
Chapter 9: Reporting under the National Cancer Screening Register Act
Under s 22A of the National Cancer Screening Register Act 2016 (NCSR Act), the Secretary of the Department of Health (the Secretary)...
Under s 75 of the My Health Records Act, some entities have a mandatory obligation to provide notification of certain data breaches...
The OAIC administers a Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act...
The OAIC has published the Guide...
The OAIC will generally publish all PIA directions issued, and will require the agency to publish all final PIAs prepared in response to a PIA direction...
Where an agency does not comply with a PIA direction, the OAIC will use the following procedure...
The OAIC will consider that an agency has complied with a PIA direction when the agency has given...
Where the OAIC becomes aware of a proposed activity or function of an agency it may seek further information about the impact of the proposal on the privacy of individuals...
Section 33D of the Privacy Act empowers the Commissioner to direct an agency to give the Commissioner a privacy impact assessment (PIA)...
Risk-based assessments.
Generally, the OAIC will publish all assessment reports...
There are four main stages commonly involved in assessments...
As outlined in the Privacy regulatory action policy...
Section 33C of the Privacy Act provides the Commissioner with the power to conduct assessments of APP entities about...
Chapter 1 of this guide for information relating to the OAIC’s complaint investigation procedures...
The OAIC will publicly communicate the following information in connection with civil penalty proceedings...
When seeking a civil penalty order from the courts is a possible regulatory outcome in a matter...
Section 13G of the Privacy Act is a civil penalty provision for cases of serious or repeated interference with privacy by an entity...
By requiring the payment of a penalty to the Commonwealth, a civil penalty order financially penalises an entity or person...
Section 80W of the Privacy Act empowers the Commissioner to apply to the Federal Court or Federal Circuit Court for an order that an entity...
Generally, the OAIC will publicly communicate the following information in connection with an injunction application...
The Court may discharge or vary an injunction granted under s 98 of the Privacy Act or s 81 of the My Health Records Act (see also Part 7 of the Regulatory Powers Act)...
When seeking an injunction, the OAIC will generally use the following steps...
Injunctions are an important enforcement tool for compelling a person to modify their behaviour in order to prevent them from contravening...
An injunction is a Court order directing a person to do a specific thing or, more commonly, to not do a specific thing...
Under s 55 of the Privacy Act, where a determination applies to a respondent that is not a government agency...
A party may apply under s 96 of the Privacy Act to have a decision under subsection 52(1) or (1A) to make a determination reviewed by the AAT...
Once made, and sent to the parties, determinations will be published on the OAIC’s website and on the AustLII website...
A determination will generally contain the following information...
In making a determination, the Commissioner may conduct further investigation, and consider additional submissions and information provided by the parties...
The Commissioner generally tries to resolve complaints through conciliation as provided for by the Privacy Act (s 40A)...
After investigating a complaint, the Commissioner may make a determination which either dismisses the complaint or finds that the complaint is substantiated (s 52(1))...
Section 33E(5) of the Privacy Act and s 80(4) of the My Health Records Act allow the OAIC to publish an enforceable undertaking on the OAIC’s website...
Where the OAIC believes that a respondent has breached the terms of an enforceable undertaking, the OAIC will generally use the following procedure...
A respondent can vary or withdraw an enforceable undertaking, but must have the consent of the Commissioner in order to do so...
When the acceptance of an enforceable undertaking is a possible regulatory outcome in a matter...
An enforceable undertaking under the Privacy Act can only be given by ‘an entity’...
An enforceable undertaking is a written agreement between an entity or person (the respondent) and the Commissioner...
Where the OAIC decides to commence a CII, the following four steps will be taken...
The Commissioner’s primary objective when undertaking a CII is improving the privacy practices of investigated entities and the regulated community generally...
The OAIC has a range of options available to respond to referrals, including no action...
The OAIC becomes aware of matters that may warrant the commencement of a CII through a number of channels...
Section 40 of the Privacy Act gives the Commissioner the power to conduct investigations...
Section 50 of the Privacy Act allows the OAIC to not investigate...
The OAIC may at any time during the complaint process exercise the discretion not to investigate a complaint or not to investigate...
The OAIC is not required to attempt to resolve the complaint through conciliation where the OAIC has decided not to investigate, or not to further investigate, a complaint...
Where possible the OAIC tries to handle privacy complaints informally and flexibly...
Complaints must be in writing and must identify the person making the complaint...
The OAIC provides a free, informal and accessible complaint process...
A complaint about an act or practice that may be an interference with privacy can be made by an individual on their own behalf, and on behalf of other individuals with their consent...
APP 11 requires entities to actively consider whether they are permitted to retain personal information...
Entities must take reasonable steps to ensure that the personal information they collect is accurate...
APP 8 and s 16C of the Privacy Act apply when an entity discloses personal information overseas...
Direct marketing is where an organisation directly promotes goods or services to an individual...
APP 6 outlines when an entity may use or disclose personal information...
When your organisation collects personal information...
APP 3 outlines when personal information, including sensitive information...
The objective of APP 1 is to ensure that organisations manage personal information in an open and transparent way...
Privacy is not an obstacle to innovation...
The Privacy Act regulates how organisations handle personal information...
While organisations have undertaken data analytics activities for a long time...
Through the amassing, aggregating and analysing of data to discover new relationships...
Data analytics describes processes or activities which are designed to obtain and evaluate data to extract useful information...
The aim of the Guide is to assist organisations to identify and take steps to address the privacy issues that may arise.