Appendix A: Key terms

13 July 2019

‘Agency’ is defined in s 6(1) of the Privacy Act and includes most Australian Government agencies and Ministers.

‘APPs’ are the Australian Privacy Principles set out in Schedule 1 to the Privacy Act, which apply to APP entities.

‘APP entity’ is defined in s 6(1) of the Privacy Act to mean an agency or organisation.

‘Assessment’ is a key step in responding to a data breach, which should enable entities to make an evidence-based decision about whether serious harm is likely. Entities that are subject to the NDB scheme are required to conduct assessments of suspected eligible data breaches under s 26WH of the Privacy Act.

‘Australian Information Commissioner’ administers the Privacy Act, and is appointed under s 14 of the Australian Information Commissioner Act 2010 (Cth).

‘Consumer Data Right’ is a right, regulated by Part IVD of the Competition and Consumer Act 2010 and associated rules, that aims to give consumers greater control over their data by allowing them to share it with accredited third parties.

‘Credit provider’ is defined in s 6(1) of the Privacy Act.

‘Credit reporting body’ is defined in s 6(1) of the Privacy Act and generally applies to a business or undertaking that involves collecting, holding, using, or disclosing personal information about individuals for the purpose of providing an entity with information about the credit worthiness of an individual (s 6P of the Privacy Act).

‘Data breach’ is the unauthorised access or disclosure of personal information, or loss of personal information.

‘Eligible data breach’ is the unauthorised access or disclosure of personal information, or loss of personal information in circumstances where unauthorised access or disclosure is likely to occur, that is likely to result in serious harm to any of the individuals to whom the information relates (see s 26WE(2) of the Privacy Act).

‘Enforcement body’ is a body listed in s 6(1) of the Privacy Act.

‘Enforcement related activities’ are functions listed in s 6(1) of the Privacy Act.

‘Entity’ is an agency, organisation, credit reporting body, credit provider, or file number recipient that has obligations under s 26WE(1) of the Privacy Act.

‘File number recipient’ is defined in s 11 of the Privacy Act as a person in possession or control of a record that contains a tax file number.

‘Health service’ is defined in s 6FB of the Privacy Act, and includes general activities to assess, maintain or improve an individual’s health.

‘My Health Records Act’ is the My Health Records Act 2012 (Cth).

‘NDB scheme’ is the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act.

‘Notifiable data breach’ is another term for an eligible data breach.

‘Notification statement’ is a statement about an eligible data breach, prepared by an entity under s 26WK of the Privacy Act.

‘OAIC’ is the Office of the Australian Information Commissioner.

‘Organisation’ is defined in s 6C of the Privacy Act, and includes all businesses and non-government organisations with an annual turnover of more than $3 million, all health service providers and some small businesses (see ss 6D and 6E of the Privacy Act).

‘Privacy Act’ is the Privacy Act 1988 (Cth).

‘Personal information’ is defined in s 6(1) of the Privacy Act as information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.

‘Remedial action’ is the steps that an entity may take so that serious harm is no longer likely for any individual whose personal information is involved in an eligible data breach.

‘Sensitive information’ is defined in s 6(1) of the Privacy Act to include personal information about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record. Sensitive information also includes all health information, genetic information, biometric information that is to be used for the purpose of automated biometric verification or biometric identification, and biometric templates.

‘Small business operator’ is defined in s 6D of the Privacy Act.

‘State or Territory authority’ is defined in s 6C(3) of the Privacy Act.

‘TFN’ means Tax File Number, as defined in s 6(1) of the Privacy Act.