The Law Handbook 2024

1100 Section 12: Government and the individual

expressed in penalty units (see ‘A note about penalty units’ at the start of this book). The civil penalty provisions in the PA 1988 include:
• for a serious or repeated interference with privacy (s 13G), maximum penalties including $2 500 000 for a person other than a body corporate;
• for a body corporate, an amount not exceeding the greater of:
  – $50 000 000;
  – three times the value of the benefit obtained directly or indirectly by the body corporate and any related bodies corporate that is reasonably attributable to the conduct constituting the contravention; or
  – if the court cannot determine the value of the benefit, 30% of the body corporate’s adjusted turnover during the breach turnover period for the contravention; and
• various civil penalty provisions also set out in pt IIIA, with penalties of 500, 1000 or 2000 pu.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) amended the PA 1988 to enshrine a mandatory data breach notification scheme. Since 22 February 2018, APP entities have been required to notify the Information Commissioner, and in most cases the individuals affected, of any data breach that is likely to result in serious harm to any individuals whose personal information is involved. The notification to individuals must include recommendations about steps individuals should take to respond to the breach. Failure to notify the Information Commissioner of a data breach is deemed to be an interference with privacy and triggers the Information Commissioner’s existing enforcement powers.

The OAIC has published ‘Guide to Privacy Regulatory Action’ under the Privacy Act (see www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/guide-to-privacy-regulatory-action).

Recognised external dispute resolution schemes

Under section 35A of the PA 1988, the Information Commissioner can ‘recognise’ external dispute resolution (EDR) schemes to handle particular privacy-related complaints. The Information Commissioner has issued guidelines for recognising EDRs. For a list of EDR schemes that are recognised by the Information Commissioner, see ‘Contacts’ at the end of this chapter.

Privacy codes

The Information Commissioner has the power to approve and register enforceable codes for certain entities (e.g. entities in a particular industry). The commissioner has issued guidelines for developing privacy codes (available at www.oaic.gov.au).

The most recent version of the Privacy (Credit Reporting) Code 2014 (‘CR Code 2014’) commenced on 1 July 2022. (See ‘Privacy and credit reporting’, below.)

The Privacy (Market and Social Research) Code 2014 was registered on 28 November 2014. On 22 March 2021, it was replaced by the Privacy (Market and Social Research) Code 2021.

The Privacy (Australian Government Agencies – Governance) APP Code (‘2017 code’) was registered on 27 October 2017 and commenced 1 July 2018. The 2017 code sets out specific requirements and steps that agencies must take in complying with APP 1.2. APP 1.2 requires an APP entity to take reasonable steps to implement practices, procedures and systems to ensure it complies with the APPs, and any binding registered APP code, and can deal with related enquiries and complaints.

Office of the Australian Information Commissioner

The OAIC is the independent statutory agency that was created by the Australian Information Commissioner Act 2010 (Cth) (‘AICA 2010’) to administer the PA 1988 and the Freedom of Information Act 1982 (Cth) (‘FoI Act (Cth)’). The AICA 2010 (s 6) created three information officers: the Information Commissioner, the Freedom of Information Commissioner, and the Privacy Commissioner. The Privacy Commissioner has the privacy functions, but certain actions can only be undertaken with the Information Commissioner’s approval. The Information Commissioner has all the functions under the PA 1988 and the FoI Act (Cth).

The Information Commissioner can delegate all their functions under the PA 1988, apart from the power to issue rules under section 17 and making a determination for the purposes of section 52 (s 25 AICA 2010).
