(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(1) A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information:
(a) is accurate, and (b) having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
(1) A public sector agency must not disclose personal information relating to an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned or another person.
(1) The information protection principles apply to public sector agencies.
(1) Each public sector agency must prepare and implement a privacy management plan within 12 months of the commencement of this section. (2) The privacy management plan of a public sector agency must include provisions relating to the following:
(a) the devising of policies and practices to ensure compliance by the agency with the requirements of this Act or the Health Records and Information Privacy Act 2002, if applicable, (b) the dissemination of those policies and practices to persons within the agency, (c) the procedures that the agency proposes to provide in relation to internal review under Part 5, (d) such other matters as are considered relevant by the agency in relation to privacy and the protection of personal information held by the agency.
(1) For the purposes of any inquiry or investigation conducted by the Privacy Commissioner under this Act (including in relation to a complaint made under Division 3 of this Part), the Privacy Commissioner has the powers, authorities, protections and immunities conferred on a commissioner by Division 1 of Part 2 of the Royal Commissions Act 1923, and that Act (section 13 and Division 2 of Part 2 excepted) applies (subject to this section) to any witness summoned by or appearing before the Privacy Commissioner in the same way as it applies to a witness summoned by or appearing before a commissioner. (2) Subsection (1) does not confer any function on the Privacy Commissioner that may be exercised in relation to the Independent Commission Against Corruption, the Inspector of the Independent Commission Against Corruption, the staff of the Inspector of the Independent Commission Against Corruption, Police Integrity Commission, Inspector of the Police Integrity Commission, staff of the Inspector of the Police Integrity Commission or New South Wales Crime Commission.
(1) The Privacy Commissioner may, from time to time, prepare and publish a personal information digest setting out the nature and source of personal information held by public sector agencies.
(1) A complaint may be made to (or by) the Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual. (2) The subject-matter of a complaint may relate to conduct to which Part 5 applies (unless it is conduct that is alleged to have occurred before the commencement of that Part). Note— Section 21 of the Health Records and Information Privacy Act 2002 provides that certain conduct under that Act by public sector agencies is conduct to which Part 5 of this Act applies. (2A) A complaint about a matter referred to in section 42 of the Health Records and Information Privacy Act 2002 is not to be dealt with under this Division but is to be dealt with by the Privacy Commissioner as a complaint under Part 6 of that Act. Note— Section 42 of the Health Records and Information Privacy Act 2002 provides that a complaint may be made to the Privacy Commissioner about the alleged contravention by a private sector person of a Health Privacy Principle, a provision of Part 4 (Provisions for private sector persons) of that Act or a health privacy code of practice.
(1) A person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct. (2) The review is to be undertaken by the public sector agency concerned. (3) An application for such a review must:
(a) be in writing, and (b) be addressed to the public sector agency concerned, and (c) specify an address in Australia to which a notice under subsection (8) may be sent, and (d) be lodged at an office of the public sector agency within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct the subject of the application, and (e) comply with such other requirements as may be prescribed by the regulations.
(1) A public sector agency that receives an application under section 53 must:
(a) as soon as practicable after receiving the application notify the Privacy Commissioner of the application, and (b) keep the Privacy Commissioner informed of the progress of the internal review, and (c) inform the Privacy Commissioner of the findings of the review and of the action proposed to be taken by the agency in relation to the matter.
(1) If a person who has made an application for internal review under section 53 is not satisfied with:
(a) the findings of the review, or (b) the action taken by the public sector agency in relation to the application, the person may apply to the Tribunal for a review of the conduct that was the subject of the application under section 53. (2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct, (b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice, (c) an order requiring the performance of an information protection principle or a privacy code of practice, (d) an order requiring personal information that has been disclosed to be corrected by the public sector agency, (e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant, (f) an order requiring the public sector agency not to disclose personal information contained in a public register, (g) such ancillary orders as the Tribunal thinks appropriate. (3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 5 of the Administrative Decisions Tribunal Act 1997.
(Section 34)
(Section 60 (4))
(Section 74)