{"id":"a-2014-24","name":"Information Privacy Act 2014","slug":"information-privacy-act-2014","collection":"act","jurisdiction":"act","status":"in_force","isInForce":true,"actNumber":"24 of 2014","makingDate":null,"administeringDepartment":null,"currentVersion":{"id":23766,"registerId":"act-a-2014-24-current","compilationNumber":null,"startDate":"2026-04-01","status":"InForce","reasons":null,"registeredAt":null},"sections":[{"sectionNumber":"Part 2","sectionType":"part","heading":"Objects and important concepts","content":"Part 2 Objects and important concepts\nSection 11\npage 6 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n11 Meaning of interference with individual’s privacy\n(1) For this Act, an act or practice of a public sector agency is\nan interference with an individual’s privacy if the act or practice\nbreaches—\n(a) a TPP in relation to personal information about the individual;\nor\n(b) a TPP code that binds the agency in relation to personal\ninformation about the individual.\n(2) For this Act, an act or practice of a contracted service provider under\na government contract is an interference with an individual’s privacy\nif the act or practice would be an interference with an individual’s\nprivacy if the act or practice was done or engaged in by the relevant\npublic sector agency for the contract.\n(3) In this section:\nrelevant public sector agency, for a government contract, means—\n(a) if the Territory is a party to the contract—the public sector\nagency that entered into the contract on behalf of the Territory;\nor\n(b) if the Territory is not a party to the contract—the public sector\nagency that is a party to the contract.\n12 Meaning of breach a TPP etc\n(1) For this Act, an act or practice breaches a TPP only if it is contrary\nto, or inconsistent with, the TPP.\n(2) However, an act or practice does not breach a TPP if—\n(a) the act is done, or the practice is engaged in, outside the ACT;\nand\n(b) the act or practice is required by a law of another jurisdiction or\na foreign country.\n\nObjects and important concepts Part 2\nSection 12\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 7\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(3) In this section:\nTPP includes a TPP code.\n\nPart 3 Territory privacy principles\nDivision 3.1 Important concepts—Territory privacy principles\nSection 13\npage 8 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nPart 3 Territory privacy principles\nDivision 3.1 Important concepts—Territory privacy\nprinciples\n13 Territory privacy principles\n(1) The Territory privacy principles (the TPPs) are set out in schedule 1.\nNote The TPPs differ from the Commonwealth APPs (see sch 1, note 3).\n(2) If a provision of this Act refers to a TPP by a number, the reference\nis a reference to the provision of schedule 1 having that number.\n14 Definitions—sch 1\nIn schedule 1:\nAustralian law—\n(a) means a Territory, Commonwealth or State law; and\n(b) includes the common law.\nNote State includes the Northern Territory (see Legislation Act, dict, pt 1).\ncollects, personal information—see section 15.\ncourt or tribunal order—\n(a) means an order, direction or other instrument made by an ACT\ncourt; and\n(b) includes an order, direction or other instrument of an interim or\ninterlocutory nature.\nde-identified, personal information—see section 18.\n\nTerritory privacy principles Part 3\nImportant concepts—Territory privacy principles Division 3.1\nSection 14\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 9\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nenforcement body means any of the following:\n(a) the Australian Federal Police;\n(b) a State police force or service;\nNote State includes the Northern Territory (see Legislation Act, dict,\npt 1).\n(c) the DPP or similar body established under a Commonwealth or\nState law;\n(d) a body established under a territory, Commonwealth or State\nlaw to the extent that it is responsible for administering, or\nexercising a function under—\n(i) a law that imposes a penalty or sanction; or\n(ii) a law prescribed by regulation;\n(e) a body established under a territory, Commonwealth or State\nlaw to conduct criminal investigations or inquiries;\n(f) a body established under a territory, Commonwealth or State\nlaw to the extent that it is responsible for administering a law\nrelating to the protection of public revenue;\n(g) the integrity commission;\n(h) a body prescribed by regulation.\nenforcement-related activity means—\n(a) the prevention, detection, investigation, prosecution or\npunishment of—\n(i) criminal offences; or\n(ii) breaches of a law imposing a penalty or sanction; or\n(b) the conduct of surveillance activities, intelligence gathering\nactivities or monitoring activities; or\n(c) the conduct of protective or custodial activities; or\n\nPart 3 Territory privacy principles\nDivision 3.1 Important concepts—Territory privacy principles\nSection 14\npage 10 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(d) the enforcement of law relating to the confiscation of the\nproceeds of crime; or\n(e) the protection of public revenue; or\n(f) the prevention, detection, investigation or remedying of\nmisconduct of a serious nature, or other conduct prescribed by\nregulation; or\n(g) the prevention, detection or investigation of corrupt conduct; or\n(h) the preparation for, or conduct of, a proceeding before a court or\ntribunal; or\n(i) the implementation of a court or tribunal order.\nholds, personal information—see section 16.\npermitted general situation, in relation to the collection, use or\ndisclosure of personal information—see section 19.\nrelated body corporate—see the Corporations Act, section 9.\nsensitive information, in relation to an individual, means personal\ninformation that is—\n(a) about the individual’s—\n(i) racial or ethnic origin; or\n(ii) political opinions; or\n(iii) membership of a political association; or\n(iv) religious beliefs or affiliations; or\n(v) philosophical beliefs; or\n(vi) membership of a professional or trade association; or\n(vii) membership of a trade union; or\n(viii) sexual orientation or practices; or\n(ix) criminal record; or\n\nTerritory privacy principles Part 3\nImportant concepts—Territory privacy principles Division 3.1\nSection 15\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 11\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(b) genetic information about the individual; or\n(c) biometric information about the individual that is to be used for\nthe purpose of automated biometric verification or biometric\nidentification; or\n(d) a biometric template that relates to the individual.\nNote Sensitive information does not include personal health information\n(see s 8).\nsolicits, personal information—see section 17.\nterritory record—see the Territory Records Act 2002, section 9 (3).\nTPP privacy policy—see TPP 1.3.\n15 Meaning of collects personal information—sch 1\nFor schedule 1, a public sector agency collects personal information\nonly if the agency collects the personal information for inclusion in a\nrecord or generally available publication.\n16 Meaning of holds personal information—sch 1\nFor schedule 1, a public sector agency holds personal information if\nthe agency has possession or control of a record that contains the\npersonal information.\n17 Meaning of solicits personal information—sch 1\nFor schedule 1, a public sector agency solicits personal information\nif the agency requests another entity to provide—\n(a) the personal information; or\n(b) a kind of information in which the personal information is\nincluded.\n\nPart 3 Territory privacy principles\nDivision 3.1 Important concepts—Territory privacy principles\nSection 18\npage 12 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n18 Meaning of de-identified personal information—sch 1\nFor schedule 1, personal information is de-identified if the\ninformation is no longer about an identifiable individual or an\nindividual who is reasonably identifiable.\n","sortOrder":0},{"sectionNumber":"19","sectionType":"section","heading":"Meaning of permitted general situation in relation to the","content":"19 Meaning of permitted general situation in relation to the\ncollection, use or disclosure of personal information—\nsch 1\n(1) For schedule 1, a permitted general situation exists in relation to the\ncollection, use or disclosure by a public sector agency of personal\ninformation about an individual if—\n(a) both of the following apply:\n(i) it is unreasonable or impracticable to obtain the\nindividual’s consent to the collection, use or disclosure;\n(ii) the agency reasonably believes that the collection, use or\ndisclosure is necessary to lessen or prevent a serious threat\nto the life, health or safety of an individual, or to public\nhealth or safety; or\n(b) both of the following apply:\n(i) the agency has reason to suspect that unlawful activity, or\nmisconduct of a serious nature, that relates to the agency’s\nfunctions or activities has been, is being or may be engaged\nin;\n(ii) the agency reasonably believes that the collection, use or\ndisclosure is necessary in order for the agency to take\nappropriate action in relation to the matter; or\n\nTerritory privacy principles Part 3\nImportant concepts—Territory privacy principles Division 3.1\nSection 19\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 13\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(c) both of the following apply:\n(i) the agency reasonably believes that the collection, use or\ndisclosure is reasonably necessary to assist an entity to\nlocate a person who has been reported as missing;\nNote Entity includes an unincorporated body and a person\n(including a person occupying a position) (see Legislation\nAct, dict, pt 1).\n(ii) the collection, use or disclosure complies with the rules\nmade under subsection (2); or\n(d) the collection, use or disclosure is reasonably necessary for the\nestablishment, exercise or defence of a legal or equitable claim;\nor\n(e) the collection, use or disclosure is reasonably necessary for the\npurposes of a confidential alternative dispute resolution process.\n(2) For subsection (1) (c) (ii), the information privacy commissioner may\nmake rules relating to the collection, use or disclosure of personal\ninformation.\nNote See s 56 (Instruments made under this Act).\n(3) A rule is a notifiable instrument.\n\nPart 3 Territory privacy principles\nDivision 3.2 Compliance with TPPs\nSection 20\npage 14 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nDivision 3.2 Compliance with TPPs\n","sortOrder":1},{"sectionNumber":"20","sectionType":"section","heading":"Public sector agencies must comply with TPPs","content":"20 Public sector agencies must comply with TPPs\nA public sector agency must not do an act, or engage in a practice,\nthat breaches a TPP.\n","sortOrder":2},{"sectionNumber":"21","sectionType":"section","heading":"Privacy protection requirements for government","content":"21 Privacy protection requirements for government\ncontracts\n(1) A public sector agency must not enter into a government contract\nunless the contract contains appropriate contractual provisions\nrequiring the contracted service provider, and any subcontractor for\nthe contract, to comply with—\n(a) the TPPs; or\n(b) a TPP code that binds the agency; or\n(c) a corresponding privacy law.\n(2) Also, a public sector agency must not enter into a government\ncontract that authorises the contracted service provider, or any\nsubcontractor for the contract, to do an act, or engage in a practice,\nthat breaches a TPP, TPP Code or corresponding law that applies to\nthe contract under the contractual provisions mentioned in subsection\n(1).\n(3) Failure by a public sector agency to comply with this section does not\naffect any obligation the agency, or the contracted service provider,\nhas under this Act or the government contract in relation to\ncompliance with the TPPs, or a TPP code that binds the agency.\n(4) In this section:\ncorresponding privacy law means—\n(a) the Privacy Act 1988 (Cwlth); or\n(b) a law of a State, external territory or foreign country prescribed\nby regulation.\n\nTerritory privacy principles Part 3\nOther privacy compliance matters Division 3.3\nSection 22\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 15\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nsubcontractor, in relation to a government contract—\n(a) means a person engaged by the contracted service provider\nunder the government contract to provide the services the\nsubject of the government contract; and\n(b) includes any other person engaged under a subcontracting\narrangement to provide the services the subject of the\ngovernment contract.\nDivision 3.3 Other privacy compliance matters\n","sortOrder":3},{"sectionNumber":"22","sectionType":"section","heading":"Deemed breach in relation to acts and practices of","content":"22 Deemed breach in relation to acts and practices of\noverseas recipients of personal information\n(1) This section applies if—\n(a) a public sector agency discloses personal information about an\nindividual to an overseas recipient; and\n(b) TPP 8.1 applies to the disclosure of the information; and\n(c) the TPPs do not apply, under this Act, to an act done, or a\npractice engaged in, by the overseas recipient in relation to the\ninformation; and\n(d) the overseas recipient does an act, or engages in a practice, in\nrelation to the information that would be a breach of a TPP\n(other than TPP 1) if the TPP applied to the act or practice.\n(2) The act done, or the practice engaged in, by the overseas recipient is\ntaken, for this Act—\n(a) to have been done, or engaged in, by the public sector agency;\nand\n(b) to be a breach of the TPP by the agency.\n\n","sortOrder":4},{"sectionNumber":"Part 3","sectionType":"part","heading":"Territory privacy principles","content":"Part 3 Territory privacy principles\n","sortOrder":5},{"sectionNumber":"Div 3","sectionType":"division","heading":"3 Other privacy compliance matters","content":"Division 3.3 Other privacy compliance matters\nSection 23\npage 16 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n23 Commonwealth APPs apply to certain public sector\nagencies engaged in commercial activities\n(1) This section applies to the acts and practices of a public sector agency\nif—\n(a) the agency is prescribed by regulation; and\n(b) the acts and practices relate to the agency’s commercial\nactivities.\n(2) The Commonwealth APPs apply to the acts and practices of the\npublic sector agency as if the agency were an organisation within the\nmeaning of the Commonwealth Act.\n\nExemptions from application of Act Part 4\nSection 24\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 17\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nPart 4 Exemptions from application of\nAct\n24 Exempt public sector agencies\nThis Act does not apply to the following public sector agencies:\n(a) a board of inquiry under the Inquiries Act 1991;\n(b) a judicial commission under the Judicial Commissions\nAct 1994;\n(c) the judicial council established under the Judicial Commissions\nAct 1994, section 5A;\n(d) a royal commission under the Royal Commissions Act 1991;\n(e) Icon Water Limited, Icon Distribution Investments Limited or\nIcon Retail Investments Limited;\n(f) an agency prescribed by regulation.\n","sortOrder":6},{"sectionNumber":"25","sectionType":"section","heading":"Exempt acts or practices","content":"25 Exempt acts or practices\n(1) This Act does not apply to the following acts and practices:\n(a) for a Minister—an act done, or a practice engaged in, by the\nMinister other than an act done, or a practice engaged in, by the\nMinister in relation to the affairs of a public sector agency\nadministered by the Minister;\n(b) for an ACT court—an act done, or a practice engaged in, by the\nACT court other than an act done, or a practice engaged in, by\nthe ACT court in relation to a matter of an administrative nature;\n(c) for the Office of the Legislative Assembly—an act done, or a\npractice engaged in, by the Office in exercising a function in\nrelation to a proceeding of the Legislative Assembly;\n\nPart 4 Exemptions from application of Act\nSection 25\npage 18 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(d) for officers of the Assembly—an act done, or a practice engaged\nin, by the officer of the Assembly other than an act done, or a\npractice engaged in, by the officer in relation to a matter of an\nadministrative nature;\n(e) an act done, or a practice engaged in, by a public sector agency\nin relation to information that is taken to be contrary to the\npublic interest to disclose under the FOI Act, schedule 1\n(f) an act done, or a practice engaged in, by a public sector agency\nin relation to a record that has originated with, or has been\nreceived from, a Commonwealth enforcement or intelligence\nbody;\n(g) an act done, or a practice engaged in, by a public sector agency\nthat involves the disclosure of personal information to a\nCommonwealth intelligence body if the body, in connection\nwith its functions, requests that the agency disclose the personal\ninformation and—\n(i) the disclosure is made to an officer or employee of the\nCommonwealth intelligence body authorised in writing by\nthe head (however described) of the body to receive the\ndisclosure; and\n(ii) the officer or employee certifies in writing that the\ndisclosure is connected with the performance of the body’s\nfunctions;\n(h) for an agency prescribed by regulation—an act done, or a\npractice engaged in, by the agency in relation to a matter\nprescribed by regulation.\nNote A reference to an act done, or a practice engaged in, by a public sector\nagency includes a reference to a person exercising a function of the\nagency, whether under a delegation, subdelegation or otherwise (see\nLegislation Act, s 184A).\n\nExemptions from application of Act Part 4\nSection 25\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 19\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(2) In this section:\nCommonwealth enforcement or intelligence body means the\nfollowing:\n(a) a Commonwealth intelligence body;\n(b) the Office of National Intelligence established under the Office\nof National Intelligence Act 2018 (Cwlth), section 6;\n(c) that part of the Defence Department known as the Defence\nIntelligence Organisation;\n(d) that part of the Defence Department known as the Australian\nGeospatial-Intelligence Organisation;\n(e) the National Anti-Corruption Commissioner appointed under\nthe National Anti-Corruption Commission Act 2022 (Cwlth),\nsection 241;\n(f) a staff member of the National Anti-Corruption Commission\nestablished under the National Anti-Corruption Commission\nAct 2022 (Cwlth), section 20;\n(g) the Australian Crime Commission established under the\nAustralian Crime Commission Act 2002 (Cwlth), section 7;\n(h) the board of the Australian Crime Commission established\nunder the Australian Crime Commission Act 2002 (Cwlth),\nsection 7B.\nCommonwealth intelligence body means the following:\n(a) the Australian Security Intelligence Organisation continued in\nexistence under the Australian Security Intelligence\nOrganisation Act 1979 (Cwlth), section 6;\n(b) the Australian Secret Intelligence Service continued in existence\nunder the Intelligence Services Act 2001 (Cwlth), section 16;\n(c) the Defence Signals Directorate of the Defence Department.\n\n","sortOrder":7},{"sectionNumber":"Part 4","sectionType":"part","heading":"Exemptions from application of Act","content":"Part 4 Exemptions from application of Act\nSection 25\npage 20 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nDefence Department means the Commonwealth department that\ndeals with defence and that is administered by the Commonwealth\nMinister administering the Defence Act 1903 (Cwlth).\nFOI Act means the Freedom of Information Act 2016.\n\nInformation privacy commissioner Part 5\nSection 26\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 21\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nPart 5 Information privacy\ncommissioner\n26 Appointment of information privacy commissioner\nThe Executive may appoint a person as Information Privacy\nCommissioner.\nNote 1 For the making of appointments (including acting appointments), see the\nLegislation Act, pt 19.3.\nNote 2 In particular, an appointment may be made by naming a person or\nnominating the occupant of a position (see Legislation Act, s 207).\n","sortOrder":8},{"sectionNumber":"27","sectionType":"section","heading":"Term and conditions of appointment","content":"27 Term and conditions of appointment\n(1) The information privacy commissioner must not be appointed for\nlonger than 7 years.\nNote A person may be reappointed to a position if the person is eligible to be\nappointed to the position (see Legislation Act, s 208 and dict, pt 1,\ndef appoint).\n(2) The information privacy commissioner is appointed on the conditions\nagreed between the Executive and the commissioner, subject to this\npart and any determination under the Remuneration Tribunal\nAct 1995.\n","sortOrder":9},{"sectionNumber":"28","sectionType":"section","heading":"Arrangements for privacy commissioner of another","content":"28 Arrangements for privacy commissioner of another\njurisdiction to exercise functions\nIf an appointment is not made under section 26, the Minister may\nmake arrangements for the commissioner (however described)\nresponsible for exercising functions under a Commonwealth or State\nlaw that substantially correspond to this Act to exercise 1 or more of\nthe functions of the information privacy commissioner.\n\n","sortOrder":10},{"sectionNumber":"Part 5","sectionType":"part","heading":"Information privacy commissioner","content":"Part 5 Information privacy commissioner\nSection 29\npage 22 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n","sortOrder":11},{"sectionNumber":"29","sectionType":"section","heading":"Information privacy commissioner’s functions","content":"29 Information privacy commissioner’s functions\nThe information privacy commissioner’s functions are to—\n(a) promote an understanding of the TPPs and the objects of the\nTPPs; and\n(b) provide information and educational programs to promote the\nprotection of the privacy of individuals; and\n(c) help public sector agencies to comply with the TPPs and TPP\ncodes; and\n(d) investigate privacy complaints made under this Act; and\n(e) exercise any other functions given to the commissioner under\nthis Act or another territory law.\n","sortOrder":12},{"sectionNumber":"30","sectionType":"section","heading":"Disclosure of interests","content":"30 Disclosure of interests\nThe information privacy commissioner must give written notice to\nthe Executive of all financial and other interests that the\ncommissioner has or acquires that conflict or could conflict with the\nproper exercise of the commissioner’s functions.\n","sortOrder":13},{"sectionNumber":"31","sectionType":"section","heading":"Delegation of information privacy commissioner’s","content":"31 Delegation of information privacy commissioner’s\nfunctions\nThe information privacy commissioner may delegate the\ncommissioner’s functions under this Act or another territory law to a\nperson.\nNote For the making of delegations and the exercise of delegated functions,\nsee the Legislation Act, pt 19.4.\n\nInformation privacy commissioner Part 5\nSection 32\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 23\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n","sortOrder":14},{"sectionNumber":"32","sectionType":"section","heading":"Ending of information privacy commissioner’s","content":"32 Ending of information privacy commissioner’s\nappointment\n(1) If an appointment is made under section 26, the Executive may end\nthe appointment—\n(a) if the information privacy commissioner contravenes a territory\nlaw or law of another jurisdiction; or\n(b) for misbehaviour; or\n(c) if the commissioner becomes bankrupt or personally insolvent;\nor\nNote Bankrupt or personally insolvent—see the Legislation Act,\ndictionary, pt 1.\n(d) if the commissioner is absent, other than on approved leave, for\n14 consecutive days or for 28 days in any 12-month period.\n(2) The Executive must end the information privacy commissioner’s\nappointment—\n(a) for physical or mental incapacity, if the incapacity substantially\naffects the exercise of the commissioner’s functions; or\n(b) if the commissioner fails to comply, without reasonable excuse,\nwith section 30 (Disclosure of interests).\nNote A person’s appointment also ends if the person resigns (see Legislation\nAct, s 210).\n\nPart 6 Privacy complaints\nDivision 6.1 Important concepts\nSection 33\npage 24 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nPart 6 Privacy complaints\nDivision 6.1 Important concepts\n","sortOrder":15},{"sectionNumber":"33","sectionType":"section","heading":"What is a privacy complaint etc?","content":"33 What is a privacy complaint etc?\nIn this Act:\ncomplainant, in relation to a privacy complaint, means the individual\nwho made the complaint.\nprivacy complaint means a complaint about an act or practice of a\npublic sector agency or contracted service provider that may be an\ninterference with an individual’s privacy.\nrespondent, in relation to a privacy complaint, means the public\nsector agency or contracted service provider to which the complaint\nrelates.\nDivision 6.2 Making privacy complaints\n","sortOrder":16},{"sectionNumber":"34","sectionType":"section","heading":"Who may make a privacy complaint?","content":"34 Who may make a privacy complaint?\n(1) An individual may make a privacy complaint to the information\nprivacy commissioner.\n(2) For an act or practice of a public sector agency or contracted service\nprovider that may be an interference with the privacy of 2 or more\nindividuals, any 1 of those individuals may make a privacy complaint\non behalf of all of the individuals.\n(3) The information privacy commissioner must give help to the\nindividual to make the privacy complaint, as the commissioner\nconsiders appropriate.\nExamples—help\n1 advising the individual about the complaint process\n2 helping the individual to put a privacy complaint in writing\n\nPrivacy complaints Part 6\nMaking privacy complaints Division 6.2\nSection 35\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n","sortOrder":17},{"sectionNumber":"35","sectionType":"section","heading":"How may a privacy complaint be made?","content":"35 How may a privacy complaint be made?\n(1) A privacy complaint must—\n(a) be in writing; and\n(b) include the complainant’s name, address and telephone number;\nand\n(c) identify the respondent and include details about the act or\npractice the subject of the complaint.\n(2) Despite subsection (1) (a), a privacy complaint may be made orally\nto the information privacy commissioner if the commissioner is\nreasonably satisfied that exceptional circumstances justify the\ncommissioner dealing with the complaint without it being in writing.\nExample—exceptional circumstances\nwaiting until the privacy complaint is put in writing would make dealing with the\ncomplaint impossible or impractical\n","sortOrder":18},{"sectionNumber":"36","sectionType":"section","heading":"Privacy complaint may be referred to commissioner","content":"36 Privacy complaint may be referred to commissioner\n(1) A privacy complaint may be referred to the information privacy\ncommissioner by any of the following:\n(a) the ombudsman;\n(b) the human rights commission;\n(c) an entity having functions, under a State or Commonwealth law\nthat corresponds to this Act, that correspond to the functions of\nthe information privacy commissioner;\n(d) an entity prescribed by regulation.\n(2) If an entity mentioned in subsection (1) refers a privacy complaint to\nthe information privacy commissioner, the entity must—\n(a) give the commissioner any information the entity has in relation\nto the complaint; and\n(b) tell the complainant about the referral.\n\nPart 6 Privacy complaints\nDivision 6.3 Dealing with privacy complaints\nSection 37\npage 26 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n","sortOrder":19},{"sectionNumber":"37","sectionType":"section","heading":"Commissioner must tell respondent about complaint","content":"37 Commissioner must tell respondent about complaint\nAfter receiving a privacy complaint, the information privacy\ncommissioner must give a copy of the complaint to the respondent.\nNote 1 The information privacy commissioner must comply with this section as\nsoon as possible after receiving a privacy complaint (see Legislation Act,\ns 151B).\nNote 2 If the respondent is a contracted service provider under a government\ncontract, the information privacy commissioner must also give a copy of\nthe privacy complaint to the public sector agency to which the contract\nrelates (see s 48).\nDivision 6.3 Dealing with privacy complaints\n","sortOrder":20},{"sectionNumber":"38","sectionType":"section","heading":"Commissioner may make preliminary inquiries","content":"38 Commissioner may make preliminary inquiries\nThe information privacy commissioner may make inquiries of the\nrespondent for a privacy complaint, or any other person, for the\npurpose of deciding whether to deal with the complaint.\n","sortOrder":21},{"sectionNumber":"39","sectionType":"section","heading":"Commissioner may decide not to deal with privacy","content":"39 Commissioner may decide not to deal with privacy\ncomplaint\nThe information privacy commissioner may decide not to deal with a\nprivacy complaint if the commissioner is reasonably satisfied—\n(a) the act or practice the subject of the complaint is not an\ninterference with an individual’s privacy; or\n(b) the complaint was made more than 12 months after the\ncomplainant became aware of the act or practice; or\n(c) the complaint is frivolous, vexatious, misconceived, lacking in\nsubstance or not made in good faith; or\n(d) the act or practice is the subject of an application under another\nterritory law, or a State or Commonwealth law, and the\nsubstance of the complaint has been, or is being, dealt with\nadequately under that law; or\n\nPrivacy complaints Part 6\nDealing with privacy complaints Division 6.3\nSection 40\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 27\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(e) the complaint would be better dealt with under another territory\nlaw, or a State or Commonwealth law; or\n(f) dealing, or further dealing, with the act or practice is not\nwarranted having regard to all the circumstances; or\n(g) the complainant has complained to the respondent about the act\nor practice and—\n(i) the respondent has dealt, or is dealing, adequately with the\ncomplaint; or\n(ii) the respondent has not yet had an adequate opportunity to\ndeal with the complaint.\n","sortOrder":22},{"sectionNumber":"40","sectionType":"section","heading":"Dealing with privacy complaints","content":"40 Dealing with privacy complaints\n(1) If the information privacy commissioner decides to deal with a\nprivacy complaint, the commissioner may make inquiries and\ninvestigations in relation to the complaint, as the commissioner thinks\nappropriate.\n(2) The information privacy commissioner may decide not to continue\ndealing with the privacy complaint, or part of the complaint, if—\n(a) the complainant does not comply with a reasonable request\nmade by the commissioner in dealing with the complaint, or part\nof the complaint; or\n(b) the commissioner is reasonably satisfied that the complainant,\nwithout reasonable excuse, has not cooperated in the\ncommissioner’s dealing with the complaint, or part of the\ncomplaint; or\n(c) the commissioner has not been able to contact the complainant\nfor a reasonable period of time using the contact details stated in\nthe privacy complaint; or\n(d) conciliation of the complaint, or part of the complaint, ends\nwithout agreement being reached.\n\nPart 6 Privacy complaints\nDivision 6.3 Dealing with privacy complaints\nSection 41\npage 28 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(3) In this section:\nconciliation—see section 44A.\n","sortOrder":23},{"sectionNumber":"41","sectionType":"section","heading":"Commissioner must tell parties about decision to not","content":"41 Commissioner must tell parties about decision to not\ndeal with privacy complaint\nIf the information privacy commissioner decides not to deal with a\nprivacy complaint, or to stop dealing with a privacy complaint, the\ncommissioner must tell the complainant and respondent about the\ndecision, including the reasons for the decision.\n","sortOrder":24},{"sectionNumber":"41A","sectionType":"section","heading":"Commissioner may conciliate privacy complaint","content":"41A Commissioner may conciliate privacy complaint\n(1) The information privacy commissioner may, at any time, conciliate a\nprivacy complaint, or part of a complaint, if satisfied that the\ncomplaint or part of the complaint is appropriate for conciliation.\nNote Conciliation is dealt with in div 6.3A.\n(2) The commissioner may continue to deal with a privacy complaint in\nanother way while the commissioner is conciliating the complaint, or\npart of the complaint.\n(3) In this section:\nconciliation—see section 44A.\n","sortOrder":25},{"sectionNumber":"42","sectionType":"section","heading":"Commissioner may refer privacy complaint to other entity","content":"42 Commissioner may refer privacy complaint to other entity\n(1) If the information privacy commissioner, after considering a privacy\ncomplaint, is reasonably satisfied that the complaint would be better\ndealt with by an investigative entity with power to investigate the\ncomplaint, the commissioner may refer the privacy complaint to the\nentity.\n(2) If the information privacy commissioner refers the privacy complaint\nto an investigative entity, the commissioner must—\n(a) give the entity any information the commissioner has in relation\nto the complaint; and\n\nPrivacy complaints Part 6\nDealing with privacy complaints Division 6.3\nSection 43\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 29\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(b) tell the complainant and respondent about the referral.\n(3) In this section:\ninvestigative entity means—\n(a) the ombudsman; or\n(b) the human rights commission; or\n(c) an entity having functions, under a State or Commonwealth law\nthat corresponds to this Act, that correspond to the functions of\nthe information privacy commissioner; or\n(d) an entity prescribed by regulation.\n","sortOrder":26},{"sectionNumber":"43","sectionType":"section","heading":"Commissioner may report serious or repeated","content":"43 Commissioner may report serious or repeated\ninterferences to Minister\n(1) If the information privacy commissioner, after dealing with a privacy\ncomplaint, is reasonably satisfied that the act or practice the subject\nof the complaint is a serious or repeated interference with the\ncomplainant’s privacy, the commissioner may give the Minister a\nwritten report about the complaint.\n(2) If the commissioner gives the Minister a report mentioned in\nsubsection (1), the Minister must present the report to the Legislative\nAssembly within 6 sitting days after the day the Minister receives the\nreport.\n","sortOrder":27},{"sectionNumber":"44","sectionType":"section","heading":"Commissioner may obtain information","content":"44 Commissioner may obtain information\n(1) The information privacy commissioner may ask anyone to give the\ncommissioner information so that the commissioner may deal with a\nprivacy complaint.\n(2) A public sector agency or public official for the agency must comply\nwith a request made to the agency or official.\n\nPart 6 Privacy complaints\nDivision 6.3A Conciliation of privacy complaints\nSection 44A\npage 30 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(3) In this section:\npublic official, for a public sector agency, means a person who is or\nhas been—\n(a) an employee of the public sector agency; or\n(b) a contractor, employee of a contractor or volunteer exercising a\nfunction of the public sector agency.\nDivision 6.3A Conciliation of privacy complaints\n","sortOrder":28},{"sectionNumber":"44A","sectionType":"section","heading":"Definitions—div 6.3A","content":"44A Definitions—div 6.3A\nIn this division:\nconciliation, of a privacy complaint, is a process in which—\n(a) the parties give willing and informed agreement to take part; and\n(b) the information privacy commissioner impartially helps the\nparties resolve some or all of the complaint; and\n(c) the parties decide the outcome, usually with advice from the\ncommissioner.\nconciliation agreement—see section 44E (1).\nparties, to the conciliation of a privacy complaint, means the\ncomplainant and respondent in relation to the complaint.\n","sortOrder":29},{"sectionNumber":"44B","sectionType":"section","heading":"Parties must attend conciliation","content":"44B Parties must attend conciliation\n(1) The parties to the conciliation of a privacy complaint must attend the\nconciliation.\n(2) A person commits an offence if—\n(a) the person is a party to the conciliation; and\n(b) the information privacy commissioner tells the person, in\nwriting, to attend the conciliation at a stated time and place; and\n\nPrivacy complaints Part 6\nConciliation of privacy complaints Division 6.3A\nSection 44C\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 31\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(c) the person does not attend the conciliation at the stated time and\nplace.\nMaximum penalty: 50 penalty units.\n(3) Subsection (2) does not apply if the person has a reasonable excuse\nfor not attending the conciliation at the stated time and place.\nNote The defendant has an evidential burden in relation to the matters\nmentioned in s (3) (see Criminal Code, s 58).\n","sortOrder":30},{"sectionNumber":"44C","sectionType":"section","heading":"Attendance at conciliation—people other than parties","content":"44C Attendance at conciliation—people other than parties\n(1) The information privacy commissioner may allow people other than\nparties to attend the conciliation if the commissioner considers that\ntheir attendance will help the conciliation.\n(2) However, neither party may be represented by anyone else in the\nconciliation unless the commissioner is satisfied that the\nrepresentation is likely to substantially help the conciliation.\n(3) The information privacy commissioner may also, in writing, ask a\nperson other than a party to attend the conciliation if satisfied that the\nperson’s attendance is likely to help the conciliation.\n","sortOrder":31},{"sectionNumber":"44D","sectionType":"section","heading":"Conduct of conciliation","content":"44D Conduct of conciliation\nConciliation is to be conducted in the way the information privacy\ncommissioner decides.\nExample\nThe commissioner may decide that a privacy complaint is to be split and the parts\nare to be conciliated separately.\n","sortOrder":32},{"sectionNumber":"44E","sectionType":"section","heading":"Conciliated agreements","content":"44E Conciliated agreements\n(1) If a complaint is resolved by conciliation, the information privacy\ncommissioner may help the parties make a written record\n(the conciliation agreement) of the agreement they have reached.\n\nPart 6 Privacy complaints\nDivision 6.3A Conciliation of privacy complaints\nSection 44F\npage 32 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(2) If a conciliation agreement is made—\n(a) each party to the agreement must sign the agreement; and\n(b) the commissioner must give each party a copy of the conciliation\nagreement.\n","sortOrder":33},{"sectionNumber":"44F","sectionType":"section","heading":"Use of conciliation agreement by commissioner","content":"44F Use of conciliation agreement by commissioner\n(1) The information privacy commissioner may use information in a\nconciliation agreement, whether for dealing with the complaint to\nwhich the agreement relates or otherwise, only if the parties to the\nagreement agree to the use by the commissioner of the agreement, or\nthe part of the agreement, containing the information.\n(2) An agreement to allow the commissioner to use a conciliation\nagreement, or part of a conciliation agreement, may be in the\nconciliation agreement or elsewhere.\n(3) If the parties agree to the use by the commissioner of the conciliation\nagreement, or a part of the agreement, the commissioner may use\nanything in the conciliation agreement, or the part of the agreement,\nas the commissioner considers appropriate.\n","sortOrder":34},{"sectionNumber":"44G","sectionType":"section","heading":"End of conciliation","content":"44G End of conciliation\n(1) Conciliation of a privacy complaint ends if—\n(a) agreement is reached on the matters being conciliated, whether\nor not a conciliation agreement is made, and the parties end the\nconciliation; or\n(b) the parties agree to end the conciliation; or\n(c) a party withdraws from the conciliation; or\n(d) the information privacy commissioner is satisfied that the\nconciliation is unlikely to be successful.\n\nPrivacy complaints Part 6\nConciliation of privacy complaints Division 6.3A\nSection 44H\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 33\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(2) If the conciliation ends, the commissioner must, as soon as\npracticable, tell the parties that the conciliation has ended and why it\nhas ended.\n(3) If the conciliation ends because subsection (1) (a) applies, the\ninformation privacy commissioner may close the complaint.\n","sortOrder":35},{"sectionNumber":"44H","sectionType":"section","heading":"Admissibility of evidence","content":"44H Admissibility of evidence\n(1) This section—\n(a) applies to—\n(i) a communication made between people attending a\nconciliation (including the information privacy\ncommissioner); and\n(ii) a document (whether delivered or not) prepared in relation\nto the conciliation; but\n(b) does not apply to a conciliation agreement, or part of a\nconciliation agreement, if the parties have agreed under\nsection 44F to allow the commissioner to use the agreement or\npart of the agreement.\n(2) The Evidence Act 2011, section 131 (Exclusion of evidence of\nsettlement negotiations) applies to the communication or document\nas if the communication or document were a communication or\ndocument mentioned in that Act, section 131 (1).\n","sortOrder":36},{"sectionNumber":"44I","sectionType":"section","heading":"Conciliation attendees protected from civil liability","content":"44I Conciliation attendees protected from civil liability\nA person attending conciliation does not incur civil liability for an act\ndone honestly and without recklessness at the conciliation.\n\nPart 6 Privacy complaints\nDivision 6.4 Application to court\nSection 45\npage 34 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nDivision 6.4 Application to court\n","sortOrder":37},{"sectionNumber":"45","sectionType":"section","heading":"Commissioner must tell parties application may be made","content":"45 Commissioner must tell parties application may be made\nto court\n(1) This section applies if, after dealing with a privacy complaint, the\ninformation privacy commissioner is reasonably satisfied that the act\nor practice the subject of the complaint is an interference with the\ncomplainant’s privacy.\n(2) However, this section does not apply if the complaint is resolved by\nconciliation, whether or not a conciliation agreement is made in\nrelation to the complaint.\n(3) The commissioner must give written notice to the complainant and\nthe respondent for the complaint telling them—\n(a) that the commissioner is reasonably satisfied that the act or\npractice the subject of the complaint is an interference with the\ncomplainant’s privacy; and\n(b) that the complainant may apply to a court for an order.\n(4) In this section:\nconciliation—see section 44A.\nconciliation agreement—see section 44F (1).\n","sortOrder":38},{"sectionNumber":"46","sectionType":"section","heading":"Complainant may apply for court order","content":"46 Complainant may apply for court order\nA complainant may, within 6 months after the day the complainant is\nnotified under section 45, apply to a court for an order mentioned in\nsection 47.\n\nPrivacy complaints Part 6\nApplication to court Division 6.4\nSection 47\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 35\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n","sortOrder":39},{"sectionNumber":"47","sectionType":"section","heading":"What orders may a court make?","content":"47 What orders may a court make?\nOn application by a complainant in relation to a privacy complaint,\nthe court may make 1 or more of the following orders:\n(a) an order that the complaint, or a part of the complaint, has been\nsubstantiated, together with, if considered appropriate, 1 or more\nof the following orders:\n(i) that an act or practice of the respondent is an interference\nwith the privacy of the complainant and that the respondent\nmust not repeat or continue the act or practice;\n(ii) that the respondent must engage in a stated reasonable act\nor practice to compensate for loss or damage suffered by\nthe complainant;\n(iii) that the respondent must make a stated amendment of a\nrecord it holds;\n(iv) that the complainant is entitled to a stated amount, of not\nmore than $100 000, to compensate the complainant for\neconomic loss or damage suffered by the complainant\nbecause of the act or practice complained of;\n(b) an order that the complaint, or a part of the complaint, has been\nsubstantiated together with an order that no further action is\nrequired to be taken;\n(c) an order that the complaint, or a part of the complaint, has not\nbeen substantiated, together with an order that the complaint or\npart is dismissed;\n(d) an order that the complainant be reimbursed for expenses\nreasonably incurred in relation to making the complaint.\n\n","sortOrder":40},{"sectionNumber":"Part 6","sectionType":"part","heading":"Privacy complaints","content":"Part 6 Privacy complaints\nDivision 6.5 Contracted service providers\nSection 48\npage 36 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n","sortOrder":41},{"sectionNumber":"Div 6","sectionType":"division","heading":"5 Contracted service providers","content":"Division 6.5 Contracted service providers\n","sortOrder":42},{"sectionNumber":"48","sectionType":"section","heading":"Private sector agency must be kept informed about","content":"48 Private sector agency must be kept informed about\nprivacy complaint involving contracted service provider\n(1) This section applies if—\n(a) the respondent in relation to a privacy complaint is a contracted\nservice provider under a government contract; and\n(b) the information privacy commissioner is required under this part\nto tell, or give, something to the respondent.\n(2) The information privacy commissioner must also tell, or give, the\nthing to the public sector agency to which the government contract\nrelates.\n\nTPP codes Part 7\nSection 49\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 37\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nPart 7 TPP codes\n","sortOrder":43},{"sectionNumber":"49","sectionType":"section","heading":"Meaning of TPP code","content":"49 Meaning of TPP code\n(1) For this Act, a TPP code is a code of practice about information\nprivacy.\n(2) A TPP code must—\n(a) set out how 1 or more of the TPPs are to be applied or complied\nwith; and\n(b) state the public sector agencies that are bound by the code, or a\nway of working out which public sector agencies are bound by\nthe code; and\n(c) set out when the code is in force.\n(3) A TPP code may do 1 or more of the following:\n(a) impose additional requirements to those imposed by 1 or more\nTPPs that are not contrary to, or inconsistent with, the TPPs;\n(b) deal with the internal handling of privacy complaints;\n(c) provide for the reporting to the information privacy\ncommissioner about privacy complaints;\n(d) deal with any other relevant matters.\n","sortOrder":44},{"sectionNumber":"50","sectionType":"section","heading":"Development of TPP codes and proposed amendment of","content":"50 Development of TPP codes and proposed amendment of\nTPP codes\n(1) A public sector agency may develop a draft TPP code or draft\namendment of a TPP code.\n(2) Before adopting a TPP code, the public sector agency must—\n(a) publish the draft TPP code or draft amendment on the agency’s\nwebsite or in a daily newspaper; and\n\n","sortOrder":45},{"sectionNumber":"Part 7","sectionType":"part","heading":"TPP codes","content":"Part 7 TPP codes\nSection 51\npage 38 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(b) invite the public to make submissions to the agency about the\ndraft or amendment within a stated period of at least 28 days;\nand\n(c) consider any submissions made within the stated period.\n(3) A TPP code adopted by a public sector agency is a notifiable\ninstrument.\nNote See s 56 (Instruments made under this Act).\n","sortOrder":46},{"sectionNumber":"51","sectionType":"section","heading":"Public sector agencies must comply with TPP codes","content":"51 Public sector agencies must comply with TPP codes\nA public sector agency must not do an act, or engage in a practice,\nthat breaches a TPP code notified under section 50 (3).\n\nMiscellaneous Part 8\nSection 52\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 39\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nPart 8 Miscellaneous\n","sortOrder":47},{"sectionNumber":"52","sectionType":"section","heading":"Protection of officials from liability","content":"52 Protection of officials from liability\n(1) An official is not civilly liable for anything done or omitted to be done\nhonestly and without recklessness—\n(a) in the exercise of a function under this Act; or\n(b) in the reasonable belief that the act or omission was in the\nexercise of a function under this Act.\n(2) Any civil liability that would, apart from subsection (1), attach to an\nofficial attaches instead to the Territory.\n(3) In this section:\nofficial means—\n(a) the information privacy commissioner; or\n(b) a person authorised under this Act to do or not to do a thing.\nNote A reference to an Act includes a reference to the statutory instruments\nmade or in force under the Act, including any regulation (see Legislation\nAct, s 104).\n","sortOrder":48},{"sectionNumber":"53","sectionType":"section","heading":"Offence—use or divulge protected information","content":"53 Offence—use or divulge protected information\n(1) A person to whom this section applies commits an offence if—\n(a) the person uses information; and\n(b) the information is protected information about someone else;\nand\n(c) the person is reckless about whether the information is protected\ninformation about someone else.\nMaximum penalty: 50 penalty units, imprisonment for 6 months or\nboth.\n\nPart 8 Miscellaneous\nSection 53\npage 40 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(2) A person to whom this section applies commits an offence if—\n(a) the person does something that divulges information; and\n(b) the information is protected information about someone else;\nand\n(c) the person is reckless about whether—\n(i) the information is protected information about someone\nelse; and\n(ii) doing the thing would result in the information being\ndivulged to someone else.\nMaximum penalty: 50 penalty units, imprisonment for 6 months or\nboth.\n(3) Subsections (1) and (2) do not apply—\n(a) if the information is used or divulged—\n(i) under this Act or another territory law; or\n(ii) in relation to the exercise of a function by a person to whom\nthis section applies under this Act or another territory law;\nor\n(iii) in a court proceeding; or\n(b) to the using or divulging of protected information about a person\nwith the person’s consent.\nNote The defendant has an evidential burden in relation to the matters\nmentioned in s (3) (see Criminal Code, s 58).\n(4) A person to whom this section applies need not divulge protected\ninformation to a court, or produce a document containing protected\ninformation to a court, unless it is necessary to do so for this Act or\nanother law in force in the ACT.\n\nMiscellaneous Part 8\nSection 54\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 41\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(5) In this section:\ncourt includes a tribunal, authority or person having power to\nrequire the production of documents or the answering of\nquestions.\ndivulge includes—\n(a) communicate; or\n(b) publish.\nperson to whom this section applies means a person who\nexercises, or has exercised, a function under this Act.\nproduce includes allow access to.\nprotected information means information about a person that is\ndisclosed to, or obtained by, a person to whom this section\napplies because of the exercise of a function under this Act by\nthe person or someone else.\nuse, in relation to information, includes make a record of the\ninformation.\n","sortOrder":49},{"sectionNumber":"54","sectionType":"section","heading":"Report by information privacy commissioner","content":"54 Report by information privacy commissioner\n(1) The information privacy commissioner must, for each financial year,\ngive a report to the Minister about—\n(a) the total number of privacy complaints made or referred to the\ncommissioner; and\n(b) the total number of privacy complaints dealt with by the\ncommissioner; and\n(c) the total number of privacy complaints in relation to which the\ncommissioner has given a notice under section 45\n(Commissioner must tell parties application may be made to\ncourt); and\n(d) anything else prescribed by regulation.\n\n","sortOrder":50},{"sectionNumber":"Part 8","sectionType":"part","heading":"Miscellaneous","content":"Part 8 Miscellaneous\nSection 55\npage 42 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(2) The report—\n(a) must identify the respondent in relation to each privacy\ncomplaint reported on under subsection (1); but\n(b) must not include the complainant’s personal information.\n(3) The Minister must present the report to the Legislative Assembly\nwithin 15 sitting days after the day the report is given to the Minister.\n","sortOrder":51},{"sectionNumber":"55","sectionType":"section","heading":"Information privacy commissioner may make guidelines","content":"55 Information privacy commissioner may make guidelines\n(1) The information privacy commissioner may make guidelines about\nthe following:\n(a) to help public sector agencies bound by TPP codes to apply or\ncomply with the codes;\n(b) matters the public sector agency must consider when developing\na TPP code under section 50;\n(c) the conduct of disclosure of personal information about an\nindividual by a public sector agency for TPP 6.3 (d).\n(2) A guideline is a notifiable instrument.\n","sortOrder":52},{"sectionNumber":"56","sectionType":"section","heading":"Instruments made under this Act","content":"56 Instruments made under this Act\nAn instrument made under this Act may apply, adopt or incorporate\nanother instrument as in force from time to time.\nNote The text of an applied, adopted or incorporated instrument, whether\napplied as in force from time to time or as at a particular time, is taken to\nbe a notifiable instrument if the operation of the Legislation Act, s 47 (5)\nor (6) is not disapplied (see s 47 (7)).\n\nMiscellaneous Part 8\nSection 57\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 43\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n","sortOrder":53},{"sectionNumber":"57","sectionType":"section","heading":"Approved forms","content":"57 Approved forms\n(1) The information privacy commissioner may approve forms for this\nAct.\n(2) If the information privacy commissioner approves a form for a\nparticular purpose, the approved form must be used for that purpose.\n(3) An approved form is a notifiable instrument.\n","sortOrder":54},{"sectionNumber":"58","sectionType":"section","heading":"Regulation-making power","content":"58 Regulation-making power\nThe Executive may make regulations for this Act.\n\nSchedule 1 Territory privacy principles\npage 44 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nSchedule 1 Territory privacy principles\n(see s 13)\nNote 1 This schedule sets out the TPPs.\n• Pt 1.1 sets out principles that require public sector agencies to\nconsider the privacy of personal information, including ensuring that\npublic sector agencies manage personal information in an open and\ntransparent way.\n• Pt 1.2 sets out principles that deal with the collection of personal\ninformation, including unsolicited personal information.\n• Pt 1.3 sets out principles about how public sector agencies deal with\npersonal information. The part includes principles about the use and\ndisclosure of personal information.\n• Pt 1.4 sets out principles about the integrity of personal information.\nThe part includes principles about the quality and security of\npersonal information.\n• Pt 1.5 sets out principles that deal with requests for access to, and\nthe correction of, personal information.\nNote 2 The TPPs are:\n• TPP 1—open and transparent management of personal information\n• TPP 2—anonymity and pseudonymity\n• TPP 3—collection of solicited personal information\n• TPP 4—dealing with unsolicited personal information\n• TPP 5—notification of the collection of personal information\n• TPP 6—use or disclosure of personal information\n• TPP 8—cross-border disclosure of personal information\n• TPP 10—quality of personal information\n• TPP 11—security of personal information\n• TPP 12—access to personal information\n• TPP 13—correction of personal information.\n\nTerritory privacy principles Schedule 1\nConsideration of personal information privacy Part 1.1\nSection 1\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 45\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nNote 3 The TPPs do not include provisions equivalent to the\nCommonwealth APPs relating to certain private sector and other entities.\nTo maintain consistent numbering between the TPPs and the\nCommonwealth APPs—\n• if the Commonwealth APPs contain a provision that is not included\nin this Act—the relevant TPP in this schedule is numbered to\nmaintain consistency in numbering between provisions common to\nboth Acts; and\n• a note appears under the relevant TPP in this schedule describing the\nomitted provision of the Commonwealth APPs.\nThe TPPs also contain minor textual and formatting differences to the\nCommonwealth APPs.\nPart 1.1 Consideration of personal\ninformation privacy\n1 TPP 1—open and transparent management of personal\ninformation\n1.1 The object of this TPP is to ensure that public sector agencies manage\npersonal information in an open and transparent way.\nCompliance with the TPPs etc\n1.2 A public sector agency must take reasonable steps to implement\npractices, procedures and systems relating to the agency’s functions\nor activities that—\n(a) will ensure that the agency complies with the TPPs and any TPP\ncode that binds the agency; and\n(b) will enable the agency to deal with inquiries or complaints from\nindividuals about the agency’s compliance with the TPPs or a\ncode.\n\nSchedule 1 Territory privacy principles\nPart 1.1 Consideration of personal information privacy\nSection 1\npage 46 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nTPP privacy policy\n1.3 A public sector agency must have a clearly expressed and up-to-date\npolicy (the TPP privacy policy) about the management of personal\ninformation by the agency.\n1.4 Without limiting TPP 1.3, the TPP privacy policy of the public sector\nagency must contain the following information:\n(a) the kinds of personal information that the agency collects and\nholds;\n(b) how the agency collects and holds personal information;\n(c) the purposes for which the agency collects, holds, uses and\ndiscloses personal information;\n(d) how an individual may access personal information about the\nindividual that is held by the agency and seek the correction of\nthe information;\n(e) how an individual may complain about a breach of the TPPs, or\nany TPP code that binds the agency, and how the agency will\ndeal with the complaint;\n(f) whether the agency is likely to disclose personal information to\noverseas recipients;\n(g) if the agency is likely to disclose personal information to\noverseas recipients—the countries in which the recipients are\nlikely to be located if it is practicable to state those countries in\nthe policy.\n\nTerritory privacy principles Schedule 1\nConsideration of personal information privacy Part 1.1\nSection 2\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 47\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nAvailability of TPP privacy policy etc\n1.5 A public sector agency must take reasonable steps to make its TPP\nprivacy policy available—\n(a) free of charge; and\n(b) in an appropriate form.\nExample\non the agency’s website\n1.6 If a person requests a copy of the TPP privacy policy of a public sector\nagency in a particular form, the agency must take reasonable steps to\ngive the person a copy in that form.\nNote Person includes a reference to a corporation as well as an individual (see\nLegislation Act, s 160).\n2 TPP 2—anonymity and pseudonymity\n2.1 Individuals must have the option of not identifying themselves, or of\nusing a pseudonym, when dealing with a public sector agency in\nrelation to a particular matter.\n2.2 TPP 2.1 does not apply if, in relation to the matter—\n(a) the public sector agency is required or authorised by or under an\nAustralian law, or a court or tribunal order, to deal with\nindividuals who have identified themselves; or\n(b) it is impracticable for the public sector agency to deal with\nindividuals who have not identified themselves or who have\nused a pseudonym.\n\nSchedule 1 Territory privacy principles\nPart 1.2 Collection of personal information\nSection 3\npage 48 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nPart 1.2 Collection of personal\ninformation\n3 TPP 3—collection of solicited personal information\nPersonal information other than sensitive information\n3.1 A public sector agency must not collect personal information (other\nthan sensitive information) unless the information is reasonably\nnecessary for, or directly related to, 1 or more of the agency’s\nfunctions or activities.\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to certain private sector entities (see\nCommonwealth APP 3, s 3.2).\nSensitive information\n3.3 A public sector agency must not collect sensitive information about\nan individual unless—\n(a) the individual consents to the collection of the information and\nthe information is reasonably necessary for, or directly related\nto, 1 or more of the agency’s functions or activities; or\n(b) TPP 3.4 applies in relation to the information.\nNote The equivalent provision in the Commonwealth APPs also applies to\ncertain private sector entities (see Commonwealth APP 3, s 3.3 (a) (ii)).\n3.4 This subsection applies in relation to sensitive information about an\nindividual if—\n(a) the collection of the information is required or authorised by or\nunder an Australian law or a court or tribunal order; or\n\nTerritory privacy principles Schedule 1\nCollection of personal information Part 1.2\nSection 3\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 49\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(b) a permitted general situation exists in relation to the collection\nof the information by the public sector agency; or\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to certain private sector entities (see Commonwealth\nAPP 3, s 3.4 (c)).\n(d) the public sector agency is an enforcement body and the agency\nreasonably believes that the collection of the information is\nreasonably necessary for, or directly related to, 1 or more of the\nagency’s functions or activities.\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to—\n• the Commonwealth Immigration Department (see Commonwealth\nAPP 3, s 3.4 (d) (i)); and\n• non-profit organisations (see Commonwealth APP 3, s 3.4 (e)).\nMeans of collection\n3.5 A public sector agency must collect personal information only by\nlawful and fair means.\n3.6 A public sector agency must collect personal information about an\nindividual only from the individual unless—\n(a) either—\n(i) the individual consents to the collection of the information\nfrom someone other than the individual; or\n(ii) the agency is required or authorised by or under an\nAustralian law, or a court or tribunal order, to collect the\ninformation from someone other than the individual; or\n(b) it is unreasonable or impracticable to do so.\nNote The equivalent provision in the Commonwealth APPs applies, in part, to\ncertain private sector entities.\n\nSchedule 1 Territory privacy principles\nPart 1.2 Collection of personal information\nSection 4\npage 50 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nSolicited personal information\n3.7 TPP 3 applies to the collection of personal information that is\nsolicited by a public sector agency.\n4 TPP 4—dealing with unsolicited personal information\n4.1 If—\n(a) a public sector agency receives personal information; and\n(b) the agency did not solicit the information;\nthe agency must, within a reasonable period after receiving the\ninformation, decide whether or not the agency could have collected\nthe information under TPP 3 if the agency had solicited the\ninformation.\n4.2 The public sector agency may use or disclose the personal\ninformation for the purposes of making the decision under TPP 4.1.\n4.3 If—\n(a) the public sector agency decides that the agency could not have\ncollected the personal information; and\n(b) the information is not contained in a territory record;\nthe agency must, as soon as practicable but only if it is lawful and\nreasonable to do so, destroy the information or ensure that the\ninformation is de-identified.\n4.4 If TPP 4.3 does not apply in relation to the personal information,\nTPPs 5 to 13 apply in relation to the information as if the agency had\ncollected the information under TPP 3.\n\nTerritory privacy principles Schedule 1\nCollection of personal information Part 1.2\nSection 5\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 51\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n5 TPP 5—notification of the collection of personal\ninformation\n5.1 At or before the time or, if that is not practicable, as soon as\npracticable after, a public sector agency collects personal information\nabout an individual, the agency must take reasonable steps—\n(a) to notify the individual of the matters mentioned in TPP 5.2 that\nare reasonable in the circumstances; or\n(b) to otherwise ensure that the individual is aware of those matters.\n5.2 The matters for TPP 5.1 are as follows:\n(a) the identity and contact details of the public sector agency;\n(b) if—\n(i) the public sector agency collects the personal information\nfrom someone other than the individual; or\n(ii) the individual may not be aware that the public sector\nagency has collected the personal information;\nthe fact that the agency collects, or has collected, the information\nand the circumstances of that collection;\n(c) if the collection of the personal information is required or\nauthorised by or under an Australian law, or a court or tribunal\norder—the fact that the collection is required or authorised\n(including the name of the Australian law, or details of the court\nor tribunal order, that requires or authorises the collection);\n(d) the purposes for which the public sector agency collects the\npersonal information;\n(e) the main consequences (if any) for the individual if all or some\nof the personal information is not collected by the public sector\nagency;\n\nSchedule 1 Territory privacy principles\nPart 1.2 Collection of personal information\nSection 5\npage 52 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(f) any other public sector agency or entity, or the kinds of any other\npublic sector agencies or entities, to which the public sector\nagency usually discloses personal information of the kind\ncollected by the agency;\n(g) that the TPP privacy policy of the public sector agency contains\ninformation about how the individual may access the personal\ninformation about the individual that is held by the agency and\nseek the correction of the information;\n(h) that the TPP privacy policy of the public sector agency contains\ninformation about how the individual may complain about a\nbreach of the TPPs, or any TPP code that binds the agency, and\nhow the agency will deal with the complaint;\n(i) whether the public sector agency is likely to disclose the\npersonal information to overseas recipients;\n(j) if the public sector agency is likely to disclose the personal\ninformation to overseas recipients—the countries in which the\nrecipients are likely to be located if it is practicable to state those\ncountries in the notification or to otherwise make the individual\naware of them.\n\nTerritory privacy principles Schedule 1\nDealing with personal information Part 1.3\nSection 6\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 53\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nPart 1.3 Dealing with personal\ninformation\n","sortOrder":55},{"sectionNumber":"6","sectionType":"section","heading":"TPP 6—use or disclosure of personal information","content":"6 TPP 6—use or disclosure of personal information\nUse or disclosure\n6.1 If a public sector agency holds personal information about an\nindividual that was collected for a particular purpose (the primary\npurpose), the agency must not use or disclose the information for\nanother purpose (the secondary purpose) unless—\n(a) the individual has consented to the use or disclosure of the\ninformation; or\n(b) TPP 6.2 or TPP 6.3 applies in relation to the use or disclosure of\nthe information.\nNote TPP 8 sets out requirements for the disclosure of personal information to\na person who is not in Australia or an external territory.\n6.2 This subsection applies in relation to the use or disclosure of personal\ninformation about an individual if—\n(a) the individual would reasonably expect the public sector agency\nto use or disclose the information for the secondary purpose and\nthe secondary purpose is—\n(i) if the information is sensitive information—directly related\nto the primary purpose; or\n(ii) if the information is not sensitive information—related to\nthe primary purpose; or\n(b) the use or disclosure of the information is required or authorised\nby or under an Australian law or a court or tribunal order; or\n\nSchedule 1 Territory privacy principles\nPart 1.3 Dealing with personal information\nSection 6\npage 54 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(c) a permitted general situation exists in relation to the use or\ndisclosure of the information by the public sector agency; or\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to certain private sector entities (see Commonwealth\nAPP 6, s 6.2 (d)).\n(e) the public sector agency reasonably believes that the use or\ndisclosure of the information is reasonably necessary for 1 or\nmore enforcement-related activities conducted by, or on behalf\nof, an enforcement body.\n6.3 This subsection applies in relation to the disclosure of personal\ninformation about an individual by a public sector agency if—\n(a) the agency is not an enforcement body; and\n(b) the information is biometric information or biometric templates;\nand\n(c) the recipient of the information is an enforcement body; and\n(d) the disclosure is conducted in accordance with the guidelines\nmade by the information privacy commissioner for this\nsubsection.\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to certain private sector entities (see\nCommonwealth APP 6, s 6.4).\nWritten note of use or disclosure\n6.5 If a public sector agency uses or discloses personal information in\naccordance with TPP 6.2 (e), the agency must make a written note of\nthe use or disclosure.\n\nTerritory privacy principles Schedule 1\nDealing with personal information Part 1.3\nSection 7\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 55\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nRelated bodies corporate\n6.6 If—\n(a) a public sector agency is a corporation; and\n(b) the agency collects personal information from a related body\ncorporate;\nthis TPP applies as if the agency’s primary purpose for the collection\nof the information were the primary purpose for which the related\nbody corporate collected the information.\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to certain private sector entities (see\nCommonwealth APP 6, s 6.7).\n","sortOrder":56},{"sectionNumber":"7","sectionType":"section","heading":"Direct marketing","content":"7 Direct marketing\nNote 1 The Commonwealth Act includes a privacy principle prohibiting direct\nmarketing by certain private sector entities (see Commonwealth APP 7).\nNote 2 However, Commonwealth APP 7 applies to an act or practice of a public\nsector agency if the agency engages in commercial activities (see s 23).\n","sortOrder":57},{"sectionNumber":"8","sectionType":"section","heading":"TPP 8—cross-border disclosure of personal information","content":"8 TPP 8—cross-border disclosure of personal information\n8.1 Before a public sector agency discloses personal information about\nan individual to a person (an overseas recipient)—\n(a) who is not in Australia or an external territory; and\n(b) who is not the agency or the individual;\nthe agency must take reasonable steps to ensure that the overseas\nrecipient does not breach the TPPs (other than TPP 1) in relation to\nthe information.\nNote In certain circumstances, an act done, or a practice engaged in, by an\noverseas recipient is taken, under s 22, to have been done, or engaged in,\nby the public sector agency and to be a breach of the TPPs.\n\nSchedule 1 Territory privacy principles\nPart 1.3 Dealing with personal information\nSection 8\npage 56 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n8.2 TPP 8.1 does not apply to the disclosure of personal information\nabout an individual by a public sector agency to the overseas recipient\nif—\n(a) the agency reasonably believes that—\n(i) the recipient of the information is subject to a law, or\nbinding scheme, that has the effect of protecting the\ninformation in a way that, overall, is at least substantially\nsimilar to the way in which the TPPs protect the\ninformation; and\n(ii) there are mechanisms that the individual can access to take\naction to enforce that protection of the law or binding\nscheme; or\n(b) both of the following apply:\n(i) the agency expressly informs the individual that if the\nindividual consents to the disclosure of the information,\nTPP 8.1 will not apply to the disclosure;\n(ii) after being informed, the individual consents to the\ndisclosure; or\n(c) the disclosure of the information is required or authorised by or\nunder an Australian law, or a court or tribunal order; or\n(d) a permitted general situation (other than the situation mentioned\nin section 19 (1) (d) or (e)) exists in relation to the disclosure of\nthe information by the agency; or\n(e) the disclosure of the information is required or authorised by or\nunder an international agreement relating to information sharing\nto which Australia or the Territory is a party; or\n\nTerritory privacy principles Schedule 1\nDealing with personal information Part 1.3\nSection 9\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 57\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n(f) both of the following apply:\n(i) the agency reasonably believes that the disclosure of the\ninformation is reasonably necessary for 1 or more\nenforcement-related activities conducted by, or on behalf\nof, an enforcement body;\n(ii) the recipient is a body that exercises functions that are\nsimilar to those exercised by an enforcement body.\n","sortOrder":58},{"sectionNumber":"9","sectionType":"section","heading":"Adoption, use or disclosure of government-related","content":"9 Adoption, use or disclosure of government-related\nidentifiers\nNote 1 The Commonwealth Act includes a privacy principle regulating the\nadoption, use or disclosure of government-related identifiers by certain\nprivate sector entities (see Commonwealth APP 9).\nNote 2 However, Commonwealth APP 9 applies to an act or practice of a public\nsector agency if the agency engages in commercial activities (see s 23).\n\nSchedule 1 Territory privacy principles\nPart 1.4 Integrity of personal information\nSection 10\npage 58 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nPart 1.4 Integrity of personal information\n10 TPP 10—quality of personal information\n10.1 A public sector agency must take reasonable steps to ensure that the\npersonal information that the agency collects is accurate, up-to-date\nand complete.\n10.2 A public sector agency must take reasonable steps to ensure that the\npersonal information that the agency uses or discloses is, having\nregard to the purpose of the use or disclosure, accurate, up-to-date,\ncomplete and relevant.\n","sortOrder":59},{"sectionNumber":"11","sectionType":"section","heading":"TPP 11—security of personal information","content":"11 TPP 11—security of personal information\n11.1 If a public sector agency holds personal information, the agency must\ntake reasonable steps to protect the information—\n(a) from misuse, interference or loss; and\n(b) from unauthorised access, modification or disclosure.\n11.2 If—\n(a) a public sector agency holds personal information about an\nindividual; and\n(b) the agency no longer needs the information for a purpose for\nwhich the information may be used or disclosed by the agency\nunder the TPPs; and\n(c) the information is not contained in a territory record; and\n(d) the agency is not required by or under an Australian law, or a\ncourt or tribunal order, to retain the information;\nthe agency must take reasonable steps to destroy the information or\nto ensure that the information is de-identified.\n\nTerritory privacy principles Schedule 1\nAccess to, and correction of, personal information Part 1.5\nSection 12\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 59\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nPart 1.5 Access to, and correction of,\npersonal information\n","sortOrder":60},{"sectionNumber":"12","sectionType":"section","heading":"TPP 12—access to personal information","content":"12 TPP 12—access to personal information\nAccess\n12.1 If a public sector agency holds personal information about an\nindividual, the agency must, on request by the individual, give the\nindividual access to the information.\nException to access—agency\n12.2 If the public sector agency is required or authorised to refuse to give\nthe individual access to the personal information by or under—\n(a) the Freedom of Information Act 2016; or\n(b) another law in force in the ACT that provides for access by\npeople to documents;\nthen, despite TPP 12.1, the agency is not required to give access to\nthe extent that the agency is required or authorised to refuse to give\naccess.\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to certain private sector entities (see\nCommonwealth APP 12, s 12.3).\n\nSchedule 1 Territory privacy principles\nPart 1.5 Access to, and correction of, personal information\nSection 12\npage 60 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nDealing with requests for access\n12.4 The public sector agency must—\n(a) respond to the request for access to the personal information\nwithin 30 days after the day the request is made; and\n(b) give access to the information in the way requested by the\nindividual, if it is reasonable and practicable to do so.\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to certain private sector entities (see\nCommonwealth APP 12, s 12.4 (a) (ii)).\nOther means of access\n12.5 If the public sector agency refuses—\n(a) to give access to the personal information because of TPP 12.2;\nor\n(b) to give access in the way requested by the individual;\nthe agency must take reasonable steps to give access in a way that\nmeets the needs of the agency and the individual.\n12.6 Without limiting TPP 12.5, access may be given through the use of a\nmutually agreed intermediary.\nAccess charges\n12.7 The public sector agency must not charge the individual for the\nmaking of the request or for giving access to the personal information.\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to certain private sector entities (see\nCommonwealth APP 12, s 12.8).\n\nTerritory privacy principles Schedule 1\nAccess to, and correction of, personal information Part 1.5\nSection 13\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 61\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nRefusal to give access\n12.9 If the public sector agency refuses to give access to the personal\ninformation because of TPP 12.2, or to give access in the way\nrequested by the individual, the agency must give the individual a\nwritten notice that sets out—\n(a) the reasons for the refusal except to the extent that, having\nregard to the grounds for the refusal, it would be unreasonable\nto do so; and\n(b) the mechanisms available to complain about the refusal; and\n(c) any other matter prescribed by regulation.\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to certain private sector entities (see\nCommonwealth APP 12, s 12.10).\n13 TPP 13—correction of personal information\nCorrection\n13.1 If—\n(a) a public sector agency holds personal information about an\nindividual; and\n(b) either—\n(i) the agency is satisfied that, having regard to a purpose for\nwhich the information is held, the information is\ninaccurate, out-of-date, incomplete, irrelevant or\nmisleading; or\n(ii) the individual requests the agency to correct the\ninformation;\nthe agency must take reasonable steps to correct the information to\nensure that, having regard to the purpose for which it is held, the\ninformation is accurate, up-to-date, complete, relevant and not\nmisleading.\n\n","sortOrder":61},{"sectionNumber":"Sch 1","sectionType":"schedule","heading":"Territory privacy principles","content":"Schedule 1 Territory privacy principles\n","sortOrder":62},{"sectionNumber":"Part 1","sectionType":"part","heading":"5 Access to, and correction of, personal information","content":"Part 1.5 Access to, and correction of, personal information\nSection 13\npage 62 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nNotification of correction to third parties\n13.2 If—\n(a) the public sector agency corrects personal information about an\nindividual that the agency previously disclosed to another public\nsector agency; and\n(b) the individual requests the agency to notify the other public\nsector agency of the correction;\nthe agency must take reasonable steps to give the notification unless\nit is impracticable or unlawful to do so.\nRefusal to correct information\n13.3 If the public sector agency refuses to correct the personal information\nas requested by the individual, the agency must give the individual a\nwritten notice that sets out—\n(a) the reasons for the refusal except to the extent that it would be\nunreasonable to do so; and\n(b) the mechanisms available to complain about the refusal; and\n(c) any other matter prescribed by regulation.\nRequest to associate a statement\n13.4 If—\n(a) the public sector agency refuses to correct the personal\ninformation as requested by the individual; and\n(b) the individual requests the agency to associate with the\ninformation a statement that the information is inaccurate,\nout-of-date, incomplete, irrelevant or misleading;\nthe agency must take reasonable steps to associate the statement in a\nway that will make the statement apparent to users of the information.\n\nTerritory privacy principles Schedule 1\nAccess to, and correction of, personal information Part 1.5\nSection 13\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 63\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nDealing with requests\n13.5 If a request is made under TPP 13.1 or TPP 13.4, the public sector\nagency—\n(a) must respond to the request within 30 days after the day the\nrequest is made; and\n(b) must not charge the individual for the making of the request, for\ncorrecting the personal information or for associating the\nstatement with the personal information.\nNote The equivalent provision in the Commonwealth APPs includes a\nprovision applying to certain private sector entities (see\nCommonwealth APP 13, s 13.5 (a) (ii)).\n\nDictionary\npage 64 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nDictionary\n(see s 3)\nNote 1 The Legislation Act contains definitions and other provisions relevant to\nthis Act.\nNote 2 For example, the Legislation Act, dict, pt 1, defines the following terms:\n• ACT\n• administrative unit\n• Coroner’s Court\n• corporation\n• Corporations Act\n• document\n• DPP\n• exercise (a function)\n• external territory\n• function\n• human rights commission\n• individual\n• integrity commission\n• judge\n• magistrate\n• Magistrates Court\n• Minister (see s 162)\n• Office of the Legislative Assembly\n• officer of the Assembly\n• State\n• statutory office-holder\n• Supreme Court\n• territory authority\n• territory instrumentality\n• tribunal\n• working day.\n\nDictionary\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 65\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nact—see section 10.\nACT court—\n(a) means the Supreme Court, Magistrates Court, Coroner’s Court\nor a tribunal; and\n(b) includes a judge, magistrate, tribunal member and any other\nperson exercising a function of the court or tribunal in relation\nto the hearing or determination of a matter before it.\nAustralian law, for schedule 1 (Territory privacy principles)—see\nsection 14.\nbreach, a TPP—see section 12.\ncollects, personal information, for schedule 1 (Territory privacy\nprinciples)—see section 15.\nCommonwealth Act means the Privacy Act 1988 (Cwlth).\nCommonwealth APPs means the Australian privacy principles set\nout in the Commonwealth Act, schedule 1.\ncomplainant, in relation to a privacy complaint—see section 33.\nconciliation, of a privacy complaint, for division 6.3A (Conciliation\nof privacy complaints)—see section 44A.\nconciliation agreement, for division 6.3A (Conciliation of privacy\ncomplaints)—see section 44F (1).\nconsent means express or implied consent.\ncontracted service provider—\n(a) means a person engaged under a government contract to provide\nservices to the Territory or a public sector agency; and\n(b) includes a subcontractor in relation to the contract.\ncourt or tribunal order, for schedule 1 (Territory privacy\nprinciples)—see section 14.\n\nDictionary\npage 66 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nde-identified, personal information, for schedule 1 (Territory privacy\nprinciples)—see section 18.\ndoing, an act—see section 10 (2).\nenforcement body, for schedule 1 (Territory privacy principles)—see\nsection 14.\nenforcement-related activity, for schedule 1 (Territory privacy\nprinciples)—see section 14.\ngenerally available publication means a magazine, book, article,\nnewspaper or other publication that is, or will be, generally available\nto members of the public—\n(a) whether or not it is published in print, electronically or in any\nother form; and\n(b) whether or not it is available on the payment of a fee.\ngovernment contract means a contract, to which the Territory or a\npublic sector agency is a party, under which services are to be\nprovided to—\n(a) the Territory or agency; or\n(b) another entity in relation to the exercise of the agency’s\nfunctions.\nholds, personal information, for schedule 1 (Territory privacy\nprinciples)—see section 16.\ninformation privacy commissioner means—\n(a) the Information Privacy Commissioner appointed under\nsection 26; or\n(b) if an appointment is not made under section 26, the person\nexercising 1 or more functions under an arrangement mentioned\nin section 28.\ninterference, with an individual’s privacy—see section 11.\n\nDictionary\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 67\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nmisconduct, of a person includes fraud, negligence, default, breach\nof trust, breach of duty, breach of discipline by or any other\nmisconduct of the person in the exercise of the person’s functions as\na public official.\noverseas recipient, in relation to personal information—see TPP 8.1.\nparties, to the conciliation of a privacy complaint, for division 6.3A\n(Conciliation of privacy complaints)—see section 44A.\npermitted general situation, in relation to the collection, use or\ndisclosure of personal information, for schedule 1 (Territory privacy\nprinciples)—see section 19.\npersonal information—see section 8.\npractice—see section 10.\nprivacy complaint—see section 33.\npublic sector agency—see section 9.\nrecord—\n(a) includes—\n(i) a document; or\n(ii) an electronic or other device; and\n(b) does not include—\n(i) a generally available publication; or\n(ii) anything kept in a library, art gallery or museum for the\npurposes of reference, study or exhibition; or\n(iii) a record open to public access under the Territory Records\nAct 2002, part 3; or\n(iv) a letter or other item in the course of being sent by post.\nNote Document—see the Legislation Act, dictionary, pt 1.\n\nDictionary\npage 68 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nrelated body corporate, for schedule 1 (Territory privacy\nprinciples)—see the Corporations Act, section 9.\nrespondent, in relation to a privacy complaint—see section 33.\nsensitive information, for schedule 1 (Territory privacy principles)—\nsee section 14.\nsolicits, personal information, for schedule 1 (Territory privacy\nprinciples)—see section 17.\nsubcontractor, in relation to a government contract—see\nsection 21 (4) (Privacy protection requirements for government\ncontracts).\nterritory record, for schedule 1 (Territory privacy principles)—see\nthe Territory Records Act 2002, section 9 (3).\nTPP code—see section 49.\nTPP privacy policy, for schedule 1 (Territory privacy principles)—\nsee TPP 1.3.\nTPPs—see section 13 (Territory privacy principles).\n\nEndnotes\nAbout the endnotes 1\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 69\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nEndnotes\n1 About the endnotes\nAmending and modifying laws are annotated in the legislation history and the\namendment history. Current modifications are not included in the republished law\nbut are set out in the endnotes.\nNot all editorial amendments made under the Legislation Act 2001, part 11.3 are\nannotated in the amendment history. Full details of any amendments can be\nobtained from the Parliamentary Counsel’s Office.\nUncommenced amending laws are not included in the republished law. The details\nof these laws are underlined in the legislation history. Uncommenced expiries are\nunderlined in the legislation history and amendment history.\nIf all the provisions of the law have been renumbered, a table of renumbered\nprovisions gives details of previous and current numbering.\nThe endnotes also include a table of earlier republications.\n2 Abbreviation key\nA = Act NI = Notifiable instrument\nAF = Approved form o = order\nam = amended om = omitted/repealed\namdt = amendment ord = ordinance\nAR = Assembly resolution orig = original\nch = chapter par = paragraph/subparagraph\nCN = Commencement notice pres = present\ndef = definition prev = previous\nDI = Disallowable instrument (prev...) = previously\ndict = dictionary pt = part\ndisallowed = disallowed by the Legislative r = rule/subrule\nAssembly reloc = relocated\ndiv = division renum = renumbered\nexp = expires/expired R[X] = Republication No\nGaz = gazette RI = reissue\nhdg = heading s = section/subsection\nIA = Interpretation Act 1967 sch = schedule\nins = inserted/added sdiv = subdivision\nLA = Legislation Act 2001 SL = Subordinate law\nLR = legislation register sub = substituted\nLRA = Legislation (Republication) Act 1996 underlining = whole or part not commenced\nmod = modified/modification or to be expired\n\nEndnotes\n3 Legislation history\npage 70 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n3 Legislation history\nInformation Privacy Act 2014 A2014-24\nnotified LR 11 June 2014\ns 1, s 2 commenced 11 June 2014 (LA s 75 (1))\nremainder commenced 1 September 2014 (s 2 and CN2014-10)\nas amended by\nJustice and Community Safety Legislation Amendment Act 2014\n(No 2) A2014-49 sch 1 pt 1.10\nnotified LR 10 November 2014\ns 1, s 2 commenced 10 November 2014 (LA s 75 (1))\nsch 1 pt 1.10 commenced 17 November 2014 (s 2)\nJudicial Commissions Amendment Act 2015 A2015-1 sch 1 pt 1.4\n(as am by A2015-52 s 28)\nnotified LR 25 February 2015\ns 1, s 2 commenced 25 February 2015 (LA s 75 (1))\nsch 1 pt 1.4 commenced 1 February 2017 (s 2 (as am by A2015-52\ns 28))\nStatute Law Amendment Act 2015 A2015-15 sch 3 pt 3.8\nnotified LR 27 May 2015\ns 1, s 2 commenced 27 May 2015 (LA s 75 (1))\nsch 3 pt 3.8 commenced 10 June 2015 (s 2)\nCourts Legislation Amendment Act 2015 (No 2) A2015-52 pt 10\nnotified LR 26 November 2015\ns 1, s 2 commenced 26 November 2015 (LA s 75 (1))\npt 10 (s 28) commenced 10 December 2015 (s 2 (2))\nNote Pt 10 (s 28) only amends the Judicial Commissions\nAmendment Act 2015 A2015-1\nFreedom of Information Act 2016 A2016-55 sch 4 pt 4.18 (as am by\nA2017-14 s 19)\nnotified LR 26 August 2016\ns 1, s 2 commenced 26 August 2016 (LA s 75 (1))\nsch 4 pt 4.18 commenced 1 January 2018 (s 2 as am by A2017-14\ns 19)\n\nEndnotes\nLegislation history 3\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 71\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nJustice and Community Safety Legislation Amendment Act 2017\nA2017-5 sch 1 pt 1.6\nnotified LR 23 February 2017\ns 1, s 2 commenced 23 February 2017 (LA s 75 (1))\nsch 1 pt 1.6 commenced 2 March 2017 (s 2 (3))\nJustice and Community Safety Legislation Amendment Act 2017\n(No 2) A2017-14 s 19\nnotified LR 17 May 2017\ns 1, s 2 commenced 17 May 2017 (LA s 75 (1))\ns 19 commenced 24 May 2017 (s 2 (1))\nNote This Act only amends the Freedom of Information Act 2016\nA2016-55.\nIntegrity Commission Act 2018 A2018-52 sch 1 pt 1.13 (as am by\nA2019-18 s 4)\nnotified LR 11 December 2018\ns 1, s 2 commenced 11 December 2018 (LA s 75 (1))\nsch 1 pt 1.13 commenced 1 July 2019 (s 2 (1) as am by A2019-18 s 4)\nIntegrity Commission Amendment Act 2019 A2019-18 s 4\nnotified LR 14 June 2019\ns 1, s 2 commenced 14 June 2019 (LA s 75 (1))\ns 4 commenced 1 July 2019 (s 2 (1))\nNote This Act only amends the Integrity Commission Act 2018\nA2018-52.\nStatute Law Amendment Act 2021 A2021-12 sch 3 pt 3.26\nnotified LR 9 June 2021\ns 1, s 2 commenced 9 June 2021 (LA s 75 (1))\nsch 3 pt 3.26 commenced 23 June 2021 (s 2 (1))\nCrimes Legislation Amendment Act 2024 (No 2) A2024-16\nsch 1 pt 1.1\nnotified LR 19 April 2024\ns 1, s 2 commenced 19 April 2024 (LA s 75 (1))\nsch 1 pt 1.1 commenced 26 April 2024 (s 2)\n\nEndnotes\n","sortOrder":63},{"sectionNumber":"3","sectionType":"section","heading":"Legislation history","content":"3 Legislation history\npage 72 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nJustice and Community Safety Legislation Amendment\nAct 2025 (No 3) A2025-22 pt 6\nnotified LR 12 September 2025\ns 1, s 2 commenced 12 September 2025 (LA s 75 (1))\npt 6 commenced 13 September 2025 (s 2 (1))\nStatute Law Amendment Act 2025 A2025-29 sch 4 pt 4.97\nnotified LR 6 November 2025\ns 1, s 2 commenced 6 November 2025 (LA s 75 (1))\nsch 4 pt 4.97 commenced 16 December 2025 (s 2 (6))\n\nEndnotes\nAmendment history 4\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 73\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n","sortOrder":64},{"sectionNumber":"4","sectionType":"section","heading":"Amendment history","content":"4 Amendment history\nCommencement\ns 2 om LA s 89 (4)\nRelationship with other laws\ns 6 am A2016-55 amdt 4.22\nMeaning of public sector agency\ns 9 am A2014-49 amdt 1.20\nDefinitions—sch 1\ns 14 def enforcement body am A2018-52 amdt 1.82; pars renum\nR9 LA\ndef enforcement-related activity am A2018-52 amdt 1.83;\npars renum R9 LA\nMeaning of permitted general situation in relation to the collection, use or\ndisclosure of personal information—sch 1\ns 19 am A2025-29 amdt 4.97\nPrivacy protection requirements for government contracts\ns 21 am A2017-5 amdt 1.13, amdt 1.14\nCommonwealth APPs apply to certain public sector agencies engaged in\ncommercial activities\ns 23 am A2016-55 amdt 4.23\nExempt public sector agencies\ns 24 am A2014-49 amdt 1.21; pars renum R2 LA; A2015-15\namdt 3.41; A2015-1 amdt 1.4; pars renum R5 LA\nExempt acts or practices\ns 25 am A2014-49 amdt 1.22; A2016-55 amdts 4.24-4.26;\nA2021-12 amdt 3.61, amdt 3.62; A2024-16 amdt 1.1\nHow may a privacy complaint be made?\ns 35 am A2025-29 amdt 4.97\nDealing with privacy complaints\ns 40 am A2025-22 s 17\nCommissioner may conciliate privacy complaint\ns 41A ins A2025-22 s 18\nConciliation of privacy complaints\ndiv 6.3A hdg ins A2025-22 s 19\nDefinitions—div 6.3A\ns 44A ins A2025-22 s 19\ndef conciliation ins A2025-22 s 19\ndef conciliation agreement ins A2025-22 s 19\ndef parties ins A2025-22 s 19\n\nEndnotes\nAmendment history\npage 74 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nParties must attend conciliation\ns 44B ins A2025-22 s 19\nAttendance at conciliation—people other than parties\ns 44C ins A2025-22 s 19\nConduct of conciliation\ns 44D ins A2025-22 s 19\nConciliated agreements\ns 44E ins A2025-22 s 19\nUse of conciliation agreement by commissioner\ns 44F ins A2025-22 s 19\nEnd of conciliation\ns 44G ins A2025-22 s 19\nAdmissibility of evidence\ns 44H ins A2025-22 s 19\nConciliation attendees protected from civil liability\ns 44I ins A2025-22 s 19\nCommissioner must tell parties application may be made to court\ns 45 sub A2025-22 s 20\nDevelopment of TPP codes and proposed amendment of TPP codes\ns 50 am A2025-29 amdt 4.97\nInformation privacy commissioner may make guidelines\ns 55 am A2025-29 amdt 4.97\nInstruments made under this Act\ns 56 am A2025-29 amdt 4.97\nApproved forms\ns 57 am A2025-29 amdt 4.97\nRegulation-making power\ns 58 am A2025-29 amdt 4.97\nAccess to, and correction of, personal information\nsch 1 pt 1.5 am A2014-49 amdt 1.23, amdt 1.24; A2016-55 amdt 4.27\nDictionary\ndict am A2014-49 amdt 1.25; A2018-52 amdt 1.84\ndef conciliation ins A2025-22 s 21\ndef conciliation agreement ins A2025-22 s 21\ndef parties ins A2025-22 s 21\n\nEndnotes\nEarlier republications 5\nR13\n16/12/25\nInformation Privacy Act 2014\nEffective: 16/12/25\npage 75\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\n5 Earlier republications\nSome earlier republications were not numbered. The number in column 1 refers to\nthe publication order.\nSince 12 September 2001 every authorised republication has been published in\nelectronic pdf format on the ACT legislation register. A selection of authorised\nrepublications have also been published in printed format. These republications are\nmarked with an asterisk (*) in column 1. Electronic and printed versions of an\nauthorised republication are identical.\nRepublication\nNo and date\nEffective Last\namendment\nmade by\nRepublication\nfor\nR1\n1 Sept 2014\n1 Sept 2014-\n16 Nov 2014\nnot amended new Act\nR2\n17 Nov 2014\n","sortOrder":65},{"sectionNumber":"17","sectionType":"section","heading":"Nov 2014-","content":"17 Nov 2014-\n9 June 2015\nA2014-49 amendments by\nA2014-49\nR3\n10 June 2015\n10 June 2015-\n9 Dec 2015\nA2015-15 amendments by\nA2015-15\nR4\n10 Dec 2015\n","sortOrder":66},{"sectionNumber":"10","sectionType":"section","heading":"Dec 2015-","content":"10 Dec 2015-\n31 Jan 2017\nA2015-15 updated endnotes\nas amended by\nA2015-52\nR5\n1 Feb 2017\n1 Feb 2017-\n1 Mar 2017\nA2015-52 amendments by\nA2015-1 as\namended by\nA2015-52\nR6\n2 Mar 2017\n","sortOrder":67},{"sectionNumber":"2","sectionType":"section","heading":"Mar 2017-","content":"2 Mar 2017-\n23 May 2017\nA2017-5 amendments by\nA2017-5\nR7\n24 May 2017\n","sortOrder":68},{"sectionNumber":"24","sectionType":"section","heading":"May 2017-","content":"24 May 2017-\n31 Dec 2017\nA2017-14 updated endnotes\nas amended by\nA2017-14\nR8\n1 Jan 2018\n1 Jan 2018–\n30 June 2019\nA2017-14 amendments by\nA2016-55\nas amended by\nA2017-14\nR9\n1 July 2019\n","sortOrder":69},{"sectionNumber":"1","sectionType":"section","heading":"July 2019–","content":"1 July 2019–\n22 June 2021\nA2019-18 amendments by\nA2018-52 and\nA2019-18\nR10\n23 June 2021\n","sortOrder":70},{"sectionNumber":"23","sectionType":"section","heading":"June 2021–","content":"23 June 2021–\n25 April 2024\nA2021-12 amendments by\nA2021-12\n\nEndnotes\n","sortOrder":71},{"sectionNumber":"5","sectionType":"section","heading":"Earlier republications","content":"5 Earlier republications\npage 76 Information Privacy Act 2014\nEffective: 16/12/25\nR13\n16/12/25\nAuthorised by the ACT Parliamentary Counsel—also accessible at www.legislation.act.gov.au\nRepublication\nNo and date\nEffective Last\namendment\nmade by\nRepublication\nfor\nR11\n26 Apr 2024\n","sortOrder":72},{"sectionNumber":"26","sectionType":"section","heading":"Apr 2024–","content":"26 Apr 2024–\n12 Sept 2025\nA2024-16 amendments by\nA2024-16\nR12\n13 Sept 2025\n","sortOrder":73},{"sectionNumber":"13","sectionType":"section","heading":"Sept 2025–","content":"13 Sept 2025–\n15 Dec 2025\nA2025-22 amendments by\nA2025-22\n© Australian Capital Territory 2025","sortOrder":74}],"analysis":{"flash_summary":{"complexity_score":7,"scope_assessment":{"changed":true,"description":"The republished Act as presented includes substantive amendments and additions compared with the original 2014 enactment. Notable scope changes recorded in the amendment history and visible in the text include: insertion of a statutory conciliation regime with attendance obligations and evidentiary protections (div 6.3A; s 44A–44I) introduced by the Justice and Community Safety Legislation Amendment Act 2025 (A2025-22) (amendment history); amendments to how complaints may be made (s 35 amended by A2025-29), and expansion of the permitted general situations rules (s 19 amended by A2025-29). The Act also reflects prior amendments requiring contractual privacy provisions in government contracts (s 21 as amended A2017-5) and various technical and scope adjustments noted in the amendment history (endnotes). These changes expand procedural enforcement options (conciliation, attendance obligations, Commissioner rule-making and guidance powers) and adjust the administrative interface between agencies, contracted providers and the Commissioner (s 21; div 6.3A; s 55)."},"complexity_factors":["Extensive cross-references to schedules, other Territory laws and Commonwealth privacy principles (sch 1; s 6; s 23).","Multiple layers of compliance duties (TPP substantive rules, agency TPP privacy policies, contractual obligations for suppliers) (TPP 1.3; s 21).","Detailed procedural regime for complaints, including new statutory conciliation division with attendance obligations, admissibility rules and protections (Part 6; div 6.3A; s 44B, 44H, 44I).","Discretion vested in the Information Privacy Commissioner on investigation, conciliation, referrals, guidance and rule-making (s 29, s 38–44, s 55, s 19(2)).","Cross-border disclosure rules with both procedural duties and deemed-breach backstop for overseas recipients (TPP 8.1; s 22).","Multiple exemptions and exceptions that narrow application (s 8(1)(b); s 24–25; s 12(2)), requiring careful scope analysis in practice.","Interaction of civil, administrative and limited criminal sanctions (s 47 remedies cap; s 53 criminal offences; s 52 official liability protections) and the compensation cap (s 47(a)(iv)).","Significant documentary and time-bound obligations (privacy policy publication, 30-day response times for access/correction requests) that create operational complexity (TPP 1.5; TPP 12.4; TPP 13.5)."],"plain_english_summary":"What this law does (mechanics)\n\n- Establishes Territory Privacy Principles (TPPs) that set out how public sector agencies must handle personal information (sch 1; s 13). Agencies must not do acts or engage in practices that breach those principles (s 20).  \n- Requires public sector agencies to have an up-to-date, public privacy policy describing what personal information they collect, why, how they handle it, whether they disclose it overseas, and how people can access or correct their information (TPP 1.3–1.6).  \n- Limits collection, use and disclosure of personal information to purposes related to an agency’s functions, restricts collection of sensitive information, and sets rules for unsolicited information, notification on collection and cross-border disclosures (TPP 3–5, 6, 8).  \n- Imposes integrity and security duties: agencies must keep information accurate and secure, and destroy or de-identify information no longer needed (TPP 10–11).  \n- Gives individuals rights to access and correct personal information held by agencies, with timelines (30 days) and no charge for requests (TPP 12–13).  \n- Requires public sector agencies to insert contractual provisions into government contracts so contracted service providers and subcontractors must comply with the TPPs, TPP codes or a corresponding privacy law (s 21).  \n- Creates an Information Privacy Commissioner to promote the TPPs, give guidance, investigate complaints, conciliate disputes and make rules and guidelines (s 26–31, s 29, s 55).  \n- Provides a complaint and enforcement pathway: individuals may complain to the Commissioner (Part 6); the Commissioner can investigate, make preliminary inquiries, conciliate (div 6.3A), refer complaints to other investigative entities, report serious or repeated breaches to the Minister (s 38–44, s 42–43). If the Commissioner is satisfied a complaint is an interference with privacy, the complainant may apply to a court for orders (including compensation up to $100,000 and corrective orders) (s 45–47).  \n- Creates criminal offences and penalties for improper use or disclosure of protected information by people exercising functions under the Act (s 53) and protects officials from civil liability where acts are honest and not reckless, with civil liability instead attaching to the Territory in those cases (s 52). Penalty-unit values at the republication date are stated in the republished material header (penalty unit = $160 for an individual; $810 for a corporation).\n\nWho it affects and who decides\n\n- Who must comply: public sector agencies (defined to include Ministers, administrative units, statutory office-holders and staff, territory authorities, instrumentality, certain corporations and prescribed entities) (s 9). Contracted service providers and subcontractors performing under government contracts are bound through contract clauses the agency must include (s 21, s 10(1)(b), dictionary).  \n- Who enforces/decides: the Information Privacy Commissioner administers the regime (s 26–29). The Commissioner may decline to deal with complaints for specified reasons (s 39), investigate, conciliate (div 6.3A), refer complaints to other investigative entities (s 42), and report to the Minister (s 43). Courts may make binding orders, including compensation and corrective directions, on application by complainants (s 45–47).  \n- Exemptions and limits: the Act excludes personal health information from its definition of personal information (s 8(1)(b)) and lists specific agencies and acts/practices that the Act does not apply to (s 24–25). The TPPs also do not duplicate some Commonwealth APP provisions; the Act brings Commonwealth APPs into force for certain prescribed agencies when engaged in commercial activity (s 23).\n\nWhy it matters (claimed purpose and practical implications)\n\n- The Act states its objects as promoting privacy protection, balancing privacy with agencies’ functional needs, promoting responsible and transparent handling by agencies and contracted providers, and providing a complaint pathway for individuals (s 7). Those are the policy claims the Act sets out.\n\nPractical trade-offs, incentives and costs (mechanisms, not judgments)\n\n- Compliance costs are borne mainly by public sector agencies and, by contractual extension, their contracted service providers and subcontractors. Specific cost drivers in the text include preparing and publishing a TPP privacy policy (TPP 1.3–1.6), implementing systems, procedures and staff training to meet TPPs (TPP 1.2), record-keeping requirements such as written notes when disclosing for enforcement-related activities (TPP 6.5), access/correction compliance within 30 days and free of charge (TPP 12.4, 12.7, 13.5), and obligations to destroy or de-identify data when no longer required (TPP 11.2). Agencies must also include appropriate contractual clauses in government contracts (s 21), which shifts compliance duties onto private contracted providers.  \n- Legal and litigation risk rests with agencies and, where individuals apply to court after Commissioner findings, respondents may face compensatory orders capped at $100,000 for economic loss (s 47(a)(iv)), corrective orders and declarations (s 47(a)(i)–(iii)). Criminal exposure for persons exercising functions under the Act is created by s 53 (maximum 50 penalty units, 6 months’ imprisonment, or both). Officials acting honestly and without recklessness are protected from civil liability, with the Territory taking on civil liability instead in those cases (s 52).  \n- Cross-border disclosures impose procedural checks: before disclosing to an overseas recipient agencies must take reasonable steps to ensure the overseas recipient will not breach the TPPs (TPP 8.1), or rely on specific exceptions (TPP 8.2). This creates administrative steps and potential transaction costs for transfers overseas.  \n- Incentives to document and localise control: the Act encourages agencies to document reasons for collection, notifications to individuals (TPP 5), to prefer collection from the individual (TPP 3.6), and to log certain disclosures (TPP 6.5). These documentation requirements change behaviour toward greater record-keeping and transparency.  \n- Interaction with other laws and limits on scope: the Act explicitly does not affect operation of other Territory laws such as the Freedom of Information Act 2016 and the Health Records (Privacy and Access) Act 1997 (s 6). Acts done outside the ACT required by a foreign law are not treated as breaches (s 12(2)). The Act excludes personal health information from its definition of personal information, so those records remain subject to the Health Records Act (s 8(1)(b)).  \n\nDiscretion, implementation risk and administrative burden\n\n- The Commissioner has significant discretion: to decide whether to deal with complaints (s 39), to make preliminary inquiries (s 38), to conciliate and determine conciliation procedures (div 6.3A, s 44D), to refer matters to other bodies (s 42), to make rules about specific permitted situations (s 19(2)), to make guidelines (s 55), and to delegate functions (s 31). These discretion points create implementation variance depending on Commissioner choices and guidance.  \n- The Act creates enforceable procedural requirements with penalties for non-attendance at conciliation when a party is told in writing to attend (s 44B) and for improper use/divulgence of protected information (s 53). The addition of mandatory conciliation procedures and statutory protections around conciliation (e.g. admissibility rules at s 44H and liability protection at s 44I) increases procedural complexity for parties and agencies.  \n- The Act uses cross-references to other Territory and Commonwealth laws (e.g. FOI Act, Health Records Act, Territory Records Act, Commonwealth Privacy Act) and to delegated instruments such as TPP codes, Commissioner guidelines and rules (s 50, s 55, s 56). That network of cross-references increases legal and practical complexity for implementers.\n\nConcrete who-pays / who-decides summary\n\n- Who pays: public sector agencies (compliance costs, process changes), contracted service providers (contractual obligations under government contracts) and, potentially, the Territory (civil liability in specified official-execution cases) (s 21, s 52). Individuals may incur minimal costs (the Act requires no charge for access/correction requests) (TPP 12.7, TPP 13.5).  \n- Who decides: agencies must implement TPPs; the Information Privacy Commissioner oversees and enforces the framework, with courts providing final orders where complainants apply (s 20, s 26–29, s 45–47). Ministers and the Executive have appointment and regulation powers (s 26, s 58).  \n\nPrimary trade-offs and implementation notes (source-linked)\n\n- The Act trades greater transparency, access and complaint avenues for administrative and contractual compliance costs (TPP 1.3–1.6; TPP 12.4; s 21).  \n- It centralises enforcement around an independent Commissioner with discretionary powers to conciliate or investigate, but it reserves judicial remedies for complainants (s 29; div 6.3A; s 45–47).  \n- It creates specific operational obligations for cross-border disclosures, record destruction/de-identification, and notification on collection—all of which impose concrete process changes for agencies (TPP 8.1; TPP 11.2; TPP 5.1–5.2).  \n\nKey statutory citations referenced above: s 7 (objects); s 8 (personal information scope); s 9 (public sector agency); s 10 (acts/practices definition); s 11–12 (interference and breach definitions); s 13 and sch 1 (TPPs); TPP 1.3–1.6, TPP 3–6, TPP 8, TPP 10–13 (selected TPP provisions); s 20 (must comply with TPPs); s 21 (contract clauses); s 22 (deemed breach for overseas recipients); s 23 (APPs for prescribed agencies engaged in commercial activities); s 24–25 (exemptions); s 26–32 (Commissioner appointment and functions); Part 6 and div 6.3A (complaints and conciliation); s 43 (report to Minister); s 45–47 (court orders and remedies); s 52–53 (official liability protection and criminal offences); s 55–58 (guidelines, instruments, forms, regulations)."},"kimi_summary":{"_metrics":{"provider":"moonshot","completionTokens":2237},"content_quality":"ok","complexity_score":6,"scope_assessment":{"changed":true,"description":"While the Act retains its core focus on public sector privacy, its scope has expanded significantly beyond the original 2014 framework. Key expansions include: (1) supply chain coverage—explicit extension to subcontractors and contracted service providers via section 21 and the definition of 'contracted service provider'; (2) cross-border data governance—section 22 creates deemed liability for overseas data mishandling, and TPP 8 establishes complex transfer mechanisms; (3) alternative dispute resolution—the 2025 amendments inserted Division 6.3A, creating a formal statutory conciliation framework alongside traditional investigations; and (4) hybrid regulation—section 23 allows application of Commonwealth private sector privacy laws to public sector commercial activities, creating overlapping regulatory regimes."},"complexity_factors":["Approximately 35 defined terms in the Dictionary, plus sectional definitions and signpost definitions referencing other Acts (e.g., 'territory record' defined in Territory Records Act 2002)","Extensive cross-referencing to Commonwealth legislation (Privacy Act 1988, Criminal Code, Corporations Act) and multiple other ACT statutes (Freedom of Information Act 2016, Health Records Act 1997, Territory Records Act 2002)","Nested conditional logic in exemptions (Part 4) and permitted general situations (section 19), requiring multi-layered analysis to determine applicability","13 distinct Territory Privacy Principles in Schedule 1, each containing multiple sub-clauses with exceptions (e.g., TPP 6.1 primary purpose limitation subject to TPP 6.2 and 6.3 exceptions)","Deemed liability provisions for overseas data transfers (section 22) creating attribution of overseas recipient's conduct to the local agency","Parallel application provisions where Commonwealth APPs apply to certain public sector commercial activities (section 23), creating dual compliance tracks","Formal conciliation procedures (Division 6.3A) with specific evidentiary protections, attendance requirements, and admissibility rules","Regulatory powers allowing prescription of additional exempt agencies, enforcement bodies, and entities by regulation, creating delegated legislative complexity"],"plain_english_summary":"**What this law does**\n\nThis Act is the ACT’s privacy protection framework for government-held personal information. It sets out how ACT public sector agencies—including government departments, ministers, statutory bodies, and certain government-owned companies—must handle your personal details.\n\n**Who it affects**\n\n*   **Public sector agencies**: Any ACT government entity listed in section 9 (including Ministers, administrative units, territory authorities, and entities like ACTTAB).\n*   **Contracted service providers**: Private companies or subcontractors doing work for the ACT government under contract (e.g., IT providers, consultants).\n*   **Individuals**: Anyone whose personal information is collected, used, or stored by the above entities.\n\n**Key protections (the Territory Privacy Principles)**\n\nThe Act establishes **13 Territory Privacy Principles (TPPs)** that agencies must follow:\n\n*   **Transparency**: Agencies must publish privacy policies explaining what data they collect and why (TPP 1).\n*   **Anonymity**: You generally have the right to interact with government without identifying yourself, unless legally required (TPP 2).\n*   **Collection limits**: Agencies can only collect information that is reasonably necessary for their work. Special rules apply to \"sensitive information\" (race, religion, health, biometrics, etc.) (TPP 3).\n*   **Unsolicited data**: If agencies receive information they didn’t ask for, they must decide whether they could have legally collected it; if not, they must usually destroy it (TPP 4).\n*   **Notification**: When collecting your data, they must tell you why and how you can access or complain about it (TPP 5).\n*   **Use and disclosure**: Your information generally cannot be used for purposes other than why it was collected, unless you consent or specific legal exceptions apply (e.g., for law enforcement or to prevent serious harm) (TPP 6).\n*   **Overseas transfers**: Strict rules apply before sending your data overseas; the agency remains responsible if the overseas recipient mishandles it (TPP 8 and section 22).\n*   **Data quality and security**: Agencies must keep your information accurate, secure, and destroy it when no longer needed (TPPs 10–11).\n*   **Access and correction**: You have the right to see what information an agency holds about you and to request corrections (TPPs 12–13).\n\n**Complaints and enforcement**\n\n*   **Information Privacy Commissioner**: An independent officer who investigates complaints, educates agencies, and can report serious breaches to the Minister.\n*   **Making a complaint**: You can complain if you believe an agency has interfered with your privacy. The Commissioner can investigate, conciliate (mediate), or refer matters to court.\n*   **Court orders**: If the Commissioner finds a breach, you can apply to the courts for orders including compensation (up to $100,000), orders to stop the practice, or corrections to records.\n*   **Conciliation**: The Act provides a formal mediation process where parties can reach binding agreements without going to court (Division 6.3A).\n\n**Important exemptions**\n\nThe Act does not apply to:\n*   Certain intelligence and law enforcement bodies (e.g., ASIO, Australian Federal Police)\n*   Information contrary to the public interest under Freedom of Information laws\n*   Acts of Ministers done in a personal capacity (not as head of an agency)\n*   Judicial functions of courts\n\n**Why it matters**\n\nThis law ensures that when the ACT government collects your data—whether for driver’s licences, rates, health services, or education—it must treat that information responsibly, keep it secure, and give you rights to access and correct it. It also ensures that private contractors doing government work are bound by the same privacy rules."},"flash_summary_failed":{"failed":true,"reason":"A positive credit balance is required for all requests, including BYOK, so fallback providers remain available. Add credits at https://vercel.com/d?to=%2F%5Bteam%5D%2F%7E%2Fai%3Fmodal%3Dtop-up to continue.","source":"analysis-cron"}},"importantCases":[],"_links":{"self":"/api/acts/information-privacy-act-2014","history":"/api/acts/information-privacy-act-2014/history","analysis":"/api/acts/information-privacy-act-2014/analysis","conflicts":"/api/acts/information-privacy-act-2014/conflicts","importantCases":"/api/acts/information-privacy-act-2014/important-cases","documents":"/api/acts/information-privacy-act-2014/documents"}}