and
        (ii) any prior complaint made to the respondent about the act or practice and any response by the respondent to that complaint;
    and
    (d) give an address in Australia to which notices under this Part can be sent; and
    (e) give any other information prescribed by the regulations.
(3) It is the duty of the Information Commissioner and members of Commissioner staff to assist an individual who wishes to make a privacy complaint and requires assistance to formulate the complaint.

83. Complaint on behalf of 2 or more individuals

A privacy complaint about an act or practice that may be an interference with the privacy of 2 or more individuals may be made by any of those individuals on behalf of all of them.

84. Complaint by or on behalf of child

A privacy complaint about an act or practice that may constitute an interference with the privacy of a child may be made --
    (a) by the child; or
    (b) on behalf of the child by --
        (i) a parent or guardian of the child; or
        (ii) another individual chosen by the child, or chosen by a parent or guardian of the child, to make the complaint on the child's behalf; or
        (iii) another individual who, in the opinion of the Information Commissioner, has a sufficient interest in the subject matter of the complaint.

85. Complaint on behalf of individual with disability

If an adult is incapable of making a privacy complaint because of disability, a complaint may be made on behalf of the individual by --
    (a) another individual chosen by the individual to make the complaint on their behalf; or
    (b) if the individual is incapable of choosing another individual to make the complaint on their behalf --
        (i) a guardian (as defined in the Guardianship and Administration Act 1990 section 3(1)) of the individual; or
        (ii) another individual who is related to the individual by blood or marriage or is a de facto partner of the individual; or
        (iii) another individual who, in the opinion of the Information Commissioner, has a sufficient interest in the subject matter of the complaint.

86. Matter referred by Ombudsman may be treated as privacy complaint

(1) This section applies if, under the Parliamentary Commissioner Act 1971 section 25(2), the Parliamentary Commissioner for Administrative Investigations reports to the Information Commissioner that a matter connected with a possible interference with the privacy of 1 or more individuals should be referred to the Information Commissioner for further consideration.
(2) The matter may be dealt with under this Division as if a privacy complaint had been made in relation to the matter.
(3) The privacy complaint may be treated as having been made by the individual or, if there are 2 or more individuals concerned, by each of them or any of them on behalf of all of them, as the Information Commissioner considers appropriate.

87. Complaint referred by Health and Disability Complaints Office Director may be treated as privacy complaint

(1) This section applies if the Health and Disability Services Complaints Office Director refers a complaint to the Information Commissioner under --
    (a) the Health and Disability Services (Complaints) Act 1995 section 28 or 32; or
    (b) the Disability Services Act 1993 section 38(4); or
    (c) the Mental Health Act 2014 section 323(2) or 329(4).
(2) The referred complaint is taken to be a privacy complaint made under section 82.

Subdivision 2 -- Procedure after complaint is made

88. Notice of complaint

As soon as practicable after a privacy complaint is made, the Information Commissioner must give written notice of the complaint to the respondent.

89. Withdrawal of complaint

(1) A complainant may withdraw a privacy complaint at any time by written notice given to the Information Commissioner.
(2) If a privacy complaint is withdrawn, the Information Commissioner must give the respondent written notice of the withdrawal.

90. Commissioner may decline to deal with complaint

(1) The Information Commissioner may decline to deal with a privacy complaint if --
    (a) before making the privacy complaint, the complainant did not first complain to the respondent in accordance with the complaints management system of the respondent (unless the Commissioner considers that it was reasonable in the circumstances not to complain to the respondent); or
    (b) the complainant has complained to the respondent and the Commissioner considers --
        (i) that the respondent has not had sufficient time to deal with the complaint; or
        (ii) that the respondent is dealing adequately with the complaint;
    or
    (c) the Commissioner considers that the act or practice (the relevant act or practice) about which the complaint is made is not an interference with the privacy of an individual; or
    (d) the Commissioner considers that the privacy complaint was made more than 12 months after the day on which the complainant became aware of the relevant act or practice; or
    (e) the relevant act or practice has been the subject of a previous privacy complaint by the complainant that was withdrawn; or
    (f) the Commissioner considers that the complaint is frivolous, vexatious, misconceived or lacking in substance; or
    (g) the relevant act or practice is the subject of an application or complaint under another written law; or
    (h) the Commissioner considers that the relevant act or practice has been adequately dealt with under another written law.
(2) The Information Commissioner may conduct a preliminary assessment of a privacy complaint for the purpose of deciding whether to deal with the complaint.
(3) For the purpose of a preliminary assessment the Information Commissioner may, by written notice, request any person to --
    (a) attend before the Commissioner for the purpose of discussing the subject matter of the privacy complaint; or
    (b) give the Commissioner any information or document specified in the notice.
(4) The Information Commissioner must give written notice of a decision to decline to deal with a privacy complaint under subsection (1) to the complainant and the respondent within 90 days after the day on which the complaint is made.
(5) A complainant given a notice under subsection (4) may apply to the State Administrative Tribunal for a review of the decision to decline to deal with the privacy complaint.

91. Commissioner may decline to continue dealing with complaint

(1) The Information Commissioner may decline to continue dealing with a privacy complaint if --
    (a) the complainant does not comply with a reasonable request made by the Commissioner or a conciliator in dealing with the complaint; or
    (b) the Commissioner is satisfied that the complainant, without reasonable excuse, has failed to cooperate with the Commissioner or a conciliator in dealing with the complaint.
(2) The Information Commissioner must give written notice of a decision to decline to continue dealing with a privacy complaint under subsection (1) to the complainant and the respondent.
(3) A complainant given a notice under subsection (2) may apply to the State Administrative Tribunal for a review of the decision to decline to continue dealing with the privacy complaint.

92. Commissioner may deal with complaint under Freedom of Information Act 1992

(1) If the Information Commissioner considers that the act or practice about which a privacy complaint is made could be the subject of a complaint under the Freedom of Information Act 1992 Part 4 Division 3 --
    (a) the Commissioner may decide that the complaint should be dealt with under that Act; and
    (b) if the Commissioner so decides, the complaint is taken to be a complaint made under section 65 of that Act.
(2) If the Information Commissioner makes a decision that a complaint should be dealt with under the Freedom of Information Act 1992, the Commissioner must give written notice of the decision to the complainant and the respondent.

93. Commissioner may refer complaint to other authority

(1) If the Information Commissioner considers that the act or practice about which a privacy complaint is made could be the subject of a complaint under the Privacy Act 1988 (Commonwealth) Part V, the Commissioner may refer the complaint to the Australian Information Commissioner.
(2) If the Information Commissioner considers that the act or practice about which a privacy complaint is made could be the subject of a complaint under the Parliamentary Commissioner Act 1971 --
    (a) the Information Commissioner may refer the complaint to the Parliamentary Commissioner for Administrative Investigations; and
    (b) the referred complaint is taken to be a complaint made to the Parliamentary Commissioner for Administrative Investigations under the Parliamentary Commissioner Act 1971 section 17.
(3) If the Information Commissioner considers that the act or practice about which a privacy complaint is made could be the subject of a complaint under the Health and Disability Services (Complaints) Act 1995 Part 3 --
    (a) the Commissioner may refer the complaint to the Health and Disability Services Complaints Office Director; and
    (b) the referred complaint is taken to be a complaint made to that Director under the Health and Disability Services (Complaints) Act 1995 section 19.
(4) If the Information Commissioner considers that the act or practice about which a privacy complaint is made could be the subject of a complaint under the Disability Services Act 1993 Part 6 --
    (a) the Commissioner may refer the complaint to the Health and Disability Services Complaints Office Director; and
    (b) the referred complaint is taken to be a complaint made to that Director under the Disability Services Act 1993 section 32.
(5) If the Information Commissioner considers that the act or practice about which a privacy complaint is made could be the subject of a complaint under the Mental Health Act 2014 Part 19 --
    (a) the Commissioner may refer the complaint to the Health and Disability Services Complaints Office Director; and
    (b) the referred complaint is taken to be a complaint made to that Director under the Mental Health Act 2014 Part 19 Division 3 Subdivision 3.
(6) If the Information Commissioner considers that the act or practice about which a privacy complaint is made could be the subject of a complaint under a scheme approved under the Electricity Industry Act 2004 section 92, the Energy Coordination Act 1994 section 11ZPZ or the Water Services Act 2012 section 65 --
    (a) the Commissioner may refer the complaint to the person (the scheme ombudsman) who investigates and deals with complaints under the scheme; and
    (b) the referred complaint is taken to be a complaint made to the scheme ombudsman in accordance with the scheme.
(7) The Information Commissioner cannot refer a privacy complaint to another authority under this section unless the Commissioner has undertaken appropriate consultation with, and had regard to any views expressed by, the other authority.
(8) If the Information Commissioner refers a privacy complaint under this section, the Commissioner must give written notice of the referral to the complainant and the respondent.

Subdivision 3 -- Parties may resolve complaint

94. Parties may resolve complaint

(1) A complainant and respondent may resolve a privacy complaint by agreement at any time, whether or not with the assistance of the Information Commissioner and whether or not a conciliation process has begun under Subdivision 4.
(2) If a resolution of that kind occurs, the complainant must as soon as practicable give notice of the resolution to the Information Commissioner.
(3) If the Information Commissioner becomes aware that a privacy complaint has been resolved, the Commissioner must stop dealing with the complaint under this Division.

Subdivision 4 -- Conciliation of complaints

95. Commissioner must attempt to resolve complaint by conciliation

(1) If the Information Commissioner considers that there is a reasonable likelihood that a privacy complaint can be resolved by conciliation, the Commissioner must --
    (a) nominate a person to act as a conciliator in relation to the complaint under section 96(1); and
    (b) otherwise take all reasonable steps to facilitate the resolution of the complaint by conciliation.
(2) Subsection (1) does not apply if the Information Commissioner has --
    (a) declined under section 90(1) to deal with the complaint; or
    (b) declined under section 91(1) to continue dealing with the complaint; or
    (c) made a decision under section 92(1) that the complaint should be dealt with under the Freedom of Information Act 1992; or
    (d) referred the complaint under section 93.

96. Procedure for conciliation

(1) The Information Commissioner may nominate a person to act as a conciliator in relation to a privacy complaint.
(2) A conciliator's function is to encourage the resolution of the complaint by --
    (a) arranging for the complainant and the respondent to hold informal discussions about the complaint; and
    (b) assisting in the conduct of those discussions; and
    (c) if possible, assisting the complainant and respondent to reach agreement.
(3) A conciliator --
    (a) may require the complainant and respondent to attend conciliation conferences (either in person or by a means of audiovisual communication); but
    (b) does not have the power to require the production of documents or provision of information.
(4) The Information Commissioner may give any direction, or do any other thing, that the Commissioner considers appropriate to facilitate the resolution of a privacy complaint by conciliation.
(5) Without limiting subsection (4), the Information Commissioner may determine the procedure to be followed in a conciliation.

97. Representation in conciliation process

(1) Neither a complainant nor a respondent may be represented by another person during a conciliation process unless the Information Commissioner or a conciliator determines otherwise on the ground that the process will not work effectively without that representation.
(2) Subsection (1) does not prevent the personal attendance of any other person who may, in the opinion of the conciliator, assist in the conciliation.

98. Conciliation agreement

(1) If a privacy complaint is resolved by conciliation, the conciliator must prepare a document (the conciliation agreement) that sets out the terms on which the complaint is agreed to be resolved.
(2) The conciliator must give a copy of the conciliation agreement to the complainant, the respondent and the Information Commissioner.
(3) The Information Commissioner may, with the written consent of the complainant and respondent, make 1 or more of the following orders for the purpose of giving effect to the conciliation agreement or any part of the conciliation agreement --
    (a) an order that the respondent must take specified action within a specified period to ensure that the respondent does not repeat or continue the act or practice (the relevant act or practice) about which the complaint was made;
    (b) an order that the respondent must perform any reasonable act, or carry out any reasonable course of conduct, to redress any loss or damage suffered by the complainant by reason of the relevant act or practice;
    (c) an order that the respondent must pay the complainant a specified amount of compensation, not exceeding $75 000, for loss or damage suffered by the complainant by reason of the relevant act or practice.
    Note for this subsection:
    Division 10 Subdivision 6 provides for the enforcement of orders made under this subsection.
(4) Loss or damage referred to in subsection (3)(b) and (c) may include --
    (a) an injury to the feelings of the complainant; and
    (b) humiliation suffered by the complainant.

99. Notice of complaint that cannot be resolved by conciliation

(1) The Information Commissioner may decide that a privacy complaint cannot be resolved by conciliation if the Commissioner considers that --
    (a) there is no reasonable likelihood that the complaint can be resolved by conciliation; or
    (b) efforts to deal with the complaint by conciliation have not been successful.
(2) The Information Commissioner must give written notice of a decision under subsection (1) to the complainant and respondent.
(3) The notice must state that, as a result of the decision, the Information Commissioner may exercise powers under Subdivision 5 in relation to the privacy complaint.

100. Statements made in conciliation protected

Unless the complainant and respondent otherwise agree, evidence of anything said or admitted during the conciliation process for a privacy complaint --
    (a) is not admissible in proceedings before a court or tribunal; and
    (b) cannot be used by the Information Commissioner for the purposes of exercising a power under Subdivision 5 or Division 10.

Subdivision 5 -- Dealing with complaint not resolved by conciliation

101. Commissioner may deal with complaint not resolved by conciliation

The powers under this Subdivision may be exercised in relation to a privacy complaint if the Information Commissioner has given notice under section 99(2) in relation to the complaint.

102. General matters about dealing with complaints

(1) In order to deal with a privacy complaint under this Subdivision the Information Commissioner may obtain information from any persons and sources, and make any investigations and inquiries, that the Commissioner considers appropriate.
(2) Without limiting subsection (1), the Information Commissioner may, for the purposes of dealing with a privacy complaint --
    (a) issue a notice to produce or attend and exercise related powers under Division 10 Subdivision 3; and
    (b) if applicable, exercise powers under section 119.
(3) Subject to this Act, the Information Commissioner may determine the procedure for investigating and dealing with complaints and may give any necessary directions as to the conduct of the proceedings.
(4) The Information Commissioner must ensure that the complainant and respondent are given a reasonable opportunity to make submissions to the Commissioner.
(5) Proceedings for dealing with a privacy complaint must be conducted with as little formality and technicality, and with as much expedition, as the requirements of this Act and a proper consideration of the matters before the Information Commissioner permit, and the Commissioner is not bound by rules of evidence.

103. Referral of question of law to Supreme Court

(1) The Information Commissioner may refer to the Supreme Court any question of law that arises in the course of dealing with a privacy complaint.
(2) A question may be referred under this section on the Information Commissioner's own initiative or at the request of the complainant or respondent.
(3) The Supreme Court has jurisdiction to hear and determine a question of law referred to it under this section and, in exercising that jurisdiction, may --
    (a) as well as determining that question, determine any related or incidental question of law that it considers to be raised; or
    (b) instead of determining that question, determine any other question of law that it considers to be more pertinent.
(4) If a question of law in relation to a privacy complaint is referred to the Supreme Court under this section, the Information Commissioner must not --
    (a) make a determination in relation to the complaint under section 104 before the Supreme Court makes a decision on the question; or
    (b) proceed in a manner, or make a decision, that is inconsistent with the decision of the Supreme Court on the question.
(5) A complainant or respondent who did not request the referral of a question of law to the Supreme Court --
    (a) is not required to appear, be represented or make submissions at, or otherwise participate in, the hearing of the referral; and
    (b) is not liable for any costs in relation to the referral.

104. Determination of complaint

(1) The Information Commissioner may determine a privacy complaint --
    (a) if the Commissioner is satisfied that the act or practice to which the complaint relates is an interference with the privacy of an individual -- by making a determination to that effect; or
    (b) otherwise -- by making a determination dismissing the complaint.
(2) A determination under subsection (1)(a) may include 1 or more of the following orders --
    (a) an order that the respondent must take specified action within a specified period to ensure that the respondent does not repeat or continue the interference with privacy;
    (b) an order that the respondent must perform any reasonable act, or carry out any reasonable course of conduct, to redress any loss or damage suffered by the complainant by reason of the interference with privacy;
    (c) an order that the respondent must pay the complainant a specified amount of compensation, not exceeding $75 000, for loss or damage suffered by the complainant by reason of the interference with privacy;
    (d) an order that it would be inappropriate for further action to be taken in relation to the interference with privacy.
    Note for this subsection:
    Division 10 Subdivision 6 provides for the enforcement of orders made under this subsection.
(3) Loss or damage referred to in subsection (2)(b) and (c) may include --
    (a) an injury to the feelings of the complainant; and
    (b) humiliation suffered by the complainant.
(4) The Information Commissioner must give the complainant and respondent written notice of a determination under subsection (1).
(5) The Information Commissioner may make a determination under subsection (1) publicly available.

105. Review of determination

The complainant or respondent in relation to a privacy complaint determined by the Information Commissioner under section 104 may apply to the State Administrative Tribunal for a review of the determination.

Division 10 -- Investigations and enforcement

Subdivision 1 -- Investigations of acts or practices that may be interferences with privacy

106. Commissioner may investigate act or practice that may be interference with privacy

(1) The Information Commissioner may investigate an act or practice of an IPP entity that may be an interference with the privacy of an individual.
(2) An investigation under this section may be conducted on the Information Commissioner's own initiative.
(3) In conducting the investigation the Information Commissioner may obtain information from any persons and sources, and make any investigations and inquiries, that the Commissioner considers appropriate.
(4) Without limiting subsection (3), the Information Commissioner may, for the purposes of conducting the investigation --
    (a) issue a notice to produce or attend and exercise related powers under Subdivision 3; and
    (b) if applicable, exercise powers under section 119.
(5) The Information Commissioner must ensure that the IPP entity the subject of the investigation is given a reasonable opportunity to make submissions to the Commissioner.

107. Determination following investigation

(1) If, after conducting an investigation under section 106, the Information Commissioner is satisfied that an act or practice of an IPP entity is an interference with the privacy of 1 or more individuals (the affected individuals), the Commissioner may make a determination to that effect.
(2) A determination under subsection (1) may include 1 or more of the following orders --
    (a) an order that the IPP entity must take specified action within a specified period to ensure that the IPP entity does not repeat or continue the interference with privacy;
    (b) an order that the IPP entity must perform any reasonable act, or carry out any reasonable course of conduct, to redress any loss or damage suffered by any affected individual by reason of the interference with privacy;
    (c) an order that it would be inappropriate for further action to be taken in relation to the interference with privacy.
    Note for this subsection:
    Subdivision 6 provides for the enforcement of orders under this subsection.
(3) Loss or damage referred to in subsection (2)(b) may include --
    (a) an injury to the feelings of the individual; and
    (b) humiliation suffered by the individual.
(4) The Information Commissioner must give the IPP entity written notice of a determination under subsection (1).
(5) The Information Commissioner may give an affected individual whose identity is known written notice of a determination under subsection (1).
(6) The Information Commissioner may make a determination under subsection (1) publicly available.

108. Review of determination

The IPP entity in relation to which a determination is made by the Information Commissioner under section 107 may apply to the State Administrative Tribunal for a review of the determination.

109. Reports

(1) The Information Commissioner may prepare a report in relation to an investigation conducted under section 106.
(2) A report may be prepared whether or not the Information Commissioner has made a determination under section 107 following the investigation.
(3) Before including in a report any matters adverse to an IPP entity or an individual, the Information Commissioner must give a reasonable opportunity to make submissions to the Commissioner concerning those matters to --
    (a) if the comment relates to an IPP entity -- the principal officer of the IPP entity; or
    (b) if the comment relates to an individual -- the individual and any IPP entity of which the individual is an officer.
(4) If the Information Commissioner prepares a report under subsection (1), the Commissioner may do any of the following --
    (a) give the report to the principal officer of the IPP entity to which it relates;
    (b) give the report to the Privacy Minister;
    (c) give the report to the responsible Minister for any public entity to which the report relates;
    (d) make the report publicly available.

Subdivision 2 -- Monitoring and assessment of compliance

110. Commissioner may monitor or conduct assessment of compliance

(1) The Information Commissioner may monitor, or conduct an assessment of, an IPP entity's compliance with any or all of its obligations under this Part and the information privacy principles.
(2) Without limiting subsection (1), the Information Commissioner may, for the purposes of monitoring or conducting an assessment under that subsection --
(a) issue a notice to produce or attend and exercise related powers under Subdivision 3; and
(b) if applicable, exercise powers under section 119.

111. Reports
(1) The Information Commissioner may prepare a report in relation to any monitoring or assessment conducted under section 110.
(2) Before including in a report any matters adverse to an IPP entity or an individual, the Information Commissioner must give a reasonable opportunity to make submissions to the Commissioner concerning those matters to --
(a) if the comment relates to an IPP entity -- the principal officer of the IPP entity; or
(b) if the comment relates to an individual -- the individual and any IPP entity of which the individual is an officer.
(3) If the Information Commissioner prepares a report under subsection (1), the Commissioner may do any of the following --
(a) give the report to the principal officer of the IPP entity to which it relates;
(b) give the report to the Privacy Minister;
(c) give the report to the responsible Minister for any public entity to which the report relates;
(d) make the report publicly available.

Subdivision 3 -- Notices to produce or attend

112. Purposes for exercise of powers
The powers in this Subdivision may be exercised for the purpose of --
(a) under Division 9 Subdivision 5 investigating, and making a determination in relation to, a privacy complaint not resolved by conciliation; or
(b) under Subdivision 1 investigating, and making a determination in relation to, an act or practice of an IPP entity; or
(c) under Subdivision 2 monitoring, or conducting an assessment of, an IPP entity's compliance with any or all of its obligations under this Part.

113. Notice to produce or attend
(1) If the Information Commissioner has reason to believe that a person has information or a document that is relevant for a purpose referred to in section 112, the Commissioner may give the person a written notice (a notice to produce or attend) requiring the person --
(a) to give to the Commissioner specified relevant information or documents; or
(b) to attend before the Commissioner to do either or both of the following --
(i) give to the Commissioner specified relevant documents;
(ii) answer relevant questions.
(2) The Information Commissioner must not give a notice to produce or attend for a purpose referred to in section 112(c) unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the following --
(a) the public interest;
(b) the impact on the person of complying with the notice;
(c) any other matters the Commissioner considers relevant.

114. Contents of notice to produce or attend
(1) A notice to produce or attend that includes a requirement to give information or documents under section 113(1)(a) must specify --
(a) the time by which, or period within which, the information or documents must be given; and
(b) the manner in which the documents must be given, which may be by electronic means.
(2) A notice to produce or attend that includes a requirement for a person to attend before the Information Commissioner under section 113(1)(b) must specify --
(a) the day and time when the person must attend; and
(b) the place at which, or means of audiovisual communication by which, the person must attend; and
(c) if documents are required to be given -- the manner in which the documents must be given, which may be by electronic means.
(3) A notice to produce or attend must also include an explanation of the effect of section 117.

115. Variation or withdrawal of notice to produce or attend
The Information Commissioner may vary or withdraw a notice to produce or attend given to a person by further written notice given to the person.

116. Powers of Commissioner in relation to persons attending and documents
(1) The Information Commissioner may administer an oath or affirmation to a person attending before the Commissioner in accordance with a notice to produce or attend and may examine the person on oath or affirmation.
(2) The oath or affirmation to be taken or made by a person for the purposes of this section is an oath or affirmation that the answers the person will give will be true.
(3) The Information Commissioner may do any of the following in relation to a document given to the Commissioner in accordance with a notice to produce or attend --
(a) inspect the document;
(b) retain the document for a period the Commissioner considers reasonable;
(c) make copies of the document or any of its contents.

117. Failure to comply with notice to produce or attend
(1) A person given a notice to produce or attend must not, without reasonable excuse, refuse or fail to comply with a requirement under the notice.
Penalty for this subsection: a fine of $6 000.
(2) Without limiting what is a reasonable excuse for the purposes of subsection (1), it is a reasonable excuse to refuse or fail to comply with a requirement to give information or a document or answer questions if compliance with the requirement would require the person to give information or a document that is exempt matter for the purposes of the Freedom of Information Act 1992 under Schedule 1 clause 1 of that Act.
(3) It is not a reasonable excuse to refuse or fail to comply with a requirement under a notice to produce or attend on the basis that compliance would be inconsistent with a secrecy provision or another duty of confidentiality or secrecy imposed by law.
(4) If a person gives information or documents, or answers questions, in good faith in compliance with a requirement under a notice to produce or attend --
(a) no civil or criminal liability is incurred in respect of the giving of the information or documents or answering of questions; and
(b) the giving of the information or documents or answering of questions is not to be regarded as a breach of any secrecy provision or other duty of confidentiality or secrecy imposed by law; and
(c) the giving of the information or documents or answering of questions is not to be regarded as a breach of professional ethics or standards or as unprofessional conduct.

Subdivision 4 -- Powers of entry, observation and inspection for notifiable information breach compliance purposes

118. Purposes for exercise of powers
The powers in section 119 may be exercised for any of the following purposes --
(a) under Division 9 Subdivision 5 investigating, and making a determination in relation to, a privacy complaint not resolved by conciliation, in a case where the complaint relates to an act or practice that may be an interference with privacy under section 15(b), (c) or (d); or
(b) under Subdivision 1 investigating, and making a determination in relation to, an act or practice that may be an interference with privacy under section 15(b), (c) or (d); or
(c) under Subdivision 2 monitoring, or conducting an assessment of, an IPP entity's compliance with any or all of its obligations under Division 6.

119. Powers of entry, observation and inspection for notifiable information breach compliance purposes
(1) An authorised officer may, for a purpose referred to in section 118 --
(a) give the principal officer of a public entity a written direction requiring the principal officer to give the authorised officer access at a specified time to any place occupied or used by the public entity; and
(b) enter the place at the specified time; and
(c) do any of the following at the place --
(i) observe a demonstration of the public entity's systems and procedures for handling information;
(ii) inspect any document that relates to the public entity's systems, policies and procedures for handling information;
(iii) inspect any other document provided to the authorised officer or that the authorised officer considers may be relevant for a purpose referred to in section 118;
(iv) inspect any location where information is handled by the public entity, including arrangements for the security of that location;
(v) inspect or operate any computer system.
(2) The principal officer of the public entity must ensure that the authorised officer is given --
(a) access to the place at the time specified in the notice; and
(b) reasonable assistance in exercising powers under subsection (1)(c).
(3) This section does not apply in relation to any place used as a residence for 1 or more individuals.

120. Authorised officers
(1) The Information Commissioner may, in writing, designate a person who is a member of Commissioner staff as an authorised officer for the purposes of the exercise of powers under section 119.
(2) The Information Commissioner may, in writing, revoke a designation under subsection (1) at any time.

121. Identity cards
(1) The Information Commissioner must ensure that each authorised officer is issued with an identity card in the form approved by the Commissioner.
(2) An authorised officer must, when exercising a power under section 119 --
(a) carry the authorised officer's identity card; and
(b) produce the authorised officer's identity card if requested to do so.
(3) In any proceedings, the production of an identity card is evidence of the designation of the authorised officer to whom the identity card relates.
(4) A person must not, without reasonable excuse, fail to return the person's identity card to the Information Commissioner within 14 days after the day on which the person ceases to be an authorised officer.
Penalty for this subsection: a fine of $5 000.

Subdivision 5 -- Compliance notices

122. Issue of compliance notice
(1) The Information Commissioner may issue a written notice (a compliance notice) to an IPP entity if the Commissioner is satisfied that --
(a) an act or practice of the IPP entity constitutes an interference with the privacy of an individual; and
(b) the act or practice --
(i) has been done or engaged in repeatedly; or
(ii) constitutes a serious or flagrant interference with the privacy of an individual.
(2) A compliance notice may be issued on the Information Commissioner's own initiative, whether following a privacy complaint or an investigation under section 106 or otherwise.
(3) The compliance notice must be given to the principal officer of the IPP entity.
(4) The compliance notice must --
(a) specify the action that the IPP entity is required to take to ensure that the IPP entity does not repeat or continue the act or practice; and
(b) specify the period within which the action must be taken.
(5) The IPP entity may, before the end of the period specified in the compliance notice, apply to the Information Commissioner for an extension of the period within which the action specified in the notice must be taken.
(6) An application under subsection (5) must be in the approved form.
(7) The Information Commissioner may, on application under subsection (5), extend the period within which the action specified in the notice must be taken if --
(a) the Commissioner is satisfied that it is not reasonably practicable for the IPP entity to take the specified action within the period specified in the notice; and
(b) the IPP entity has given the Commissioner an undertaking to take the specified action within the extended period.

123. IPP entity must comply with compliance notice
The principal officer of an IPP entity to which a compliance notice is issued must take all reasonable steps to ensure that the IPP entity complies with the compliance notice.
Penalty: a fine of $60 000.

124. Review of decision to issue compliance notice
An IPP entity to which a compliance notice is issued may apply to the State Administrative Tribunal for a review of the decision to issue the compliance notice.

Subdivision 6 -- Enforcement of orders made by Commissioner

125. Enforcement of orders requiring payment of compensation
(1) A person to whom a payment of an amount of compensation is to be made under an order under section 98(3)(c) or 104(2)(c) may enforce the order by filing in a court of competent jurisdiction --
(a) a copy of the order that the Information Commissioner has certified to be a true copy; and
(b) the person's affidavit as to --
(i) the amount not paid under the order; and
(ii) if the order is to take effect upon any default -- the making of that default.
(2) No charge is to be made for filing a copy of an order or an affidavit under this section.
(3) On filing, the order is taken to be an order of the court and may be enforced accordingly.

126. Enforcement of other orders
(1) A person seeking to enforce an order under section 98(3)(a) or (b), 104(2)(a) or (b) or 107(2)(a) or (b) may file in the Supreme Court --
(a) a copy of the order that the Information Commissioner has certified to be a true copy; and
(b) the person's affidavit as to the non-compliance with the order; and
(c) a certificate from the Information Commissioner stating that the order is appropriate for filing in the Supreme Court.
(2) No charge is to be made for filing a copy of an order, affidavit or certificate under this section.
(3) On filing, the order is taken to be an order of the Supreme Court and may be enforced accordingly.

127. Deferral of enforcement until review proceedings concluded
An order made under section 104(2) or 107(2) cannot be filed under section 125 or 126 unless --
(a) the period within which an application may be made to the State Administrative Tribunal for a review of the determination that includes the order has passed; and
(b) if an application referred to in paragraph (a) has been made -- review proceedings under the State Administrative Tribunal Act 2004 in relation to the application have concluded.

Division 11 -- Contracted service providers

128. Purpose of Division
This Division provides for how this Part and the information privacy principles apply in relation to IPP entities that are contracted service providers.

129. State services contract may provide for application of privacy obligations
A State services contract may include a provision to the effect that this Part, the information privacy principles, and any applicable approved privacy code of practice, apply in the manner provided for in this Division in relation to the handling of information by the contracted service provider for the purposes of the State services contract.

130. Application of information privacy principles and approved privacy codes of practice to contracted service providers
(1) If a State services contract in relation to a contracted service provider includes a provision of a kind referred to in section 129 --
(a) the information privacy principles, and any approved privacy code of practice that applies to the outsourcing entity (the relevant outsourcing entity) that is a party to the contract, apply to an act done, or practice engaged in, by the contracted service provider for the purposes of the contract in the same way and to the same extent as they would apply if the act were done, or practice were engaged in, by the relevant outsourcing entity; and
(b) IPP 6, and any approved privacy code of practice that applies to the contracted service provider, apply to information held by the contracted service provider in connection with services provided under the contract.
(2) The information privacy principles, and any approved privacy code of practice, apply to a contracted service provider only to the extent provided for in subsection (1) and not otherwise.

131. Privacy codes of practice or amendments submitted by contracted service providers
(1) If a contracted service provider submits a privacy code of practice, or an amendment to an approved privacy code of practice, to the Information Commissioner under section 29(1), the Commissioner must give written notice of the submission to each relevant outsourcing entity.
(2) A relevant outsourcing entity for the purposes of subsection (1) is an outsourcing entity that is a party to a State services contract, if the privacy code of practice or the amended approved privacy code of practice (as the case requires) would apply in relation to the handling of information by the contracted service provider for the purposes of the contract.

132. Requests for access and correction made to contracted service providers
(1) A contracted service provider to which a request for access or correction under IPP 6 or an applicable approved privacy code of practice is made must --
(a) notify the relevant outsourcing entity of the request as soon as practicable; and
(b) consult with the relevant outsourcing entity in relation to dealing with the request.
(2) The relevant outsourcing entity for the purposes of subsection (1) is the outsourcing entity that is a party to the State services contract in connection with which the contracted service provider holds the information in relation to which the request is made.
(3) In dealing with a request for access or correction under IPP 6 or an applicable approved privacy code of practice, a contracted service provider must have regard to any privacy guidelines in relation to requests under IPP 6 made to contracted service providers.

133. Public interest determinations and temporary public interest determinations applying to contracted service providers
(1) If a contracted service provider makes an application under section 46 for a public interest determination, or an application under section 50 for a temporary public interest determination, the Information Commissioner must give each relevant outsourcing entity a written notice that --
(a) states that the application has been received from the contracted service provider; and
(b) specifies the act or practice, and the information privacy principle or approved privacy code of practice, or both, to which the application relates; and
(c) in the case of an application for a public interest determination --
(i) invites the relevant outsourcing entity to make submissions in relation to the application in accordance with the notice made publicly available in relation to the application under section 47(1)(a); and
(ii) specifies the manner in which, and period within which, those submissions must be made.
(2) If the Information Commissioner gives a notice under section 54(3)(a) in relation to the proposed revocation of a public interest determination or temporary public interest determination to an IPP entity that is a contracted service provider, the Commissioner must also give a copy of the notice to each relevant outsourcing entity.
(3) A relevant outsourcing entity for the purposes of subsection (1) or (2) is an outsourcing entity that is a party to a State services contract, if the public interest determination or temporary public interest determination (as the case requires) applies or would apply in relation to an act or practice done or engaged in by the contracted service provider for the purposes of the contract.

134. Application of notifiable information breach obligations to contracted service providers
(1) If a State services contract in relation to a contracted service provider includes a provision of a kind referred to in section 129, Division 6 Subdivisions 2 and 3 apply to a notifiable information breach or suspected notifiable information breach involving personal information held by the contracted service provider in connection with services provided under the State services contract.
(2) Division 6 Subdivisions 2 and 3 --
(a) apply to a notifiable information breach or suspected notifiable information breach involving personal information held by a contracted service provider only to the extent provided for in subsection (1) and not otherwise; and
(b) apply for that purpose with the modifications set out in subsections (3) and (4).
(3) Division 6 Subdivision 2 applies as if the requirements under section 61(2) included requirements for the contracted service provider to --
(a) notify the outsourcing entity that is a party to the State services contract (the relevant outsourcing entity) of the suspected notifiable information breach as soon as practicable after forming the reasonable suspicion referred to in section 61(1); and
(b) notify the relevant outsourcing entity of the outcome of the assessment conducted under section 61, and give the relevant outsourcing entity a copy of the report on that assessment, as soon as practicable after the assessment is completed.
(4) If the assessment conducted by the contracted service provider under section 61 (as that section applies under subsection (3)) determines that a notifiable information breach has occurred or there are reasonable grounds to believe that a notifiable information breach has occurred --
(a) Division 6 Subdivision 3 applies in relation to the notifiable information breach as if it were an assessed notifiable information breach of the relevant outsourcing entity rather than the contracted service provider; and
(b) any notice the relevant outsourcing entity is required to give or make publicly available under section 62 or 63 (as those sections apply under paragraph (a)) must include, in addition to the other information required --
(i) the name and contact details of the contracted service provider; and
(ii) a description of the steps taken, or that will be taken, by the contracted service provider to contain, and mitigate the harm caused by, the notifiable information breach;
and
(c) the contracted service provider must give the relevant outsourcing entity any information and assistance it requires for the purposes of complying with Division 6 Subdivision 3 (as it applies under this subsection).

135. Directions about suspected notifiable information breaches given to contracted service providers
(1) This section applies if --
(a) a State services contract in relation to a contracted service provider includes a provision of a kind referred to in section 129; and
(b) the Information Commissioner reasonably suspects that a notifiable information breach has occurred involving personal information held by the contracted service provider in connection with services provided under the State services contract.
(2) The Information Commissioner may give a written direction to the contracted service provider and the outsourcing entity that is a party to the State services contract (the relevant outsourcing entity) --
(a) requiring the contracted service provider --
(i) to comply with section 61 (as it applies under section 134(3)) in relation to the suspected notifiable information breach as if the reasonable suspicion referred to in section 61(1) were formed by the contracted service provider on the day on which the direction is given; and
(ii) to give the relevant outsourcing entity any information and assistance it requires to comply with the direction;
and
(b) requiring the relevant outsourcing entity, after the contracted service provider conducts the assessment, to do whichever of the following is applicable --
(i) if the assessment determines that a notifiable information breach has occurred or there are reasonable grounds to believe that a notifiable information breach has occurred -- comply with Division 6 Subdivision 3 (as it applies under section 134(4)) in relation to the assessed notifiable information breach;
(ii) if the assessment determines that an information breach involving personal information held by the contracted service provider in connection with services provided under the State services contract has occurred, but that there are not reasonable grounds to believe that the information breach is a notifiable information breach -- as soon as practicable give the Commissioner a written notice including the information referred to in section 72(2);
(iii) if the assessment determines that an information breach involving personal information held by the contracted service provider in connection with services provided under the State services contract has not occurred -- as soon as practicable give the Commissioner a written notice setting out the reasons for the determination.
(3) Section 72 applies, with any appropriate modifications, in relation to a direction given under subsection (2) of this section as if --
(a) a reference in that section to a direction given under section 71(2) were a reference to a direction given under subsection (2) of this section; and
(b) a reference in that section to a notice referred to in section 71(2)(b)(ii) were a reference to a notice referred to in subsection (2)(b)(ii) of this section.

136. Details of information breaches affecting contracted service providers to be included in register and report
If a contracted service provider has conducted an assessment of a suspected notifiable information breach under section 61 (as it applies under section 134(3)), sections 74 and 75 apply --
(a) as if a notifiable information breach to which section 134(4)(a) applies were an assessed notifiable information breach of the outsourcing entity referred to in that section (the relevant outsourcing entity); and
(b) otherwise as if the assessment were conducted by the relevant outsourcing entity in relation to a suspected notifiable information breach involving personal information held by the relevant outsourcing entity.

137. Privacy impact assessments by contracted service providers
(1) If a State services contract in relation to a contracted service provider includes a provision of a kind referred to in section 129, sections 79 and 80 apply to a contracted service provider in relation to a function or activity carried out, or proposed to be carried out, for the purposes of the State services contract.
(2) Sections 79 and 80 apply to a contracted service provider only to the extent provided for in subsection (1) and not otherwise.

138. Directions about privacy impact assessments given to contracted service providers
(1) If the Information Commissioner gives a direction under section 80(1) to an IPP entity that is a contracted service provider, the Commissioner must also give a copy of the direction to the relevant outsourcing entity.
(2) The relevant outsourcing entity for the purposes of subsection (1) is the outsourcing entity that is a party to the State services contract for the purposes of which the contracted service provider carries out, or proposes to carry out, the function or activity to which the direction relates.

139. Notices relating to privacy complaints or investigations about contracted service providers
(1) If the Information Commissioner gives a notice in relation to a privacy complaint, or a determination of a privacy complaint, under Division 9 to a respondent that is a contracted service provider, the Commissioner must also give a copy of the notice to the relevant outsourcing entity.
(2) If the Information Commissioner gives a notice in relation to an investigation under section 106, or a determination under section 107, to an IPP entity that is a contracted service provider, the Commissioner must also give a copy of the notice to the relevant outsourcing entity.
(3) The relevant outsourcing entity for the purposes of subsection (1) or (2) is the outsourcing entity that is a party to the State services contract for the purposes of which the contracted service provider did the act, or engaged in the practice, to which the complaint, investigation or determination relates.

140. Enforcement action may be taken against outsourcing entity in some circumstances
(1) In this section --
enforcement action means --
(a) making, dealing with or determining a privacy complaint under Division 9; or
(b) investigating, or making a determination in relation to, an act or practice under Division 10 Subdivision 1; or
(c) exercising any power under Division 10 for the purpose of a matter referred to in paragraph (a) or (b);
insolvent --
(a) in relation to an individual -- means that the individual is, according to the Interpretation Act 1984 section 13D, a bankrupt or a person whose affairs are under insolvency laws; or
(b) in relation to a body corporate -- means that --
(i) a liquidator, provisional liquidator or receiver has been appointed in relation to the body corporate; or
(ii) the body corporate is otherwise being wound up;
relevant act or practice means an act or practice of a contracted service provider that is done or engaged in for the purposes of a State services contract, or in relation to information held in connection with services provided under a State services contract;
relevant outsourcing entity, in relation to a relevant act or practice, means the outsourcing entity that is a party to the State service contract in connection with which the relevant act or practice is done or engaged in.
(2) If, at the time of a relevant act or practice of a contracted service provider, the State services contract does not include a provision of the kind referred to in section 129, then any enforcement action in relation to the act or practice may be taken in relation to the relevant outsourcing entity as if the act or practice had been done or engaged in by the relevant outsourcing entity instead of the contracted service provider.
(3) If subsection (2) does not apply, but any enforcement action cannot be taken in relation to a relevant act or practice of a contracted service provider because at the time of the proposed enforcement action the contracted service provider has died, ceased to exist or become insolvent, the enforcement action may instead be taken in relation to the relevant outsourcing entity as if it were the contracted service provider and had done or engaged in the relevant act or practice.
(4) If a privacy complaint is made in relation to a relevant act or practice of a contracted service provider and the contracted service provider dies, ceases to exist or becomes insolvent before the Information Commissioner makes a determination under section 104 in relation to the complaint, the Commissioner may amend the complaint to substitute the relevant outsourcing entity as the respondent, instead of the contracted service provider.
(5) If the Information Commissioner makes an order under section 98(3)(c) or 104(2)(c) requiring the payment of compensation by a contracted service provider in relation to a relevant act or practice, and the contracted service provider dies, ceases to exist or becomes insolvent before the compensation is paid or recovered, the Commissioner may amend the order so that it applies to the relevant outsourcing entity instead of the contracted service provider.
(6) Before making an amendment under subsection (4) or (5), the Information Commissioner must give the relevant outsourcing entity written notice of, and a reasonable opportunity to make submissions on, the proposed amendment.

Division 12 -- Administration

Subdivision 1 -- Functions under this Act of Information Commissioner and Privacy Deputy Commissioner

141. Functions of Information Commissioner and Privacy Deputy Commissioner under this Act

(1) The Information Commissioner has the following functions under this Act --
    (a) to promote the understanding of matters relating to the information privacy principles and this Part;
    (b) to promote the objects of this Act set out in section 3(a) to (e);
    (c) to promote compliance with the information privacy principles and this Part;
    (d) to prepare and make available information and material in relation to protecting the privacy of personal information;
    (e) to provide assistance to members of the public and IPP entities in relation to any matter relevant to the operation of this Part;
    (f) to undertake reviews of any matter relating to the privacy of personal information, on request by the Privacy Minister or on the Commissioner's own initiative;
    (g) to report and make recommendations on any matter relating to the privacy of personal information;
    (h) to undertake, participate in or promote research in relation to any matter relating to the privacy of personal information;
    (i) any other function given to the Information Commissioner under this Act.
(2) The Privacy Deputy Commissioner also has all the functions of the Information Commissioner under this Act, other than the following --
    (a) giving approvals under section 142(3) and directions under section 142(4);
    (b) any function in relation to a report under Subdivision 2;
    (c) any function in relation to consultation under section 202(2) or serving as a member of the Privacy and Responsible Information Sharing Advisory Committee.

Note for this section:
    The Information Commissioner Act 2024 sections 25 and 27 provide for the functions of the Information Commissioner and Privacy Deputy Commissioner generally.

142. Performance of privacy functions

(1) The functions under this Act that are functions of both the Information Commissioner and the Privacy Deputy Commissioner are the privacy functions.
(2) A privacy function may be performed --
    (a) by the Information Commissioner; or
    (b) by the Privacy Deputy Commissioner, subject to subsection (3) and any direction given under subsection (4).
(3) The Privacy Deputy Commissioner must obtain the approval of the Information Commissioner before performing any of the following privacy functions --
    (a) making a public interest determination under section 45(1);
    (b) making a temporary public interest determination under section 49(1);
    (c) extending a temporary public interest determination under section 52(3);
    (d) revoking a public interest determination or temporary public interest determination under section 54(1) or (2);
    (e) making a notifiable information breach determination under section 60(1);
    (f) amending or repealing a notifiable information breach determination;
    (g) issuing privacy guidelines under section 148(1);
    (h) amending or revoking privacy guidelines under section 148(2).
(4) The Information Commissioner may direct the Privacy Deputy Commissioner as to --
    (a) which of the privacy functions the Privacy Deputy Commissioner is to perform; and
    (b) the manner in which the Privacy Deputy Commissioner must perform any privacy function.
(5) If the Privacy Deputy Commissioner performs a privacy function --
    (a) the Privacy Deputy Commissioner performs the function in the Privacy Deputy Commissioner's own right and not on behalf of the Information Commissioner; and
    (b) the Privacy Deputy Commissioner may perform the function upon the Privacy Deputy Commissioner's own belief or state of mind (to the extent that the performance or exercise is dependent on the belief or state of mind of the Information Commissioner); and
    (c) the performance of the function is as effectual for all purposes as if it were performed by the Information Commissioner; and
    (d) a reference in this Act or another written law to anything done by, to, or in relation to, the Information Commissioner in connection with the function includes a reference to the thing as done by, to, or in relation to, the Privacy Deputy Commissioner; and
    (e) the Information Commissioner is not prevented from performing the same function on another occasion (in relation to a different matter).

143. Certain functions cannot be delegated

The following privacy functions cannot be delegated by the Information Commissioner or the Privacy Deputy Commissioner under the Information Commissioner Act 2024 section 28 --
    (a) making a public interest determination under section 45(1);
    (b) making a temporary public interest determination under section 49(1);
    (c) extending a temporary public interest determination under section 52(3);
    (d) revoking a public interest determination or temporary public interest determination under section 54(1) or (2);
    (e) making a notifiable information breach determination under section 60(1);
    (f) amending or repealing a notifiable information breach determination;
    (g) making an order to give effect to a conciliation agreement under section 98(3);
    (h) determining a privacy complaint under section 104(1);
    (i) making a determination following an investigation under section 107(1);
    (j) issuing a compliance notice under section 122(1);
    (k) issuing privacy guidelines under section 148(1);
    (l) amending or revoking privacy guidelines under section 148(2).

144. Information Commissioner and Privacy Deputy Commissioner must have regard to objects of Act in performing functions

In performing their functions under this Act, the Information Commissioner and Privacy Deputy Commissioner must have regard to the objects of this Act.

145. Information Commissioner and Privacy Deputy Commissioner may request IPP entity to provide assistance

The Information Commissioner or Privacy Deputy Commissioner may request an IPP entity to provide any assistance that that Commissioner reasonably considers appropriate to perform their functions under this Act.

Subdivision 2 -- Reporting

146. Matters to be included in annual report to Parliament

(1) Without limiting the Information Commissioner Act 2024 section 32, the Information Commissioner must include the following information in the annual report required under that section for a financial year --
    (a) the number of applications for public interest determinations made under section 46 and the outcome of those applications;
    (b) the number of applications for temporary public interest determinations made under section 50 and the outcome of those applications;
    (c) the number of applications for extensions of temporary public interest determinations made under section 52(1) and the outcome of those applications;
    (d) the number of privacy complaints made and the outcome of those complaints;
    (e) the number of applications for review made to the State Administrative Tribunal under sections 70(5), 90(5), 91(3), 105, 108 and 124 and the outcome of those applications;
    (f) the number of appeals made to the Supreme Court under the State Administrative Tribunal Act 2004 section 105 from decisions of the State Administrative Tribunal on applications referred to in paragraph (e) and the outcome of those appeals;
    (g) the number of notifiable information breaches notified under section 62;
    (h) the number, or an estimate of the number, of affected individuals in relation to notifiable information breaches notified under section 62;
    (i) the number of compliance notices issued under section 122;
    (j) any other information prescribed by the regulations.
(2) A public entity must provide the Information Commissioner with any information the Information Commissioner requires for the purposes of including the matters referred to in subsection (1) in the annual report.

147. Special reports to Parliament

(1) The Information Commissioner may, if the Information Commissioner considers it to be in the public interest to do so --
    (a) prepare a report on --
        (i) any matter arising in connection with the performance of the privacy functions; or
        (ii) any act or practice of an IPP entity that the Information Commissioner considers to be an interference with the privacy of an individual;
    and
    (b) submit the report to the President of the Legislative Council and the Speaker of the Legislative Assembly.
(2) A report under subsection (1) may include recommendations.
(3) The President or Speaker must cause a copy of a report submitted to them under subsection (1) to be laid before the Legislative Council or Legislative Assembly, as the case requires, within 15 sitting days of that House after the report is submitted.

Subdivision 3 -- Guidelines, documents and notices

148. Privacy guidelines

(1) The Information Commissioner may issue guidelines --
    (a) in relation to any matter required or permitted by this Part or section 176 to be the subject of privacy guidelines; or
    (b) to provide information and guidance in relation to the application and administration of the information privacy principles and this Part.
(2) The Information Commissioner may amend or revoke privacy guidelines.
(3) The Information Commissioner may consult with any person or body the Commissioner considers appropriate before issuing, amending or revoking any privacy guidelines.
(4) The Information Commissioner must ensure that privacy guidelines are made publicly available.

Note for this section:
    Section 221 makes provision for the status and effect of privacy guidelines.

149. Making documents publicly available

(1) The regulations may make provision for how documents are to be made publicly available by the Information Commissioner or an entity for the purposes of any provision of this Part.
(2) If a provision of this Part requires or permits the Information Commissioner to make a document publicly available, the Commissioner must comply with that requirement or exercise that power --
    (a) if regulations under subsection (1) apply -- in accordance with those regulations; or
    (b) otherwise -- by making the document publicly available in the manner the Commissioner considers appropriate.

150. Notices of decisions or determinations

Without limiting any other provision of this Part, the Information Commissioner must include the following information in a notice of a decision or determination of the Commissioner given under this Part --
    (a) the day on which the decision or determination was made;
    (b) the name and designation of the person who made the decision or determination;
    (c) the reasons for the decision or determination;
    (d) any right under this Act to apply for a review of the decision or determination.

Division 13 -- General

151. Privacy officers of public entities

(1) The principal officer of a public entity must ensure that the principal officer, or another senior officer, of the entity is designated as the privacy officer for the public entity.
(2) A privacy officer of a public entity is responsible for the following --
    (a) promoting the public entity's compliance with the information privacy principles and this Part;
    (b) assisting in the preparation of the public entity's information breach policy under section 73;
    (c) assisting in the establishment and maintenance of the public entity's register of notifiable information breaches under section 74;
    (d) assisting in the conduct of privacy impact assessments by the public entity under sections 79 and 80;
    (e) coordinating the public entity's response to complaints made to the public entity in relation to acts or practices of the public entity that may constitute an interference with the privacy of an individual;
    (f) coordinating the public entity's dealings with the Information Commissioner in relation to --
        (i) privacy impact assessments conducted by the public entity under sections 79 and 80; and
        (ii) privacy complaints in relation to the public entity; and
        (iii) any investigation, monitoring or assessment conducted by the Commissioner under Division 10 in relation to the public entity.
(3) The principal officer of a public entity must ensure that the Information Commissioner is notified of --
    (a) the name and contact details of the privacy officer; and
    (b) any change to the individual designated as privacy officer or to the privacy officer's contact details.

152. Nature of privacy rights created by this Act

(1) Except in accordance with the procedures set out in this Act, nothing in Division 2, 3, 4, 6, 7, 8 or 11, an approved privacy code of practice or the information privacy principles --
    (a) gives rise to a civil cause of action; or
    (b) operates to create in any person a legal right enforceable in a court or tribunal.
(2) A contravention of Division 2, 3, 4, 6, 7, 8 or 11, an approved privacy code of practice or the information privacy principles does not give rise to an offence except to the extent expressly provided by this Part.
(3) A failure to comply with an information privacy principle or approved privacy code of practice does not invalidate any decision made, or thing done, by an IPP entity.

153. Interaction with other laws

(1) Nothing in this Part or the information privacy principles limits the operation of the Freedom of Information Act 1992 or the State Records Act 2000.
(2) The information privacy principles and approved privacy codes of practice do not limit the operation of other secrecy provisions that apply to information.
(3) If an enactment is expressed to apply despite the Freedom of Information Act 1992, or to disapply or limit the application of the Freedom of Information Act 1992 or Parts 2 and 4 of that Act in relation to any matter, then (as the case requires) the enactment also applies despite, or disapplies or so limits, any application in the circumstances of --
    (a) IPP 6; or
    (b) an approved privacy code of practice that provides for modifications to the application of IPP 6 or for how IPP 6 is to be applied or complied with.

154. Exercise of powers relating to consent and access by authorised representative of individual

(1) In this section --
    authorised representative, in relation to an individual --
        (a) means a person who is --
            (i) a guardian or enduring guardian (as those terms are defined in the Guardianship and Administration Act 1990 section 3(1)) of the individual; or
            (ii) an attorney for the individual under an enduring power of attorney; or
            (iii) an administrator (as defined in the Guardianship and Administration Act 1990 section 3(1)) of the individual's estate; or
            (iv) a person authorised to make treatment decisions for the individual under the Guardianship and Administration Act 1990 Part 9C or 9D; or
            (v) if the individual is a child -- a parent or guardian of the child; or
            (vi) otherwise empowered under law to perform any functions or duties, or exercise powers, as an agent or in the best interests of the individual;
        but
        (b) does not include a person acting as referred to in paragraph (a) in a manner that is inconsistent with an order made by a court or tribunal.
(2) If an information privacy principle or approved privacy code of practice requires the consent of an individual to the collection, holding, management, use or disclosure of personal information, an authorised representative of the individual may give consent if --
    (a) the individual is incapable of giving consent; and
    (b) the consent is reasonably necessary for the lawful performance of functions or duties or exercise of powers in relation to the individual by the authorised representative.
(3) If an information privacy principle or approved privacy code of practice permits an individual to request access to or correction of personal information, or confers on an individual a right of access to personal information, the power to make that request, or that right of access, may be exercised --
    (a) by the individual personally, unless the individual is a child who is incapable of making the request; or
    (b) by an authorised representative of the individual if --
        (i) the individual is incapable of making the request or exercising the right of access; and
        (ii) the personal information to be accessed, or the correction of the personal information, is reasonably necessary for the lawful performance of functions or duties or exercise of powers in relation to the individual by the authorised representative.
(4) For the purposes of this section and the information privacy principles, an individual is incapable of giving consent, making a request or exercising a right of access if the individual, by reason of age, injury, disease, senility, illness, disability, physical impairment or mental disorder, is incapable (despite the provision of reasonable assistance by another individual) of --
    (a) understanding the general nature and effect of giving the consent, making the request or exercising the right of access (as the case requires); or
    (b) communicating the consent or refusal of consent, making the request, or personally exercising the right of access (as the case requires).
(5) An authorised representative of an individual must not give consent under subsection (2), or make a request under subsection (3), if the authorised representative knows or believes that the consent or request does not accord with wishes expressed, and not changed or withdrawn, by the individual before the individual became incapable of giving the consent or making the request.
(6) A consent given, or request made, in circumstances referred to in subsection (5) is of no effect.
(7) An IPP entity may refuse a request by an authorised representative of an individual for access to personal information that relates to the individual if the IPP entity believes on reasonable grounds that access by the authorised representative may endanger the individual or any other individual.

155. Review of privacy provisions of Act

(1) In this section --
    privacy provisions means the following --
        (a) this Part;
        (b) Schedule 1;
        (c) the provisions of Parts 1, 4 and 5, to the extent that those provisions relate to terms or matters relevant to this Part and Schedule 1;
        (d) regulations made for the purposes of provisions referred to in paragraphs (a) to (c).
(2) The Privacy Minister must review the operation and effectiveness of the privacy provisions, and prepare a report based on the review --
    (a) as soon as practicable after the 5th anniversary of the day on which section 20 comes into operation; and
    (b) after that, at intervals of not more than 5 years.
(3) The Privacy Minister must cause the report to be laid before each House of Parliament as soon as practicable after it is prepared, but not later than 12 months after the 5th anniversary or the expiry of the period of 5 years, as the case may be.
Part 3 -- Responsible information sharing

Division 1 -- Key concepts and preliminary matters

156. Special information sharing entities and external entities

(1) A special information sharing entity is --
    (a) a judicial body; or
    (b) a public entity that is an exempt agency as defined in the Freedom of Information Act 1992 Glossary clause 1; or
    (c) another public entity prescribed by the regulations.
(2) An external entity --
    (a) is any of the following --
        (i) an agency or instrumentality of the Commonwealth, another State or a Territory;
        (ii) a contracted service provider;
        (iii) an Aboriginal community controlled organisation;
        (iv) a person or body that provides or promotes social services as defined in the Children and Community Services Act 2004 section 3;
        (v) a higher education provider, as defined in the Tertiary Education Quality and Standards Agency Act 2011 (Commonwealth) section 5, that is registered in the "Australian University" provider category under that Act;
        (vi) a body that carries out health-related research;
        (vii) any other body, or the holder of any other office, that is prescribed by the regulations;
    but
    (b) does not include a public entity.

157. Government information

The government information of a public entity --
    (a) is the information (including personal information) held by the public entity; but
    (b) does not include any exempt information held by the public entity.

158. Exempt information

(1) The following information is exempt information --
    (a) information the disclosure of which would reasonably be expected to reveal, or enable to be ascertained, the identity of any person as --
        (i) a confidential source of information in relation to the enforcement of a law; or
        (ii) a person who is the subject of enforcement proceedings under a law; or
        (iii) a person who has made an appropriate disclosure of public interest information under the Public Interest Disclosure Act 2003; or
        (iv) a person in respect of whom a disclosure of public interest information has been made under the Public Interest Disclosure Act 2003; or
        (v) a participant in a witness protection program; or
        (vi) a person who has made, or a person who is mentioned in, a report under the Children and Community Services Act 2004 section 124B(1); or
        (vii) a person who is a notifier as defined in the Children and Community Services Act 2004 section 240(1) or a person about whom the information mentioned in that definition is given; or
        (viii) a person who has made, or a person who is mentioned in, a report under the Parliamentary Commissioner Act 1971 section 19T; or
        (ix) a person who has given, or a person who is mentioned in, a notification under the Family Court Act 1997 section 160(2) or (3); or
        (x) a person who has given, or a person who is mentioned in, a notification under the Family Law Act 1975 (Commonwealth) section 67ZA(2) or (3); or
        (xi) a person in relation to whom information is contained in the Community Protection Offender Register established under the Community Protection (Offender Reporting) Act 2004 section 80; or
        (xii) a person on whom an abortion has been performed or who has performed, or assisted in the performance of, an abortion (as defined in the Public Health Act 2016 section 202MB); or
        (xiii) a patient who has requested access to, or accessed, voluntary assisted dying under the Voluntary Assisted Dying Act 2019 or a person who has acted as a coordinating practitioner, consulting practitioner or administering practitioner under that Act;
    (b) information the disclosure of which could reasonably be expected to reveal, or enable to be ascertained --
        (i) the identity of a person who is a complainant (as defined in the Evidence Act 1906 section 36C(4)) in relation to a person accused of, or an accusation alleging, a sexual offence (as defined in section 36A(1) of that Act); or
        (ii) the school that a complainant referred to in subparagraph (i) attends;
    (c) information the disclosure of which could reasonably be expected to prejudice national security;
    (d) information the disclosure of which could reasonably be expected to reveal, or enable to be ascertained, investigative measures or procedures of a law enforcement agency;
    (e) information that is --
        (i) restricted matter as defined in the Corruption, Crime and Misconduct Act 2003 section 151(1); or
        (ii) subject to a notation under section 99 of that Act;
    (f) information of a kind referred to in, or contained in a document referred to in, the Equal Opportunity Act 1984 section 167(1)(a) or (c) or (2)(a) or (b);
    (g) information of a kind referred to in the Inspector of Custodial Services Act 2003 section 47(1) or to which a direction under section 48 of that Act applies;
    (h) information of a kind referred to in, or contained in a document referred to in, the Legal Aid Commission Act 1976 section 64(2)(a) or (b) or (3) (other than administrative information as defined in section 64(2b) of that Act);
    (i) information of a kind referred to in the Parliamentary Commissioner Act 1971 section 23(1) or to which a direction under section 23(1a) of that Act applies;
    (j) information the disclosure of which could reasonably be expected to reveal, or enable to be ascertained, information relating to --
        (i) the adoption of a child or arrangements or negotiations for, towards, or with a view to, the adoption of a child; or
        (ii) the participation of a person in an artificial fertilisation procedure (as defined in the Human Reproductive Technology Act 1991 section 3(1)) or to a person having been born as a result of such a procedure;
    (k) entry registration information as defined in the Protection of Information (Entry Registration Information Relating to COVID-19 and Other Infectious Diseases) Act 2021 section 3;
    (l) information obtained under a taxation Act as defined in the Taxation Administration Act 2003 Glossary clause 1;
    (m) confidential information as defined in the First Home Owner Grant Act 2000 section 65(7);
    (n) information given to the Treasurer under the Bank of Western Australia Act 1995 section 22 or to the Minister responsible for the administration of that Act under section 42O of that Act;
    (o) sensitive Aboriginal family history information, or sensitive Aboriginal traditional information, given in relation to an application or potential application under the Native Title Act 1993 (Commonwealth) section 61 (whether given by or on behalf of the applicant or potential applicant or otherwise);
    (p) a photograph or signature referred to in paragraph (a) or (b) of the definition of identifying information in the Road Traffic (Authorisation to Drive) Act 2008 section 11B(1);
    (q) a photograph or signature referred to in paragraph (a) or (b) of the definition of identifying information in the Western Australian Photo Card Act 2014 section 12(1);
    (r) information of a class prescribed by the regulations.
(2) Without limiting subsection (1) but subject to subsection (3), information is also exempt information if the information originated with or was obtained from any of the following special information sharing entities (including staff under the control of any of the following special information sharing entities) --
    (a) the Auditor General appointed under the Auditor General Act 2006 or the Office of the Auditor General;
    (b) the Corruption and Crime Commission established under the Corruption, Crime and Misconduct Act 2003 section 8;
    (c) the Director of Public Prosecutions appointed under the Director of Public Prosecutions Act 1991 section 5;
    (d) the Information Commissioner;
    (e) the Parliamentary Commissioner for Administrative Investigations;
    (f) the Public Sector Commissioner, but only in relation to their functions under the Corruption, Crime and Misconduct Act 2003;
    (g) a judicial body;
    (h) a special information sharing entity prescribed by the regulations.
(3) Information (other than information to which subsection (1) applies) that originated with or was obtained from a special information sharing entity referred to in subsection (2) is not exempt information in relation to --
    (a) an information sharing request made to the special information sharing entity; or
    (b) an information sharing agreement or proposed information sharing agreement under which the special information sharing entity is a provider or proposed provider in relation to the information.

159. Permitted purposes for sharing of information

(1) A permitted purpose is a purpose for which, under subsections (2) and (3), information may be handled under an information sharing agreement.
(2) Information may be handled under an information sharing agreement for any of the following purposes --
    (a) to inform or enable the making or implementation of government policy;
    (b) to inform or enable the design, management, delivery or evaluation of government programs and services;
    (c) to inform or enable research and development with clear and direct benefits to the public;
    (d) to inform or enable emergency management (including prevention of, preparedness for, response to, and recovery from, emergencies);
    (e) any other purpose prescribed by the regulations.
(3) Despite subsection (2), information cannot be handled under an information sharing agreement for --
    (a) a purpose that relates to a law enforcement function of a law enforcement agency (other than a community policing function of the Police Force of Western Australia that is prescribed by the regulations for the purposes of this paragraph); or
    (b) a purpose that relates to determining whether a person has complied with a law or monitoring compliance with a law; or
    (c) a purpose that relates to national security; or
    (d) a primary purpose of obtaining commercial gain.
(4) Subsection (3) applies even if the purpose referred to in subsection (3) is also of a kind referred to in subsection (2).

Division 2 -- Information sharing requests

160. Information sharing request

(1) A public entity may, by written notice, request another public entity to disclose government information under this Part to the public entity making the request.
(2) An external entity may, by written notice, request a public entity to disclose government information under this Part to the external entity making the request.
(3) If an entity makes a request under subsection (1) or (2) --
    (a) the request is an information sharing request; and
    (b) the public entity to which the request is made is the holding entity; and
    (c) the public entity or external entity that makes the request is the requesting entity.
(4) An information sharing request must be given to the principal officer of the holding entity and must state --
    (a) that the request is an information sharing request for the purposes of this Act; and
    (b) the government information of the holding entity to which the request relates; and
    (c) the permitted purpose for which the information would be handled; and
    (d) the activity that would be carried out for that permitted purpose by the requesting entity using the information; and
    (e) how the information would be used for the purposes of that activity; and
    (f) how the requesting entity would otherwise handle the information.
(5) A requesting entity may withdraw an information sharing request.

161. Response to information sharing request

(1) If an information sharing request is made under section 160 and is not withdrawn, the holding entity must give the requesting entity a written notice responding to the request in accordance with subsection (2) within --
    (a) 45 days after the day on which the request is made; or
    (b) a longer period agreed with the requesting entity.
(2) A notice responding to an information sharing request must do 1 of the following --
    (a) state that the holding entity --
        (i) considers that the requested information may be disclosed to the requesting entity otherwise than under this Part; and
        (ii) agrees to disclose the requested information to the requesting entity;
    (b) state that the holding entity may be willing to disclose some or all of the requested information to the requesting entity under this Part, subject to conducting the required assessments under Division 4 Subdivision 2 and entering into an information sharing agreement providing for the disclosure;
    (c) state that the holding entity refuses to disclose the requested information and the reasons for the refusal.
(3) Despite subsection (1), a holding entity is not required to respond to an information sharing request if --
    (a) either or both of the following apply --
        (i) the holding entity is a special information sharing entity;
        (ii) the requesting entity is an external entity;
    and
    (b) the holding entity does not intend to share the requested information with the requesting entity.
(4) A holding entity is not bound by any response that the holding entity gives to an information sharing request.
(5) If the requesting entity is a public entity, a response to an information sharing request must be given to the principal officer of the entity.

162. No obligation to disclose requested information

(1) A holding entity to which an information sharing request is made may refuse to disclose information to which the request relates if, for any reason, the holding entity considers that the information should not be disclosed to the requesting entity.
(2) Without limiting subsection (1), the holding entity may refuse to disclose information because --
    (a) the information would be privileged from production in legal proceedings on the ground of legal professional privilege; or
    (b) the disclosure of the information would constitute a breach of any of the following --
        (i) a contract;
        (ii) an obligation of confidence for which a legal or equitable remedy could be obtained;
        (iii) an order of a court or tribunal;
    or
    (c) the disclosure or proposed use of the information would contravene --
        (i) a law of the State (whether or not that law could be overridden by section 187); or
        (ii) a law of the Commonwealth, another State or a Territory;
    or
    (d) the disclosure or proposed use of the information would be likely to prejudice --
        (i) an investigation of any contravention or possible contravention of a law of the State, the Commonwealth, another State or a Territory; or
        (ii) the administration or enforcement of a law of the State, the Commonwealth, another State or a Territory; or
        (iii) a proceeding before a court or tribunal; or
        (iv) any disciplinary proceedings; or
        (v) a coronial investigation or inquest;
    or
    (e) the disclosure or proposed use of any of the information could reasonably be expected to result in --
        (i) a serious threat to the life, health, safety or welfare of any individual; or
        (ii) a threat to the life, health, safety or welfare of any individual due to family violence.

Division 3 -- Information sharing directions

163. Responsible Minister for public entity may direct sharing of information

(1) The responsible Minister for a public entity (other than a special information sharing entity) may give the public entity a written direction (an information sharing direction) requiring the public entity to enter into an information sharing agreement that provides for --
    (a) the disclosure for a permitted purpose of government information by the public entity to --
        (i) another public entity; or
        (ii) an external entity;
    and
    (b) the collection, holding, management and use of that information by that other entity for a permitted purpose.
(2) If there is more than 1 responsible Minister for the public entity, an information sharing direction can be given to the public entity only by the Minister principally responsible for the functions or activities of the public entity for the purposes of which the relevant government information is held.
(3) An information sharing direction must be given to the principal officer of the public entity and must --
    (a) identify the public entity to which it is given; and
    (b) identify the public entity or external entity with which the information sharing agreement is required to be entered into; and
    (c) describe the information sharing agreement that the public entity is required to enter into, including --
        (i) the information that may be handled under the agreement; and
        (ii) the permitted purpose for which the information may be handled; and
        (iii) the activity to be carried out for that permitted purpose using the information.
(4) An information sharing direction cannot be given in relation to government information of a public entity unless --
    (a) an information sharing request has previously been given to the public entity in relation to the information; and
    (b) the public entity has --
        (i) not responded to the request within 45 days after the day on which the request is made, or a longer period agreed with the requesting entity; or
        (ii) responded to the request by refusing to disclose the information;
    and
    (c) the responsible Minister is satisfied that --
        (i) the purpose referred to in subsection (3)(c)(ii) is a permitted purpose; and
        (ii) the proposed handling of information contemplated by the direction will be consistent with the responsible sharing principles and appropriate in all the circumstances.

164. Notice of direction must be laid before Houses of Parliament

(1) A responsible Minister who gives an information sharing direction to a public entity must, within 14 days after the day on which the direction is given, cause notice of the direction to be --
    (a) laid before each House of Parliament or dealt with under section 220; and
    (b) given to the Chief Data Officer.
(2) A notice required under subsection (1) must state --
    (a) the matters referred to in section 163(3); and
    (b) the reasons why the responsible Minister is satisfied that the proposed handling of information contemplated by the direction will be consistent with the responsible sharing principles and appropriate in all the circumstances.

165. Revocation of direction

(1) A responsible Minister who gives an information sharing direction to a public entity may revoke the direction by written notice given to the public entity.
(2) A responsible Minister who revokes an information sharing direction must cause notice of the revocation to be given to the Chief Data Officer.

166. Requirement to comply with direction

If an information sharing direction has been given and not revoked, the public entity given the direction must take all reasonable steps to --
    (a) enter into an information sharing agreement in compliance with the direction; and
    (b) disclose information in accordance with the agreement.

167. Division has effect subject to laws restricting Ministerial direction

(1) This section applies if there is a conflict or inconsistency between --
    (a) this Division; and
    (b) a provision of another written law that --
        (i) provides that a public entity is not subject to direction by a Minister; or
        (ii) restricts the extent to which a public entity is subject to direction by a Minister.
(2) The provision referred to in subsection (1)(b) prevails over this Division.

Division 4 -- Information sharing agreements

Subdivision 1 -- Entry into and contents of information sharing agreement

168. Information sharing agreement

(1) An information sharing agreement is a written agreement entered into in accordance with the requirements of this Division that provides for --
    (a) the disclosure for a permitted purpose of government information by a public entity to --
        (i) another public entity; or
        (ii) an external entity;
    and
    (b) the collection, holding, management and use of that information by that other entity for a permitted purpose; and
    (c) the activity (the relevant activity) to be carried out for that permitted purpose using the information.
(2) A public entity that discloses information under an information sharing agreement (otherwise than as provided for under section 172) is a provider under the agreement.
(3) A public entity or external entity that collects, holds, manages and uses information disclosed to it under an information sharing agreement (otherwise than as provided for under section 172) is a recipient under the agreement.
(4) An information sharing agreement --
    (a) may be a multilateral agreement involving 2 or more providers, or 2 or more recipients, or both; and
    (b) may provide for a public entity to be both a provider and a recipient under the agreement in relation to different information.
(5) Each provider and each recipient under an information sharing agreement must be a party to the agreement.

169. Entering into information sharing agreement

(1) A public entity may enter into an information sharing agreement if --
    (a) an associated information sharing request has been made under Division 2; or
    (b) the agreement is entered into in compliance with an information sharing direction given under Division 3.
(2) An information sharing request is associated with an information sharing agreement for the purposes of subsection (1) if --
    (a) the requesting entity in relation to the request is a recipient under the agreement (whether or not there are other recipients); and
    (b) the holding entity in relation to the request is a provider under the agreement (whether or not there are other providers); and
    (c) the information to which the request relates is or includes information to which the agreement relates (whether or not the agreement also relates to other information).
(3) Before entering into an information sharing agreement, each proposed provider and proposed recipient must comply with the applicable requirements of Subdivision 2.

170. Matters to be included in information sharing agreement

An information sharing agreement must --
    (a) identify each party to the agreement and whether the party is --
        (i) a provider; or
        (ii) a recipient; or
        (iii) both a provider and a recipient;
    and
    (b) state that the agreement is an information sharing agreement for the purposes of this Act; and
    (c) provide for the term of the agreement, which must not be more than 5 years; and
    (d) describe --
        (i) the information that may be handled under the agreement; and
        (ii) the permitted purpose for which the information may be handled; and
        (iii) the relevant activity to be carried out using the information for that purpose; and
        (iv) if the relevant activity is to involve the use or interpretation of the information to generate new information (derived information) -- the derived information to be generated;
    and
    (e) require each recipient under the agreement to comply with sections 192, 193 and 194(4) in relation to a shared information breach or suspected shared information breach involving information disclosed under the agreement; and
    (f) provide for the consequences of non-compliance with sections 192, 193 or 194(4) by a recipient; and
    (g) provide for the consequences of a party withdrawing from the agreement; and
    (h) include provisions about how the disclosed information will be treated --
        (i) when the agreement ceases to be in force; or
        (ii) if a party withdraws from the agreement;
    and
    (i) include any other matters the agreement is required to include under section 171 and Subdivision 2; and
    (j) include any other matters prescribed by the regulations.

171. Other matters to be included in information sharing agreement

(1) If any secrecy provision would be contravened by the handling of information under an information sharing agreement but for the effect of section 187, the agreement must --
    (a) identify the secrecy provision; and
    (b) state whether the secrecy provision is an offence and, if so, the applicable penalty.
(2) If any information that may be disclosed by a provider under an information sharing agreement is confidential or commercially sensitive information, the agreement must --
    (a) describe any contractual or equitable obligations of the provider in relation to how the information is dealt with; and
    (b) require a recipient to which the information is disclosed to ensure that the information is dealt with in accordance with those obligations.
(3) If the relevant activity specified in an information sharing agreement involves the generation of derived information, the agreement must provide for --
    (a) the ownership of any intellectual property in the derived information; and
    (b) how the derived information is otherwise to be dealt with; and
    (c) how the derived information will be treated --
        (i) when the agreement ceases to be in force; or
        (ii) if a party withdraws from the agreement.

172. Information sharing agreement may provide for limited further disclosure

An information sharing agreement --
    (a) may provide for a recipient to be permitted to further disclose information it collects under the agreement to another person who is not a party to the agreement --
        (i) in specified circumstances in connection with the relevant activity under the agreement; and
        (ii) with the approval of the responsible Minister for any secrecy provision that would, but for section 187, be contravened by the further disclosure;
    but
    (b) must not otherwise permit the further disclosure of information disclosed under the agreement to persons who are not parties to the agreement.

173. Other matters that may be dealt with in information sharing agreement

An information sharing agreement may also provide for any of the following --
    (a) the review of the agreement at intervals;
    (b) how contraventions of the agreement must be dealt with;
    (c) the termination of the agreement in specified circumstances (including, without limitation, if a party to the agreement commits an offence under section 189 or contravenes regulations made under section 190);
    (d) subject to this Subdivision, any other matters the parties to the agreement consider it appropriate to deal with.

174. Activities under information sharing agreement may include data analytics work, data integration and data linkage

Without limiting section 168(1)(c), an information sharing agreement may provide for the use of information disclosed under the agreement for a relevant activity involving data analytics work, data integration or data linkage.

Subdivision 2 -- Assessments to be conducted before entering into information sharing agreement

175. Assessment of responsible sharing principles

(1) The responsible sharing principles are set out in Schedule 2.
(2) Before entering into an information sharing agreement, each proposed provider must --
    (a) conduct, and prepare a written report on, an assessment applying each of the responsible sharing principles to the proposed agreement; and
    (b) be satisfied that the proposed handling of information in accordance with the agreement is consistent with the responsible sharing principles and appropriate in all the circumstances.
(3) The agreement must include provisions (responsible sharing safeguards) for the purposes of ensuring that the handling of information under the agreement is consistent with the responsible sharing principles.
(4) Without limiting subsection (3), responsible sharing safeguards may include provisions --
    (a) regulating the manner in which the information may or must be handled; and
    (b) setting out how identified risks will be managed; and
    (c) setting out the action that must be taken if any of the responsible sharing safeguards is contravened.
(5) If there is more than 1 proposed recipient, an assessment conducted under subsection (2)(a) must apply the responsible sharing principles in relation to each proposed recipient.
(6) In conducting and preparing the report on the assessment, a proposed provider must have regard to any Chief Data Officer guidelines about assessments applying the responsible sharing principles.

176. Privacy impact assessment

(1) This section applies to a proposed information sharing agreement if --
    (a) the relevant activity under the agreement --
        (i) is likely to have a significant impact on the privacy of individuals; or
        (ii) involves data integration or data linkage;
    or
    (b) any of the proposed recipients is an external entity.
(2) Before entering into the information sharing agreement, the proposed parties must --
    (a) conduct an assessment (a privacy impact assessment) of the proposed information sharing agreement; and
    (b) prepare a written report on the assessment in accordance with subsection (3).
(3) The report on the privacy impact assessment must --
    (a) set out an assessment of the likelihood that the relevant activity will result in an interference with the privacy of any individual; and
    (b) identify the impact that the relevant activity might have on the privacy of individuals; and
    (c) set out recommendations for managing, minimising or eliminating that impact; and
    (d) include any other information the proposed parties consider is relevant.
(4) In complying with the requirements of this section, the proposed parties must have regard to --
    (a) any privacy guidelines referred to in section 81; and
    (b) any other privacy guidelines relating to privacy impact assessments.
(5) If an information sharing agreement is entered into, the parties to the agreement must ensure that a privacy impact assessment report prepared under this section in relation to the agreement is made publicly available.
(6) Despite subsection (5), a privacy impact assessment report is not required to be made publicly available --
    (a) if the Chief Data Officer considers that making the report publicly available would be likely to prejudice any law enforcement function of a law enforcement agency; or
    (b) in circumstances prescribed by the regulations.

177. Aboriginal information assessment

(1) Before entering into an information sharing agreement, the proposed parties must conduct, and prepare a written report on, an assessment (an Aboriginal information assessment) in order to determine if either or both of the following apply --
    (a) any of the information to be disclosed under the agreement is sensitive Aboriginal family history information or sensitive Aboriginal traditional information;
    (b) the relevant activity under the agreement will primarily or especially affect Aboriginal people.
(2) If the assessment determines that any of the information to be disclosed under the agreement is sensitive Aboriginal family history information or sensitive Aboriginal traditional information, the proposed provider that is to disclose the relevant information must --
    (a) before entering into the information sharing agreement, take all reasonable steps to --
        (i) identify and consult with relevant Aboriginal stakeholders in relation to that information; and
        (ii) obtain consent from relevant Aboriginal stakeholders for the handling of that information under the agreement;
    and
    (b) take all reasonable steps to ensure that the agreement includes provisions (sensitive Aboriginal information safeguards), developed in consultation with relevant Aboriginal stakeholders, regulating the handling of that information.
(3) If the assessment determines that the relevant activity under the agreement will primarily or especially affect Aboriginal people, the proposed parties must take all reasonable steps to --
    (a) identify and consult with relevant Aboriginal stakeholders in relation to the activity before entering into the information sharing agreement; and
    (b) ensure that the agreement includes an Aboriginal information use plan developed in consultation with relevant Aboriginal stakeholders.
(4) An Aboriginal information use plan is a plan that --
    (a) provides for opportunities for relevant Aboriginal stakeholders to participate in and engage with the relevant activity, including decision-making in connection with the relevant activity; and
    (b) meets the requirements of subsection (5).
(5) An Aboriginal information use plan must --
    (a) identify the Aboriginal stakeholders in consultation with whom the plan was developed; and
    (b) describe the processes already undertaken to engage with those stakeholders; and
    (c) describe the level of initial support from those stakeholders for the handling of the information for the relevant activity; and
    (d) outline any benefits to Aboriginal people that are likely to result from the relevant activity; and
    (e) set out processes for ongoing engagement with relevant Aboriginal stakeholders.
(6) In complying with the requirements of this section, the proposed parties must have regard to any Chief Data Officer guidelines in relation to the following --
    (a) the identification of sensitive Aboriginal family history information or sensitive Aboriginal traditional information;
    (b) the conduct of Aboriginal information assessments;
    (c) the identification of relevant Aboriginal stakeholders;
    (d) the development of sensitive Aboriginal information safeguards or Aboriginal information use plans;
    (e) any other matters relevant to this section.

Subdivision 3 -- Other provisions about information sharing agreements

178. Duration of information sharing agreement

(1) An information sharing agreement comes into force when notice of the agreement is given to the Chief Data Officer under section 182(1).
(2) An information sharing agreement remains in force until either of the following occurs --
    (a) the term provided for in the agreement ends;
    (b) the agreement is terminated.
(3) Subsection (2) does not prevent provisions of an information sharing agreement of the following kinds from continuing or being enforced after the term of the agreement ends or the agreement is terminated --
    (a) provisions of a kind referred to in section 170(e), (f) or (h)(i) or 171(3);
    (b) provisions that are expressed to continue despite the agreement ceasing to be in force or to regulate any matter occurring after the agreement ceases to be in force.

179. Variation of information sharing agreement

(1) An information sharing agreement may be varied by agreement (a variation agreement) between the parties.
(2) Without limiting subsection (1), an information sharing agreement may be varied to --
    (a) add or remove a provider or recipient under the agreement; or
    (b) make changes to the relevant activity under the agreement.
(3) Before entering into a variation agreement, the providers and recipients under the agreement must comply with the applicable requirements of Subdivision 2 in relation to the agreement as proposed to be varied.
(4) Subsection (3) does not apply if the variation agreement is for a minor variation that does not materially affect the substance of the information sharing agreement.
(5) For the purposes of subsection (3), Subdivision 2 applies, with any appropriate modifications, as if --
    (a) a reference in that Subdivision to entering into an information sharing agreement were a reference to entering into the variation agreement; and
    (b) any other reference in that Subdivision to the information sharing agreement were a reference to the agreement as proposed to be varied.
(6) A variation agreement comes into force when notice of the agreement is given to the Chief Data Officer under section 182(2) or at a later time provided for under the variation agreement.

180. Withdrawal from and termination of information sharing agreement

(1) A party to an information sharing agreement may at any time withdraw from the agreement.
(2) An information sharing agreement may be terminated --
    (a) under terms of the agreement dealing with termination; or
    (b) at any time by agreement between the providers and recipients.
(3) An information sharing agreement is terminated if 1 or more parties to the agreement withdraw from the agreement with the result that there are no providers, or no recipients, under the agreement.

181. Enforcement of information sharing agreement

(1) An information sharing agreement may be enforced as a contract.
(2) This section does not limit section 189.

182. Notification of Chief Data Officer

(1) A provider under an information sharing agreement must ensure that written notice of the agreement, and a copy of the agreement, are given to the Chief Data Officer within 30 days after the day on which the agreement is entered into.
(2) If a variation agreement is entered into, a provider under the relevant information sharing agreement must ensure that written notice of the variation agreement, and a copy of the variation agreement, are given to the Chief Data Officer within 30 days after the day on which the variation agreement is entered into.
(3) If a party to an information sharing agreement withdraws from the agreement, a provider under the agreement must ensure that written notice of the withdrawal is given to the Chief Data Officer within 30 days after the day on which the party withdraws.
(4) If an information sharing agreement is terminated under section 180, a former provider under the agreement must ensure that written notice of the termination is given to the Chief Data Officer within 30 days after the day on which the agreement is terminated.

183. Register of information sharing agreements

(1) The Chief Data Officer must establish and maintain a register of information sharing agreements.
(2) The register must include the following information in relation to each information sharing agreement that is in force --
    (a) the parties to the agreement;
    (b) the general nature of the information to which the agreement relates and whether it includes personal information;
    (c) the permitted purpose for which information may be handled under the agreement;
    (d) the relevant activity to be carried out using the information;
    (e) whether the agreement provides for further disclosure of information to a person who is not a party to the agreement under section 172;
    (f) any other information prescribed by the regulations.
(3) Despite subsection (2), the register is not required to include the information referred to in subsection (2)(c) and (d) in relation to an information sharing agreement --
    (a) if the Chief Data Officer considers that making that information publicly available would be likely to prejudice any law enforcement function of a law enforcement agency; or
    (b) in circumstances prescribed by the regulations.
(4) The Chief Data Officer must make the register publicly available.
(5) Without limiting subsection (4), the Chief Data Officer must make the register available for public inspection during business hours.

Division 5 -- Authorisations to share information and related matters

184. Authorisation to disclose information under information sharing agreement

A public entity (the disclosing entity) is authorised to disclose government information it holds to another public entity, or an external entity, if --
    (a) an information sharing agreement is in force in relation to the information under which --
        (i) the disclosing entity is a provider; and
        (ii) the entity to which the information is disclosed is a recipient;
    and
    (b) the information is disclosed --
        (i) for the permitted purpose described in the agreement; and
        (ii) for the purposes of the relevant activity described in the agreement; and
        (iii) in accordance with the provisions of the agreement; and
        (iv) in accordance with any applicable requirements of regulations made under section 190.

185. Authorisation to collect, hold, manage and use information under information sharing agreement

A public entity or an external entity (the receiving entity) is authorised to collect, hold, manage and use information disclosed to it by a public entity if --
    (a) an information sharing agreement is in force in relation to the information under which --
        (i) the receiving entity is a recipient; and
        (ii) the entity disclosing the information is a provider;
    and
    (b) the information is collected, held, managed and used --
        (i) for the permitted purpose described in the agreement; and
        (ii) for the purposes of the relevant activity described in the agreement; and
        (iii) in accordance with the provisions of the agreement; and
        (iv) in accordance with any applicable requirements of regulations made under section 190.

186. Authorisation to further disclose information disclosed under information sharing agreement in certain circumstances

A public entity, or external entity, to which information is disclosed under an information sharing agreement is authorised to further disclose that information to a person who is not a recipient under the agreement if --
    (a) the further disclosure of the information to the other person is --
        (i) expressly permitted by the agreement; and
        (ii) carried out in accordance with the provisions of the agreement;
    and
    (b) for a further disclosure to which a secrecy provision applies -- the further disclosure has been approved by the responsible Minister for the secrecy provision; and
    (c) the entity complies with any applicable requirements of regulations made under section 190 in relation to the further disclosure.

187. Authorisations override secrecy provisions

(1) If the handling of information is authorised under this Division --
    (a) the information may be handled despite any secrecy provision that applies to the information; and
    (b) the handling of the information does not contravene any secrecy provision that applies to the information.
(2) Subsection (1) applies to a secrecy provision, whether the provision is enacted before, on or after the day on which this section comes into operation.
(3) However, subsection (1) does not apply to --
    (a) a secrecy provision that is expressly stated to have effect despite this section; or
    (b) any other secrecy provision prescribed by the regulations.

188. Protection from liability for authorised information sharing

(1) If a person handles information believing in good faith that the handling of the information is authorised under this Division --
    (a) no civil or criminal liability is incurred in respect of the handling of the information; and
    (b) the handling of the information is not to be regarded as a breach of any duty of confidentiality or secrecy imposed by law; and
    (c) the handling of the information is not to be regarded as a breach of professional ethics or standards or as unprofessional conduct.
(2) Subsection (1) does not apply in relation to any civil or criminal liability, any breach of a duty of confidentiality or secrecy, or any breach of professional ethics or standards or unprofessional conduct, that arises under or in connection with a secrecy provision to which section 187(1) does not apply because of section 187(3).

189. Offences for unauthorised further disclosure or use of information

(1) A person commits an offence if the person, without reasonable excuse, discloses or uses information obtained under an information sharing agreement otherwise than --
    (a) as authorised under this Division; or
    (b) in connection with the performance of functions under this Part.
    Penalty for this subsection: imprisonment for 12 months and a fine of $12 000.
(2) A person commits a crime if --
    (a) the person, without reasonable excuse, discloses or uses information obtained under an information sharing agreement otherwise than --
        (i) as authorised under this Division; or
        (ii) in connection with the performance of functions under this Part;
    and
    (b) the person knows, or ought reasonably to know, that the information may be used by another person, to --
        (i) endanger the life, health, safety or welfare of any individual; or
        (ii) commit, or assist in the commission of, an indictable offence; or
        (iii) impede or interfere with the administration of justice.
    Alternative offence for this subsection: subsection (1).
    Penalty for this subsection: imprisonment for 3 years.

190. Regulations may prescribe safeguards

The regulations may make provision for requirements that must be complied with in relation to any of the following --
    (a) the disclosure of information by a provider under an information sharing agreement;
    (b) the collection, holding, management or use of information disclosed to a recipient under an information sharing agreement;
    (c) the further disclosure of information disclosed to a recipient under an information sharing agreement as permitted by the agreement.

Division 6 -- Information breaches involving shared information

191. Shared information breaches

A shared information breach occurs if --
    (a) information (shared information) has been disclosed to a recipient under an information sharing agreement; and
    (b) either --
        (i) an information breach occurs in relation to shared information held by the recipient; or
        (ii) an event prescribed by the regulations occurs in relation to shared information held by the recipient.

192. Assessment, containment, mitigation and notification to provider

(1) This section applies if a recipient under an information sharing agreement reasonably suspects that a shared information breach has occurred in relation to shared information held by the recipient.
(2) The recipient must --
    (a) immediately take all reasonable steps to contain the suspected shared information breach; and
    (b) as soon as reasonably practicable, but in any case within 30 days after the day on which the reasonable suspicion is formed --
        (i) conduct an assessment for the purposes of determining whether a shared information breach has occurred or there are reasonable grounds to believe that a shared information breach has occurred; and
        (ii) prepare a written report on the assessment;
    and
    (c) take all reasonable steps to mitigate the harm caused by the suspected shared information breach.
(3) The recipient must also --
    (a) notify the provider of the suspected shared information breach as soon as practicable after forming the reasonable suspicion referred to in subsection (1); and
    (b) notify the provider of the outcome of the assessment conducted under subsection (2)(b), and give the provider a copy of the report on that assessment, as soon as practicable after the assessment is completed.
(4) If the assessment determines that a shared information breach has occurred, or that there are reasonable grounds to believe that a shared information breach has occurred, the shared information breach is an assessed shared information breach of the recipient.
(5) In conducting and preparing the report on the assessment, the recipient must have regard to any Chief Data Officer guidelines about assessments of suspected shared information breaches.
Note for this section:
    A contravention of this section by a recipient is a contravention of the information sharing agreement for which consequences must be set out in the information sharing agreement (see section 170(e) and (f)).

193. Notification to Chief Data Officer

(1) A recipient must give written notice of an assessed shared information breach of the recipient to the Chief Data Officer.
(2) The notice must be given as soon as practicable after the recipient determines that the assessed shared information breach has occurred or that there are reasonable grounds to believe that it has occurred.
(3) The notice must be in the approved form and must include the following information --
    (a) the name and contact details of the recipient;
    (b) details of the relevant information sharing agreement;
    (c) the name and contact details of the provider under the information sharing agreement that disclosed the shared information involved in the shared information breach;
    (d) the date on which the shared information breach occurred;
    (e) a description of the shared information breach;
    (f) how the shared information breach occurred;
    (g) whether the shared information breach involved unauthorised access to, unauthorised disclosure of, or loss of, shared information or is of a kind referred to in section 191(b)(ii);
    (h) the kind of information involved in the shared information breach, including whether any of the information is personal information;
    (i) the period of time for which the unauthorised access to, or unauthorised disclosure of, information occurred (if applicable);
    (j) a description of the steps taken, or that will be taken, by the recipient to contain, and mitigate the harm caused by, the shared information breach;
    (k) any other information required by the approved form.
(4) The requirement to notify the Chief Data Officer under this section is in addition to any requirement to notify the Information Commissioner under section 62 (including any requirement that applies because of section 194(2)).
Note for this section:
    A contravention of this section by a recipient is a contravention of the information sharing agreement for which consequences must be set out in the information sharing agreement (see section 170(e) and (f)).

194. Certain shared information breaches to be dealt with as notifiable information breaches

(1) This section applies if --
    (a) under section 192(3)(a) a recipient under an information sharing agreement notifies a suspected shared information breach to the provider that disclosed the information under the agreement; and
    (b) the recipient is not an IPP entity; and
    (c) if the recipient were an IPP entity, the occurrence of the shared information breach may also constitute the occurrence of a notifiable information breach.
(2) Part 2 Division 6 Subdivisions 2 and 3 apply to the provider as if --
    (a) the suspected shared information breach were a suspected notifiable information breach in relation to personal information held by the provider; and
    (b) the reasonable suspicion referred to in section 61(1) were a reasonable suspicion formed by the provider on the day on which the provider is given the notice under section 192(3)(a).
(3) If because of subsection (2) the provider is required to give a notice under section 62 or 63, the notice must include, in addition to the other information required under that section --
    (a) the name and contact details of the recipient; and
    (b) a description of the steps taken, or that will be taken, by the recipient to contain, and mitigate the harm caused by, the information breach.
(4) The recipient must give the provider any information and assistance it requires for the purposes of complying with Part 2 Division 6 Subdivisions 2 and 3 as they apply under this section.
    Note for this subsection:
        A contravention of this subsection by a recipient is a contravention of the information sharing agreement for which consequences must be set out in the information sharing agreement (see section 170(e) and (f)).
(5) Nothing in this section limits the obligations under Part 2 Division 6 Subdivisions 2 and 3 of a recipient that is an IPP entity.

195. Agreements that have ceased to be in force

The requirements in this Division apply in relation to a shared information breach or suspected shared information breach whether or not the information sharing agreement under which the shared information was disclosed is still in force.

Division 7 -- Information holdings requests

196. Information holdings request

(1) The Chief Data Officer may, by written notice, request a public entity (other than a special information sharing entity) to disclose to the Chief Data Officer specified information about the government information held by the public entity.
(2) A request under subsection (1) is an information holdings request.
(3) Without limiting subsection (1), the information that may be requested includes the following --
    (a) the kinds of data sets held by the public entity;
    (b) the number of data sets held by the public entity;
    (c) the kinds of information contained in the data sets held by the public entity;
    (d) the accuracy, currency and completeness of the data sets held by the public entity.
(4) An information holdings request must be given to the principal officer of the public entity and must specify --
    (a) the information requested; and
    (b) the reasons for the request.

197. Response to information holdings request

(1) If an information holdings request is made under section 196, the public entity given the request must give the Chief Data Officer a written notice responding to the request in accordance with subsection (2) within --
    (a) 45 days after the day on which the request is made; or
    (b) a longer period agreed with the Chief Data Officer.
(2) The response to an information holdings request must either --
    (a) disclose the requested information about the government information held by the public entity to the Chief Data Officer; or
    (b) state --
        (i) that the public entity refuses to disclose the requested information about the government information held by the public entity; and
        (ii) the reasons for the refusal.
(3) A public entity to which an information holdings request is made may refuse to provide the requested information about the government information held by the public entity if, for any reason, the public entity considers that the requested information should not be disclosed to the Chief Data Officer (including, without limitation, for a reason referred to in section 162(2)).
(4) If a public entity discloses information to the Chief Data Officer in accordance with an information holdings request --
    (a) no civil or criminal liability is incurred in respect of the disclosure; and
    (b) the disclosure is not to be regarded as a breach of any duty of confidentiality or secrecy imposed by law; and
    (c) the disclosure is not to be regarded as a breach of professional ethics or standards or as unprofessional conduct.

Division 8 -- Administration

Subdivision 1 -- Chief Data Officer

198. Chief Data Officer

A Chief Data Officer must be appointed under the Public Sector Management Act 1994 Part 3 as a senior executive officer in the information sharing Department.

199. Chief Data Officer is separate public entity for information sharing purposes

(1) For the purposes of a reference to a public entity in this Part --
    (a) the Chief Data Officer is to be treated as a separate public entity and not as part of the information sharing Department; and
    (b) the Chief Data Officer is to be treated as the principal officer of that public entity.
(2) Without limiting subsection (1), the Chief Data Officer may, on the Chief Data Officer's own initiative, make information sharing requests and enter into information sharing agreements as a public entity under this Part.
(3) Subsection (1) does not affect --
    (a) the power under section 207 for the Chief Data Officer to delegate to an officer of the information sharing Department; or
    (b) the requirement under section 211 for matters relating to the Chief Data Officer to be included in the annual report in respect of the information sharing Department referred to in that section.

200. Functions of Chief Data Officer

(1) The Chief Data Officer has the following functions --
    (a) on request by a public entity or Minister or on the Chief Data Officer's own initiative, to undertake data analytics work, data integration and data linkage on information disclosed to the Chief Data Officer under this Part;
    (b) to disclose or make publicly available information generated from undertaking data analytics work, data integration or data linkage if the Chief Data Officer considers it appropriate to do so;
    (c) to do anything the Chief Data Officer may do as a public entity under this Part (including as referred to in section 199(2));
    (d) to promote the objects of this Act;
    (e) to build the capability of public entities to share information in accordance with this Part;
    (f) to prepare and make available information and material in relation to the sharing of information in accordance with this Part;
    (g) to provide assistance to public entities and external entities in relation to the sharing of information in accordance with this Part;
    (h) to provide advice to the Information Sharing Minister or to any other person or body about any matters relating to the sharing of information held by public entities;
    (i) to oversee and monitor the use of information sharing agreements;
    (j) to promote and support the responsible sharing of information between public entities in the State and agencies and instrumentalities in other jurisdictions;
    (k) any other functions given to the Chief Data Officer under this Act or another written law.
(2) The Chief Data Officer has all the powers that are needed for the performance of the Chief Data Officer's functions.

201. Power to issue guidelines

(1) The Chief Data Officer may issue guidelines --
    (a) in relation to any matter required or permitted by this Part to be the subject of Chief Data Officer guidelines; or
    (b) to provide information and guidance in relation to matters relating to this Part and the responsible sharing principles.
(2) Without limiting subsection (1)(b), guidelines may be issued in relation to any of the following --
    (a) the form and contents of information sharing agreements, including template provisions for inclusion in information sharing agreements;
    (b) processes to be followed before entering into information sharing agreements;
    (c) processes and safeguards relating to the handling of information shared under this Part, including for the purposes of protecting --
        (i) the privacy of individuals; and
        (ii) the confidentiality and security of information;
    (d) the management of risks relating to the sharing of information under this Part;
    (e) the use of information shared under this Part for activities involving data analytics work, data integration or data linkage, including in relation to the design and governance of those activities.
(3) The Chief Data Officer may amend or revoke Chief Data Officer guidelines.
(4) The Chief Data Officer must ensure that Chief Data Officer guidelines are made publicly available.
Note for this section:
    Section 221 makes provision for the status and effect of Chief Data Officer guidelines.

202. Consultation on guidelines

(1) The Chief Data Officer may consult with any person or body the Chief Data Officer considers appropriate before issuing, amending or revoking any guidelines under section 201.
(2) The Chief Data Officer must consult with the Information Commissioner before issuing, amending or revoking under section 201 any guidelines that relate to the handling of personal information or the privacy of individuals.
(3) The Chief Data Officer must consult with the Privacy and Responsible Information Sharing Advisory Committee before issuing, amending or revoking under section 201 any guidelines for the purpose of section 177(6).

203. Chief Data Officer must have regard to objects of Act

In performing functions under this Act, the Chief Data Officer must have regard to the objects of this Act.

Subdivision 2 -- Privacy and Responsible Information Sharing Advisory Committee

204. Privacy and Responsible Information Sharing Advisory Committee

(1) A committee called the Privacy and Responsible Information Sharing Advisory Committee is established.
(2) The committee consists of the following members --
    (a) the Chief Data Officer;
    (b) the Information Commissioner;
    (c) at least 2, and no more than 5, other members appointed by the Information Sharing Minister.
(3) The Information Sharing Minister must ensure that each person appointed under subsection (2)(c) has appropriate qualifications, skills or experience relevant to the functions of the committee.
(4) Before appointing a person under subsection (2)(c), the Information Sharing Minister must consult with the Privacy Minister.
(5) A person may be appointed under subsection (2)(c) --
    (a) for a period not exceeding 3 years; and
    (b) on a full-time basis or part-time basis.
(6) A person who has been appointed under subsection (2)(c) is eligible for reappointment.

205. Functions of Privacy and Responsible Information Sharing Advisory Committee

(1) The Privacy and Responsible Information Sharing Advisory Committee has the function of advising the Chief Data Officer in relation to the performance of the Chief Data Officer's functions.
(2) Without limiting subsection (1), the Privacy and Responsible Information Sharing Advisory Committee may give the Chief Data Officer advice in relation to the following --
    (a) balancing the public interest in the protection of privacy with the public interest in the free flow of information;
    (b) community expectations in relation to the matters referred to in section 177(6)(a) to (e);
    (c) technical best practices in relation to the handling of information;
    (d) developments in industry or other jurisdictions relevant to the handling of information.
(3) The Privacy and Responsible Information Sharing Advisory Committee may consult with any person or body for the purposes of providing advice to the Chief Data Officer.

206. Regulations about Privacy and Responsible Information Sharing Advisory Committee

(1) The regulations may make provision for or in relation to the Privacy and Responsible Information Sharing Advisory Committee.
(2) Without limiting subsection (1), regulations made under that subsection may make provision for or in relation to any of the following --
    (a) the appointment of a chairperson and deputy chairperson of the committee;
    (b) the conditions of appointment of members of the committee appointed under section 204(2)(c), including remuneration, allowances and leave;
    (c) the resignation or removal of members of the committee appointed under section 204(2)(c);
    (d) meetings and procedures of the committee, including the management of any conflicts of interest relating to the committee.
(3) Subject to any regulations made under subsection (1), the committee may determine its own procedures.

Subdivision 3 -- Delegation and secrecy

207. Delegation by Chief Data Officer

(1) The Chief Data Officer may delegate to a person employed or engaged in the information sharing Department any power or duty of the Chief Data Officer under another provision of this Act.
(2) The delegation must be in writing signed by the Chief Data Officer.
(3) A person to whom a power or duty is delegated under this section cannot delegate that power or duty.
(4) A person exercising or performing a power or duty that has been delegated to the person under this section is taken to do so in accordance with the terms of the delegation unless the contrary is shown.
(5) Nothing in this section limits the ability of the Chief Data Officer to perform a function through an officer or agent.

208. Secrecy and authorised disclosure and use of information

(1) In this section --
    relevant official means a person who is or has been --
        (a) the Chief Data Officer; or
        (b) a member of the Privacy and Responsible Information Sharing Advisory Committee; or
        (c) a person employed or engaged in the information sharing Department.
(2) A relevant official must not, directly or indirectly, record, disclose or use information obtained in the administration of this Act.
    Penalty for this subsection: a fine of $6 000.
(3) Subsection (2) does not apply to the recording, disclosure or use of statistical or other information that is not personal information.
(4) A relevant official does not commit an offence under subsection (2) if the recording, disclosure or use of the information is authorised under subsection (5).
(5) The recording, disclosure or use of information to which subsection (2) applies is authorised if the information is recorded, disclosed or used --
    (a) for the purpose of, or in connection with, performing a function under this Act; or
    (b) as permitted or required by this Act or another written law; or
    (c) for the purposes of legal proceedings arising out of the administration of this Act or another written law; or
    (d) with the written consent of the person to whom the information relates; or
    (e) in circumstances prescribed by the regulations.

Subdivision 4 -- Making documents publicly available

209. Making documents publicly available

(1) The regulations may make provision for how documents are to be made publicly available by the Chief Data Officer or an entity for the purposes of any provision of this Part.
24 (2) If a provision of this Part requires or permits the Chief Data 25 Officer to make a document publicly available, the Chief Data 26 Officer must comply with that requirement or exercise that 27 power -- 28 (a) if regulations under subsection (1) apply -- in 29 accordance with those regulations; or page 168 Privacy and Responsible Information Sharing Bill 2024 Responsible information sharing Part 3 General Division 9 s. 210 1 (b) otherwise -- by making the document publicly available 2 in the manner the Chief Data Officer considers 3 appropriate. 4 Division 9 -- General 5 210. Information sharing officers of public entities 6 (1) The principal officer of a public entity must ensure that the 7 principal officer, or another senior officer, of the entity is 8 designated as the information sharing officer for the public 9 entity. 10 (2) An information sharing officer of a public entity is responsible 11 for the following -- 12 (a) promoting the public entity's compliance with this Part; 13 (b) assisting in relation to -- 14 (i) information sharing requests made by or to the 15 public entity; and 16 (ii) information sharing agreements entered into or 17 proposed to be entered into by the public entity; 18 (c) assisting in the conduct by the public entity of the 19 following assessments -- 20 (i) assessments of the responsible sharing principles 21 under section 175; 22 (ii) privacy impact assessments under section 176; 23 (iii) Aboriginal information assessments under 24 section 177; 25 (d) coordinating the public entity's dealings with the Chief 26 Data Officer in relation to -- 27 (i) notifications relating to information sharing 28 agreements under section 182; and 29 (ii) information holdings requests made to the public 30 entity. page 169 Privacy and Responsible Information Sharing Bill 2024 Part 3 Responsible information sharing Division 9 General s. 
(3) The principal officer of a public entity must ensure that the Chief Data Officer is notified of --
    (a) the name and contact details of the information sharing officer; and
    (b) any change to the individual designated as information sharing officer or to the information sharing officer's contact details.

211. Matters to be included in annual report
Without limiting the Financial Management Act 2006 section 61(1), the annual report for a financial year required under Part 5 of that Act in respect of the information sharing Department must include the following information for the financial year --
    (a) the number of information sharing agreements entered into;
    (b) the number of information sharing agreements in force as at 30 June;
    (c) a list of the information sharing agreements in force as at 30 June, setting out in relation to each agreement the information referred to in section 183(2)(a) to (d) that is required to be included in the register of information sharing agreements;
    (d) the number of information sharing requests made, and information sharing agreements entered into, by the Chief Data Officer;
    (e) the number of shared information breaches notified to the Chief Data Officer under section 193 and how many of those breaches involved personal information;
    (f) the number of information holdings requests made by the Chief Data Officer and the response to those requests;
    (g) the number of information sharing directions given under section 163;
    (h) a description of the data analytics work, data integration and data linkage undertaken by the Chief Data Officer;
    (i) an assessment of the effectiveness of this Part and the responsible sharing principles in facilitating information sharing;
    (j) an assessment of the issues and challenges that have arisen in relation to the operation of this Part and the responsible sharing principles.

212. Interaction with other laws
This Part does not limit the operation of any other written law that authorises the disclosure, collection, holding, management or use of information.

213. Application of Freedom of Information Act 1992 to shared information
(1) In this section --
    agency, document and exempt agency have the meanings given in the Freedom of Information Act 1992 Glossary clause 1.
(2) Despite any provision of the Freedom of Information Act 1992, a person does not have a right under that Act to access a document of an agency if the document was --
    (a) obtained by the agency under an information sharing agreement; or
    (b) otherwise obtained by the Chief Data Officer in the performance of a function under this Act.
(3) Subsection (2) does not affect any right of the person under the Freedom of Information Act 1992 to be given access to the document by the agency that disclosed the document under the information sharing agreement.
(4) If an agency to which an access application is made under the Freedom of Information Act 1992 Part 2 holds the requested documents, but the documents were obtained from another agency (other than an exempt agency) under an information sharing agreement, the agency must transfer the access application to that other agency under section 15(2) of that Act.

214. Review of information sharing provisions of Act
(1) In this section --
    information sharing provisions means the following --
    (a) this Part;
    (b) Schedule 2;
    (c) the provisions of Parts 1, 4 and 5, to the extent that those provisions are relevant to this Part and Schedule 2;
    (d) regulations made for the purposes of provisions referred to in paragraphs (a) to (c).
(2) The Information Sharing Minister must review the operation and effectiveness of the information sharing provisions, and prepare a report based on the review --
    (a) as soon as practicable after the 5th anniversary of the day on which section 160 comes into operation; and
    (b) after that, at intervals of not more than 5 years.
(3) The Information Sharing Minister must cause the report to be laid before each House of Parliament as soon as practicable after it is prepared, but not later than 12 months after the 5th anniversary or the expiry of the period of 5 years, as the case may be.

Part 4 -- Miscellaneous

215. False or misleading information
A person commits an offence if the person gives to the Information Commissioner or Chief Data Officer a document or information that the person knows to be false or misleading in a material particular.
    Penalty: a fine of $6 000.

216. Acts and practices of public entities and other IPP entities
(1) The following actions by a public entity or other IPP entity must be taken for the entity by the principal officer or by an officer authorised by the principal officer for that purpose (either generally or in a particular case) --
    (a) making any application or submission, or giving any notice or other document, to the Information Commissioner under this Act;
    (b) giving any notice or other document to the Chief Data Officer under this Act (subject to subsection (2));
    (c) conducting, or preparing a report on, any assessment required under this Act.
(2) The following actions by a public entity must be taken for the entity by the principal officer or by a senior officer authorised by the principal officer for that purpose (either generally or in a particular case) --
    (a) making an information sharing request;
    (b) responding to an information sharing request;
    (c) entering into an information sharing agreement;
    (d) responding to an information holdings request.
(3) Subject to subsections (1) and (2), any act done or practice engaged in by an officer of a public entity or other IPP entity, acting in their capacity as officer and within the scope of their actual or apparent authority, is taken for the purposes of this Act to have been done or engaged in by the entity.

217. States of mind of public entities and other IPP entities
(1) In this section --
    state of mind includes --
    (a) knowledge, intention, opinion, belief, suspicion or purpose; and
    (b) reasons for an intention, opinion, belief, suspicion or purpose.
(2) If this Act refers to a state of mind of a public entity or other IPP entity, the entity is considered to have that state of mind if an officer of the entity, acting in their capacity as officer and within the scope of their actual or apparent authority, has that state of mind.

218. Protection from personal liability
(1) In this section --
    relevant official means a person who is or has been --
    (a) the Privacy Minister; or
    (b) the Information Sharing Minister; or
    (c) the Chief Data Officer; or
    (d) a member of the Privacy and Responsible Information Sharing Advisory Committee; or
    (e) a person employed or engaged in the information sharing Department.
(2) No civil liability is incurred by a relevant official for anything that the relevant official has done, in good faith, in the performance or purported performance of a function under this Act.
(3) The protection given by this section applies even though the thing done as described in subsection (2) may have been capable of being done whether or not this Act had been enacted.
(4) Despite subsection (2), the State is not relieved of any liability that it might have for a relevant official having done anything as described in that subsection.
(5) Subsection (2) does not affect the operation of section 181.
(6) In this section, a reference to the doing of anything includes a reference to an omission to do anything.

219. Giving documents
(1) The regulations may make provision for or in relation to the following --
    (a) the giving of a document required or permitted to be given under this Act (including the giving of the document by electronic means);
    (b) the time at which the document is taken to have been given;
    (c) the means of satisfying a requirement under this Act in relation to a document in writing (for example, a requirement that the original of a document be given or that a document be signed) if the document is given by electronic means.
(2) This section applies to a requirement or permission to give a document whether the term "give", "issue", "send" or "serve", or any other similar term, is used.

220. Laying documents before House of Parliament not sitting
(1) This section applies if --
    (a) a provision of this Act requires a Minister (the relevant Minister) to cause a document to be laid before each House of Parliament, or dealt with under this section, within a specified period; and
    (b) at the beginning of the period, a House of Parliament is not sitting; and
    (c) in the relevant Minister's opinion, the House will not sit before the end of the period.
(2) The relevant Minister must send the document to the Clerk of the House before the end of the period.
(3) When the document is sent to the Clerk of the House it is taken to have been laid before the House.
(4) The laying of the document that is taken to have occurred under subsection (3) must be recorded in the Minutes, or Votes and Proceedings, of the House on the first sitting day of the House after the Clerk receives the document.

221. General provisions about guidelines
(1) Privacy guidelines and Chief Data Officer guidelines are not subsidiary legislation for the purposes of the Interpretation Act 1984.
(2) If there is a conflict or inconsistency between a provision of this Act and a provision of privacy guidelines or Chief Data Officer guidelines, the provision of this Act prevails.
(3) A requirement under this Act to have regard to privacy guidelines or Chief Data Officer guidelines does not --
    (a) derogate from a duty to exercise discretion in a particular case; or
    (b) prevent a person from having regard to matters not set out in the guidelines; or
    (c) require the entity to have regard to guidelines that are inconsistent with a provision of this Act.

222. Regulations
(1) The Governor may make regulations prescribing matters --
    (a) required or permitted by this Act to be prescribed; or
    (b) necessary or convenient for giving effect to the purposes of this Act.
(2) Without limiting any other provision of this Act, regulations may make provision for or in relation to the following --
    (a) applications under this Act;
    (b) forms for the purposes of this Act;
    (c) fees or charges in relation to any matter under this Act.
(3) Regulations for the purposes of section 6(1)(h) or (4) or 9(2)(f)(i) can only be made on the recommendation of the Privacy Minister and the Information Sharing Minister.

Part 5 -- Transitional provisions

223. Application of information privacy principles
(1) In this section --
    commencement day means the day on which section 20 comes into operation.
(2) The following information privacy principles apply only in relation to personal information collected on or after commencement day --
    (a) IPP 1;
    (b) IPP 7;
    (c) IPP 8;
    (d) IPP 10.
(3) The following information privacy principles apply in relation to personal information whether collected before, on or after commencement day --
    (a) IPP 2;
    (b) IPP 3;
    (c) IPP 4;
    (d) IPP 5;
    (e) IPP 6;
    (f) IPP 9.1.
(4) The following information privacy principles apply to de-identified information whether collected before, on or after commencement day --
    (a) IPP 9.2;
    (b) IPP 11.

224. Application of approved privacy codes of practice
(1) In this section --
    commencement day means the day on which section 33 comes into operation.
(2) To the extent that an approved privacy code of practice modifies the application of an IPP referred to in section 223(2), or provides for how an IPP referred to in section 223(2) is to be applied or complied with, the approved privacy code of practice applies only in relation to personal information collected on or after commencement day.
(3) Any other provision of an approved privacy code of practice applies in relation to personal information or de-identified information whether collected before, on or after commencement day.
(4) Subsections (2) and (3) apply subject to any provision of the approved privacy code of practice that provides for the approved privacy code of practice, or any provision of it, to apply only in relation to information collected on or after a day that is later than commencement day.

225. Notifiable information breach may involve personal information collected before commencement day
(1) In this section --
    commencement day means the day on which section 61 comes into operation.
(2) For the purposes of section 57, a notifiable information breach may occur in relation to personal information held by an IPP entity whether the personal information was collected before, on or after commencement day.

226. Public register obligations apply to personal information collected before commencement day
(1) In this section --
    commencement day means the day on which section 76 comes into operation.
(2) Part 2 Division 7 applies to personal information contained, or proposed to be contained, in a public register whether the personal information was collected before, on or after commencement day.

227. Privacy impact assessments not required for functions or activities performed before commencement day
(1) In this section --
    commencement day means the day on which section 79 comes into operation.
(2) The requirement under section 79(2) for an IPP entity to conduct a privacy impact assessment before first performing a high privacy impact function or activity does not apply in relation to a function or activity that the IPP entity started to perform before commencement day.
(3) Subsection (2) does not limit --
    (a) any requirement under section 79(2) for an IPP entity to conduct a privacy impact assessment before making a significant change to the way in which personal information is handled as part of a high privacy impact function or activity that the IPP entity started to perform before commencement day; or
    (b) any requirement under section 79(2) for an IPP entity to conduct a privacy impact assessment in relation to an activity that the IPP entity first performs on or after commencement day, even if the activity is performed in connection with a function that the IPP entity started to perform before commencement day; or
    (c) the Information Commissioner's power to issue a direction under section 80 in relation to a function or activity that an IPP entity started to perform before commencement day.

228. State services contracts entered into before commencement day
(1) In this section --
    commencement day means the day on which section 129 comes into operation.
(2) This Act applies in relation to a provision of a State services contract of the kind referred to in section 129 even if that provision was included in the contract before commencement day.
(3) Section 140(2) does not apply in relation to a State services contract entered into before commencement day.

229. Transitional regulations
(1) In this section --
    specified means specified or described in regulations;
    transitional matter --
    (a) means a matter or issue of a transitional nature that arises as a result of the enactment of this Act or the coming into operation of any provisions of this Act or regulations made under it; and
    (b) includes a savings or application matter.
(2) If there is not sufficient provision in this Part for dealing with a transitional matter, regulations may prescribe anything required, necessary or convenient to be prescribed in relation to the matter.
(3) Without limiting subsection (2), regulations made for the purposes of that subsection may provide that specified provisions of this Act --
    (a) do not apply to, or in relation to, a specified matter or thing; or
    (b) apply with specified modifications to, or in relation to, a specified matter or thing.
(4) If regulations made for the purposes of subsection (2) provide that a specified state of affairs is taken to have existed, or not to have existed, on and from a day that is earlier than the day on which the regulations are published in accordance with the Interpretation Act 1984 section 41(1)(a) but not earlier than the day on which this section comes into operation, the regulations have effect according to their terms.
(5) If regulations made for the purposes of subsection (2) contain a provision of a kind described in subsection (4), the provision does not operate so as --
    (a) to affect in a manner prejudicial to any person (other than the State or an authority of the State) the rights of that person existing before the day of publication of those regulations; or
    (b) to impose liabilities on any person (other than the State or an authority of the State) in respect of anything done or omitted to be done before the day of publication of those regulations.

Part 6 -- Other Acts amended

Division 1 -- Education and Care Services National Law (WA) Act 2012 amended

230. Act amended
This Division amends the Education and Care Services National Law (WA) Act 2012.

231. Section 5 amended
In section 5(1):
    (a) delete "Acts" and insert:
            enactments
    (b) in paragraph (b) delete "1984." and insert:
            1984;
    (c) after paragraph (b) insert:
            (c) the Privacy and Responsible Information Sharing Act 2024 Part 2 and Schedule 1.

Division 2 -- Freedom of Information Act 1992 amended

232. Act amended
This Division amends the Freedom of Information Act 1992.

233. Section 23 amended
In section 23(5) delete "is an intellectually handicapped person," and insert:
        has a cognitive impairment,

234. Section 32 amended
(1) Delete section 32(2)(b) and insert:
        (b) if the third party is dead, the third party's nearest relative,
(2) In section 32(3) delete "closest" and insert:
        nearest
(3) In section 32(4) delete "closest relative of a dead third party, is an intellectually handicapped person, the views of the person's closest" and insert:
        nearest relative of a dead third party, has a cognitive impairment, the views of the person's nearest

235. Section 45 amended
In section 45(2) delete "closest" (each occurrence) and insert:
        nearest

236. Section 67A inserted
After section 67 insert:

    67A. Commissioner may deal with complaint under Privacy and Responsible Information Sharing Act 2024
    (1) If the Information Commissioner considers that the matter about which a complaint is made could be the subject of a complaint under the Privacy and Responsible Information Sharing Act 2024 Part 2 Division 9 --
        (a) the Commissioner may decide that the complaint should be dealt with under that Act; and
        (b) if the Commissioner so decides, the complaint is taken to be a privacy complaint made under section 82 of that Act.
    (2) If the Information Commissioner makes a decision that a complaint should be dealt with under the Privacy and Responsible Information Sharing Act 2024, the Commissioner must inform the complainant and agency, in writing, of the decision.

237. Section 98 replaced
Delete section 98 and insert:

    98. Application on behalf of child or person with disability
    (1) An access application or application for amendment may be made to an agency on behalf of a child by the child's guardian or a person who has custody or care and control of the child.
    (2) An access application or application for amendment may be made to an agency on behalf of a person who is incapable of making the application because of a disability (as defined in the Disability Services Act 1993 section 3) by --
        (a) another person chosen by the person to make the application on their behalf; or
        (b) if the person is incapable of choosing another person to make the application on their behalf --
            (i) a guardian (as defined in the Guardianship and Administration Act 1990 section 3(1)) of the person; or
            (ii) another person who is related to the person by blood or marriage or is a de facto partner of the person; or
            (iii) another person who, in the opinion of the principal officer of the agency, has a sufficient interest in the subject matter of the application.
    (3) Subsections (1) and (2) do not limit the ability of persons to make applications on behalf of other persons generally.

    98A. Certain requests under Privacy and Responsible Information Sharing Act 2024 taken to be applications for access or amendment
    (1) In this section --
        IPP means an information privacy principle set out in the Privacy and Responsible Information Sharing Act 2024 Schedule 1.
    (2) A reference in this section to an IPP followed by a designation is a reference to the provision with that designation in the Privacy and Responsible Information Sharing Act 2024 Schedule 1.
    (3) If a request made by an individual to an agency (other than an exempt agency) purports to be a request for access to personal information that relates to the individual under IPP 6.1, and the request complies with the requirements of the Privacy and Responsible Information Sharing Act 2024 section 40 --
        (a) the request is taken to be an access application under this Act that complies with the requirements of section 12; and
        (b) the agency must deal with the request accordingly under this Act.
    (4) If a request made by an individual to an agency purports to be a request for correction of personal information that relates to the individual under IPP 6.5, and the request complies with the requirements of the Privacy and Responsible Information Sharing Act 2024 section 41 --
        (a) the request is taken to be an application for amendment under this Act that complies with the requirements of section 46; and
        (b) the agency must deal with the request accordingly under this Act.
    (5) If a request made by an individual to an agency purports to be an application for access to or correction of personal information under IPP 6.1 or IPP 6.5, but does not comply with the requirements of the Privacy and Responsible Information Sharing Act 2024 section 40 or 41 (as the case requires), the agency must comply with its obligations under section 11 or 45 to help the individual to make an access application or application for amendment under this Act.
    Note for this section:
        Under the Privacy and Responsible Information Sharing Act 2024 section 27, IPP 6 does not apply to an agency.

238. Glossary clause 1 amended
(1) In the Glossary clause 1 delete the definition of personal information.
(2) In the Glossary clause 1 insert in alphabetical order:

    nearest relative, in relation to a person, has the meaning given in the Guardianship and Administration Act 1990 section 3(1);
    personal information --
    (a) means information or an opinion, whether true or not, and whether recorded in a material form or not, that relates to an individual, whether living or dead, whose identity is apparent or can reasonably be ascertained from the information or opinion; and
    (b) includes information of the following kinds to which paragraph (a) applies --
        (i) a name, date of birth or address;
        (ii) a unique identifier, online identifier or pseudonym;
        (iii) contact information;
        (iv) information that relates to an individual's location;
        (v) technical or behavioural information in relation to an individual's activities, preferences or identity;
        (vi) inferred information that relates to an individual, including predictions in relation to an individual's behaviour or preferences and profiles generated from aggregated information;
        (vii) information that relates to 1 or more features specific to the physical, physiological, genetic, mental, behavioural, economic, cultural or social identity of an individual;

239. Various references to personal information "about" an individual amended
In the provisions listed in the Table delete "about" (each occurrence) and insert:
        that relates to

Table
    s. 16(1)(d)
    s. 21
    s. 29
    s. 32(1)
    s. 45(1) and (2)
    s. 109(a)
    s. 112(3)(b)
    Sch. 1 cl. 3(1) and (2)

Note: The heading to the amended sections listed in the Table are to read as set out in the Table:

Table
    Amended section    Section heading
    s. 21              Consideration of application for personal information that relates to applicant
    s. 29              Agency's duties when giving access to personal information that relates to applicant
    s. 32              When access may be given to personal information that relates to third party

Division 3 -- Government Trading Enterprises Act 2023 amended

240. Act amended
This Division amends the Government Trading Enterprises Act 2023.

241. Section 86 amended
In section 86 delete the definition of personal information and insert:
        personal information has the meaning given in the Privacy and Responsible Information Sharing Act 2024 section 4;

Division 4 -- Health Practitioner Regulation National Law Application Act 2024 amended

242. Act amended
This Division amends the Health Practitioner Regulation National Law Application Act 2024.

243. Section 22 amended
In section 22(2):
    (a) delete "Acts" and insert:
            enactments
    (b) after paragraph (d) insert:
            (da) the Privacy and Responsible Information Sharing Act 2024 Part 2 and Schedule 1;

Division 5 -- National Health Funding Pool Act 2012 amended

244. Act amended
This Division amends the National Health Funding Pool Act 2012.

245. Section 25 amended
In section 25:
    (a) delete "Acts" and insert:
            enactments
    (b) after paragraph (b) insert:
            (ba) the Privacy and Responsible Information Sharing Act 2024 Part 2 and Schedule 1;

Part 7 -- Amendment to this Act linked to commencement of Criminal Law (Mental Impairment) Act 2023

246. Act amended
This Part amends this Act.

247. Section 4 amended
In section 4 in the definition of law enforcement agency delete paragraph (e) and insert:
        (e) the Mental Impairment Review Tribunal established under the Criminal Law (Mental Impairment) Act 2023 section 156; or

Schedule 1 -- Information privacy principles
[s. 4, 5 and 19]

1. Principle 1: Collection
1.1 An IPP entity must not collect personal information (other than sensitive personal information) unless the information is necessary for 1 or more of the IPP entity's functions or activities.
1.2 An IPP entity must not collect sensitive personal information that relates to an individual unless the information is necessary for 1 or more of the IPP entity's functions or activities and --
    (a) the individual consents to the collection of the information; or
    (b) the collection of the information is required or authorised by or under law; or
    (c) both of the following apply --
        (i) the collection of the information is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of any individual, or a threat to the life, health, safety or welfare of any individual due to family violence;
        (ii) the individual to whom the information relates is incapable under section 154(4) of giving consent to the collection;
    or
    (d) the collection of the information is necessary for the establishment, exercise or defence of a legal or equitable claim; or
    (e) the collection of the information is permitted under subclause 1.3.
1.3 For the purposes of subclause 1.2(e), collecting sensitive personal information is permitted if --
    (a) the collection --
        (i) is necessary for research, or the compilation or analysis of statistics, relevant to government-funded targeted welfare or educational services; or
        (ii) is of information relating to an individual's racial or ethnic origin and is collected for the purpose of providing government-funded targeted welfare or educational services;
    and
    (b) there is no reasonably practicable alternative to collecting the information for that purpose; and
    (c) it is impracticable for the IPP entity to seek the individual's consent to the collection.
1.4 An IPP entity must not collect personal information that relates to an individual unless the collection is fair and reasonable in the circumstances, taking into account the following matters --
    (a) whether the individual would reasonably expect the information to be collected in the circumstances;
    (b) the kind of personal information collected, including whether any of that information is sensitive personal information;
    (c) the amount of personal information collected;
    (d) whether the collection of the information is necessary for 1 or more of the IPP entity's functions or activities;
    (e) whether there is a risk of loss, harm or other detriment to any individual as a result of the collection of the information;
    (f) whether the collection of the information for 1 or more of the IPP entity's functions or activities is, on balance, in the public interest;
    (g) in the case of personal information that relates to a child -- whether the collection of the information is in the best interests of the child;
    (h) the objects of this Act.
1.5 Subclause 1.4 does not apply to the collection of personal information if --
    (a) the collection is required or authorised by or under law; or
    (b) the IPP entity reasonably believes that the collection is necessary to prevent or lessen --
        (i) a serious threat to the life, health, safety or welfare of any individual; or
        (ii) a threat to the life, health, safety or welfare of any individual due to family violence;
    or
    (c) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
1.6 An IPP entity must not collect personal information in an unreasonably intrusive way.
1.7 Before collecting personal information, an IPP entity must make a written record of the purposes for which the information will be collected and used or disclosed.
1.8 An IPP entity must collect personal information that relates to an individual only from the individual unless --
    (a) the individual consents to the collection of the information from someone other than the individual; or
    (b) the collection of the information is required or authorised by or under law; or
    (c) it is unreasonable or impracticable to do so.
1.9 At or before the time (or, if that is not practicable, as soon as practicable after) an IPP entity collects personal information that relates to an individual from the individual, it must take such steps (if any) as are reasonable in the circumstances to ensure that the individual is given, or made aware of, the following information --
    (a) the identity of the IPP entity and how to contact it;
    (b) how the individual may access the information (if applicable);
    (c) the purposes for which the information is collected and will be used or disclosed;
    (d) whether the IPP entity usually discloses information of that kind and, if so, the persons or bodies or kinds of persons or bodies to which the information is usually disclosed;
    (e) any law that requires the particular information to be collected;
    (f) the main consequences (if any) for the individual if all or part of the information is not provided.
1.10 If an IPP entity collects personal information that relates to an individual from someone other than the individual, the IPP entity must take such steps (if any) as are reasonable in the circumstances --
    (a) to satisfy itself that the information was not originally collected from the individual in contravention of this clause;
    and
    (b) to ensure that the individual is given, or made aware of, the information referred to in subclause 1.9(a) to (f), except to the extent that giving or making the individual aware of that information would pose --
        (i) a serious threat to the life, health, safety or welfare of any individual; or
        (ii) a threat to the life, health, safety or welfare of any individual due to family violence.
1.11 If an IPP entity collects personal information that relates to an individual from someone other than the individual in connection with a complaint made about the individual, the IPP entity is not required to comply with subclause 1.10 in relation to the collection of the information unless the IPP entity contacts the individual about the complaint.
1.12 An IPP entity must ensure that the information that an individual is given, or made aware of, under subclause 1.9 or 1.10(b) is up-to-date, clear, concise and expressed in plain language.

2. Principle 2: Use and disclosure
2.1 If an IPP entity holds personal information that relates to an individual that was collected to be used or disclosed for a particular purpose (the primary purpose), the IPP entity must not use or disclose the information for another purpose (the secondary purpose) unless --
    (a) the individual would reasonably expect the IPP entity to use or disclose the information for the secondary purpose and the secondary purpose is --
        (i) if the information is not sensitive personal information -- related to the primary purpose; or
        (ii) if the information is sensitive personal information -- directly related to the primary purpose;
    or
    (b) the individual consents to the use or disclosure; or
    (c) all of the following apply --
        (i) the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest;
        (ii) the research or statistics are not to be published in a form that identifies any particular individual;
        (iii) it is impracticable for the IPP entity to seek the individual's consent before the use or disclosure or, in the case of disclosure, the IPP entity reasonably believes that the recipient of the information will not further disclose the information;
    or
    (d) the IPP entity reasonably believes that the use or disclosure is necessary to prevent or lessen --
        (i) a serious threat to the life, health, safety or welfare of any individual; or
        (ii) a serious threat to public health, public safety or public welfare; or
        (iii) a threat to the life, health, safety or welfare of any individual due to family violence;
    or
    (e) the IPP entity has reason to suspect that unlawful activity has been, is being, or may be, engaged in and uses or discloses the information as a necessary part of its investigation of the matter or in reporting the matter to relevant persons or authorities; or
    (f) the use or disclosure is required or authorised by or under law; or
    (g) the IPP entity reasonably believes that the use or disclosure is necessary for --
        (i) a law enforcement function to be performed by a law enforcement agency; or
        (ii) proceedings before a court or tribunal.
2.2 An IPP entity must not use or disclose personal information unless the use or disclosure is fair and reasonable in the circumstances, taking into account the following matters --
    (a) whether the individual would reasonably expect the information to be used or disclosed in the circumstances;
    (b) the kind of personal information used or disclosed, including whether any of that information is sensitive personal information;
    (c) the amount of personal information used or disclosed;
    (d) whether the use or disclosure is necessary for 1 or more of the IPP entity's functions or activities;
    (e) whether there is a risk of loss, harm or other detriment to any individual as a result of the use or disclosure of the information;
    (f) whether the disclosure or use of the information for 1 or more of the IPP entity's functions or activities is, on balance, in the public interest;
    (g) in the case of personal information that relates to a child -- whether the use or disclosure of the information is in the best interests of the child;
    (h) the objects of this Act.
2.3 Subclause 2.2 does not apply to the use or disclosure of personal information if --
    (a) the use or disclosure is required or authorised by or under law; or
    (b) the IPP entity reasonably believes that the use or disclosure is necessary to prevent or lessen --
        (i) a serious threat to the life, health, safety or welfare of any individual; or
        (ii) a serious threat to public health, public safety or public welfare; or
        (iii) a threat to the life, health, safety or welfare of any individual due to family violence;
    or
    (c) the IPP entity has reason to suspect that unlawful activity has been, is being, or may be, engaged in and uses or discloses the information as a necessary part of its investigation of the matter or in reporting the matter to relevant persons or authorities; or
    (d) the IPP entity reasonably believes that the use or disclosure is necessary for --
        (i) a law enforcement function to be performed by a law enforcement agency; or
        (ii) proceedings before a court or tribunal.
2.4 Before using or disclosing personal information for a secondary purpose, the IPP entity must make a written record of the secondary purpose.
2.5 If an IPP entity uses or discloses personal information in a manner permitted by subclause 2.1(g) or 2.3(d), the IPP entity must make a written record of the use or disclosure.
2.6 For the purposes of this clause, a disclosure of information that is covered by an express exception from a secrecy provision in a written law is taken to be authorised by law.

3. Principle 3: Information quality
An IPP entity must take such steps (if any) as are reasonable in the circumstances to ensure that personal information it collects, uses or discloses is accurate, complete and up-to-date.

4. Principle 4: Information security
4.1 An IPP entity must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 An IPP entity must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose, unless the IPP entity is expressly required or authorised to retain the information by or under another law.

5. Principle 5: Openness and transparency
5.1 An IPP entity must develop a document setting out policies on its handling of personal information and must make the document available to anyone who requests it.
5.2 A document referred to in subclause 5.1 must be up-to-date, clear, concise and expressed in plain language.
5.3 On request by a person, an IPP entity must take reasonable steps to let the person know, generally --
    (a) the kinds of personal information that the IPP entity collects and holds; and
    (b) how the IPP entity handles personal information; and
    (c) the purposes for which the IPP entity handles personal information; and
    (d) whether any personal information held by the IPP entity is used for an automated decision-making process.

6. Principle 6: Access and correction
6.1 If an IPP entity holds personal information that relates to an individual, it must provide the individual with access to the information on a request made by the individual in accordance with section 40, except to the extent that --
    (a) providing access would endanger the life or physical safety of any person; or
    (b) there are reasonable grounds to believe that --
        (i) the person requesting access is a perpetrator, or alleged perpetrator of family violence; and
        (ii) denying access is necessary to prevent or lessen a threat to the life, health, safety or welfare of any individual due to family violence;
    or
    (c) providing access would enable the existence, non-existence, or identity, of any confidential source of information in relation to the enforcement or administration of the law to be discovered; or
    (d) providing access would have an unreasonable impact on the privacy of other individuals; or
    (e) the request for access is frivolous or vexatious; or
    (f) the information relates to existing legal proceedings between the IPP entity and the individual, and the information would not be accessible by the process of discovery or subpoena in those proceedings; or
    (g) providing access would reveal the intentions of the IPP entity in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
    (h) providing access would be unlawful; or
    (i) denying access is required or authorised by or under law; or
    (j) providing access would be likely to prejudice an investigation of possible unlawful activity; or
    (k) providing access would be likely to prejudice any of the law enforcement functions of a law enforcement agency; or
    (l) providing access would be likely to reveal evaluative information generated within the IPP entity about a commercially sensitive decision-making process.
6.2 If the IPP entity denies access to the personal information because of subclause 6.1(l), the IPP entity may include in the reasons for the denial of access referred to in subclause 6.7 an explanation for the commercially sensitive decision.
6.3 If an IPP entity is not required to provide an individual with access to information because of any of subclause 6.1(a) to (l), the IPP entity must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.4 If a fee for making a request for access to personal information applies under regulations made for the purposes of section 40(2)(e), the IPP entity may refuse access to the personal information until the fee is paid.
6.5 If an individual makes a request to an IPP entity in accordance with section 41 for the correction of personal information that relates to the individual, and the individual establishes that the information is not accurate, complete and up-to-date, the IPP entity must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.
6.6 If the individual and the IPP entity disagree about whether the information is accurate, complete and up-to-date, and the individual requests the IPP entity to associate with the information a statement claiming that the information is not accurate, complete or up-to-date, the IPP entity must take reasonable steps to do so.
6.7 An IPP entity must provide reasons for a denial of access to, or a refusal of a request for the correction of, personal information.
6.8 If an individual requests access to, or the correction of, personal information held by an IPP entity, the IPP entity must, as soon as practicable, but no later than 45 days after the day on which the request is made --
    (a) provide access to the information or reasons for the denial of access; or
    (b) correct the information or provide reasons for the refusal of the request for the correction of the information; or
    (c) provide reasons for the delay in responding to the request.

7. Principle 7: Unique identifiers
7.1 An IPP entity must not assign unique identifiers to individuals unless the assignment of unique identifiers is necessary to enable the IPP entity to perform any of its functions or activities efficiently.
7.2 An IPP entity must not adopt as its own unique identifier of an individual a unique identifier of the individual that has been assigned by another IPP entity unless --
    (a) the adoption of the unique identifier is necessary to enable the IPP entity to perform any of its functions efficiently; or
    (b) the individual consents to the use of the unique identifier; or
    (c) the IPP entity is an outsourcing entity under a State services contract and is adopting the unique identifier assigned by a contracted service provider in the provision of services under the contract; or
    (d) the IPP entity is a contracted service provider under a State services contract and is adopting the unique identifier assigned by the relevant outsourcing entity.
7.3 An IPP entity must not use or disclose a unique identifier assigned to an individual by another IPP entity unless --
    (a) the use or disclosure is necessary for the IPP entity to fulfil its obligations to the other IPP entity; or
    (b) circumstances referred to in IPP 2.1(c), (e), (f) or (g) apply to the use or disclosure; or
    (c) the individual consents to the use or disclosure.
7.4 An IPP entity must not require an individual to provide a unique identifier in order to obtain a service unless --
    (a) the provision of the identifier is required or authorised by or under law; or
    (b) the provision is in connection with the purpose for which the identifier was assigned or a directly related purpose.

8. Principle 8: Anonymity
8.1 Individuals must have the option of not identifying themselves when dealing with an IPP entity.
8.2 Subclause 8.1 does not apply to an IPP entity in relation to a matter if --
    (a) the IPP entity is required or authorised by or under law to deal with individuals who have identified themselves in relation to that matter; or
    (b) it is impracticable for the IPP entity to deal with individuals who have not identified themselves in relation to that matter.

9. Principle 9: Disclosures outside Australia
9.1 An IPP entity must not disclose personal information that relates to an individual to a person (other than the individual) outside Australia unless --
    (a) the IPP entity reasonably believes that the person to whom the information is disclosed is subject to a law, binding administrative scheme, or contract, that requires the person to comply with principles for handling the information that are substantially similar to the information privacy principles; or
    (b) the individual consents to the disclosure; or
    (c) the disclosure is required or authorised by or under law; or
    (d) the disclosure is necessary for the performance of a contract between the individual and the IPP entity or for the implementation of pre-contractual measures taken in response to the individual's request; or
    (e) the disclosure is necessary for the conclusion or performance of a contract that is concluded in the interest of the individual between the IPP entity and a third party; or
    (f) all of the following apply --
        (i) the disclosure is for the benefit of the individual;
        (ii) it is impracticable to obtain the consent of the individual to the disclosure;
        (iii) if it were practicable to obtain that consent, the individual would be likely to give it;
    or
    (g) the IPP entity has taken reasonable steps to ensure that the information will not be held, used or disclosed by the recipient inconsistently with the information privacy principles.
9.2 An IPP entity must not disclose de-identified information that relates to an individual to a person (other than the individual) outside Australia unless the IPP entity takes reasonable steps to ensure that the person to whom the de-identified information is disclosed --
    (a) protects the de-identified information from misuse and loss and from unauthorised re-identification, access, modification or disclosure; and
    (b) does not --
        (i) re-identify the de-identified information (except in circumstances referred to in IPP 11.2(c) or (d)); or
        (ii) further disclose the information in a manner that is likely to undermine the effectiveness of the de-identification of the information.

10. Principle 10: Automated decision-making
10.1 An IPP entity that employs an automated decision-making process involving the use of personal information in making significant decisions about individuals must --
    (a) conduct an assessment of the impact of the automated decision-making process on those individuals, having regard to --
        (i) the elimination or minimisation of harm, bias and discrimination; and
        (ii) whether there is a process by which individuals about whom decisions are made can request human intervention; and
        (iii) whether the handling of personal information in the process complies with any applicable requirements under this Act;
    and
    (b) periodically evaluate the operation and effectiveness of the automated decision-making process; and
    (c) reassess the matter referred to in paragraph (a) when changes are made to the automated decision-making process.
10.2 If an IPP entity employs an automated decision-making process involving the use of personal information in making a significant decision about an individual, the IPP entity must --
    (a) notify the individual that an automated decision-making process has been employed in making the decision; and
    (b) on request, give the individual information about how the automated decision-making process is employed in making decisions; and
    (c) provide a process by which the individual can request human intervention in relation to the decision.
10.3 A notification under subclause 10.2(a) --
    (a) may be given with, or as part of, any notification of the significant decision required to be given under a written law;
    and
    (b) subject to paragraph (a), must be given as soon as practicable.
10.4 Information provided under subclause 10.2(b) must be reasonably comprehensive and provided in a form that is capable of being understood by a person without specialist knowledge.

11. Principle 11: De-identified information
11.1 An IPP entity must take reasonable steps to protect the de-identified information it holds from misuse and loss and from unauthorised re-identification, access, modification or disclosure.
11.2 An IPP entity must not re-identify de-identified information that it holds unless --
    (a) the de-identified information was de-identified by the IPP entity itself; or
    (b) all of the following apply --
        (i) the de-identified information was collected from another IPP entity;
        (ii) that other IPP entity has given written authorisation for the IPP entity to re-identify the de-identified information for a specified purpose;
        (iii) the re-identification is undertaken for the specified purpose;
    or
    (c) the re-identification is undertaken to test the effectiveness of de-identification processes or security measures protecting information; or
    (d) the re-identification is required or authorised by or under law.

Schedule 2 -- Responsible sharing principles
[s. 4 and 175]

1. Principle 1: Activities
The relevant activity to be carried out using the information to be disclosed must be appropriate, having regard to the following --
    (a) whether there is a direct and identifiable connection between the relevant activity and a permitted purpose;
    (b) whether it is necessary to disclose and use the information for the relevant activity in order to achieve the permitted purpose;
    (c) whether the methods to be used in carrying out the relevant activity can reasonably be expected to result in the achievement of the permitted purpose;
    (d) whether the relevant activity will be of benefit to the public;
    (e) whether there is a risk of loss, harm or other detriment to the public if the disclosure and use of the information for the relevant activity does not occur;
    (f) whether there is a risk of loss, harm or other detriment to the public as a result of the proposed disclosure and use of the information for the relevant activity (including whether there is a risk of an interference with the privacy of any individual) and, if so, whether the risk can be appropriately mitigated;
    (g) whether the relevant activity will primarily or especially affect Aboriginal people;
    (h) whether the proposed disclosure and use of the information for the relevant activity is, on balance, in the public interest.

2. Principle 2: Recipients
The proposed recipient of the information must be an entity to which it is appropriate to disclose the information, having regard to the following --
    (a) whether the proposed recipient has the appropriate skills, experience and capability to use the information effectively in carrying out the relevant activity;
    (b) whether the proposed recipient will restrict access to the information to appropriate persons (for example, persons with security clearances or other authorisations);
    (c) whether the proposed recipient will require support from the proposed provider to use the information in carrying out the relevant activity and, if so, whether the proposed provider has capacity to provide that support;
    (d) whether any person other than the proposed recipient has an interest in the relevant activity, or in any derived information to be generated as a result of the relevant activity, and if so, the nature of that interest;
    (e) whether the systems, processes and governance arrangements of the proposed recipient are appropriate for carrying out the relevant activity using the information.

3. Principle 3: Information
3.1 The information must be information that it is appropriate to disclose and use for the relevant activity, having regard to the following --
    (a) whether the information is limited to only such information as is necessary to use to achieve the permitted purpose;
    (b) whether the information is of sufficient quality for the proposed use;
    (c) whether the information includes sensitive Aboriginal family history information or sensitive Aboriginal traditional information;
    (d) whether circumstances affecting the appropriateness of disclosing or using the information are likely to change during the period in which the information is to be disclosed and used;
    (e) if the information is or includes de-identified information --
        (i) whether there is a risk that the de-identified information could be re-identified; and
        (ii) if so, how that re-identification could occur.
3.2 The information to be disclosed and used for the relevant activity must not include personal information that relates to an individual unless --
    (a) the individual consents to the disclosure of the personal information for the proposed use; or
    (b) the individual would reasonably expect the personal information to be disclosed for the proposed use and the proposed use relates to the purpose for which the information was collected; or
    (c) the personal information is to be used for the permitted purpose of informing or enabling emergency management (including prevention of, preparedness for, response to, and recovery from, emergencies); or
    (d) the relevant activity consists only of data linkage, data integration or both; or
    (e) all of the following apply --
        (i) it is impracticable to seek the individual's consent to the disclosure of the personal information for the proposed use;
        (ii) the permitted purpose cannot be achieved by the use of de-identified information;
        (iii) the proposed disclosure and use of the personal information for the relevant activity is, on balance, in the public interest.

4. Principle 4: Settings
The environments in which, and manner in which, the information proposed to be disclosed will be collected, held, managed and used must be appropriate, having regard to the following --
    (a) the physical locations where the information will be held, managed and used;
    (b) the digital environments in which the information will be held, managed and used;
    (c) the methods that will be used to transport or transmit the information;
    (d) the period for which the information is proposed to be held by the proposed recipient;
    (e) whether the proposed recipient has appropriate security systems and processes to protect the information from unauthorised access, use or disclosure;
    (f) the likelihood that an information breach could occur in relation to the information and whether the proposed recipient's systems and processes are adequate to respond to an information breach;
    (g) how the information will be dealt with after it has been used in carrying out the relevant activity.

5. Principle 5: Outputs
If the relevant activity to be carried out using the information to be disclosed will or may involve the disclosure of any derived information, that proposed disclosure must be appropriate, having regard to the following --
    (a) the nature of the proposed disclosure;
    (b) the persons to whom the proposed disclosure is to be made;
    (c) the likelihood that the identity of any individual to whom the information relates could be ascertained as a result of the proposed disclosure;
    (d) whether there will be an external audit or review prior to the disclosure and, if so, whether the proposed provider would be involved in that audit or review.

Defined terms
[This is a list of terms defined and the provisions where they are defined. The list is not part of the law.]

Defined term .... Provision(s)
Aboriginal community controlled organisation .... 4
Aboriginal information assessment .... 4, 177(1)
Aboriginal information use plan .... 4, 176(4)
act .... 4
affected individual .... 4, 58
affected individuals .... 107(1)
agency .... 213(1)
approved form .... 4
approved privacy code of practice .... 4
assessed notifiable information breach .... 4, 61(3)
assessed shared information breach .... 4, 192(4)
associated .... 169(2)
Australian Information Commissioner .... 4
authorised officer .... 4
authorised representative .... 154(1)
automated decision-making process .... 4, 16(2)
automated system .... 4, 16(1)
care leaver .... 4
Chief Data Officer .... 4
Chief Data Officer guidelines .... 4
child .... 4
child protection functions .... 4
collect .... 4
commencement day .... 223(1), 224(1), 225(1), 226(1), 227(1), 228(1)
Commissioner notice .... 69(2)
community policing functions .... 4
compliance notice .... 4, 122(1)
conciliation agreement .... 98(1)
conciliator .... 4
confidential or commercially sensitive information .... 4
consent .... 4
contracted service provider .... 4, 8(2)
data analytics work .... 4
Data analytics work .... 12(2)
data integration .... 4
Data integration .... 12(4)
data linkage .... 4
Data linkage .... 12(3)
data linkage key .... 12(3)
data set .... 4, 12(1)
de-identified information .... 4, 11(2)
de-identify .... 4, 11(1)
derived information .... 4, 170
disability .... 4
disclose .... 4
disclosing .... 10
disclosing entity .... 184
document .... 213(1)
draft determination .... 47(2)
electronic means .... 4
emergency response functions .... 4
enforcement action .... 140(1)
exempt agency .... 213(1)
exempt information ....
4, 158(1), (2) and (3) external entity .......................................................................................... 4, 156(2) family violence .....................................................................................................4 government information................................................................................ 4, 157 handle.................................................................................................................... 4 Health and Disability Services Complaints Office Director .................................4 health information .................................................................................................4 health service ........................................................................................................4 high privacy impact function or activity .................................................... 4, 79(1) hold ....................................................................................................................... 4 holding entity ........................................................................................... 4, 160(3) information breach ................................................................................................ 4 Information Commissioner ................................................................................... 4 information holdings request ................................................................... 4, 196(2) information privacy principle................................................................................ 4 information sharing agreement ................................................................ 4, 168(1) information sharing CEO ...................................................................................... 
4 information sharing Department ...........................................................................4 information sharing direction ................................................................... 4, 163(1) Information Sharing Minister................................................................................ 4 information sharing provisions .................................................................... 214(1) information sharing request ..................................................................... 4, 160(3) insolvent ....................................................................................................... 140(1) instrument of extension .................................................................................. 55(1) interference with the privacy........................................................................... 4, 15 IPP......................................................................................................................... 4 IPP entity ................................................................................................... 4, 14(1) judicial body ................................................................................................ 4, 7(1) law enforcement agency ....................................................................................... 4 law enforcement functions .................................................................................... 4 page 213 Privacy and Responsible Information Sharing Bill 2024 Defined terms materially assisted ...................................................................................... 4, 16(3) member of Commissioner staff .............................................................................4 notice to produce or attend ....................................................................... 4, 113(1) notifiable information breach .................................................. 
4, 57(1), (2) and (3) notifiable information breach determination .................................................. 60(1) officer .................................................................................................................... 4 outsourcing entity ........................................................................................ 4, 8(1) Parliamentary Commissioner for Administrative Investigations .......................... 4 Parliamentary Secretary ........................................................................................ 4 permitted purpose .................................................................................... 4, 159(1) personal information ............................................................................................. 4 Police Force of Western Australia ........................................................................4 primary purpose ................................................................................. Sch. 1 cl. 2.1 principal officer......................................................................... 4, 9(1), (2) and (3) privacy code of practice ............................................................................. 4, 28(1) privacy complaint .................................................................................................4 Privacy Deputy Commissioner .............................................................................4 privacy functions...................................................................................... 4, 142(1) privacy guidelines .................................................................................................4 privacy impact assessment .................................................. 
4, 79(2), 80(2), 176(2) Privacy Minister ....................................................................................................4 privacy provisions ........................................................................................ 155(1) proposed provider .................................................................................................4 proposed recipient .................................................................................................4 provider .................................................................................................... 4, 168(2) public entity ..................................................................................... 4, 6(1) and (2) public interest determination ...................................................................... 4, 45(1) public register .......................................................................................................4 receiving entity ................................................................................................. 185 recipient ................................................................................................... 4, 168(3) re-identify .................................................................................................. 4, 11(3) relevant activity........................................................................................ 4, 168(1) relevant act or practice ............................................................ 90(1), 98(3), 140(1) relevant exception .......................................................................................... 69(1) relevant IPP entity ............................................................................................... 64 relevant Minister .......................................................................................... 220(1) relevant official ............................................................................... 
208(1), 218(1) relevant outsourcing entity ........................ 130(1), 131(2), 132(2), 133(3), 134(3), ....................................................................... 135(2), 136, 138(2), 139(3), 140(1) requesting entity ....................................................................................... 4, 160(3) respondent .................................................................................................. 4, 82(2) responsible Minister .............................................................................................. 4 responsible sharing principle ................................................................................ 4 responsible sharing safeguards..................................................................... 175(3) page 214 Privacy and Responsible Information Sharing Bill 2024 Defined terms scheme ombudsman ....................................................................................... 93(6) secondary purpose.............................................................................. Sch. 1 cl. 2.1 secrecy provision ..................................................................................................4 senior executive officer ......................................................................................... 4 senior officer .........................................................................................................4 sensitive Aboriginal family history information ................................................... 4 sensitive Aboriginal information safeguards ............................................... 177(2) sensitive Aboriginal traditional information ......................................................... 4 sensitive personal information ..............................................................................4 shared information ........................................................................................ 
4, 191 shared information breach............................................................................. 4, 191 significant decision .................................................................................... 4, 16(4) special information sharing entity ............................................................ 4, 156(1) specified ....................................................................................................... 229(1) state of mind................................................................................................. 217(1) State services contract .................................................................................. 4, 8(1) temporary public interest determination .................................................... 4, 49(1) transitional matter ........................................................................................ 229(1) unique identifier ....................................................................................................4 variation agreement.................................................................................. 4, 179(1)