The Privacy Act of 1974 is a federal law that governs our collection and use of records we maintain on you in a system of records. A system of records is any grouping of information about an individual under the control of a Federal agency from which information is retrievable by personal identifiers, such as name, social security number, or other identifying number or symbol. Under the Privacy Act, Federal agencies may not disclose information without consent unless certain exceptions apply to the disclosure. The Privacy Act provides protections to individuals in three primary ways. It provides individuals with:
All of OSC's System of Records Notices (SORNs) are published in the Federal Register. These notices set out the legal authority for collecting and storing records, the individuals about whom records will be collected, the kinds of information that will be collected, and how the records will be used. The following are the twelve (12) Privacy Act exemptions under which consent to release information is not required:
Personal Data Protection
This revised edition incorporates all amendments up to and including 1 December 2021 and comes into operation on 31 December 2021.
An Act to govern the collection, use and disclosure of personal data by organisations, and to establish the Do Not Call Register and to provide for its administration, and for matters connected therewith.
[22/2016]
[2 January 2013: Parts I, II, VIII, IX (except sections 36 to 38, 41 and 43 to 48) and X (except section 67(1)), and the First, Seventh and Ninth Schedules; 2 December 2013: Sections 36, 37, 38 and 41; 2 January 2014: Sections 43 to 48 and 67(1) and the Eighth Schedule; 2 July 2014: Parts III to VII, and the Second to Sixth Schedules]
PART 1
1. This Act is the Personal Data Protection Act 2012.
2.—(1) In this Act, unless the context otherwise requires —
“advisory committee” means an advisory committee appointed under section 7;
“Appeal Committee” means a Data Protection Appeal Committee constituted under section 48P(4), read with the Seventh Schedule;
“Appeal Panel” means the Data Protection Appeal Panel established by section 48P(1);
“authorised officer”, in relation to the exercise of any power or performance of any function or duty under any provision of this Act, means a person to whom the exercise of that power or performance of that function or duty under that provision has been delegated under section 38 of the Info‑communications Media Development Authority Act 2016;
“Authority” means the Info‑communications Media Development Authority established by section 3 of the Info‑communications Media Development Authority Act 2016;
“benefit plan” means an insurance policy, a pension plan, an annuity, a provident fund plan or other similar plan;
“business” includes the activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his or her personal or domestic capacity;
“business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes;
“Chief Executive”, in relation to the Authority, means the Chief Executive of the Authority appointed under section 40(2) of the Info‑communications Media Development Authority Act 2016, and includes any individual acting in that capacity;
“Commission” means the person designated as the Personal Data Protection Commission under section 5 to be responsible for the administration of this Act;
“Commissioner” means the Commissioner for Personal Data Protection appointed under section 8(1)(a), and includes any Deputy Commissioner for Personal Data Protection or Assistant Commissioner for Personal Data Protection appointed under section 8(1)(b);
“credit bureau” means an organisation which —
“credit report” means a communication, whether in written, oral or other form, provided to an organisation to assess the creditworthiness of an individual in relation to a transaction between the organisation and the individual;
“data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation;
“derived personal data” —
“document” includes information recorded in any form;
“domestic” means related to home or family;
“education institution” means an organisation that provides education, including instruction, training or teaching, whether by itself or in association or collaboration with, or by affiliation with, any other person;
“employee” includes a volunteer;
“employment” includes working under an unpaid volunteer work relationship;
“evaluative purpose” means —
“individual” means a natural person, whether living or deceased;
“inspector” means an individual appointed as an inspector under section 8(1)(b);
“investigation” means an investigation relating to —
“national interest” includes national defence, national security, public security, the maintenance of essential services and the conduct of international affairs;
“organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not —
“personal data” means data, whether true or not, about an individual who can be identified —
“prescribed healthcare body” means a healthcare body prescribed for the purposes of the Second Schedule by the Minister charged with the responsibility for health;
“prescribed law enforcement agency” means an authority charged with the duty of investigating offences or charging offenders under written law, prescribed for the purposes of sections 21(4) and 26D(6) and the Second Schedule by the Minister charged with the responsibility for that authority;
“private trust” means a trust for the benefit of one or more designated individuals who are the settlor’s friends or family members;
“proceedings” means any civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority that is related to the allegation of —
“processing”, in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:
“public agency” includes —
“publicly available”, in relation to personal data about an individual, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event —
“relevant body” means the Commission, the Appeal Panel or any Appeal Committee;
“tribunal” includes a judicial or quasi‑judicial body or a disciplinary, an arbitral or a mediatory body;
“user activity data”, in relation to an organisation, means personal data about an individual that is created in the course or as a result of the individual’s use of any product or service provided by the organisation;
“user‑provided data”, in relation to an organisation, means personal data provided by an individual to the organisation.
[22/2016; 40/2020]
(2) The Minister may, by notification in the Gazette, specify any statutory body established under a public Act for a public function to be a public agency for the purposes of this Act.
3. The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
4.—(1) Parts 3, 4, 5, 6, 6A and 6B do not impose any obligation on —
[40/2020]
(2) Parts 3, 4, 5, 6 (except sections 24 and 25), 6A (except sections 26C(3)(a) and 26E) and 6B do not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing.
[40/2020]
(3) An organisation has the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.
(4) This Act does not apply in respect of —
(5) Except where business contact information is expressly mentioned, Parts 3, 4, 5, 6 and 6A do not apply to business contact information.
[40/2020]
(6) Unless otherwise expressly provided in this Act —
Who does the Australian Privacy Act apply to?
The Privacy Act provides 13 Australian Privacy Principles (APPs). The APPs apply to government agencies and private sector organisations with an annual turnover of $3 million or more. The APPs are principles-based—protecting privacy while not burdening agencies and organisations with inflexible prescriptive rules.
What acts are covered by the Data Privacy Act?
Republic Act No. 10173, otherwise known as the Data Privacy Act, is a law that seeks to protect all forms of information, be it private, personal, or sensitive. It is meant to cover both natural and juridical persons involved in the processing of personal information.
What does the Australian Privacy Act cover?
The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information.